[CI]: Fix junifer-ci Docker image

.github/workflows/ci.yml

@@ -13,6 +13,7 @@ on:
       - '.github/workflows/**'
       - 'tox.ini'
       - 'pyproject.toml'
+  workflow_dispatch: {}
 
 jobs:
   run-tests:
@@ -24,63 +25,62 @@ jobs:
       fail-fast: false
       matrix:
         python-version: ['3.9', '3.10', '3.11', '3.12']
-
     steps:
-    - run: df -h
-    - name: Clean runner
-      run: |
-        rm -rf /usr/share/dotnet \
-                    /usr/local/lib/android \
-                    /opt/ghc \
-                    /opt/hostedtoolcache/CodeQL
-    - run: df -h
-    - name: Check ANTs
-      run: |
-        echo "Using ANTs : $(antsRegistration --version)"
-    - name: Check AFNI
-      run: |
-        echo "Using AFNI : $(afni --version)"
-    - name: Check FSL
-      run: |
-        echo "Using FSL : $(flirt -version)"
-    - name: Install system dependencies
-      # actions/checkout fails to identify Git as it's not in the CI image
-      run: |
-        apt-get -qq update
-        apt-get -qq install -y \
-        git \
-        git-annex \
-        make \
-        jq
-    - name: Copy junifer-data directory
-      run: |
-        mkdir -p $HOME/junifer_data/v4
-        cp -ar /root/junifer_data/v4/. $HOME/junifer_data/v4/
-    - name: Checkout repository
-      uses: actions/checkout@v5
-      with:
-        submodules: true
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install Python dependencies
-      run: |
-        python -m pip install --upgrade pip setuptools wheel
-        python -m pip install tox tox-gh-actions
-    - name: Configure Git for DataLad
-      run: |
-        git config --global user.email "junifer-runner@github.com"
-        git config --global user.name "GitHub Runner"
-    - name: Test with tox
-      # https://github.com/actions/checkout/issues/1169#issuecomment-2291682583
-      run: |
-        git config --system --add safe.directory $(pwd)
-        tox
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v5
-      with:
-        token: ${{ secrets.CODECOV_TOKEN }}
-        fail_ci_if_error: true
-        flags: junifer
-      if: success() && matrix.python-version == 3.12
+      - run: df -h
+      - name: Clean runner
+        run: |
+          rm -rf /usr/share/dotnet \
+                 /usr/local/lib/android \
+                 /opt/ghc \
+                 /opt/hostedtoolcache
+      - run: df -h
+      - name: Check ANTs
+        run: |
+          echo "Using ANTs : $(antsRegistration --version)"
+      - name: Check AFNI
+        run: |
+          echo "Using AFNI : $(afni --version)"
+      - name: Check FSL
+        run: |
+          echo "Using FSL : $(flirt -version)"
+      - name: Install system dependencies
+        # actions/checkout fails to identify Git as it's not in the CI image
+        run: |
+          apt-get -qq update
+          apt-get -qq install -y \
+          git \
+          git-annex \
+          make \
+          jq
+      - name: Copy junifer-data directory
+        run: |
+          mkdir -p $HOME/junifer_data/v4
+          cp -ar /root/junifer_data/v4/. $HOME/junifer_data/v4/
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          submodules: true
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip setuptools wheel
+          python -m pip install tox tox-gh-actions
+      - name: Configure Git for DataLad
+        run: |
+          git config --global user.email "junifer-runner@github.com"
+          git config --global user.name "GitHub Runner"
+      - name: Test with tox
+        # https://github.com/actions/checkout/issues/1169#issuecomment-2291682583
+        run: |
+          git config --system --add safe.directory $(pwd)
+          tox
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: true
+          flags: junifer
+        if: success() && matrix.python-version == 3.12

.github/workflows/docker-ci-publish.yml

@@ -1,83 +1,58 @@
 name: Docker for CI
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
   push:
-    # Only run when the file is edited on main
     branches: [ "main" ]
     paths: [ "Dockerfile-ci" ]
   pull_request:
-    # Only run when the file is edited on main
     branches: [ "main" ]
     paths: [ "Dockerfile-ci" ]
   workflow_dispatch: {}
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}-ci
 
