diff --git a/.claude/settings.json b/.claude/settings.json new file mode 100644 index 000000000..03fd0554b --- /dev/null +++ b/.claude/settings.json @@ -0,0 +1,7 @@ +{ + "permissions": { + "allow": [ + "Bash(git check-ignore *)" + ] + } +} diff --git a/changelog/seqera-enterprise/v26.1.md b/changelog/seqera-enterprise/v26.1.md new file mode 100644 index 000000000..dc6105b0f --- /dev/null +++ b/changelog/seqera-enterprise/v26.1.md @@ -0,0 +1,208 @@ +--- +title: Seqera Platform Enterprise v26.1 +date: 2026-04-07 +tags: [enterprise] +--- + +Significant integration, troubleshooting, and management improvements. + +:::info +The legacy distribution endpoint at `cr.seqera.io/private` is deprecated. Only bug fixes for existing major releases will continue to be published there. New major releases of Seqera Platform are available from `cr.seqera.io/enterprise`. Seqera will provide updated credentials for the new endpoint — [contact your Seqera representative](https://support.seqera.io) if you need access. +::: + +## Feature updates and improvements + +### Studios + +- Improved Studios session management and stability. +- Updated Studios micromamba builds to use `conda/micromamba:v2` and Wave 1.33.0. +- Added `nameStrategy` configuration option to Studios workspace settings. +- Renamed Studios settings route from `data-studios` to `studios`. +- Added ability to edit stopped Studios without restarting them. +- Container registry improvements: + - Configurable container repository path for custom image builds. + - Configurable container image naming strategy (default, tag prefix, image suffix, none). +- Studios work with Wine/XFCE/VNC (Windows compatible OS). + +### Compute environments + +- Added separate head and worker pool support for Azure Batch compute environments in both Forge and manual modes. +- Added ability to disable a compute environment. +- Improved Seqera Compute integration. +- Improved compute environment form warning display with individual stacked alerts. + +### Azure + +- Changed default Azure Batch job timeout to 7 days and exposed it as a new configuration item. +- Updated default Azure termination policy in compute environment creation form. +- Added VNet and subnet support for Azure Batch compute environments. +- Added support for separate managed identity client IDs for head and compute jobs in Azure Batch. +- Enabled Entra (service principal) credentials for Azure Batch Forge pool creation and Fusion v2. + +### AWS + +- Added AWS credential modes with support for key-based and role-based access. +- Added AWS External ID support for role-based credentials. + +### GCP + +- Added Workload Identity Federation (WIF) credential support for Google Batch and Google Cloud compute environments. +- Added support for network tagging in Google Batch. +- Added boot disk image selection for Google Batch compute environments. +- Added support for multiple machine types in Google Batch compute environments. +- Configurable retry behavior for tasks with null exit codes in Google Batch compute environments. + +### Pipelines + +- Redesigned workflow notification email templates with updated styling. +- Added GitHub App manifest flow for credential creation. +- Improved clipboard UX in workflow details header. +- Updated schema radio control copy. +- Redesigned report preview modal header layout and modal. +- Registered Nextflow CLI as a static OIDC client for authorization code with PKCE flow. +- Enriched the `POST /trace/create` response with platform metadata to reduce downstream API calls from Nextflow. (link needed) + +### Datasets + +- Added preview support for linked (URL-referenced) dataset versions. + +### Data Explorer + +- Added data lake support in Data Explorer. +- Added Molstar 3D viewer for PDB and CIF file preview. +- Added extensible view mode selection for JSON files in Data Explorer (JSON, IGV, and plain text). +- Updated Data Explorer to display non-native browser files as text when opened in a new tab. +- Added Fusion symlink resolution to the Data Explorer API. +- Increased the maximum data link name length to 512 characters. + +### Access control + +- Added required description field to custom role creation. +- Exposed roles API endpoints in the OpenAPI specification. +- Added SSO domain-based redirect for the login guard. + +### Monitoring and observability + +- Added real-time active user count display in the admin panel. +- Added workspace usage metrics. +- Added CSV export for audit logs v2 with configurable maximum record limit. +- Added audit event metadata (owner ID, workspace ID) to Studios audit events. +- Switched audit logs v2 to token-based pagination for improved performance. +- Added comprehensive audit logging for SSO lifecycle events. +- Migrated telemetry usage queries to use the audit logs v2 table. +- Updated the audit log cleaner to handle both v1 and v2 audit log tables. +- Added CSV export button to the admin audit logs v2 table. +- Added descriptions and documentation metadata to audit event types. +- Added audit event metadata to the remaining Studios session audit events. +- Added audit event metadata (owner ID, workspace ID) to all data link audit events. +- Added `target_name` field to the audit log v2 data model. +- Renamed outdated audit event types to use consistent naming conventions. +- Deprecated the legacy `/admin/audit-logs` (v1) endpoint. +- Added target resource names to all audit event emission points. +- Refined audit log v2 target resource context labels in API, UI, and CSV export. +- Added a `TOWER_AUDIT_LOG_V2_WRITE_MODE` setting supporting `v1`, `v2`, and `dual` modes. +- Removed unused `instanceId` and `instanceName` columns from the audit log v2 table. +- Updated the audit log v2 admin table to display resource names alongside target IDs. +- Added target organization, workspace, and user context to audit log v2 interfaces. + +### General + +- Bumped Micronaut from 4.7.6 to 4.8.3. +- Improved admin workspace list toolbar responsiveness. +- Applied updated status icons across platform components. +- Redesigned page header layout with improved toolbar and breadcrumb integration. +- Added automatic breadcrumb navigation to page headers. +- Updated delete workspace confirmation modal text to clarify the impact of deletion. +- Removed the unused Containers page. +- Removed the dynamic resource labels feature toggle (feature is now always active). + +#### New environment variables in 26.1 + +The following environment variables are new or changed in 26.1. See the [Configuration overview](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview) for the full descriptions and defaults: + +- [`TOWER_DATA_STUDIO_ALLOWED_WORKSPACES`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#data-features) — control which workspaces have Studios