Merge branch 'main' into merge-3.6.x-main-f94ba6d

.github/workflows/continous-integration.yml

@@ -1095,8 +1095,6 @@ jobs:
           IS_NEWEST_VERSION=${{ needs.build_docker_base_images_and_set_env.outputs.is_newest_version }}
 
           docker buildx bake --set *.platform=linux/amd64,linux/arm64 -f docker/docker-bake.hcl ${{ matrix.image }} --push
-          docker buildx bake --set *.platform=linux/amd64 -f docker/docker-bake.hcl ${{ matrix.image }} --load
-          docker buildx bake --set *.platform=linux/arm64 -f docker/docker-bake.hcl ${{ matrix.image }} --load
 
           # Tag the image as latest
           if [[ "${IS_NEWEST_VERSION}" == "true" ]]; then
@@ -1107,9 +1105,11 @@ jobs:
             fi
 
             LATEST_TAG=$(echo $RELEASE_TAG | sed 's/'$IMAGE_TAG'/latest/g')
-
-            docker tag rasa/rasa:${RELEASE_TAG} rasa/rasa:${LATEST_TAG}
-            docker push rasa/rasa:${LATEST_TAG}
+            
+            # This will not build the image from ground up, but will only tag the existing image with LATEST_TAG
+            IMAGE_TAG=${LATEST_TAG} docker buildx bake --set *.platform=linux/amd64,linux/arm64 -f docker/docker-bake.hcl ${{ matrix.image }}
+            # Push tagged image
+            IMAGE_TAG=${LATEST_TAG} docker buildx bake --set *.platform=linux/amd64,linux/arm64 -f docker/docker-bake.hcl ${{ matrix.image }} --push
           fi
 
   deploy:

.typo-ci.yml

@@ -62,27 +62,43 @@ excluded_files:
 
 # # Any typos we should ignore?
 excluded_words:
+  - CDD
+  - Comerica
+  - ConveRTFeaturizer
+  - ConveRTTokenizer
+  - HookimplMarker
+  - Juste
+  - NLG
+  - README
+  - Tanja
+  - Vova
   - analytics
+  - anonymization
+  - anonymized
   - asyncio
+  - backends
   - bot
   - bot's
   - cdd
-  - CDD
   - cmdline
+  - conftest
   - conveRT
-  - ConveRTFeaturizer
-  - ConveRTTokenizer
+  - crf
+  - crfentityextractor
   - crfsuite
+  - crypto
   - custom-nlg-service
+  - customizable
   - daksh
+  - dataset
   - db's
-  - deque
-  - docusaurus
-  - non-latin
   - deduplicate
   - deduplication
+  - deque
+  - docusaurus
   - donath
-  - matplotlib
+  - dslim
+  - entitysynonymmapper
   - extractor
   - fbmessenger
   - featurization
@@ -95,13 +111,17 @@ excluded_words:
   - forni
   - gzip
   - gzipped
+  - hallo
   - hftransformersnlp
+  - hookimpl
   - initializer
   - instaclient
-  - jwt
-  - jwt's
+  - ish
+  - jieba
   - jupyter
   - jupyterhub
+  - jwt
+  - jwt's
   - karpathy
   - keras
   - knowledgebase
@@ -110,101 +130,82 @@ excluded_words:
   - llm
   - luis
   - matmul
+  - matplotlib
   - mattermost
   - memoization
+  - memoizationpolicy
   - miniconda
   - mitie
-  - mitiefeaturizer
   - mitie's
+  - mitiefeaturizer
   - mitienlp
-  - dataset
   - mongod
   - mrkdown
   - mrkdwn
   - myio
   - mymodelname
   - myuser
-  - numpy
   - networkx
+  - ngram
+  - nlg
   - nlu
   - nlu's
+  - non-latin
+  - numpy
   - perceptron
+  - pii-management
   - pika
   - pika's
-  - jieba
+  - pluggy
+  - pre
   - pretrained
   - prototyper
+  - prototyper
   - pycodestyle
   - pykwalify
   - pymessenger
   - pyobject
   - python-engineio
-  - pre
-  - customizable
   - quickstart
   - rasa
   - rasa's
   - readthedocs
+  - regexes
+  - regexfeaturizer
   - regularizer
   - repo
   - rst
+  - ruamel
+  - rustc
+  - rustup
+  - rustup-init
   - sanic
   - sanitization
   - scipy
   - sklearn
   - socketio
+  - spaCy
+  - spaCy's
   - spacy
   - spacyfeaturizer
   - spacynlp
-  - ish
-  - spaCy
-  - spaCy's
-  - README
-  - crf
-  - backends
-  - whitespaced
-  - ngram
   - subsampled
   - testagent
+  - thisismysecret
+  - tokenization
   - tokenize
   - tokenized
-  - tokenization
   - tokenizer
   - tokenizers
   - tokenizing
   - typoci
   - unfeaturized
   - unschedule
-  - wsgi
-  - ruamel
-  - prototyper
-  - hallo
-  - crypto
-  - regexes
+  - venv
   - walkthroughs
   - webexteams
-  - venv
-  - regexfeaturizer
-  - crfentityextractor
-  - Comerica
-  - entitysynonymmapper
-  - memoizationpolicy
-  - NLG
-  - nlg
-  - Juste
-  - Tanja
-  - Vova
-  - rustup
-  - rustup-init
-  - rustc
-  - conftest
+  - whitespaced
   - winpty
-  - pii-management
-  - anonymization
-  - anonymized
-  - dslim
-  - pluggy
-  - HookimplMarker
-  - hookimpl
+  - wsgi
 
