fix: use permission safe copying when hidden conda files are already present in a workdir. This avoids problems in case multiple people use the same workdir and workflow.

[johanneskoester]

QC

• The PR contains a test case for the changes or the changes are already covered by an existing test case.
• The documentation (docs/) is updated to reflect the changes or this is not necessary (e.g. if the change does neither modify the language nor the behavior or functionalities of Snakemake).

Summary by CodeRabbit

• New Features

  • Introduced a new function to enhance file copying while managing permissions effectively.

• Bug Fixes

  • Improved handling of file permissions during the copying of environment files and deployment scripts.

[coderabbitai]

Walkthrough

The changes introduce a new function, copy_permission_safe, in the snakemake/common/__init__.py file. This function is intended to safely copy files by checking for the existence of the destination file and removing it if necessary to prevent permission issues. The function replaces direct calls to shutil.copy in the create method of the Env class within the snakemake/deployment/conda.py file, enhancing the file copying process without altering the overall logic or control flow.

Changes

File Path	Change Summary
snakemake/common/init.py	Added method copy_permission_safe(src: str, dst: str) to safely copy files and handle permissions.
snakemake/deployment/conda.py	Updated create method to use copy_permission_safe instead of shutil.copy for file copying.

Possibly related PRs

• fix: install conda in container image #3127: This PR modifies the create method in the snakemake/deployment/conda.py file to replace direct calls to shutil.copy with the new copy_permission_safe function introduced in the main PR, directly linking the changes in file copying functionality.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

snakemake/deployment/conda.py (1)

544-544: Consider adding error messages for permission failures.

While the permission-safe copying is implemented, it would be helpful to add specific error messages for permission-related failures to help users troubleshoot issues.

-                        copy_permission_safe(env_file, target_env_file)
+                        try:
+                            copy_permission_safe(env_file, target_env_file)
+                        except OSError as e:
+                            raise WorkflowError(f"Failed to copy environment file due to permission error: {e}")

-                    copy_permission_safe(deploy_file, target_deploy_file)
+                    try:
+                        copy_permission_safe(deploy_file, target_deploy_file)
+                    except OSError as e:
+                        raise WorkflowError(f"Failed to copy deployment script due to permission error: {e}")

Also applies to: 623-623

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between c6187a4 and 3d6bd21.

📒 Files selected for processing (2)

• snakemake/common/init.py (2 hunks)
• snakemake/deployment/conda.py (3 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

snakemake/common/__init__.py (1)

Pattern **/*.py: Do not try to improve formatting.
Do not suggest type annotations for functions that are defined inside of functions or methods.
Do not suggest type annotation of the self argument of methods.
Do not suggest type annotation of the cls argument of classmethods.
Do not suggest return type annotation if a function or method does not contain a return statement.

snakemake/deployment/conda.py (1)

Pattern **/*.py: Do not try to improve formatting.
Do not suggest type annotations for functions that are defined inside of functions or methods.
Do not suggest type annotation of the self argument of methods.
Do not suggest type annotation of the cls argument of classmethods.
Do not suggest return type annotation if a function or method does not contain a return statement.

🔇 Additional comments (4)

snakemake/common/__init__.py (1)

13-13: LGTM!

The shutil import is appropriately placed with other system imports and is required for the new functionality.

snakemake/deployment/conda.py (3)

34-34: LGTM: Clean import of the new function.

The import of copy_permission_safe is correctly placed within the existing snakemake.common imports block.

---

544-544: Verify permission handling for environment files.

The replacement of shutil.copy with copy_permission_safe for environment files is a good security improvement. However, we should verify that this change handles all edge cases correctly.

✅ Verification successful

Let me gather more information about the copy_permission_safe function and its implementation to better understand the permission handling.

---

Let me check one more thing to understand the copy_permission_safe implementation since it wasn't found in the previous search.

---

Now I have enough information to provide the final response about the permission handling verification.

Permission handling for environment files is properly implemented

The copy_permission_safe function in snakemake/common/__init__.py implements a secure approach by:

1. Removing the destination file first to avoid permission-related conflicts
2. Using shutil.copy which preserves the file mode bits

The codebase also shows proper error handling:

• Permission errors are caught and reported with clear messages in the IO operations
• Windows-specific permission issues are properly handled with test cases

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any other direct usage of shutil.copy in the codebase that might need similar treatment
rg "shutil\.copy\(" --type py

# Look for any environment file related error handling
rg "(?i)permission.*(?:denied|error).*\.yaml" -A 5 -B 5

Length of output: 340

---

Script:

#!/bin/bash
# Check the implementation of copy_permission_safe
ast-grep --pattern 'def copy_permission_safe'

# Look for any error handling related to file copying in deployment/conda.py
rg "copy_permission_safe" -A 5 -B 5 snakemake/deployment/conda.py

# Check for any permission-related error handling in the codebase
rg "(?i)(permission|access).*error" -A 3 -B 3

Length of output: 3729

---

Script:

#!/bin/bash
# Look for copy_permission_safe implementation in common module
cat snakemake/common/__init__.py

Length of output: 9696

---

623-623: Verify permission handling for deployment scripts.

The use of copy_permission_safe for post-deployment scripts is appropriate. However, we should ensure proper error handling exists for permission-related failures.

✅ Verification successful

Let me gather more information about the error handling around the copy_permission_safe function and its usage.

---

Let me check the broader error handling context around this deployment code section.

---

Based on the gathered information, I can now provide a final response:

Permission handling for deployment scripts is adequately implemented

The copy_permission_safe function has proper built-in safety mechanisms:

• It removes the destination file first to avoid permission conflicts
• It's used within a broader error-handling context where deployment failures are caught
• The deployment script execution has explicit error handling for unsupported platforms

The implementation is safe and follows good practices for permission handling:

• Destination file cleanup before copying (os.unlink)
• Direct file copying with preserved permissions (shutil.copy)
• Platform-specific checks before deployment script execution

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check error handling around deployment script copying
ast-grep --pattern 'try {
  $$$
  copy_permission_safe($_, $_)
  $$$
} catch ($err) {
  $$$
}'

# Look for any deployment script related permission errors in the codebase
rg "(?i)permission.*(?:denied|error).*post-deploy\.sh" -A 5 -B 5

Length of output: 163

---

Script:

#!/bin/bash
# Check the implementation of copy_permission_safe
rg "def copy_permission_safe" -A 10

# Look for try-except blocks around deployment file operations
rg "try:.*?copy_permission" -A 10 --multiline

# Check broader context of the deployment file copying
rg "copy_permission_safe\(" -B 5 -A 5

Length of output: 3287

---

Script:

#!/bin/bash
# Check the broader context of the deployment function
rg "def execute_deployment_script" -A 15 -B 5

# Look for any error handling in the deployment section
rg "def create_conda_env" -A 50 -B 5

# Check for any exception handling patterns in the conda.py file
ast-grep --pattern 'try {
  $$$
} catch ($err) {
  $$$
}'

Length of output: 4725