enabled. +- [`TOWER_AUDIT_LOG_V2_WRITE_MODE`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#audit-log-v2) — switch between v1, v2, and dual-write audit log tables. +- [`TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#audit-log-v2) — cap the number of records in a CSV export. +- [`TOWER_AUDIT_LOG_V2_PRE_POST_CHANGE_ENABLED`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#audit-log-v2) — capture pre/post change state images. +- [`TOWER_CRON_AUDIT_LOG_CLEAN_UP_*`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#audit-log-v2) — tune the audit log cleanup cron job. +- [`TOWER_COMPUTE_ENV_CLEANUP_*`](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#compute-environment-cleanup) — tune the cron job that transitions compute environments stuck in `CREATING` or `DELETING` states. +- New Studios family variables for default lifespan, privacy default, list page size, feature manifest URL, Connect iframe scoping, Wave build status checks, disallowed registries, and startup metrics. See [Data features](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#data-features). + +## Bug fixes + +### Studios + +- Added workspace existence check before creating Studios workspace settings. +- Fixed R-IDE icon styling. +- Added validation of git repository configuration files when creating a Studio. +- Fixed broken navigation from Studio details page for private Studios. + +### Compute environments + +- Fixed Google Batch machine type migration to be portable across MySQL and MariaDB. +- Removed hardcoded prediction model configuration from AWS Cloud platform provider. +- Fixed metering event handling to batch events when more than 100 events are received, preventing silent data loss. +- Removed default `terminateAsync` implementation to enforce explicit provider implementations. +- Fixed Workload Identity Federation (WIF) log retrieval by setting the project ID on the Cloud Logging client. +- Fixed WIF log retrieval by resolving GCP project numbers to project names for Cloud Logging filters. +- Fixed WIF credential context propagation for log retrieval and data link operations. +- Propagated AWS Forge disposal failures instead of silently swallowing exceptions. +- Pinned `google-cloud-storage` to a compatible version to fix `NoClassDefFoundError` on GCS data link access. +- Returned an actionable error message when an Azure Batch pool is missing during job submission. +- Propagated GCP Forge disposal failures instead of silently ignoring resource deletion errors. +- Enabled cloud cache for Kubernetes compute environments with local PVC paths. +- Reverted unintended cloud cache change for Kubernetes compute environments. + +### Pipelines + +- Fixed pipeline implicit default version resolution. +- Removed logs from AI debug button URL to prevent URI too large errors. +- Replaced `document.write` with client-side form submission in GitHub App manifest flow to fix Firefox blank page issue. +- Made workflow job cancellation idempotent to prevent 500 errors on concurrent cancel requests. +- Fixed parallel requests to pipeline info in the launch form. + +### Datasets + +- Fixed `LazyInitializationException` in avatar resolution during dataset creation. +- Fixed dataset name field to apply input normalization (spaces converted to underscores). +- Fixed column order preservation in dataset preview for TSV files. + +### Data Explorer + +- Fixed IGV MIME type detection in Data Explorer. + +### Access control + +- Fixed refresh token JWT secret configuration for enterprise deployments. +- Hardened the Auth0 OAuth2 flow with retries against `ResponseClosedException` errors. +- Fixed `auth0org_id` column naming to align with Hibernate naming strategy. +- Fixed erroneous `@QueryValue` annotations on SSO controller path variables causing 404 errors. +- Fixed `@PermissionRequired` interceptor binding with `@Type` annotation. +- Fixed `@JWTAuthRequired` interceptor binding with `@Type` annotation to prevent silent bypass. + +### Monitoring and observability + +- Fixed dashboard drop-down scrolling and character overflow. +- Fixed task logging to use populated `taskId` instead of empty `id`. +- Fixed `user_sign_in` audit events to correctly populate the actor field with the signing user's ID. + +### General + +- Fixed side navigation width not updating in Safari when toggling the collapsed state. +- Fixed credits banner appearing during page load. +- Fixed oversized icon on the forbidden access page. + +## Upgrade notes + +No breaking changes. Standard upgrade procedure applies. + +### Configuration changes + +- `TOWER_AUDIT_LOG_V2_ENABLED` and `TOWER_AUDIT_LOG_V2_WRITE_MODE` added as configuration options. + + - `TOWER_AUDIT_LOG_V2_WRITE_MODE`: Turns on the v2 Audit Log for parallel writes with v1 Audit Log. + - `TOWER_AUDIT_LOG_V2_ENABLED`: Turns on or off the v2 Audit Log view from the Admin Panel. + +### Database migrations + +Database migrations run automatically during upgrade. No manual steps required. diff --git a/docusaurus.config.js b/docusaurus.config.js index ad0321e99..07226336b 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -417,6 +417,15 @@ export default async function createConfigAsync() { ].filter(Boolean), themeConfig: getSeqeraThemeConfig({ + seqera: { + docs: { + versionDropdown: { + 'platform-enterprise': { + showCurrent: process.env.INCLUDE_NEXT ? true : false, + }, + }, + }, + }, typesense: { typesenseCollectionName: 'seqera_docs', searchPagePath: '/search', diff --git a/netlify.toml b/netlify.toml index cd6098467..82de6af11 100644 --- a/netlify.toml +++ b/netlify.toml @@ -17,7 +17,7 @@ DOCUSAURUS_SSG_WORKER_THREAD_COUNT = "1" [context.deploy-preview.build.environment] - INCLUDE_NEXT="" + INCLUDE_NEXT="true" EXCLUDE_CHANGELOG="" EXCLUDE_PLATFORM_CLI="true" EXCLUDE_PLATFORM_ENTERPRISE="" diff --git a/platform-enterprise_docs/enterprise-sidebar.json b/platform-enterprise_docs/enterprise-sidebar.json index 3939a3408..5cd7691ca 100644 --- a/platform-enterprise_docs/enterprise-sidebar.json +++ b/platform-enterprise_docs/enterprise-sidebar.json @@ -230,7 +230,8 @@ "seqera-ai/installation", "seqera-ai/authentication", "seqera-ai/command-approval", - "seqera-ai/use-cases" + "seqera-ai/use-cases", + "seqera-ai/projects" ] }, { diff --git a/platform-enterprise_docs/enterprise/_templates/docker/docker-compose.yml b/platform-enterprise_docs/enterprise/_templates/docker/docker-compose.yml index c9fc65ce5..472b62ef5 100644 --- a/platform-enterprise_docs/enterprise/_templates/docker/docker-compose.yml +++ b/platform-enterprise_docs/enterprise/_templates/docker/docker-compose.yml @@ -47,7 +47,7 @@ services: - $HOME/.tower/db/redis:/data migrate: - image: cr.seqera.io/enterprise/platform/migrate-db:v25.3.6 + image: cr.seqera.io/enterprise/platform/migrate-db:v26.1 platform: linux/amd64 command: -c "/migrate-db.sh" networks: @@ -64,7 +64,7 @@ services: condition: service_healthy cron: - image: cr.seqera.io/enterprise/platform/backend:v25.3.6 + image: cr.seqera.io/enterprise/platform/backend:v26.1 platform: linux/amd64 command: -c '/tower.sh' networks: @@ -85,7 +85,7 @@ services: backend: - image: cr.seqera.io/enterprise/platform/backend:v25.3.6 + image: cr.seqera.io/enterprise/platform/backend:v26.1 platform: linux/amd64 command: -c '/wait-for-it.sh db:3306 -t 60; /tower.sh' networks: @@ -110,7 +110,7 @@ services: - cron frontend: - image: cr.seqera.io/enterprise/platform/frontend:v25.3.6 + image: cr.seqera.io/enterprise/platform/frontend:v26.1 platform: linux/amd64 networks: - frontend diff --git a/platform-enterprise_docs/enterprise/configuration/configtables/audit_log_v2_env.yml b/platform-enterprise_docs/enterprise/configuration/configtables/audit_log_v2_env.yml new file mode 100644 index 000000000..fa0680781 --- /dev/null +++ b/platform-enterprise_docs/enterprise/configuration/configtables/audit_log_v2_env.yml @@ -0,0 +1,36 @@ +--- +- + Environment variable: '`TOWER_AUDIT_LOG_V2_WRITE_MODE`' + Description: > + Determine which audit log tables receive write operations. Accepted values are `v1` (legacy table only), `v2` (v2 table only), or `dual` (both tables simultaneously). + Value: 'Default: `v1`' +- + Environment variable: '`TOWER_AUDIT_LOG_V2_CSV_EXPORT_MAX_LOGS`' + Description: > + Maximum number of records allowed in a single audit log CSV export. + Value: 'Default: `500000`' +- + Environment variable: '`TOWER_AUDIT_LOG_V2_PRE_POST_CHANGE_ENABLED`' + Description: > + Enable capturing pre/post change state images for audit log target resources. + Value: 'Default: `false`' +- + Environment variable: '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_ENABLED`' + Description: > + Enable the audit log cleanup cron job. + Value: 'Default: `true`' +- + Environment variable: '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_INTERVAL`' + Description: > + Interval at which the audit log cleanup cron job runs. + Value: 'Default: `5m`' +- + Environment variable: '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_DELAY`' + Description: > + Initial delay before the audit log cleanup cron job starts after application startup. + Value: 'Default: `10s`' +- + Environment variable: '`TOWER_CRON_AUDIT_LOG_CLEAN_UP_CHUNK_SIZE`' + Description: > + Maximum number of audit log records deleted per cleanup run. + Value: 'Default: `1000`' diff --git a/platform-enterprise_docs/enterprise/configuration/configtables/compute_env_cleanup_env.yml b/platform-enterprise_docs/enterprise/configuration/configtables/compute_env_cleanup_env.yml new file mode 100644 index 000000000..8c3a937aa --- /dev/null +++ b/platform-enterprise_docs/enterprise/configuration/configtables/compute_env_cleanup_env.yml @@ -0,0 +1,36 @@ +--- +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_ENABLED`' + Description: > + Enable the compute environment cleanup cron job, which transitions compute environments stuck in `CREATING` or `DELETING` states. + Value: 'Default: `false`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_DELAY`' + Description: > + Initial delay before the compute environment cleanup cron job runs for the first time after application startup. + Value: 'Default: `1m`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_INTERVAL`' + Description: > + Interval at which the compute environment cleanup cron job runs. + Value: 'Default: `1h`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_BATCH_SIZE`' + Description: > + Number of organizations processed per batch in the compute environment cleanup job. + Value: 'Default: `10`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_TIME_OFFSET`' + Description: > + Delay between consecutive batch tasks in the compute environment cleanup job. + Value: 'Default: `60s`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_STUCK_CREATING_TIMEOUT`' + Description: > + Time after which a compute environment stuck in the `CREATING` state is transitioned to `ERRORED`. + Value: 'Default: `1h`' +- + Environment variable: '`TOWER_COMPUTE_ENV_CLEANUP_STUCK_DELETING_TIMEOUT`' + Description: > + Time after which a compute environment stuck in the `DELETING` state is transitioned to `INVALID`. + Value: 'Default: `1h`' diff --git a/platform-enterprise_docs/enterprise/configuration/configtables/data_features_env.yml b/platform-enterprise_docs/enterprise/configuration/configtables/data_features_env.yml index f7f720eb2..5bc6496c0 100644 --- a/platform-enterprise_docs/enterprise/configuration/configtables/data_features_env.yml +++ b/platform-enterprise_docs/enterprise/configuration/configtables/data_features_env.yml @@ -9,6 +9,7 @@ Description: > Disable Data Explorer automatic cloud bucket retrieval per workspace. Value: 'Example: `,`' +# TODO(26.1): not in platform repo's ENVIRONMENT-VARIABLES.md — verify still valid - Environment variable: '`TOWER_DATA_EXPLORER_CREDENTIALS_TTL`' Description: > @@ -34,6 +35,7 @@ Description: > The period of time that retry attempts will be made even when max retries has been exceeded. Value: 'Default: `1d`' +# TODO(26.1): not in platform repo's ENVIRONMENT-VARIABLES.md — verify still valid - Environment variable: '`TOWER_CONTENT_MAX_FILE_SIZE`' Description: > @@ -49,11 +51,13 @@ Description: > The custom image repository for Wave containers. Ignored if custom image registry is not present. Value: 'Default: `data-studios/`' +# TODO(26.1): default conflict between docs and platform manifest — needs Studios team confirmation - Environment variable: '`TOWER_DATA_STUDIO_WAVE_CUSTOM_IMAGE_NAME_STRATEGY`' Description: > The custom image name strategy for Wave containers. See the [Wave documentation](https://docs.seqera.io/wave/configuration#container-registry) for available options. Value: 'Default: `imageSuffix`' +# TODO(26.1): default conflict between docs and platform manifest — needs Studios team confirmation - Environment variable: '`TOWER_DATA_STUDIO_WAVE_CUSTOM_IMAGE_REGISTRY`' Description: > @@ -99,3 +103,58 @@ Description: > This is set only if the SSH server runs on a different domain to the Connect proxy. Value: 'Example: `ssh.example.com`' +- + Environment variable: '`TOWER_DATA_STUDIO_ALLOWED_WORKSPACES`' + Description: > + Control which workspaces have Studios enabled. Leave unset (default) to enable Studios in all workspaces, set to an empty string to disable Studios for all workspaces, or provide a comma-separated list of workspace IDs to enable Studios only in those workspaces. + Value: 'Default: Enabled for all workspaces' +- + Environment variable: '`TOWER_DATA_STUDIO_DEFAULT_LIFESPAN`' + Description: > + Default lifespan in hours for Studios when no workspace-specific settings are configured. + Value: 'Default: `8`' +- + Environment