 spellcheck_filenames: false

3.7.0b1/main_plain/.config/rasa/global.yml

@@ -0,0 +1,4 @@
+metrics:
+  enabled: true
+  rasa_user_id: 003ff8fbd6e04031b5597b37356022d4
+  date: 2023-09-12 13:20:59.423434

changelog/1557.improvement.md

@@ -0,0 +1,8 @@
+Added environment variables to configure JWT and auth token.
+For JWT the following environment variables are available:
+- JWT_SECRET
+- JWT_METHOD
+- JWT_PRIVATE_KEY
+
+For auth token the following environment variable is available:
+- AUTH_TOKEN

docs/docs/http-api.mdx

@@ -66,6 +66,18 @@ rasa run \
     --auth-token thisismysecret
 ```
 
+You can also use environment variable `AUTH_TOKEN` to set the auth token:
+```
+AUTH_TOKEN=thisismysecret
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 Any clients sending requests to the server must pass the token
 as a query parameter, or the request will be rejected. For example, to fetch a tracker from the server:
 
@@ -85,6 +97,18 @@ rasa run \
     --jwt-secret thisismysecret
 ```
 
+You can also use environment variable `JWT_SECRET` to set the JWT secret:
+```
+JWT_SECRET=thisismysecret
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 If you want to sign a JWT token with asymmetric algorithms, you can specify the JWT private key to the `--jwt-private-key`
 CLI argument. You must pass the public key to the `--jwt-secret` argument, and also specify the algorithm to the
 `--jwt-method` argument:
@@ -97,6 +121,20 @@ rasa run \
     --jwt-method RS512
 ```
 
+You can also use environment variables to configure JWT:
+```
+JWT_SECRET=<public_key>
+JWT_PRIVATE_KEY=<private_key>
+JWT_METHOD=RS512
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 Client requests to the server will need to contain a valid JWT token in
 the `Authorization` header that is signed using this secret
 and the `HS256` algorithm e.g.

docs/docs/setting-up-ci-cd.mdx

@@ -68,7 +68,6 @@ jobs:
       - name: Rasa Train and Test GitHub Action
         uses: RasaHQ/rasa-train-test-gha@main
         with:
-          requirements_file: requirements.txt
           data_validate: true
           rasa_train: true
           cross_validation: true

rasa/cli/arguments/run.py

@@ -1,8 +1,17 @@
+import os
+
 import argparse
 from typing import Union
 
 from rasa.cli.arguments.default_arguments import add_model_param, add_endpoint_param
 from rasa.core import constants
+from rasa.env import (
+    DEFAULT_JWT_METHOD,
+    JWT_METHOD_ENV,
+    JWT_SECRET_ENV,
+    JWT_PRIVATE_KEY_ENV,
+    AUTH_TOKEN_ENV,
+)
 
 
 def set_run_arguments(parser: argparse.ArgumentParser) -> None:
@@ -82,16 +91,25 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
         "yml file.",
     )
 
+    add_server_settings_arguments(parser)
+
+
+def add_server_settings_arguments(parser: argparse.ArgumentParser) -> None:
+    """Add arguments for the API server.
+
+    Args:
+        parser: Argument parser.
+    """
     server_arguments = parser.add_argument_group("Server Settings")
 
     add_interface_argument(server_arguments)
-
     add_port_argument(server_arguments)
 
     server_arguments.add_argument(
         "-t",
         "--auth-token",
         type=str,
+        default=os.getenv(AUTH_TOKEN_ENV),
         help="Enable token based authentication. Requests need to provide "
         "the token to be accepted.",
     )
@@ -150,10 +168,20 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
         "--connector", type=str, help="Service to connect to."
     )
 
+    add_jwt_arguments(parser)
+
+
+def add_jwt_arguments(parser: argparse.ArgumentParser) -> None:
+    """Adds arguments related to JWT authentication.
+
+    Args:
+        parser: Argument parser.
+    """
     jwt_auth = parser.add_argument_group("JWT Authentication")
     jwt_auth.add_argument(
         "--jwt-secret",
         type=str,
+        default=os.getenv(JWT_SECRET_ENV),
         help="Public key for asymmetric JWT methods or shared secret"
         "for symmetric methods. Please also make sure to use "
         "--jwt-method to select the method of the signature, "
@@ -163,12 +191,13 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
     jwt_auth.add_argument(
         "--jwt-method",
         type=str,
-        default="HS256",
+        default=os.getenv(JWT_METHOD_ENV, DEFAULT_JWT_METHOD),
         help="Method used for the signature of the JWT authentication payload.",
     )
     jwt_auth.add_argument(
         "--jwt-private-key",
         type=str,
+        default=os.getenv(JWT_PRIVATE_KEY_ENV),
         help="A private key used for generating web tokens, dependent upon "
         "which hashing algorithm is used. It must be used together with "
         "--jwt-secret for providing the public key.",

rasa/env.py

@@ -0,0 +1,5 @@
+AUTH_TOKEN_ENV = "AUTH_TOKEN"
+JWT_SECRET_ENV = "JWT_SECRET"
+JWT_METHOD_ENV = "JWT_METHOD"
+DEFAULT_JWT_METHOD = "HS256"
+JWT_PRIVATE_KEY_ENV = "JWT_PRIVATE_KEY"