-
 jobs:
   build:
-
     runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
-
     steps:
-      # Taken from https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
-      - name: Delete huge unnecessary tools folder
-        run: rm -rf /opt/hostedtoolcache
+      - run: df -h
+      - name: Clean runner
+        run: |
+          sudo rm -rf /usr/share/dotnet \
+                 /usr/local/lib/android \
+                 /opt/ghc \
+                 /opt/hostedtoolcache
+          sudo docker image prune --all --force
+          sudo docker builder prune -a
+      - run: df -h
       - name: Checkout repository
         uses: actions/checkout@v5
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 #v3.10.0
-        with:
-          cosign-release: 'v2.2.4'
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
+        uses: sigstore/cosign-installer@v3.10.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
+        uses: docker/setup-buildx-action@v3.11.1
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@v3.5.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@v5.8.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
         with:
           context: .
           file: Dockerfile-ci
@@ -86,18 +61,9 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/docker-docs-publish.yml

@@ -1,80 +1,58 @@
 name: Docker for docs
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
   push:
-    # Only run when the file is edited on main
     branches: [ "main" ]
     paths: [ "Dockerfile-docs" ]
   pull_request:
-    # Only run when the file is edited on main
     branches: [ "main" ]
     paths: [ "Dockerfile-docs" ]
   workflow_dispatch: {}
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}-docs
 
-
 jobs:
   build:
-
     runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
-
     steps:
+      - run: df -h
+      - name: Clean runner
+        run: |
+          rm -rf /usr/share/dotnet \
+                 /usr/local/lib/android \
+                 /opt/ghc \
+                 /opt/hostedtoolcache
+          docker image prune --all --force
+          docker builder prune -a
+      - run: df -h
       - name: Checkout repository
         uses: actions/checkout@v5
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 #v3.10.0
-        with:
-          cosign-release: 'v2.2.4'
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
+        uses: sigstore/cosign-installer@v3.10.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
+        uses: docker/setup-buildx-action@v3.11.1
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@v3.5.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@v5.8.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
         with:
           context: .
           file: Dockerfile-docs
@@ -83,18 +61,9 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

Dockerfile-ci

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM python:3.12-slim
+FROM python:3.12-slim-bookworm
 
 LABEL org.opencontainers.image.source=https://github.com/juaml/junifer
 LABEL org.opencontainers.image.description="Junifer CI container image"
@@ -60,14 +60,13 @@ ENV PATH="/opt/afni/bin:$PATH"
 # Patch gsl
 RUN ln -s /usr/lib/x86_64-linux-gnu/libgsl.so.27 /usr/lib/x86_64-linux-gnu/libgsl.so.23
 
-# disabled as standard github runner fails to install due to insufficient space on device
-# # Add FSL
-# RUN curl https://fsl.fmrib.ox.ac.uk/fsldownloads/fslconda/releases/fslinstaller.py | \
-#     python - -d /opt/fsl/ --skip_registration
-# # Set env vars for FSL
-# ENV FSLDIR=/opt/fsl \
-#     FSLOUTPUTTYPE=NIFTI_GZ \
-#     PATH="/opt/fsl/share/fsl/bin:$PATH"
+# Add FSL
+RUN curl https://fsl.fmrib.ox.ac.uk/fsldownloads/fslconda/releases/fslinstaller.py | \
+    python - -d /opt/fsl/ --skip_registration
+# Set env vars for FSL
+ENV FSLDIR=/opt/fsl \
+    FSLOUTPUTTYPE=NIFTI_GZ \
+    PATH="/opt/fsl/share/fsl/bin:$PATH"
 
 # Clean apt cache
 RUN apt-get autoremove --purge && apt-get clean

docs/changes/newsfragments/467.misc

@@ -1 +1 @@
-Disable FSL installation for `junifer-ci` Docker image build with `junifer-data` v4 by `Synchon Mandal`_
+Disable FSL installation for ``junifer-ci`` Docker image build with ``junifer-data`` v4 by `Synchon Mandal`_

docs/changes/newsfragments/468.misc

@@ -0,0 +1 @@
+Pin ``junifer-ci`` Docker image to ``python:3.12-slim-bookworm`` and re-enable FSL installation by `Synchon Mandal`_