feat(engine): Better user registry repo isolation #1275
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
daryllimyt
changed the title
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
cubic analysis
2 issues found across 7 files • Review in cubic
React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.
|
@cubic-dev-ai please re-review |
@daryllimyt I've started the AI code review. It'll take a few minutes to complete. |
There was a problem hiding this comment.
cubic analysis
1 issue found across 9 files • Review in cubic
React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.
…ing in /actions routes
- Split runtime environment setup into get_ray_runtime_env function - Add is_builtin_action function to check if action origin is DEFAULT_REGISTRY_ORIGIN - Modify run_action_on_ray_cluster to skip runtime env for builtin actions - Add module field to BoundRegistryAction model This optimization improves performance by avoiding unnecessary runtime environment setup for builtin actions that don't require custom dependencies. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Add RegistryActionMetadata model for standardized action metadata - Create new inspector.py module for subprocess-based inspection - Add utility functions for walking modules and extracting metadata: - construct_module_name, walk_module_py_files, walk_module_yaml_files, walk_module_udfs - metadata_from_function, metadata_from_template - Add _inspect_repo_via_subprocess method to Repository class - Add helper functions for venv path management This isolates repository inspection in subprocess for better security and reliability when loading untrusted code. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> Signed-off-by: Daryl Lim <[email protected]>
daryllimyt
force-pushed
the
feat/better-repo-isolation
branch
from
b037a51 to
07cc561
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
uv run pytest tests)?pre-commit run --all-files)?Description
Related Issues
Screenshots / Recordings
Steps to QA
Summary by cubic
Improved repository isolation by running untrusted repo inspection in a subprocess and extracting action metadata without importing user code into the main process. This makes loading external actions safer and more reliable.