Skip to content
18 changes: 18 additions & 0 deletions .github/workflows/_ketryx_report_and_check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,28 @@ jobs:
name: audit-results
path: audit-results

# The Ketryx action derives `changeRequestNumber` from GITHUB_REF_NAME when
# it ends in "/merge" (pull_request runs, e.g. "694/merge"). Ketryx then
# tries to fetch that PR as a Code Change Request (CCR) and returns HTTP
# 500 when the fetch fails (its PAT lacks the required GitHub permissions),
# failing the build even though it is otherwise reported successfully. We
# do not use the CCR feature (check-item-association is false). A step-level
# `env:` cannot override the default GITHUB_REF_NAME, so rewrite it via
# $GITHUB_ENV to the branch name (never ends in "/merge") to suppress
# changeRequestNumber.
- name: Suppress PR merge ref for Ketryx report
if: |
!contains(inputs.commit_message, 'skip:ketryx') &&
!contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
run: echo "GITHUB_REF_NAME=${{ github.head_ref || github.ref_name }}" >> "$GITHUB_ENV"

- name: Report build to Ketryx and check for approval
if: |
!contains(inputs.commit_message, 'skip:ketryx') &&
!contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
# Safety net: a Ketryx-side 500 must not block PR CI (the build still
# lands in Ketryx). On push/tag runs (releases) the gate is enforced.
continue-on-error: ${{ github.event_name == 'pull_request' }}
uses: Ketryx/ketryx-github-action@40b13ef68c772e96e58ec01a81f5b216d7710186 # v1.4.0
with:
project: ${{ secrets.KETRYX_PROJECT }}
Expand Down
2 changes: 1 addition & 1 deletion noxfile.py
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ def audit(session: nox.Session) -> None:
_format_json_with_jq(session, "reports/licenses_grouped.json")

# SBOMs
session.run("cyclonedx-py", "environment", "-o", SBOM_CYCLONEDX_PATH)
session.run("cyclonedx-py", "environment", "--pyproject", "pyproject.toml", "-o", SBOM_CYCLONEDX_PATH)
_format_json_with_jq(session, SBOM_CYCLONEDX_PATH)

# Generates an SPDX SBOM including vulnerability scanning
Expand Down
6 changes: 5 additions & 1 deletion src/aignostics/application/_service.py
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,10 @@
APPLICATION_RUN_FILE_READ_CHUNK_SIZE = 1024 * 1024 * 1024 # 1GB
APPLICATION_RUN_DOWNLOAD_CHUNK_SIZE = 1024 * 1024 # 1MB
APPLICATION_RUN_UPLOAD_CHUNK_SIZE = 1024 * 1024 # 1MB
# Buffer for streaming a source slide while computing its CRC32C checksum during metadata
# preparation. Sized to amortize per-read overhead (which dominates on slow/high-latency
# storage such as USB or network drives) while staying well within the 8GB RAM floor.
APPLICATION_RUN_METADATA_CHECKSUM_CHUNK_SIZE = 8 * 1024 * 1024 # 8MB


class Service(BaseService): # noqa: PLR0904
Expand Down Expand Up @@ -372,7 +376,7 @@ def generate_metadata_from_source_directory( # noqa: PLR0913, PLR0917
# Generate CRC32C checksum with crc32c and encode as base64
hash_sum = crc32c.CRC32CHash()
with file_path.open("rb") as f:
while chunk := f.read(1024):
while chunk := f.read(APPLICATION_RUN_METADATA_CHECKSUM_CHUNK_SIZE):
hash_sum.update(chunk)
checksum = str(base64.b64encode(hash_sum.digest()), "UTF-8")

Expand Down
Loading