variable: '`TOWER_DATA_STUDIO_PRIVATE_STUDIO_BY_DEFAULT`' + Description: > + Default privacy setting for Studios when no workspace-specific or Studio-specific settings are configured. Set to `true` to make Studios private by default; the default value (`false`) makes Studios collaborative unless overridden on creation. + Value: 'Default: `false`' +- + Environment variable: '`TOWER_DATA_STUDIO_LIST_MAX_ALLOWED`' + Description: > + Maximum and default number of items returned in a single page when listing Studios. + Value: 'Default: `100`' +- + Environment variable: '`TOWER_DATA_STUDIO_FEATURE_MANIFEST_URL`' + Description: > + The manifest URL used for feature version compatibility checks of Studio clients. + Value: 'Example: `https://example.com/manifest.json`' +- + Environment variable: '`TOWER_DATA_STUDIO_CONNECT_IFRAME_ALLOWED_WORKSPACES`' + Description: > + Control which workspaces have the Studio iframe in Connect enabled. Set to `null` (undefined) to disable for all workspaces, set to an empty string to enable for all workspaces, or provide a comma-separated list of workspace IDs to enable per workspace. + Value: 'Default: null' +- + Environment variable: '`TOWER_DATA_STUDIO_WAVE_STATUS_CHECK_INITIAL_DELAY`' + Description: > + Initial delay before the job that checks Wave build status for Studios in building status runs for the first time. + Value: 'Default: `5s`' +- + Environment variable: '`TOWER_DATA_STUDIO_WAVE_STATUS_CHECK_RATE`' + Description: > + Fixed rate at which Wave build status is checked for Studios in building status. + Value: 'Default: `30s`' +- + Environment variable: '`TOWER_DATA_STUDIO_WAVE_DISALLOWED_REGISTRIES`' + Description: > + Comma-separated list of registry URLs that are not allowed as build destinations for dockerfile-based Studio images. Registries in this list won't be used for pushing dockerfile builds. + Value: 'Default: `community.wave.seqera.io`' +- + Environment variable: '`TOWER_STUDIO_METRICS_ENABLED_WORKSPACES`' + Description: > + Control which workspaces have Studio startup metrics collection enabled. Set to `null` (undefined) to disable for all workspaces, set to an empty string to enable for all workspaces, or provide a comma-separated list of workspace IDs to enable per workspace. + Value: 'Default: null' +- + Environment variable: '`TOWER_STUDIO_METRICS_RETENTION_DAYS`' + Description: > + Number of days to retain Studio startup metrics in the database before automatic deletion. Metrics older than this threshold are deleted by a daily scheduled job. + Value: 'Default: `90`' diff --git a/platform-enterprise_docs/enterprise/configuration/configtables/features_env.yml b/platform-enterprise_docs/enterprise/configuration/configtables/features_env.yml index 0e050f71b..ffa34901f 100644 --- a/platform-enterprise_docs/enterprise/configuration/configtables/features_env.yml +++ b/platform-enterprise_docs/enterprise/configuration/configtables/features_env.yml @@ -24,6 +24,7 @@ Description: > Allow log and report files from Nextflow CLI runs (`-with-tower`) to be accessible in the Seqera UI. Run output files must be accessible to your Seqera workspace primary compute environment. Value: 'Default: `false`' +# TODO(26.1): not in platform repo's ENVIRONMENT-VARIABLES.md — verify still valid - Environment variable: '`TOWER_STEPPED_LAUNCH_FORM_ALLOWED_WORKSPACES`' Description: > diff --git a/platform-enterprise_docs/enterprise/configuration/configtables/tower_logging.yml b/platform-enterprise_docs/enterprise/configuration/configtables/tower_logging.yml index c8c0d591e..28978b01a 100644 --- a/platform-enterprise_docs/enterprise/configuration/configtables/tower_logging.yml +++ b/platform-enterprise_docs/enterprise/configuration/configtables/tower_logging.yml @@ -39,11 +39,13 @@ Description: > The maximum file size of the Platform backend log file. When this limit is reached, a new log file is created. Value: +# TODO(26.1): not in platform repo's ENVIRONMENT-VARIABLES.md — verify still valid - Environment variable: '`LOGGER_LEVELS_IO_SEQERA_TOWER_AGENT`' Description: > Tower Agent logging detail level. Value: 'Options: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`' +# TODO(26.1): not in platform repo's ENVIRONMENT-VARIABLES.md — verify still valid - Environment variable: '`TOWER_AGENT_HEARTBEAT`' Description: > diff --git a/platform-enterprise_docs/enterprise/configuration/overview.mdx b/platform-enterprise_docs/enterprise/configuration/overview.mdx index 91b2abd37..c4b81f0ab 100644 --- a/platform-enterprise_docs/enterprise/configuration/overview.mdx +++ b/platform-enterprise_docs/enterprise/configuration/overview.mdx @@ -390,6 +390,18 @@ Configuration values to enable computing platforms and customize Batch Forge res +### Compute environment cleanup + +A scheduled cron job can transition compute environments that are stuck in `CREATING` or `DELETING` states into terminal states (`ERRORED` or `INVALID`). The cleanup job is disabled by default. + + + + +::table{file=configtables/compute_env_cleanup_env.yml} + + + + ## Git integration Seqera Platform has built-in support for public and private Git repositories. Create [Git provider credentials](../../git/overview) to allow Seqera to interact with the following services: @@ -604,3 +616,15 @@ logger: + +### Audit log v2 + +Configuration values for the v2 audit log subsystem and the audit log cleanup cron job. The v2 audit log adds support for pre/post change state capture and CSV export limits, and runs alongside the existing v1 table when `TOWER_AUDIT_LOG_V2_WRITE_MODE` is set to `dual`. + + + + +::table{file=configtables/audit_log_v2_env.yml} + + + diff --git a/platform-enterprise_docs/enterprise/upgrade.md b/platform-enterprise_docs/enterprise/upgrade.md index 89f04b1cb..952d7461e 100644 --- a/platform-enterprise_docs/enterprise/upgrade.md +++ b/platform-enterprise_docs/enterprise/upgrade.md @@ -1,28 +1,27 @@ --- title: "Upgrade deployment" -description: "Guidance for upgrading to Platform Enterprise version 25.3" +description: "Guidance for upgrading to Platform Enterprise version 26.1" date created: "2025-11-11" -last updated: "2026-01-30" +last updated: "2026-05-06" tags: [enterprise, update, install] --- -This page outlines the steps to upgrade your database instance and Platform Enterprise installation to version 25.3, including special considerations for upgrading from versions prior to 25.1. +This page outlines the steps to upgrade your database instance and Platform Enterprise installation to version 26.1, including special considerations for upgrading from earlier versions. :::note - Make a backup of your Platform database prior to upgrade. -- If you are upgrading from a version prior to 25.1, complete all intermediate major version upgrades before upgrading to 25.3. +- If you are upgrading from a version