Merge branch 'master' of https://github.com/brunopistone/sagemaker-python-sdk

Author: brunopistone

.github/workflows/codeql.yml

@@ -0,0 +1,35 @@
+name: "CodeQL"
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '30 8 * * *'
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ 'ubuntu-latest' }}
+    permissions:
+      security-events: write
+      packages: read
+
+    strategy:
+      matrix:
+        include:
+          - language: python
+            build-mode: none
+          - language: java-kotlin
+            build-mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@6ccd57f4c5d15bdc2fef309bd9fb6cc9db2ef1c6
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@4b1d7da102ff94aca014c0245062b1a463356d72
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@4b1d7da102ff94aca014c0245062b1a463356d72
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/security-monitoring.yml

@@ -0,0 +1,122 @@
+name: Security Monitoring
+
+on:
+  schedule:
+    - cron: '0 9 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+
+jobs:
+  check-code-scanning-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }}
+    steps:
+      - name: Check for security alerts
+        id: check-code-scanning-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+              const ref = 'refs/heads/master';
+            
+              const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({
+                owner,
+                repo,
+                ref: ref
+              });
+              const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('code_scanning_alert_status', activeCodeScanningAlerts.length > 0 ? '1': '0');
+            }
+            await checkAlerts();
+
+  check-dependabot-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }}
+    steps:
+      - name: Check for dependabot alerts
+        id: check-dependabot-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+            
+              const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({
+                owner,
+                repo,
+                headers: {
+                  'accept': 'applications/vnd.github+json'
+                }
+              }); 
+              const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0');
+            }
+            await checkAlerts();
+
+  check-secret-scanning-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      secret_scanning_alert_status: ${{ steps.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}
+    steps:
+      - name: Check for secret scanning alerts
+        id: check-secret-scanning-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+
+              const secretScanningAlerts = await github.rest.secretScanning.listAlertsForRepo({
+                owner,
+                repo,
+              }); 
+              const activeSecretScanningAlerts = secretScanningAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('secret_scanning_alert_status', activeSecretScanningAlerts.length > 0 ? '1': '0');
+              console.log("Active Secret Scanning Alerts", activeSecretScanningAlerts);
+            }
+            await checkAlerts();
+
+  put-metric-data:
+    runs-on: ubuntu-latest
+    needs: [check-code-scanning-alerts, check-dependabot-alerts, check-secret-scanning-alerts]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b
+        with:
+          role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
+          aws-region: us-west-2
+      - name: Put Code Scanning Alert Metric Data
+        run: |
+          if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi
+      - name: Put Dependabot Alert Metric Data
+        run: |
+          if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi
+      - name: Put Secret Scanning Alert Metric Data
+        run: |
+          if [ "${{ needs.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi

CHANGELOG.md

@@ -1,5 +1,82 @@
 # Changelog
 
+## v2.228.0 (2024-08-06)
+
+### Features
+
+ * triton v24.05
+
+### Bug Fixes and Other Changes
+
+ * chore: telemetry for deployment configs
+ * censoring sensitive values from being logged
+ * update image_uri_configs  08-05-2024 07:17:38 PST
+ * enable uncompressed model artifacts upload to S3 for SAGEMAKER_ENDPOINT overwrite for TGI, TEI, MMS model servers
+ * ModelReference deployment for Alt Configs models
+ * Add optional typecheck for nullable parameters
+ * Update package metadata
+ * release TEI 1.4.0
+
+## v2.227.0 (2024-07-30)
+
+### Features
+
+ * added code scanning through CodeQL
+
+### Bug Fixes and Other Changes
+
+ * Fixed cpu isntance type for the estimator register test
+ * update image_uri_configs  07-29-2024 11:28:28 PST
+ * avoid AccessDenied error for a while on SageMaker Studio wtih do…
+ * SMP PT 2.3 Fix
+ * chore: pin framework version in serverless inference tests
+ * image uri in TGI 2.2.0 image
+ * explicitly access enum member values to avoid Python version related regression
+ * chore: add huggingface TGI 2.2.0 config
+ * update image_uri_configs  07-22-2024 11:53:54 PST
+ * update image_uri_configs  07-17-2024 07:17:38 PST
+ * update image_uri_configs  07-16-2024 07:17:45 PST
+ * add support for new regions
+
+## v2.226.1 (2024-07-17)
+
+## v2.226.0 (2024-07-12)
+
+### Features
+
+ * Curated hub improvements
+ * InferenceSpec support for MMS and testing
+
+### Bug Fixes and Other Changes
+
+ * ModelBuilder not passing HF_TOKEN to model.
+ * update image_uri_configs  07-10-2024 07:18:04 PST
+
+## v2.225.0 (2024-07-10)
+
+### Features
+
+ * model optimization
+
+### Bug Fixes and Other Changes
+
+ * fix integ test
+ * update uris for v1.1.1
+ * update image_uri_configs  07-04-2024 07:17:24 PST
+
+## v2.224.4 (2024-07-04)
+
+### Bug Fixes and Other Changes
+
+ * allow for inf spec and server override to be passed
+
+## v2.224.3 (2024-07-03)
+
+### Bug Fixes and Other Changes
+
+ * Upgrade local dependencies
+ * Improve docstrings for estimator tags
+
 ## v2.224.2 (2024-06-27)
 
