Fix bundled setup script fallback

[wyli]

Summary

• bundle template setup requirements with holoscan-cli setup scripts
• allow container extra-script layers to use setup script directories outside the active source project
• document the PR-first release-candidate process in .github/CI.md

Testing

• python -m pytest -q
• python -m black --check src/holoscan_cli/container/core.py tests/unit/test_container_core.py tests/unit/test_package_data.py
• python -m ruff check src/holoscan_cli/container/core.py tests/unit/test_container_core.py tests/unit/test_package_data.py
• python -m build --wheel --sdist --outdir /tmp/holoscan-cli-rc3-build
• python -m twine check /tmp/holoscan-cli-rc3-build/*
• .github/scripts/assert_wheel_contents.sh /tmp/holoscan-cli-rc3-build
• .github/scripts/smoke_test.sh /tmp/holoscan-cli-rc3-venv/bin

AI-assisted: Created with Codex/GPT at the user's request.

Summary by CodeRabbit

• New Features

  • Setup scripts now reliably use bundled requirements with a fallback and improved execution handling.
  • Container build supports extra setup scripts located outside the project source.

• Bug Fixes

  • Corrected Docker build context handling for extra-script layers.

• Documentation

  • Clarified CI runbook guidance for RC candidate fixes to require merging to main before cherry-picking.

• Chores

  • Pinned dependency versions for key setup-script packages.

• Tests

  • Added unit tests verifying bundled setup-script behavior and build dry-run handling.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

src/holoscan_cli/setup_scripts/requirements.template.txt

Package	Version	License	Issue Type
cookiecutter	>= 2.7.1	Null	Unknown License
jsonschema	>= 4.26.0	Null	Unknown License
referencing	>= 0.36.2	Null	Unknown License

Allowed Licenses:

Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MIT, MPL-2.0, Python-2.0, Unlicense, 0BSD

OpenSSF Scorecard

Package	Version	Score	Details
pip/cookiecutter	>= 2.7.1	Unknown	Unknown
pip/jsonschema	>= 4.26.0	Unknown	Unknown
pip/referencing	>= 0.36.2	Unknown	Unknown

Scanned Files

• src/holoscan_cli/setup_scripts/requirements.template.txt

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 167d8bb3-ef92-4aae-a0f2-a51d8ccafb52

📥 Commits

Reviewing files that changed from the base of the PR and between caa72ee and 44d5bde.

📒 Files selected for processing (1)

• src/holoscan_cli/setup_scripts/template.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• src/holoscan_cli/setup_scripts/template.sh

---

Walkthrough

Packages bundled setup-scripts with pinned requirements, updates template.sh to use the bundled requirements, adjusts Dockerfile execution and HoloscanContainer build to support external/bundled script directories, adds tests and wheel-content checks, and documents an updated RC-fix workflow requiring main-first merges.

Changes

Bundled Setup Scripts with Packaged Requirements

Layer / File(s)	Summary
Requirements template and template script tests src/holoscan_cli/setup_scripts/requirements.template.txt, src/holoscan_cli/setup_scripts/template.sh, tests/unit/test_package_data.py	Adds minimum-version pins for cookiecutter, jsonschema, referencing; changes template.sh to resolve requirements.template.txt from the script directory; adds tests verifying the packaged template script uses the bundled requirements.
Dockerfile execution environment for setup scripts src/holoscan_cli/setup_scripts/Dockerfile.util	Copy build context into /tmp/holoscan-cli-setup/, chmod +x, and execute the selected setup script from that temp directory.
Container build-context handling for extra_scripts src/holoscan_cli/container/core.py, tests/unit/test_container_core.py	Cache setup_scripts_dir, compute per-script relative paths preferring HOLOHUB_ROOT with fallback to setup_scripts_dir, use computed script_build_context in docker build calls; add dry-run test for bundled external script dir.
Wheel packaging validation and package-data expectations .github/scripts/assert_wheel_contents.sh, tests/unit/test_package_data.py	Require holoscan_cli/setup_scripts/requirements.template.txt in wheel assertions and update package-data tests to include that file.

Release Candidate Fix Workflow Documentation

Layer / File(s)	Summary
Release Candidate Fix Process Runbook .github/CI.md	Require fixes to be merged to main before cherry-picking onto release/X.Y.0; remove prior allowance for direct merge/cherry-pick iteration on the release branch and prohibit unreviewed direct pushes or premature RC/Kitmaker releases.