prior to 25.1, complete all intermediate major version upgrades before upgrading to 26.1, for example from 23.1 upgrade to 24.1, then 25.1, and finally 26.1. More specific requirements are detailed below for each major version. - Ensure that no pipelines are in a running state during this upgrade as active run data may be lost. ::: -### Considerations for versions prior to 24.1 - -- If you are upgrading from a version older than 23.4.1, update your installation to version 23.4.4 **first**, before updating to version 25.3 with the steps on this page. +## Considerations for versions prior to 24.1 +- If you are upgrading from a version older than 23.4.1, update your installation to version 23.4.4 **first**, before updating to version 26.1 with the steps on this page. - **MySQL 8 required** - From Seqera Enterprise version 23.4, MySQL 8 is the only supported database version. If you are running MySQL 5.6 or 5.7, you must upgrade your database to MySQL 8 before upgrading to version 23.4 or later. See [General upgrade steps](#general-upgrade-steps) for database upgrade instructions. + From Seqera Enterprise version 23.4, MySQL 8 was the only supported database version. If you are running MySQL 5.6 or 5.7, you must upgrade your database to a supported MySQL version (see the [26.1 database considerations below](#database-changes) for the new baseline) before upgrading. -### Considerations for versions 24.1 - 25.1 +## Considerations for versions 24.1 – 25.1 - **OIDC Secrets injection modifications** @@ -38,32 +37,100 @@ This page outlines the steps to upgrade your database instance and Platform Ente - **Redis version change and property deprecation** - - From Seqera Enterprise version 24.2, Redis version 6.2 or greater is required, and the stable and generally available version 7.4.5 is strongly recommended. - - From Seqera Enterprise version 24.2, `redisson.*` configuration properties are deprecated. If you have set `redisson.*` properties directly previously, do the following: - • Replace `/redisson/*` references in AWS Parameter Store entries with TOWER_REDIS_*. - • Replace `redisson.*` references in tower.yml with `TOWER_REDIS_*`. - :::note - Set TOWER_REDIS_* values directly in the tower.yml or AWS Parameter Store entry (for example, TOWER_REDIS_URL: redis://...). - ::: + - From Seqera Enterprise version 24.2, Redis version 6.2 or greater was required. **In 26.1, Redis 6.x is no longer supported — see the [26.1 cache considerations](#cache-layer-changes-redis-eol-and-valkey-support) below.** + - From Seqera Enterprise version 24.2, `redisson.*` configuration properties are deprecated. If you previously set `redisson.*` properties directly: + - Replace `/redisson/*` references in AWS Parameter Store entries with `TOWER_REDIS_*` environment variables. + - Replace `redisson.*` references in `tower.yml` with `TOWER_REDIS_*` environment variables. + + :::note + Set `TOWER_REDIS_*` values directly in the `tower.yml` or AWS Parameter Store entry (for example, `TOWER_REDIS_URL: redis://...`). + ::: - **Micronaut property key changes** - In version 24.1, the property that determines the expiration time of the JWT access token (used for authenticating web sessions and Nextflow-Platform interactions) has changed: + In version 24.1, the property that determines the expiration time of the JWT access token (used for authenticating web sessions and Nextflow-Platform interactions) changed: - | Previous | New | - | ---------------------------------------------------------------- | ------------------------------------------------------------ | + | Previous | New | + | --- | --- | | `micronaut.security.token.jwt.generator.access-token.expiration` | `micronaut.security.token.generator.access-token.expiration` | Enterprise deployments that have customized this value previously will need to adopt the new format. -### Version 25.3 upgrade considerations +## Considerations for version 25.3 + +- **Secret key rotation requires backup and careful configuration** + + To configure [secret key rotation](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#secret-key-rotation): + + - To prevent data loss, perform a backup of your Platform database and securely back up your current crypto secret key before enabling and performing key rotation. + - All backend pods or containers for your Enterprise deployment must contain the same previous and new secret key values in their configuration. + - All backend pods or containers must be in a ready/running state before starting the Platform cron service. + +## Version 26.1 upgrade considerations + +### Database changes -**Secret key rotation requires backup and careful configuration** +26.1 changes the supported database baseline. Review your current database against the table below **before upgrading**. -To configure [secret key rotation](../enterprise/configuration/overview.mdx#secret-key-rotation): -- To prevent data loss, perform a backup of your Platform database and securely back up your current crypto secret key before enabling and performing key rotation. -- All backend pods or containers for your Enterprise deployment must contain the same previous and new secret key values in their configuration. -- All backend pods or containers must be in a ready/running state before starting the Platform cron service. +| Database / version | 26.1 status | Action | +| --- | --- | --- | +| MySQL 5.7 | No longer tested or supported (upstream EoL) | Upgrade to MySQL 8.4 before upgrading to 26.1 | +| MySQL 8.0 | No longer tested or supported (upstream EoL April 2026) | Upgrade to MySQL 8.4 | +| MySQL 8.4 (LTS) | Recommended default | No action | +| MariaDB | No longer tested or supported | Contact Seqera Professional Services for migration support | +| AWS Aurora MySQL (provisioned) | Supported | No action | +| AWS Aurora Serverless | Not supported (existing guidance) | Migrate to a supported configuration | + +If you are running on MySQL 5.7, MySQL 8.0, or MariaDB, complete your database migration **before** running the 26.1 application upgrade. The Seqera-supplied `migrate-db` container will not run against an unsupported database version. + +### Cache layer changes: Redis EoL and Valkey support + +26.1 introduces Valkey support and tightens Redis version requirements. + +| Cache / version | 26.1 status | Action | +| --- | --- | --- | +| Redis 6.x | EoL upstream — no longer supported | Upgrade to Redis 7.2+ or migrate to Valkey 7+ | +| Redis 7.2 | Supported | No action | +| Redis 8.x | Supported | No action | +| Redis 9.x | Not supported | Do not upgrade Redis to version 9 | +| Valkey 7.x | Newly supported in 26.1 | Optional migration path from Redis | +| Valkey 8.x | Supported | Optional migration path from Redis | + +#### Migrating from Redis to Valkey + +To migrate from Redis to Valkey, update