Merge branch 'hotosm:develop' into develop

Author: jeafreezy

.env.dev.example

@@ -22,6 +22,16 @@ OSM_SCOPE=read_prefs
 OSM_LOGIN_REDIRECT_URI=http://127.0.0.1:3500/authenticate/
 OSM_SECRET_KEY=dev-osm-secret-key
 
+# Authentication: "legacy" or "hanko"
+AUTH_PROVIDER=legacy
+# HANKO_API_URL=https://dev.login.hotosm.org
+# COOKIE_SECRET=your-cookie-secret
+# COOKIE_DOMAIN=.hotosm.org
+# COOKIE_SECURE=true
+# JWT_AUDIENCE=
+# LOGIN_URL=https://dev.login.hotosm.org
+# OSM_REDIRECT_URI=http://127.0.0.1:8000/api/v1/auth/osm/callback/
+
 ALLOWED_ORIGINS=http://127.0.0.1:3500
 FRONTEND_URL=http://127.0.0.1:3500
 
@@ -34,8 +44,9 @@ EMAIL_USE_TLS=False
 
 ENABLE_FAIR_PREDICTOR=True
 
-## Frontend 
-
+## Frontend
 
 VITE_BASE_API_URL="http://localhost:8200/api/v1/"
 VITE_FAIR_PREDICTOR_API_URL="http://localhost:8200/api/v1/fairpredictor/predict/"
+VITE_AUTH_PROVIDER="legacy"
+# VITE_HANKO_URL="https://dev.login.hotosm.org"

.github/workflows/docker_build.yml

@@ -32,7 +32,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -53,13 +53,16 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push API Docker image
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.API
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: false
           tags: ${{ steps.meta_api.outputs.tags }}
           labels: ${{ steps.meta_api.outputs.labels }}
@@ -82,7 +85,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -103,13 +106,16 @@ jobs:
             type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.build_type }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push Worker Docker image (${{ matrix.build_type }})
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.workers
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: false
           build-args: |
             BUILD_TYPE=${{ matrix.build_type }}
@@ -131,7 +137,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -152,13 +158,16 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push Offline Predictor Docker image
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.API
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: false
           build-args: |
             BUILD_TARGET=predictor

.github/workflows/docker_publish_image.yml

@@ -14,13 +14,13 @@ on:
   workflow_dispatch:
     inputs:
       use_cache:
-        description: 'Use Docker build cache'
+        description: "Use Docker build cache"
         required: false
-        default: 'true'
+        default: "true"
         type: choice
         options:
-          - 'true'
-          - 'false'
+          - "true"
+          - "false"
 
 env:
   REGISTRY: ghcr.io
@@ -38,7 +38,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -59,20 +59,39 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push API Docker image
+        id: build_api
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.API
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: true
           tags: ${{ steps.meta_api.outputs.tags }}
           labels: ${{ steps.meta_api.outputs.labels }}
           cache-from: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.use_cache == 'false') && '' || 'type=gha,scope=api,timeout=20m' }}
           cache-to: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.use_cache == 'false') && '' || 'type=gha,mode=max,scope=api,timeout=20m,ignore-error=true' }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Validate API manifest
+        env:
+          IMAGE_REF: ${{ env.REGISTRY }}/${{ github.repository_owner }}/fair-api@${{ steps.build_api.outputs.digest }}
+        run: |
+          json=$(docker buildx imagetools inspect --format '{{json .}}' "$IMAGE_REF")
+          echo "$json" | jq -e '
+            if (.manifest.manifests? | type) == "array" then
+              (any(.manifest.manifests[]?; .platform.os == "linux" and .platform.architecture == "amd64"))
+              and
+              (all(.manifest.manifests[]?; (.platform.os != "unknown" and .platform.architecture != "unknown")))
+            else
+              (.image.os == "linux" and .image.architecture == "amd64")
+            end
+          ' >/dev/null
+
   build-and-push-worker-image:
     needs: build-and-push-api-image
     runs-on: ubuntu-24.04
@@ -88,7 +107,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -109,13 +128,17 @@ jobs:
             type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.build_type }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push Worker Docker image (${{ matrix.build_type }})
+        id: build_worker
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.workers
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: true
           build-args: |
             BUILD_TYPE=${{ matrix.build_type }}
@@ -125,6 +148,21 @@ jobs:
           cache-to: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.use_cache == 'false') && '' || format('type=gha,mode=min,scope=docker-worker-{0},timeout=20m,ignore-error=true', matrix.build_type) }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Validate Worker manifest
+        env:
+          IMAGE_REF: ${{ env.REGISTRY }}/${{ github.repository_owner }}/fair-worker@${{ steps.build_worker.outputs.digest }}
+        run: |
+          json=$(docker buildx imagetools inspect --format '{{json .}}' "$IMAGE_REF")
+          echo "$json" | jq -e '
+            if (.manifest.manifests? | type) == "array" then
+              (any(.manifest.manifests[]?; .platform.os == "linux" and .platform.architecture == "amd64"))
+              and
+              (all(.manifest.manifests[]?; (.platform.os != "unknown" and .platform.architecture != "unknown")))
+            else
+              (.image.os == "linux" and .image.architecture == "amd64")
+            end
+          ' >/dev/null
+
   build-and-push-offline-predictor-image:
     runs-on: ubuntu-24.04
     needs: build-and-push-api-image
@@ -137,7 +175,7 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3
@@ -158,13 +196,17 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build and push Offline Predictor Docker image
+        id: build_offline_predictor
         uses: docker/build-push-action@v6
         with:
           context: backend/
           file: backend/Dockerfile.API
+          platforms: linux/amd64
+          provenance: false
+          sbom: false
           push: true
           build-args: |
             BUILD_TARGET=predictor
@@ -173,3 +215,18 @@ jobs:
           cache-from: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.use_cache == 'false') && '' || 'type=gha,scope=offline-predictor,timeout=20m' }}
           cache-to: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.use_cache == 'false') && '' || 'type=gha,mode=max,scope=offline-predictor,timeout=20m,ignore-error=true' }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Validate Offline Predictor manifest
+        env:
+          IMAGE_REF: ${{ env.REGISTRY }}/${{ github.repository_owner }}/fair-offline-predictor@${{ steps.build_offline_predictor.outputs.digest }}
+        run: |
+          json=$(docker buildx imagetools inspect --format '{{json .}}' "$IMAGE_REF")
+          echo "$json" | jq -e '
+            if (.manifest.manifests? | type) == "array" then
+              (any(.manifest.manifests[]?; .platform.os == "linux" and .platform.architecture == "amd64"))
+              and
+              (all(.manifest.manifests[]?; (.platform.os != "unknown" and .platform.architecture != "unknown")))
+            else
+              (.image.os == "linux" and .image.architecture == "amd64")
+            end
+          ' >/dev/null

