Conversation

@trvachov (Collaborator) commented Sep 29, 2025

Description

Usage

TODO: Add code snippet

Type of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactor
  • Documentation update
  • Other (please describe):

CI Pipeline Configuration

Configure CI behavior by applying the relevant labels. By default, only basic unit tests are run.

  • ciflow:skip - Skip all CI tests for this PR
  • ciflow:notebooks - Run Jupyter notebooks execution tests for bionemo2
  • ciflow:slow - Run slow single GPU integration tests marked as @pytest.mark.slow for bionemo2
  • ciflow:all - Run all tests (unit tests, slow tests, and notebooks) for bionemo2. This label can be used to enforce running tests for all bionemo2.
  • ciflow:all-recipes - Run tests for all recipes (under bionemo-recipes). This label can be used to enforce running tests for all recipes.

Unit tests marked as @pytest.mark.multi_gpu or @pytest.mark.distributed are not run in the PR pipeline.

For more details, see CONTRIBUTING

Note

By default, only basic unit tests are run. Add appropriate labels to enable an additional test coverage.

Authorizing CI Runs

We use copy-pr-bot to manage authorization of CI
runs on NVIDIA's compute resources.

  • If a pull request is opened by a trusted user and contains only trusted changes, the pull request's code will
    automatically be copied to a pull-request/ prefixed branch in the source repository (e.g. pull-request/123)
  • If a pull request is opened by an untrusted user or contains untrusted changes, an NVIDIA org member must leave an
    /ok to test comment on the pull request to trigger CI. This will need to be done for each new commit.

Pre-submit Checklist

  • I have tested these changes locally
  • I have updated the documentation accordingly
  • I have added/updated tests as needed
  • All existing tests pass successfully

Summary by CodeRabbit

  • Documentation
    • Updated release notes for BioNeMo Framework v2.7: Evo2 improvements (longer context with parallelism, LoRA fine-tuning, memory usage fix, flash-decode, rotary/seq-length corrections, tag masking, spike-no-more). Refreshed SCDL archive notes. Deprecations: bionemo-geometric; molecular-featurization moved to cuik-molmaker. Known Issues note libtiff removal.
  • Chores
    • Finalized version to 2.7.
    • Hardened container by removing libtiff6 due to CVE-2025-9900.

copy-pr-bot bot commented Sep 29, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai (Contributor) commented Sep 29, 2025

Walkthrough

Adds a Dockerfile step to remove libtiff6 due to CVE-2025-9900, bumps VERSION from 2.7rc1 to 2.7, updates framework release notes with Evo2 items and deprecations, and adjusts/relocates contributing and code-review docs/links.

Changes

  • Release image security tweak (Dockerfile): Adds final-stage cleanup: apt remove -qy libtiff6 with comments referencing CVE-2025-9900.
  • Version bump (VERSION): Updates version string from 2.7rc1 to 2.7.
  • Framework release notes update (docs/docs/main/about/releasenotes-fw.md): Revises v2.7 notes: Evo2 improvements (parallelism, LoRA, memory fix, flash-decode, rotary/seq-length updates, tag masking, stability), SCDL clarifications, deprecations, and note on removing libtiff.
  • Docs relocation and link updates (docs/docs/user-guide/contributing/code-review.md, docs/docs/main/contributing/code-review.md, CODE-REVIEW.md, CONTRIBUTING.md): Moves code-review doc to docs/docs/main/contributing/... and updates contributing links/paths; content unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through tags from rc to two-seven, neat,
Patch my Docker pantry—no tiff for me to eat.
Evo2 hums, parallel lines align,
Docs found new burrows, paths now fine.
CVE bugs shooed from my warren’s door—
Onward we ship, secure to the core! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

  • Title Check (⚠️ Warning): The title “[WIP] release-v2.7 CI” includes a work-in-progress tag and narrowly references CI configuration, but the PR actually encompasses a version bump to 2.7, Dockerfile CVE-driven package removal, release notes updates, and documentation moves, so it does not accurately summarize the primary changes. Resolution: Rename the title to concisely reflect the core updates—such as “Bump version to v2.7, remove libtiff6 for CVE-2025-9900, update release notes, and configure CI”—and drop the WIP prefix once the PR is ready.
  • Description Check (⚠️ Warning): The pull request description is merely the unchanged template, lacking any actual summary of the changes, a filled-in usage example, selection of the type of change, or updates to the pre-submit checklist, so it does not meet the repository’s documentation requirements. Resolution: Populate the description by detailing each change in the PR, add the usage code snippet, mark the appropriate type of change checkbox, and update the pre-submit checklist to reflect what has been completed.

✅ Passed checks (1 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47e4391 and 8d88bd8.

📒 Files selected for processing (4)
  • CODE-REVIEW.md (1 hunks)
  • CONTRIBUTING.md (1 hunks)
  • VERSION (1 hunks)
  • docs/docs/main/about/releasenotes-fw.md (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • CODE-REVIEW.md
  • CONTRIBUTING.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • VERSION
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
docs/docs/main/about/releasenotes-fw.md: MD034 (no-bare-urls) "Bare URL used" at lines 9 (3x), 11, 13, 15, 17, 19, 21, 24 (2x)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-bionemo-image
  • GitHub Check: Analyze (rust)


@trvachov (Collaborator, Author) commented:

/ok to test 4bfc384

@codecov-commenter commented Sep 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.93%. Comparing base (dd4f626) to head (8d88bd8).
⚠️ Report is 17 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1202   +/-   ##
=======================================
  Coverage   79.93%   79.93%           
=======================================
  Files         160      160           
  Lines       11858    11858           
=======================================
  Hits         9479     9479           
  Misses       2379     2379           

@trvachov trvachov added ciflow:notebooks Run Jupyter notebooks execution tests for docs and bionemo2 ciflow:slow Run slow single GPU integration tests marked as @pytest.mark.slow for bionemo2 labels Sep 29, 2025
@trvachov (Collaborator, Author) commented:

/ok to test 4bfc384

@trvachov trvachov added the ciflow:all Run all tests (unit tests, slow tests, and notebooks) for bionemo2 or enforce running all tests label Sep 30, 2025
@trvachov (Collaborator, Author) commented:

/ok to test

@coderabbitai (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10e4c0d and cd88f0c.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-bionemo-image
  • GitHub Check: Analyze (python)
  • GitHub Check: Analyze (rust)

Comment on lines +375 to +377
# Remove libtiff just for v2.7 release due to CVE https://nvd.nist.gov/vuln/detail/CVE-2025-9900
# This has no effect on bionemo since we do not do any image processing.
RUN apt remove -qy libtiff6
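Review bot: the `RUN apt remove -qy libtiff6` line fails the whole build if libtiff6 is not present in the base image, and `remove` (as opposed to `purge`) leaves the package's configuration files behind; guard on installation state (for example `dpkg-query -W -f='${Status}' libtiff6`) and use `apt-get purge -qy libtiff6` followed by `apt-get autoremove -qy` in the same RUN layer so the workaround is idempotent and leaves no orphaned dependencies. The first comment line says the removal is "just for v2.7 release"; state the condition under which it is to be reverted (a base image shipping a fixed libtiff6), otherwise the temporary step has no owner once the CVE is patched upstream.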
@coderabbitai (Contributor):

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

Verify CVE reference and use apt-get for scripting.

The change removes libtiff6 to mitigate CVE-2025-9900. However:

  1. The apt command is intended for interactive use; scripts should prefer apt-get.
  2. The command will fail if libtiff6 is not installed, breaking idempotency.
  3. No cleanup of apt cache is performed after removal.

Apply this diff to use apt-get and ensure idempotency:

-RUN apt remove -qy libtiff6
+RUN apt-get remove -qy libtiff6 || true && \
+    apt-get autoremove -qy && \
+    rm -rf /var/lib/apt/lists/*
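Review bot: `|| true` on the first `+` line swallows every apt-get failure, not only the "package not installed" case, so a broken dpkg state or a held lock would pass silently and the image would still be published without the intended removal; guard on installation state instead, e.g. `if dpkg-query -W -f='${Status}' libtiff6 2>/dev/null | grep -q 'install ok installed'; then apt-get purge -qy libtiff6; fi`, and keep `apt-get autoremove -qy` and the `rm -rf /var/lib/apt/lists/*` cleanup unconditional. `purge` rather than `remove` also drops the package's configuration files, which is what a security-driven removal usually wants.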

Run the following script to verify the CVE exists and check dependencies:

Additionally, search the web to verify the CVE:


🏁 Script executed:

#!/bin/bash
# Verify CVE-2025-9900 exists and check libtiff6 dependencies

# Check for any references to libtiff in the codebase
echo "=== Checking for libtiff usage in codebase ==="
rg -i "libtiff|tiff" --type py --type dockerfile -C 2

# Check if there are any Python packages that depend on libtiff
echo "=== Checking Python package requirements ==="
fd -e txt -e toml . | xargs cat | rg -i "pillow|opencv|imageio|scikit-image" || echo "No common image processing libraries found in requirements"

Length of output: 173


🌐 Web query:

CVE-2025-9900 libtiff6

💡 Result:

Summary — CVE-2025-9900: a high-severity "write-what-where" memory-corruption bug in LibTIFF (reported 23 Sep 2025). A specially crafted TIFF with an abnormally large image-height can cause arbitrary writes, leading to denial-of-service or remote code execution when an application using libtiff parses the file. CVSSv3 score 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). [1][2][3]

Affected: upstream LibTIFF (impacts distributions' libtiff packages, e.g. libtiff6 in many Linux distros); vendors (Ubuntu, Debian, Red Hat, SUSE) have published advisories. Check your distro’s security notice for exact affected package version(s). [3][4][5]

Mitigation: update libtiff/libtiff6 to the patched package from your distribution (install the vendor security update) or avoid processing untrusted TIFF files until patched. Vendor advisories/patches linked below. [3][4][5]

References

  • Ubuntu security advisory CVE-2025-9900 (publication & mitigation). [1]
  • NVD entry (description/NVD placeholder). [2]
  • OSV / Debian tracker import of vendor advisory. [3]
  • SUSE advisory summary. [4]
  • Aggregated vulnerability pages (CVE details / security trackers). [5]

🏁 Script executed:

#!/bin/bash
echo "=== Checking for PIL imports in Python code ==="
rg -nP --type=py 'import\s+PIL' -C2 || echo "No 'import PIL' statements found"
rg -nP --type=py 'from\s+PIL' -C2 || echo "No 'from PIL' statements found"
echo "=== Checking for Image.open usage in Python code ==="
rg -nP --type=py 'Image\s*\.\s*open' -C2 || echo "No 'Image.open' usage found"

Length of output: 192


Use apt-get for non-interactive removal and ensure idempotency.

Removal of libtiff6 to mitigate CVE-2025-9900 is safe—no PIL imports or Image.open usage found in the codebase. However, in Docker scripts:

  • Prefer apt-get over apt.
  • Make the remove command idempotent (|| true).
  • Auto-remove dependencies and clear apt lists to reduce image size.

At lines 375–377 in Dockerfile, apply:

-RUN apt remove -qy libtiff6
+RUN apt-get remove -qy libtiff6 || true && \
+    apt-get autoremove -qy && \
+    rm -rf /var/lib/apt/lists/*
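A post-build check written for this discussion (added here; it is not code from the PR or from the BioNeMo project). It shows the guarded, idempotent purge the review asks for, and then verifies the outcome by scanning the filesystem as well as dpkg, because removing the apt package does not touch libtiff copies vendored inside Python wheels (Pillow's manylinux wheels bundle their own libtiff, for instance). The package name `libtiff6` comes from the PR; the root path and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: make a CVE-driven package removal (libtiff6 for CVE-2025-9900)
# idempotent without hiding real apt-get failures, and verify afterwards that no
# copy of the library is left in the image.
set -u

# Is a Debian/Ubuntu package installed? dpkg-query prints the Status field for
# installed packages and exits non-zero (no output) for unknown ones.
pkg_installed() {
  dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Idempotent removal for a Dockerfile RUN step: purge only when the package is
# present (configuration files included), then drop orphaned dependencies and
# the apt lists. A genuine apt-get error still fails the build, unlike "|| true".
purge_if_installed() {
  local pkg="$1"
  if pkg_installed "$pkg"; then
    apt-get purge -qy "$pkg" && apt-get autoremove -qy
  fi
  rm -rf /var/lib/apt/lists/*
}

# Print every libtiff shared object under ROOT (default /), one per line, and
# return 0 if any were found, 1 otherwise. The apt package is not the only
# possible copy: Python wheels vendor their own under site-packages/*.libs, so
# the filesystem scan is the check that matters for the CVE.
find_libtiff_copies() {
  local root="${1:-/}"
  local hits
  hits=$(find "$root" -xdev -type f -name 'libtiff*.so*' 2>/dev/null)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Combined post-build check: returns 0 when clean, 1 when libtiff is still
# present either as the dpkg package or as a shared object under ROOT.
check_image() {
  local root="${1:-/}" status=0
  if pkg_installed libtiff6; then
    echo "libtiff6 package still installed" >&2
    status=1
  fi
  if find_libtiff_copies "$root"; then
    echo "libtiff shared objects found under $root (listed above)" >&2
    status=1
  fi
  return "$status"
}
```

Run `check_image /` as the last step of the final image stage (or from `docker run --rm <image>`) so the build fails whenever the library is still reachable.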

@coderabbitai (Contributor) left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6195e56 and 80e052b.

📒 Files selected for processing (2)
  • VERSION (1 hunks)
  • docs/docs/main/about/releasenotes-fw.md (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • VERSION
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
docs/docs/main/about/releasenotes-fw.md: MD034 (no-bare-urls) "Bare URL used" at lines 8 (2x), 10, 12, 14, 18, 19, 21, 25 (2x)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (rust)

@trvachov trvachov force-pushed the release-v2.7 branch 2 times, most recently from f4692b8 to 7f174dc Compare September 30, 2025 20:36
@trvachov trvachov force-pushed the release-v2.7 branch 3 times, most recently from 88c9fb4 to 81dd232 Compare September 30, 2025 20:49
@coderabbitai (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80e052b and 47e4391.

📒 Files selected for processing (3)
  • VERSION (1 hunks)
  • docs/docs/main/about/releasenotes-fw.md (1 hunks)
  • docs/mkdocs.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • VERSION
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
docs/docs/main/about/releasenotes-fw.md: MD034 (no-bare-urls) "Bare URL used" at lines 9, 10, 11, 12, 13, 14, 17 (2x), 23 (2x)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (rust)

docs/mkdocs.yml Outdated
alias: true
docker_url: nvcr.io/nvidia/clara/bionemo-framework
docker_tag: nightly
docker_tag: 2.7
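Review bot: `docker_tag: 2.7` on the last line is a mutable tag on nvcr.io/nvidia/clara/bionemo-framework, and this same PR removes a package for CVE-2025-9900; consider publishing the image digest next to the tag in the release notes so users can pin the exact hardened build with `@sha256:<digest>` rather than a tag that can be re-pushed.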
@coderabbitai (Contributor):

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

LGTM! Docker tag correctly updated for v2.7 release.

The change from nightly to 2.7 is appropriate for this release. Verify that any documentation content or scripts referencing the nightly tag have also been updated to reference 2.7 where appropriate.

Run the following script to check for any remaining references to the nightly tag:


🏁 Script executed:

#!/bin/bash
# Description: Search for remaining references to "nightly" tag that might need updating for the release.

# Search for "nightly" in documentation and configuration files
rg -n -C2 'nightly' --type=yaml --type=md --type=rst -g '!CHANGELOG*' -g '!*release*notes*'

Length of output: 148


Below is a broader search to catch any remaining nightly references across the repository. Please run this and review the results:


🏁 Script executed:

#!/bin/bash
# Description: Broadly search for any remaining references to "nightly" in the repo.
rg -n 'nightly'

Length of output: 3083


docker_tag updated, but leftover “nightly” references need updating
The change in docs/mkdocs.yml from nightly to 2.7 is correct, but I found several remaining occurrences of nightly across the repo. Please update or confirm each reference to use 2.7 (or justify keeping it pointing at nightly):

  • README.md (line 44)
  • sub-packages/bionemo-evo2/examples/fine-tuning-tutorial.ipynb
  • sub-packages/bionemo-example_model/README.md
  • sub-packages/bionemo-esm2/examples/pretrain.md & mutant-design.ipynb
  • docs/docs/main/getting-started/access-startup.md & index.md
  • docs/docs/main/contributing/code-review.md
  • ci/scripts/build_docker_image.sh (cache/tag flags)
  • bionemo-recipes/recipes/README.md

Signed-off-by: Timur Rvachov <[email protected]>