the `TOWER_REDIS_URL` connection scheme to use `valkey://` (or `valkeyss://` for TLS). The Redisson client embedded in Platform 26.1 has been upgraded to support Valkey 7 and 8 dial schemes; no further configuration is required. + +:::note +Redis password and ACL configuration carry over unchanged when migrating to Valkey. +::: + +### Frontend image — root user deprecation + +The frontend image running as root user is removed in 26.1. The unprivileged ("rootless") image is now the only supported frontend image. If you have not already migrated, update your `tower-svc.yml` (Kubernetes) or `docker-compose.yml` (Docker Compose) to reference the unprivileged image when downloading the new templates in the General upgrade steps below. + +See the [unprivileged frontend image documentation](https://docs.seqera.io/platform-enterprise/enterprise/platform-kubernetes#seqera-frontend-unprivileged) for security context, file system, and port differences. + +### Studios — enabled on all workspaces by default + +In 26.1, Studios is enabled on every workspace in your instance by default. This is a behavior change from earlier versions where Studios required explicit per-workspace enablement. + +The [`TOWER_DATA_STUDIO_ALLOWED_WORKSPACES`](./configuration/overview#data-features) environment variable controls Studios availability: + +| Value | Behaviour | +| --- | --- | +| Unset (new default) | Studios enabled on **all workspaces** | +| `""` (empty string) | Studios disabled on all workspaces | +| Comma-separated workspace IDs | Studios enabled only on the listed workspaces | + +To preserve previous opt-in behaviour after upgrading, set `TOWER_DATA_STUDIO_ALLOWED_WORKSPACES=""` before the upgrade, or set it to a comma-separated list of workspace IDs to allow. + +#### Studios container template version + +The recommended Studios container template version for 26.1 is **0.9**. If you have customized your Studios container templates, update them to the 0.9 base images during this upgrade. Templates pinned to earlier Connect versions may no longer be supported. See the [Studios migration documentation](https://docs.seqera.io/platform-enterprise/studios/managing#migrate-a-studio-from-an-earlier-container-image-template). + +### AWS data lineage tracking via SQS (preview, AWS only) + +26.1 introduces a preview of AWS data lineage tracking that depends on an Amazon SQS queue. This feature is AWS-only and disabled by default. If you plan to enable it, ensure your IAM policies grant the Seqera role the relevant SQS permissions in addition to the existing [Seqera IAM permissions](../compute-envs/aws-batch#iam-user-creation). ### General upgrade steps @@ -71,10 +138,6 @@ To configure [secret key rotation](../enterprise/configuration/overview.mdx#secr The database volume is persistent on the local machine by default if you use the `volumes` key in the `db` or `redis` section of your `docker-compose.yml` file to specify a local path to the DB or Redis instance. If your database is not persistent, you must back up your database before performing any application or database upgrades. ::: -:::info -Starting from version 26.1, the frontend image running as root user will be deprecated. We recommend starting to switch to the [root-less image (also known as "unprivileged" image)](./platform-kubernetes#seqera-frontend-unprivileged) during this upgrade. -::: - 1. Make a backup of the Seqera database. If you use the pipeline optimization service and your `groundswell` database resides in a database instance separate from your Seqera database, make a backup of your `groundswell` database as well. 1. Download the latest versions of your deployment templates and update your Seqera container versions: - [docker-compose.yml](./_templates/docker/docker-compose.yml) for Docker Compose deployments @@ -103,12 +166,14 @@ Starting from version 26.1, the frontend image running as root user will be depr - Run the `/migrate-db.sh` script provided in the `migrate-db` container. This will migrate the database schema. - Deploy Seqera following your usual procedures. -### Nextflow launcher image +## Nextflow launcher image -If you host your nf-launcher container image on a private image registry, copy the [nf-launcher image](https://quay.io/seqeralabs/nf-launcher:j17-24.04.4) to your private registry. Then update your `tower.env` with the launch container environment variable: +If you host your nf-launcher container image on a private image registry, copy the [nf-launcher image](https://quay.io/seqeralabs/nf-launcher:j17-25.10.x) *(confirm exact tag at release cut)* to your private registry. Then update your `tower.env` with the launch container environment variable: - `TOWER_LAUNCH_CONTAINER=` +``` +TOWER_LAUNCH_CONTAINER= +``` :::caution -If you're using AWS Batch, you will need to [configure a custom job definition](./advanced-topics/custom-launch-container) and populate the `TOWER_LAUNCH_CONTAINER` with the job definition name instead. +If you're using AWS Batch, you will need to [configure a custom job definition](https://docs.seqera.io/platform-enterprise/enterprise/advanced-topics/custom-launch-container) and populate the `TOWER_LAUNCH_CONTAINER` with the job definition name instead. ::: diff --git a/platform-enterprise_docs/git/_images/credentials-github-app-form.png b/platform-enterprise_docs/git/_images/credentials-github-app-form.png new file mode 100644 index 000000000..4d00f2c73 Binary files /dev/null and b/platform-enterprise_docs/git/_images/credentials-github-app-form.png differ diff --git a/platform-enterprise_docs/git/_images/credentials-github-install-app.png b/platform-enterprise_docs/git/_images/credentials-github-install-app.png new file mode 100644 index 000000000..8acfc90d3 Binary files /dev/null and b/platform-enterprise_docs/git/_images/credentials-github-install-app.png differ diff --git a/platform-enterprise_docs/git/_images/credentials-github-mainfest-page.png b/platform-enterprise_docs/git/_images/credentials-github-mainfest-page.png new file mode 100644 index 000000000..b26415e83 Binary files /dev/null and b/platform-enterprise_docs/git/_images/credentials-github-mainfest-page.png differ diff --git a/platform-enterprise_docs/git/overview.md b/platform-enterprise_docs/git/overview.md index 9c858ef42..214e8cb45 100644 --- a/platform-enterprise_docs/git/overview.md +++ b/platform-enterprise_docs/git/overview.md @@ -126,6 +126,84 @@ After you've created and copied your access token, create a new credential in Se 5. (Recommended) Enter the **Repository base URL** for which the credentials should be applied. This option is used to apply the provided credentials to a specific repository, e.g., `https://github.com/seqeralabs`. +### GitHub App + +As an alternative to personal access tokens, you can authenticate Seqera Platform