---

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Possibly related PRs

• nvidia-holoscan/holoscan-cli#181: Both PRs update .github/CI.md release runbook instructions for RC→GA iteration and fix landing workflows.

---

Suggested reviewers

• tbirdso

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: fixing the bundled setup script fallback mechanism to be self-contained and work outside the project source folder.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/CI.md (1)

133-138: ⚡ Quick win

Consider consistent terminology for clarity.

Line 138 uses "has been picked onto" while line 134 uses "cherry-pick." For consistency and clarity, consider using "has been cherry-picked onto" in line 138.

📝 Suggested wording improvement

-Do not direct-push unreviewed fixes to `release/X.Y.0`, and do not submit an RC
-workflow or Kitmaker release before the fix has merged to `main` and has been
-picked onto the release branch.
+Do not direct-push unreviewed fixes to `release/X.Y.0`, and do not submit an RC
+workflow or Kitmaker release before the fix has merged to `main` and has been
+cherry-picked onto the release branch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/CI.md around lines 133 - 138, The wording is inconsistent: replace
the phrase "has been picked onto the release branch" in the sentence that begins
"Do not submit an RC workflow or Kitmaker release before the fix..." with "has
been cherry-picked onto the release branch" so it matches the earlier use of
"cherry-pick" and keeps terminology consistent; search for the sentence
containing "has been picked onto" to locate and update it.

src/holoscan_cli/container/core.py (1)

506-514: ⚡ Quick win

Validate extra_scripts names before building paths.

Line 506 currently accepts tokens with path separators (for example ../foo), which can escape the intended setup-script namespace and target unintended files. Enforce basename-only script identifiers before resolving paths.

Suggested patch

         if extra_scripts:
             setup_scripts_dir = get_holohub_setup_scripts_dir()
             for script in extra_scripts:
+                if Path(script).name != script or script in {".", ".."}:
+                    fatal(
+                        f"Invalid script name {script!r}. "
+                        "Use a setup script basename without path separators."
+                    )
                 script_path = setup_scripts_dir / f"{script}.sh"
                 if not script_path.exists():
                     fatal(f"Script {script}.sh not found in {setup_scripts_dir}")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/holoscan_cli/container/core.py` around lines 506 - 514, The code
currently builds script paths from potentially unsafe tokens in extra_scripts;
before constructing script_path (where script is used), validate that script is
a basename-only identifier (no path separators, no parent traversals, and not an
absolute path). Concretely, in the block that uses script, add a check (e.g.
ensure Path(script).name == script and not Path(script).is_absolute() and not
any(sep in script for sep in ("/","\\")) ) and call fatal(...) if validation
fails; then continue to compute script_path using setup_scripts_dir and resolve
relative paths against HoloscanContainer.HOLOHUB_ROOT as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/CI.md:
- Around line 133-138: The wording is inconsistent: replace the phrase "has been
picked onto the release branch" in the sentence that begins "Do not submit an RC
workflow or Kitmaker release before the fix..." with "has been cherry-picked
onto the release branch" so it matches the earlier use of "cherry-pick" and
keeps terminology consistent; search for the sentence containing "has been
picked onto" to locate and update it.

In `@src/holoscan_cli/container/core.py`:
- Around line 506-514: The code currently builds script paths from potentially
unsafe tokens in extra_scripts; before constructing script_path (where script is
used), validate that script is a basename-only identifier (no path separators,
no parent traversals, and not an absolute path). Concretely, in the block that
uses script, add a check (e.g. ensure Path(script).name == script and not
Path(script).is_absolute() and not any(sep in script for sep in ("/","\\")) )
and call fatal(...) if validation fails; then continue to compute script_path
using setup_scripts_dir and resolve relative paths against
HoloscanContainer.HOLOHUB_ROOT as before.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 33a0e8c2-83af-4a24-ae78-49e087068d1e

📥 Commits

Reviewing files that changed from the base of the PR and between 0fbaec9 and caa72ee.

📒 Files selected for processing (8)

• .github/CI.md
• .github/scripts/assert_wheel_contents.sh
• src/holoscan_cli/container/core.py
• src/holoscan_cli/setup_scripts/Dockerfile.util
• src/holoscan_cli/setup_scripts/requirements.template.txt
• src/holoscan_cli/setup_scripts/template.sh
• tests/unit/test_container_core.py
• tests/unit/test_package_data.py