.github/workflows/frontend_build.yml

@@ -23,18 +23,14 @@ jobs:
     env:
       CI: false
 
-    strategy:
-      matrix:
-        node-version: [18, 20, 22]
-
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
-      - name: Set up Node.js ${{ matrix.node-version }}
+      - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: 22
 
       - name: Install pnpm
         run: npm install -g pnpm

.github/workflows/frontend_build_push.yml

@@ -12,7 +12,7 @@ permissions:
 jobs:
   frontend-unit-test:
     uses: hotosm/gh-workflows/.github/workflows/test_pnpm.yml@3.2.0
-    
+
     with:
       working_dir: frontend
   build_and_upload:
@@ -23,18 +23,14 @@ jobs:
     env:
       CI: false
 
-    strategy:
-      matrix:
-        node-version: [20]
-
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: 22
 
       - name: Install pnpm
         run: npm install -g pnpm

.github/workflows/test_backend_build.yml

@@ -46,7 +46,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Python ${{ matrix.python-version }} and uv
         uses: astral-sh/setup-uv@v6

.github/workflows/zenml_postgres_build.yml

@@ -0,0 +1,39 @@
+name: Build ZenML Postgres Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      zenml_version:
+        description: "ZenML version to build"
+        required: true
+        type: string
+
+jobs:
+  server-image:
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.6.0
+    with:
+      context: infra/zenml
+      # This remains hotosm/zenml-postgres for legacy reasons
+      # Ideally it would be hotosm/fair/zenml-postgres
+      image_name: ghcr.io/${{ github.repository_owner }}/zenml-postgres
+      build_target: runtime
+      dockerfile: Dockerfile.postgres
+      extra_build_args: ZENML_VERSION=${{ inputs.zenml_version }}
+      image_tags: ghcr.io/${{ github.repository_owner }}/zenml-postgres:${{ inputs.zenml_version }}
+      # Workaround until CVE-2026-27143 fixed in ZenML upstream image...
+      scan_image: false
+
+  cli-image:
+    needs: server-image
+    uses: hotosm/gh-workflows/.github/workflows/image_build.yml@3.6.0
+    with:
+      context: infra/zenml
+      image_name: ghcr.io/${{ github.repository_owner }}/fair/cli
+      build_target: cli
+      dockerfile: Dockerfile.cli
+      extra_build_args: ZENML_VERSION=${{ inputs.zenml_version }}
+      image_tags: ghcr.io/${{ github.repository_owner }}/fair/cli:${{ inputs.zenml_version }}
+      # Disable dockerfile_scan else it flags usage of :latest image
+      scan_dockerfile: false
+      # It's a CLI, so we don't care about vulnerabilities
+      scan_image: false

.gitignore

@@ -34,13 +34,13 @@ frontend/package-lock*
 
 frontend/.env
 
-# for backend 
+# for backend
+**/__pycache__
 backend/static
 backend/api_static
 backend/env
 backend/temp
 backend/postgres-data
-backend/**/__pycache__/**
 backend/media
 backend/data/*
 backend/log/*