 ### Bug Fixes and Other Changes

MANIFEST.in

@@ -8,6 +8,7 @@ recursive-include requirements *
 include VERSION
 include LICENSE.txt
 include README.rst
+include hatch_build.py
 
 prune tests
 

VERSION

@@ -1 +1 @@
-2.224.3.dev0
+2.228.1.dev0

hatch_build.py

@@ -0,0 +1,43 @@
+from __future__ import absolute_import
+
+import os
+import sys
+
+from hatchling.metadata.plugin.interface import MetadataHookInterface
+
+
+class CustomMetadataHook(MetadataHookInterface):
+    def update(self, metadata):
+        metadata["optional-dependencies"] = get_optional_dependencies(self.root)
+
+
+def get_optional_dependencies(root):
+
+    def read_feature_deps(feature):
+        req_file = os.path.join(root, "requirements", "extras", f"{feature}_requirements.txt")
+        with open(req_file, encoding="utf-8") as f:
+            return list(filter(lambda d: not d.startswith("#"), f.read().splitlines()))
+
+    optional_dependencies = {"all": []}
+
+    for feature in ("feature-processor", "huggingface", "local", "scipy"):
+        dependencies = read_feature_deps(feature)
+        optional_dependencies[feature] = dependencies
+        optional_dependencies["all"].extend(dependencies)
+
+    # Test dependencies come last because we don't want them in `all`
+    optional_dependencies["test"] = read_feature_deps("test")
+    optional_dependencies["test"].extend(optional_dependencies["all"])
+
+    # remove torch and torchvision if python version is not 3.10/3.11
+    if sys.version_info.minor not in (10, 11):
+        optional_dependencies["test"] = list(
+            filter(
+                lambda d: not d.startswith(
+                    ("sentencepiece", "transformers", "torch", "torchvision")
+                ),
+                optional_dependencies["test"],
+            )
+        )
+
+    return optional_dependencies

pyproject.toml

@@ -1,2 +1,90 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "sagemaker"
+dynamic = ["version", "optional-dependencies"]
+description = "Open source library for training and deploying models on Amazon SageMaker."
+readme = "README.rst"
+requires-python = ">=3.8"
+authors = [
+  { name = "Amazon Web Services" },
+]
+keywords = [
+  "AI",
+  "AWS",
+  "Amazon",
+  "ML",
+  "MXNet",
+  "Tensorflow",
+]
+classifiers = [
+  "Development Status :: 5 - Production/Stable",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: Apache Software License",
+  "Natural Language :: English",
+  "Programming Language :: Python",
+  "Programming Language :: Python :: 3.8",
+  "Programming Language :: Python :: 3.9",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+]
+dependencies = [
+  "attrs>=23.1.0,<24",
+  "boto3>=1.34.142,<2.0",
+  "cloudpickle==2.2.1",
+  "docker",
+  "google-pasta",
+  "importlib-metadata>=1.4.0,<7.0",
+  "jsonschema",
+  "numpy>=1.9.0,<2.0",
+  "packaging>=20.0",
+  "pandas",
+  "pathos",
+  "platformdirs",
+  "protobuf>=3.12,<5.0",
+  "psutil",
+  "PyYAML~=6.0",
+  "requests",
+  "schema",
+  "smdebug_rulesconfig==1.0.1",
+  "tblib>=1.7.0,<4",
+  "tqdm",
+  "urllib3>=1.26.8,<3.0.0",
+]
+
+[project.scripts]
+sagemaker-upgrade-v2 = "sagemaker.cli.compatibility.v2.sagemaker_upgrade_v2:main"
+
+[project.urls]
+Homepage = "https://github.com/aws/sagemaker-python-sdk"
+
+[tool.hatch.version]
+path = "VERSION"
+pattern = "(?P<version>.+)"
+
+# Dynamically define optional dependencies from requirements.txt files so
+# they can be be tracked by Dependabot
+[tool.hatch.metadata.hooks.custom]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/sagemaker"]
+exclude = ["src/sagemaker/serve/model_server/triton/pack_conda_env.sh"]
+
+[tool.hatch.build.targets.wheel.shared-scripts]
+"src/sagemaker/serve/model_server/triton/pack_conda_env.sh" = "pack_conda_env.sh"
+
+[tool.hatch.build.targets.sdist]
+only-include = [
+  "/requirements/extras",
+  "/src",
+  "/VERSION",
+]
+
+[tool.pytest.ini_options]
+addopts = ["-vv"]
+testpaths = ["tests"]
+
 [tool.black]
 line-length = 100

requirements/extras/local_requirements.txt

@@ -1,3 +1,3 @@
 urllib3>=1.26.8,<3.0.0
-docker>=5.0.2,<7.0.0
+docker>=5.0.2,<8.0.0
 PyYAML>=5.4.1,<7