to GitHub using a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps). GitHub Apps are the GitHub-recommended way to integrate with the GitHub API: they act on their own behalf rather than impersonating a user, support fine-grained permissions scoped to specific repositories, and use short-lived installation tokens that are not tied to a single account. + +When you select _GitHub_ as the **Provider**, the credentials form shows a **GitHub credential type** selector with two tabs: + +- **Access token** — Authenticate using a personal access token (PAT) for API access. This is the legacy flow described in the [GitHub](#github) section above. +- **GitHub App** — Set up app-based authentication with dedicated credentials. When you select this tab, a second selector lets you choose between two flows: + - **Create and add** — Use the GitHub App manifest flow to create a new app on GitHub directly from Seqera. Seqera generates a pre-filled manifest, redirects you to GitHub for approval, then automatically retrieves and stores the resulting App ID, private key, client secret, and webhook secret. + - **Add preexisting** — Register an app you have already created on GitHub by entering its App ID, installation ID, private key, and other security keys manually. + +The manifest flow (**Create and add**) is recommended for new integrations: it eliminates the manual copy-paste of multiple secrets, ensures the app is created with the minimum required permissions (`contents: read`, `metadata: read`), and avoids configuration errors. Use **Add preexisting** only when the app already exists or when you must create the app outside of Seqera. + +![GitHub App credentials form showing the Access token / GitHub App tabs and the Create and add / Add preexisting sub-selector](./_images/credentials-github-app-form.png) + +**Create a new GitHub App from Seqera** + +To create and install a GitHub App from Seqera using the manifest flow: + +1. From an organization workspace: Select **Credentials > Add Credentials**. From your personal workspace: Go to the user menu and select **Your credentials > Add credentials**. + +2. Enter a **Name** for the new credentials, e.g., `my-github-app`. Underscores in the credential name are replaced with spaces in the resulting GitHub App name (`Seqera Platform - my github app`). + +3. Select _GitHub_ as the **Provider**, set the **GitHub credential type** to **GitHub App**, then select **Create and add**. + +4. Enter the **GitHub URL**: + + - For GitHub.com, leave the default value (`https://github.com`). + - For a GitHub Enterprise Server instance, enter the base URL of your instance (for example, `https://github.example.com`). HTTPS is required, and private or loopback addresses are rejected. + +5. (Optional) Enter the **GitHub repository URL** to scope access to a single repository, e.g., `https://github.com/seqeralabs/nf-tower`. Leave this field empty to create credentials that are not bound to a specific repository. + +6. Select the **App scope**: + + - **Organization** — App owned by an organization (requires admin access). Enter the **GitHub organization name** (case-sensitive). You must be an **owner** of the target organization to create an app on its behalf. + - **Personal** — App owned by your personal GitHub account. The **GitHub organization name** field is hidden. + +7. Select **Create app on GitHub**. Seqera redirects you to GitHub: + + - For personal scope: `https://github.com/settings/apps/new` + - For organization scope: `https://github.com/organizations//settings/apps/new` + - For GitHub Enterprise Server, the equivalent path on your instance. + + The manifest is pre-filled with the app name, callback URL, webhook URL, and the required permissions (`contents: read`, `metadata: read`). + + ![GitHub "Create GitHub App" page with the manifest pre-filled, showing the app name "Seqera Platform - new github app"](./_images/credentials-github-mainfest-page.png) + +8. On GitHub, review the requested permissions and select **Create GitHub App**. GitHub redirects you back to Seqera, which exchanges the temporary code for the app credentials and stores them in your workspace or personal credentials. + +9. After the redirect, install the app on the repositories you want Seqera to access: + + - Open the new app on GitHub: **Settings > Developer settings > GitHub Apps > [your app] > Install App**. + - For an organization-owned app, select the organization. For a personal app, select your user account. + - Choose **Only select repositories** and add the specific repositories Seqera should access, or **All repositories** to grant access to all current and future repositories. + - Select **Install** to complete installation. + + ![GitHub App installation page showing "Only select repositories" with one or more repositories selected](./_images/credentials-github-install-app.png) + +The new credential appears in the **Credentials** list with the GitHub App icon. Credentials created from a workspace credentials page are scoped to that workspace; credentials created from your personal credentials page are scoped to your user and are not visible to any workspace. + +:::note +If you cancel the manifest flow on GitHub or close the browser tab before approving the app, no credential is created on the Seqera side. The temporary state that protects the redirect against CSRF expires after 10 minutes and cannot be reused — restart the flow from the credentials form. +::: + +**Add an existing GitHub App** + +If you have already created and installed a GitHub App, register it in Seqera by setting the **GitHub credential type** to **GitHub App** and selecting **Add preexisting**, then entering the app's security keys (App ID, installation ID, app slug, private key, client secret, and webhook secret) along with the same **GitHub URL**, **App scope**, and optional **GitHub repository URL** fields described above. You can find these values under **Settings > Developer settings > GitHub Apps > [your app]** on GitHub. + +**Handling duplicate credentials** + +Seqera enforces uniqueness of GitHub App credentials by **Repository URL** within the same workspace or user context. If you attempt to create a credential — through either the manifest flow or the existing-app flow — for a repository URL that already has a GitHub App credential, the operation fails with a duplicate error and no new credential is stored. + +To resolve a duplicate: + +- **Reuse the existing credential** — In most cases the existing credential already grants Seqera the access it needs. Open it from the **Credentials** list to confirm the installed app and repository association. +- **Delete the obsolete credential first** — If the existing credential is stale (for example, the app has been uninstalled or the private key was rotated outside