feat: bucket set-up#211
Draft
RaidedCluster wants to merge 1 commit into
Draft
Conversation
RaidedCluster
force-pushed
the
johan/external-submissions-v2
branch
2 times, most recently
from
c8b322f to
5046302
Compare
houtanb
requested changes
Jun 9, 2026
| @@ -0,0 +1,39 @@ | |||
| """Submission pipeline date utilities. | |||
| Max submissions: 3 per round (one per model). | ||
|
|
||
| Validate your file before submitting: | ||
| {VALIDATE_URL} |
Member
There was a problem hiding this comment.
validation is not here yet, so delete these lines
|
|
||
| Team: {display_name} | ||
| Upload folder: gs://{upload_bucket}/{team_id}/ | ||
|
|
Member
There was a problem hiding this comment.
mention the next forecast due date
| import os | ||
| from datetime import datetime, timezone | ||
|
|
||
| BUILD_ENV = os.environ.get("BUILD_ENV", "prod") |
Member
There was a problem hiding this comment.
use RunMode instead of this. See https://github.com/forecastingresearch/forecastbench/blob/main/src/helpers/constants.py#L102-L119
| | `team_id` | `team1`, `team2`, ... — permanent internal ID, used as GCS folder name | | ||
| | `team_name` | Optional display name (unique). Shown in emails. | | ||
| | `organization` | Public name. `"Anonymous N"` if anonymous. | | ||
| | `original_organization` | Always the real org name. Never shown publicly. | |
Member
There was a problem hiding this comment.
Maybe call deanonymized_organization
| FRI_EMAIL=forecastbench@forecastingresearch.org | ||
| VALIDATE_URL= | ||
|
|
||
| BUILD_ENV=prod |
| SUBMISSIONS_BUCKET=<project>-submissions | ||
| SUBMISSIONS_INTERSTITIAL_BUCKET=<project>-submissions-interstitial | ||
| SUBMISSIONS_HISTORY_BUCKET=<project>-submissions-history | ||
| SUBMISSIONS_DEPLOYER=<your-email>@forecastingresearch.org |
Member
There was a problem hiding this comment.
put all of this in variables.mk in the root dir and delete this file
| @@ -0,0 +1,75 @@ | |||
| #!/bin/bash | |||
Member
There was a problem hiding this comment.
Instead of a permissions script, can you do this in Python using google-cloud-resource-manager?
Codex says something like:
from google.cloud import resourcemanager_v3
from google.iam.v1 import iam_policy_pb2, policy_pb2
def grant_role_on_folder(
folder_id: str,
member: str,
role: str,
) -> None:
"""
Example:
folder_id = "123456789012"
member = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
role = "roles/viewer"
"""
client = resourcemanager_v3.FoldersClient()
resource = f"folders/{folder_id}"
policy = client.get_iam_policy(
request=iam_policy_pb2.GetIamPolicyRequest(resource=resource)
)
for binding in policy.bindings:
if binding.role == role:
if member not in binding.members:
binding.members.append(member)
break
else:
policy.bindings.append(
policy_pb2.Binding(
role=role,
members=[member],
)
)
client.set_iam_policy(
request=iam_policy_pb2.SetIamPolicyRequest(
resource=resource,
policy=policy,
)
)| @@ -0,0 +1,130 @@ | |||
| #!/bin/bash | |||
Member
There was a problem hiding this comment.
I'm a bit lost as to why there's a deploy.sh script when you have a Makefile
|
|
||
| Each team gets a unique internal ID (team1, team2, ...) used as their GCS folder name. | ||
| One organization can have multiple teams (e.g. GDM has team1 and team2). | ||
| Teams can optionally provide a display name to distinguish multiple teams from the same org. |
Member
There was a problem hiding this comment.
Teams can optionally provide a display name to distinguish multiple teams from the same org.
This is not correct
Member
|
The review above was mine. This is from Codex. I haven't looked into the details of it but skimmed it and it seems useful |
RaidedCluster
force-pushed
the
johan/external-submissions-v2
branch
5 times, most recently
from
f04f5df to
bcc2b44
Compare
RaidedCluster
force-pushed
the
johan/external-submissions-v2
branch
from
bcc2b44 to
2f61ff4
Compare
houtanb
requested changes
Jun 10, 2026
| RUN_MODE=$(RUN_MODE),\ | ||
| SMTP_USER=$(SMTP_USER),\ | ||
| SMTP_PASSWORD=$(SMTP_PASSWORD),\ | ||
| UPLOAD_BUCKET=$(SUBMISSIONS_BUCKET),\ |
Member
There was a problem hiding this comment.
UPLOAD_BUCKET should be called SUBMISSIONS_BUCKET as the first one is not informative.
also, you need to modify variables.example.mk to include any variables that need to be set
| #!/usr/bin/env python3 | ||
| """Set up IAM permissions for the ForecastBench submissions service account. | ||
|
|
||
| Run once per environment after creating the service account: |
Member
There was a problem hiding this comment.
what does "environment" mean here?
|
|
||
| Run once per environment after creating the service account: | ||
|
|
||
| eval $(cat ../../variables.mk | grep -v '^#' | xargs) python setup_permissions.py |
Member
There was a problem hiding this comment.
you can remove this comment altogether
| eval $(cat ../../variables.mk | grep -v '^#' | xargs) python setup_permissions.py | ||
|
|
||
| Requirements: | ||
| pip install google-cloud-storage google-cloud-resource-manager |
| UPLOAD_BUCKET=$(SUBMISSIONS_BUCKET),\ | ||
| NEXT_DUE_DATE=$(NEXT_DUE_DATE) | ||
|
|
||
| deploy-onboard: |
Member
There was a problem hiding this comment.
the files this deplooyment depends on should be on this line
| NEXT_DUE_DATE=$(NEXT_DUE_DATE) | ||
|
|
||
| deploy-onboard: | ||
| cp $(ROOT_DIR)src/helpers/email.py $(FUNC_DIR)/onboard/email_utils.py |
Member
There was a problem hiding this comment.
why is this file renamed in the copy?
| --gen2 \ | ||
| --project=$(CLOUD_PROJECT) \ | ||
| --region=$(REGION) \ | ||
| --runtime=python312 \ |
| --set-env-vars=$(ONBOARD_ENV_VARS) | ||
| rm -f $(FUNC_DIR)/onboard/email_utils.py | ||
|
|
||
| setup-permissions: |
| | `service_accounts` | GCP service accounts for automated uploads. No emails sent to these. | | ||
| | `anonymous` | bool | | ||
| | `created_at` | Firestore server timestamp | | ||
| | `active` | bool — set to false on removal | |
Member
There was a problem hiding this comment.
in the above list add two more columns showing what's required vs optional and the default value when optional. e.g., anonymous is optional, default false
| SMTP_USER = os.environ.get("SMTP_USER", "") | ||
| SMTP_PASSWORD = os.environ.get("SMTP_PASSWORD", "") | ||
| SMTP_HOST = os.environ.get("SMTP_HOST", "smtp.gmail.com") | ||
| SMTP_PORT = int(os.environ.get("SMTP_PORT", "587")) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds Makefile, setup_permissions.sh, and variables.mk.example to automate IAM setup for the external submissions pipeline.