
Connectome Mirror - Operational Template

[!NOTE] For the current implementation status, see 機能実装ステータス (Remaining Functionality).

This document provides recommended templates and operational guidance for hosting a connectome JSON/NPZ mirror and integrating it with the bootstrap-connectome GitHub Actions workflow.

Goals

- Provide a stable URL (short-lived or long-lived) for CONNECTOME_DOWNLOAD_URL that can be stored as a GitHub Actions secret.
- Allow maintainers to publish new connectome assets via CI and rotate the URL securely.

Options

1. S3 bucket (recommended)
   - Upload the file to a public or signed location and set CONNECTOME_DOWNLOAD_URL to the S3 HTTPS URL or a presigned URL.
   - Use a bucket policy to restrict PutObject to the CI principal and GetObject to the public or to specific principals.
2. Presigned PUT URL from an object store
   - Create a presigned PUT URL and use tools/upload_connectome_mirror.py locally or via CI to upload.
   - Store the final GET URL as the secret if desired.
3. Static hosting (GCS / GitHub Releases)
   - Upload the asset to an immutable release or a public cloud storage location and reference it directly.

Example: GitHub Actions - publish to S3 and set secret via manual step

```yaml
name: Publish Connectome Mirror
on:
  workflow_dispatch:
    inputs:
      file_path:
        description: 'Path to connectome JSON in repo or workspace'
        required: true

# role-to-assume without static keys uses OIDC, which needs an ID token;
# without id-token: write the configure-aws-credentials step fails.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      # Pass the input through the environment instead of interpolating
      # ${{ }} into the shell script, so its value cannot inject commands.
      FILE_PATH: ${{ github.event.inputs.file_path }}
      DEST: s3://my-bucket/public/connectome/${{ github.run_id }}.json
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: us-east-1
          role-to-assume: ${{ secrets.PUBLISH_ROLE_ARN }}
      - name: Upload to S3
        # --acl public-read only works if the bucket has ACLs enabled; new
        # buckets default to "bucket owner enforced", which rejects the flag.
        # If GetObject is granted by bucket policy instead, drop the flag
        # (and a presigned URL is then unnecessary for a public object).
        run: |
          aws s3 cp "$FILE_PATH" "$DEST" --acl public-read
          echo "$DEST"
      - name: Create presigned URL (optional)
        # The URL is signed with the assumed role's temporary credentials,
        # so S3 rejects it once that session expires, whatever --expires-in
        # says. A URL that must last a week has to be presigned with
        # long-term credentials outside this job.
        run: |
          aws s3 presign "$DEST" --expires-in 604800 > presigned.txt
          # Do not cat the file: the URL is a bearer credential and the job
          # log is readable by everyone who can read the repository.
          echo "::add-mask::$(cat presigned.txt)"
      - name: Upload artifact (optional)
        # Artifacts can be downloaded by anyone with read access to the
        # repository, so use this hand-off only in a private repository.
        uses: actions/upload-artifact@v4
        with:
          name: connectome-publish
          path: presigned.txt
```

Post-run: download presigned.txt from the artifact (or take the printed S3 URI if the object is publicly readable) and create or rotate the repository secret CONNECTOME_DOWNLOAD_URL, either in repo Settings -> Secrets or from a maintainer's machine with `gh secret set CONNECTOME_DOWNLOAD_URL < presigned.txt`. The job cannot do this itself: GITHUB_TOKEN has no permission to write repository secrets.

Security notes

- Prefer a dedicated publish role with least privilege: PutObject only on the specific prefix, plus PutObjectAcl if you upload with --acl, and GetObject only if the role itself presigns GET URLs (a presigned URL carries exactly the signer's permissions, so the signer must be allowed to read the object).
- If using presigned URLs, prefer short-lived GET URLs for consumers. For bootstrap you can store a presigned GET URL valid for up to a week (the SigV4 maximum), but it must be signed with long-term credentials: a URL signed by a role assumed in CI stops working when that role session expires, whatever --expires-in says.
- Treat a presigned URL as a bearer credential: do not print it in job logs, and remember that workflow artifacts are readable by anyone with read access to the repository.
- Avoid embedding credentials in workflow_dispatch inputs; use repository or organization secrets, and pass inputs into run steps via env rather than interpolating ${{ }} into the shell script.
- Rotate CONNECTOME_DOWNLOAD_URL before the stored URL expires; an expired presigned URL is rejected with 403 and the bootstrap workflow fails until the secret is replaced.
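The publish role that the workflow assumes through PUBLISH_ROLE_ARN, written out as a CloudFormation template so the trust policy and the prefix-scoped permissions are in one place. This is an added example, not part of the project: it assumes the bucket name my-bucket and prefix public/connectome/ used in the workflow above, a placeholder repository OWNER/REPO, that the GitHub OIDC provider token.actions.githubusercontent.com is already registered in the account, and that publishing runs from the main branch.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Least-privilege publish role for the connectome mirror (added example,
  not from the project; names below are assumptions).

Parameters:
  GitHubRepo:
    Type: String
    Default: OWNER/REPO          # assumption: replace with the real owner/repo
  BucketName:
    Type: String
    Default: my-bucket           # matches the bucket in the workflow above

Resources:
  ConnectomePublishRole:
    Type: AWS::IAM::Role
    Properties:
      # The GitHub OIDC provider is assumed to exist already in this account.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
                # Pin the caller to one repository and one branch; a fork or
                # another repository's workflow cannot assume this role.
                "token.actions.githubusercontent.com:sub": !Sub repo:${GitHubRepo}:ref:refs/heads/main
      # Session length bounds how long any URL presigned by this role works.
      MaxSessionDuration: 3600
      Policies:
        - PolicyName: publish-connectome-prefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: WriteConnectomeObjects
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutObjectAcl   # only because the workflow uses --acl
                Resource: !Sub arn:aws:s3:::${BucketName}/public/connectome/*
              - Sid: SignGetUrls
                Effect: Allow
                Action: s3:GetObject  # only if this role presigns GET URLs
                Resource: !Sub arn:aws:s3:::${BucketName}/public/connectome/*

Outputs:
  PublishRoleArn:
    Description: Store this value as the PUBLISH_ROLE_ARN organization secret
    Value: !GetAtt ConnectomePublishRole.Arn
```

Drop PutObjectAcl together with the --acl flag if public reads are granted by bucket policy, and drop the SignGetUrls statement if presigning is done outside CI with long-term credentials; neither is needed for the upload itself.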

Integration with bootstrap-connectome

- Set the CONNECTOME_DOWNLOAD_URL repository secret to the stable GET URL or the presigned URL.
- Optionally set the CONNECTOME_TMPDIR secret if the runner has TMP issues.
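A check to run on a URL before storing it as CONNECTOME_DOWNLOAD_URL, covering the two notes above: how long a presigned URL actually remains valid, and whether it was signed with temporary credentials (an X-Amz-Security-Token parameter), in which case the X-Amz-Expires value overstates its lifetime. This is an added example, not part of tools/upload_connectome_mirror.py or the bootstrap workflow; the sample URLs, bucket name and signature values in it are constructed, and the 24-hour minimum remaining lifetime is an assumed policy.

```python
"""Inspect a CONNECTOME_DOWNLOAD_URL candidate before storing it as a secret.

Added example, not project code. Parses the SigV4 query parameters that
`aws s3 presign` emits and reports when the URL actually stops working.
"""
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# SigV4 query-string presigning allows at most seven days.
SIGV4_MAX_EXPIRES = 7 * 24 * 3600

# Constructed samples (bucket, key, key id, token and signature are fake).
_BASE = ("https://my-bucket.s3.us-east-1.amazonaws.com/public/connectome/1.json"
         "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
         "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
         "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800"
         "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123456789abcdef")
SAMPLE_LONG_TERM_URL = _BASE                                   # signed by an IAM user
SAMPLE_SESSION_URL = _BASE + "&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEXAMPLE"  # signed by a role session
SAMPLE_PLAIN_URL = "https://github.com/OWNER/REPO/releases/download/v1/connectome.json"


def parse_amz_date(value):
    """Parse the compact ISO 8601 form SigV4 uses, e.g. 20240101T000000Z."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_presigned_url(url, now=None):
    """Return a report dict for `url`.

    `now` may be omitted (current UTC time), a datetime, or an AMZ-format
    string; it is injectable so results are deterministic in tests.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_amz_date(now)
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    report = {
        "presigned": False,
        "https": parsed.scheme == "https",
        "temporary_credentials": "X-Amz-Security-Token" in query,
        "expires_at": None,
        "remaining_seconds": None,
        "problems": [],
    }
    if not report["https"]:
        report["problems"].append("not https; the signature would travel in clear text")
    if query.get("X-Amz-Algorithm", [""])[0] != "AWS4-HMAC-SHA256":
        # A plain URL: access is governed by bucket policy, not a signature.
        return report
    report["presigned"] = True
    try:
        signed_at = parse_amz_date(query["X-Amz-Date"][0])
        expires_in = int(query["X-Amz-Expires"][0])
    except (KeyError, ValueError):
        report["problems"].append("malformed X-Amz-Date or X-Amz-Expires")
        return report
    if expires_in > SIGV4_MAX_EXPIRES:
        report["problems"].append("X-Amz-Expires exceeds the seven-day SigV4 maximum")
    expires_at = signed_at + timedelta(seconds=expires_in)
    report["expires_at"] = expires_at.isoformat()
    report["remaining_seconds"] = int((expires_at - now).total_seconds())
    if report["remaining_seconds"] <= 0:
        report["problems"].append("URL has already expired")
    if report["temporary_credentials"]:
        # STS session credentials (e.g. a role assumed via OIDC in CI): S3
        # rejects the URL once that session ends, so remaining_seconds is
        # only an upper bound and the real lifetime is usually about an hour.
        report["problems"].append(
            "signed with temporary credentials; lifetime is the signer's session, not X-Amz-Expires")
    return report


def safe_to_store(report, min_remaining_seconds=24 * 3600):
    """True for an https URL with no problems and enough lifetime left."""
    if not report["https"] or report["problems"]:
        return False
    return (not report["presigned"]) or report["remaining_seconds"] >= min_remaining_seconds


if __name__ == "__main__":
    # Usage: python check_url.py <url>   (or no argument to run the samples)
    urls = sys.argv[1:] or [SAMPLE_LONG_TERM_URL, SAMPLE_SESSION_URL, SAMPLE_PLAIN_URL]
    ok = True
    for u in urls:
        r = inspect_presigned_url(u)
        ok &= safe_to_store(r)
        print({k: v for k, v in r.items()})
    sys.exit(0 if ok else 1)
```

Run it on the contents of presigned.txt before `gh secret set`; a non-zero exit means the URL will not survive the bootstrap window, most often because it was signed inside the CI job with a role session.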

Operational checklist

- [ ] Create the S3 bucket with a lifecycle policy for old connectome artifacts
- [ ] Configure the publish role and store PUBLISH_ROLE_ARN as an organization secret
- [ ] Add the CI workflow that uploads and emits the presigned URL (as an artifact)
- [ ] Rotate CONNECTOME_DOWNLOAD_URL after publishing a new version