of Seqera), delete it from the **Credentials** list and then re-run the creation flow. +- **Use a different repository URL or leave the field empty** — If you need a second credential covering a broader scope, omit the **Repository URL** or use a different one. Seqera's credential filtering then selects the most specific match at launch time. + ### GitLab GitLab supports [Personal](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html), [Group](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#group-access-tokens), and [Project](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) access tokens for authentication. Your access token must have the `api`, `read_api`, and `read_repository` scopes to work with Seqera. For all three token types, use the token value in both the **Password** and **Access token** fields in the Seqera credential creation form. diff --git a/platform-enterprise_docs/seqera-ai/index.md b/platform-enterprise_docs/seqera-ai/index.md index 90e7b2ff9..e85b39727 100644 --- a/platform-enterprise_docs/seqera-ai/index.md +++ b/platform-enterprise_docs/seqera-ai/index.md @@ -63,10 +63,15 @@ Resume previous sessions to continue your work. Use `seqera ai -c` to continue y Full access to Platform capabilities including compute environments, datasets, data links, and workspace management. +### Projects + +Organize a workspace into projects by applying Seqera Platform labels prefixed with `project_`. Each project scopes the pipelines, datasets, workflow runs, and chat context the AI sees, without needing a separate CRUD surface in Seqera AI. + ## Learn more - [Installation](./installation.mdx): Detailed installation instructions - [Authentication](./authentication.md): Log in, log out, and session management - [Command approval](./command-approval.md): Control which commands run automatically - [Use cases](./use-cases.md): Seqera AI CLI use cases +- [Projects](./projects.md): Organize workspace resources into projects using Platform labels - [Troubleshooting](../troubleshooting_and_faqs/seqera-ai.md): Troubleshoot common errors diff --git a/platform-enterprise_docs/seqera-ai/projects.md b/platform-enterprise_docs/seqera-ai/projects.md new file mode 100644 index 000000000..b2455254a --- /dev/null +++ b/platform-enterprise_docs/seqera-ai/projects.md @@ -0,0 +1,92 @@ +--- +title: "Projects" +description: "Organize workspace resources into projects using Seqera Platform labels" +date: "2026-04-22" +tags: [seqera-ai, projects, labels] +--- + +:::caution Seqera AI is in beta +Seqera AI is currently in beta. Features and behavior may change as we continue to improve the product. +::: + +Projects in Seqera AI group the pipelines, datasets, and workflow runs that belong to a single piece of work. You can view and chat about them without the noise of the rest of the workspace. + +Projects are not created inside Seqera AI. They are derived from **workspace labels in Seqera Platform** whose names start with `project_`. Each matching label surfaces in Seqera AI as a separate project scope, with the Platform label acting as the source of truth for membership. + +:::note +Projects are part of the Seqera AI **portal web interface**. The portal must be deployed alongside Seqera AI in your Enterprise installation. See [Install Seqera AI](../enterprise/install-seqera-ai.md) for more information. +::: + +## How projects are derived + +When you open a workspace in the Seqera AI portal web interface: + +1. Seqera AI reads the list of workspace labels from the Seqera Platform API. +2. Any label whose name starts with `project_` becomes a project. +3. An **Entire workspace** view is included alongside your projects. You can see every resource in the workspace. +4. Pipelines, datasets, and workflow runs are scoped to a project by matching on its `project_*` label. + +Because membership lives on the Platform label, adding or removing a resource from a project is the same action as applying or removing the label in Platform. + +## Create a project + +To create a project: + +1. In **Seqera Platform**, open the workspace where the project should live. +2. Go to **Labels** in workspace settings and create a new label with the `project_` prefix. For example: + - `project_rnaseq` + - `project_variant_calling` + - `project_chip_seq` +3. Apply the label to the pipelines and datasets that belong to the project. +4. Open Seqera AI. The new project appears on the **Projects** page and in the chat project selector on the next page load. + +:::tip +Create the label in workspace settings **before** applying it to resources. This ensures the label has a Platform-assigned ID, which Seqera AI needs to auto-attach the label when you upload new datasets into the project. +::: + +## Display names + +Seqera AI strips the `project_` prefix to produce the display name shown in the portal: + +| Platform label | Seqera AI display name | +|-----------------------|-------------------------| +| `project_rnaseq` | Project rnaseq | +| `project_wgs` | Project wgs | +| `project_single_cell` | Project single_cell | + +Choose descriptive names after the prefix so projects are easy to identify. + +## Where projects appear + +Once a `project_*` label exists in the workspace and is applied to at least one resource, the project is used in the following places: + +- **Projects page**: one row per project, plus the **Entire workspace** row. +- **Project details page**: the pipelines, datasets, and workflow runs filtered to that project's label. +- **Chat project selector**: scopes the resources the AI can see and act on during a chat session. +- **Dataset upload**: when you upload a dataset from inside a project, the project's label is auto-attached. + +## Edge cases + +### A resource carries a `project_*` label that isn't in the workspace label list + +If a pipeline has a `project_*` label but the label has not been created in workspace settings, Seqera AI still surfaces the project, inferred from the pipeline. In this case: + +- The project has no Platform-assigned label ID. +- Dataset uploads into the project cannot auto-attach the label. + +To avoid this, always create `project_*` labels in workspace settings first, then apply them. + +### No `project_*` labels in the workspace + +When a workspace has no `project_*` labels: + +- The **Projects** page shows a **No projects configured yet** empty state. +- The project selector is hidden in the chat header. +- The workspace view shows a header-only empty state. + +Ask a workspace admin to create the first `project_*` label to enable projects for the workspace. + +## Learn more + +- [Install Seqera AI](../enterprise/install-seqera-ai.md): Deploy Seqera AI and the portal web interface in Enterprise +- [Get started with Seqera AI](./get-started.md): Install and authenticate the Seqera AI CLI