From 2c3c86987f9a6f6ad1fd1203ede0519286432681 Mon Sep 17 00:00:00 2001
From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:13:31 +0100
Subject: [PATCH 1/9] MIDRC-425 OCC-69 Add restricted download jupyter (#145)

---
 .../workflows/build_and_push_python_image.yml |  6 +-
 .../build_azlinux_jupyter_scipy_image.yml     |  2 +-
 .../build_jupyter_nextflow_image.yml          |  2 +-
 ...uild_jupyter_restricted_download_image.yml | 22 +++++
 .../workflows/build_vadc_notebook_image.yml   |  1 +
 .../build_vlmd_submission_python_image.yml    |  4 +-
 jupyter-restricted-download/.env              |  3 +
 jupyter-restricted-download/Dockerfile        | 91 +++++++++++++++++++
 jupyter-restricted-download/README.md         |  3 +
 .../resources/custom.js                       |  3 +
 .../resources/jupyter_notebook_config.py      |  3 +
 jupyter-restricted-download/start-notebook.sh |  7 ++
 .../start-singleuser.sh                       | 43 +++++++++
 jupyter-restricted-download/start.sh          | 25 +++++
 14 files changed, 208 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/build_jupyter_restricted_download_image.yml
 create mode 100644 jupyter-restricted-download/.env
 create mode 100644 jupyter-restricted-download/Dockerfile
 create mode 100644 jupyter-restricted-download/README.md
 create mode 100644 jupyter-restricted-download/resources/custom.js
 create mode 100644 jupyter-restricted-download/resources/jupyter_notebook_config.py
 create mode 100644 jupyter-restricted-download/start-notebook.sh
 create mode 100644 jupyter-restricted-download/start-singleuser.sh
 create mode 100644 jupyter-restricted-download/start.sh

diff --git a/.github/workflows/build_and_push_python_image.yml b/.github/workflows/build_and_push_python_image.yml
index 9fd8b8b4..e965638d 100644
--- a/.github/workflows/build_and_push_python_image.yml
+++ b/.github/workflows/build_and_push_python_image.yml
@@ -1,14 +1,14 @@
-name: Build Python Images and Push to Quay and ECR
+name: Build and Push python3.9-data-science
 
 on:
   push:
     paths:
-    - python3.9-data-science/Dockerfile
+    - python3.9-data-science/**
     - .github/workflows/build_and_push_python_image.yml
 
 jobs:
   python_3-9:
-    name: Python 3.9 Build and Push
+    name: Build and Push python3.9-data-science
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     with:
       DOCKERFILE_LOCATION: "./python3.9-data-science/Dockerfile"
diff --git a/.github/workflows/build_azlinux_jupyter_scipy_image.yml b/.github/workflows/build_azlinux_jupyter_scipy_image.yml
index ac934e81..59144ab3 100644
--- a/.github/workflows/build_azlinux_jupyter_scipy_image.yml
+++ b/.github/workflows/build_azlinux_jupyter_scipy_image.yml
@@ -3,7 +3,7 @@ name: Build and push AmazonLinux jupyter-scipy
 on:
   push:
     paths:
-    - azlinux-jupyter-scipy/Dockerfile
+    - azlinux-jupyter-scipy/**
     - .github/workflows/build_azlinux_jupyter_scipy_image.yml
 
 jobs:
diff --git a/.github/workflows/build_jupyter_nextflow_image.yml b/.github/workflows/build_jupyter_nextflow_image.yml
index abf56048..7d4993c6 100644
--- a/.github/workflows/build_jupyter_nextflow_image.yml
+++ b/.github/workflows/build_jupyter_nextflow_image.yml
@@ -3,7 +3,7 @@ name: Build and Push Jupyter-Nextflow image
 on:
   push:
     paths:
-    - jupyter-nextflow
+    - jupyter-nextflow/**
     - .github/workflows/build_jupyter_nextflow_image.yml
 
 jobs:
diff --git a/.github/workflows/build_jupyter_restricted_download_image.yml b/.github/workflows/build_jupyter_restricted_download_image.yml
new file mode 100644
index 00000000..d28b2bfa
--- /dev/null
+++ b/.github/workflows/build_jupyter_restricted_download_image.yml
@@ -0,0 +1,22 @@
+name: Build and Push jupyter-restricted-download
+
+on:
+  push:
+    paths:
+    - jupyter-restricted-download/**
+    - .github/workflows/build_jupyter_restricted_download_image.yml
+
+jobs:
+  jupyter-restricted-download:
+    name: Build and Push jupyter-restricted-download
+    uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
+    with:
+      DOCKERFILE_LOCATION: "./jupyter-restricted-download/Dockerfile"
+      DOCKERFILE_BUILD_CONTEXT: "./jupyter-restricted-download"
+      OVERRIDE_REPO_NAME: "jupyter-notebook"
+      OVERRIDE_TAG_NAME: "restricted-download-$(echo ${GITHUB_REF#refs/*/} | tr / _)"
+    secrets:
+      ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+      QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
diff --git a/.github/workflows/build_vadc_notebook_image.yml b/.github/workflows/build_vadc_notebook_image.yml
index b12f4367..da7c92f6 100644
--- a/.github/workflows/build_vadc_notebook_image.yml
+++ b/.github/workflows/build_vadc_notebook_image.yml
@@ -4,6 +4,7 @@ on:
   push:
     paths:
     - jupyter-vadc/**
+    - .github/workflows/build_vadc_notebook_image.yml
 
 jobs:
   push-image:
diff --git a/.github/workflows/build_vlmd_submission_python_image.yml b/.github/workflows/build_vlmd_submission_python_image.yml
index 1d2406ce..cccc08a3 100644
--- a/.github/workflows/build_vlmd_submission_python_image.yml
+++ b/.github/workflows/build_vlmd_submission_python_image.yml
@@ -1,4 +1,4 @@
-name: Build Python Image and Push to Quay and ECR
+name: Build VLMD Image
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   ci:
-    name: Build Image and Push to Quay
+    name: Build VLMD Image
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     with:
       DOCKERFILE_LOCATION: "./vlmd-submission-tools/Dockerfile"
diff --git a/jupyter-restricted-download/.env b/jupyter-restricted-download/.env
new file mode 100644
index 00000000..a73747cf
--- /dev/null
+++ b/jupyter-restricted-download/.env
@@ -0,0 +1,3 @@
+SERVICE_PORT=9880
+USER_VOLUME=./user-volume
+DATA_VOLUME=./data-volume
diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
new file mode 100644
index 00000000..877c98fa
--- /dev/null
+++ b/jupyter-restricted-download/Dockerfile
@@ -0,0 +1,91 @@
+ARG ROOT_CONTAINER=quay.io/cdis/ubuntu:focal
+
+FROM $ROOT_CONTAINER
+
+LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
+
+# Fix DL4006
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+USER root
+
+# Install all OS dependencies for the notebook server that starts but lacks all
+# features (e.g., download as all possible file formats)
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update --yes && \
+    apt-get install --yes --no-install-recommends \
+    python3.9 \
+    python3-pip \
+    tini \
+    wget \
+    git \
+    curl \
+    ca-certificates \
+    sudo \
+    locales \
+    fonts-liberation \
+    vim \
+    run-one && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* && \
+    echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
+    locale-gen
+
+# Set Python 3.9 as the default Python version
+RUN ln -s /usr/bin/python3.9 /usr/bin/python
+
+# Add the Python 3.9 executable path to the PATH environment variable
+ENV PATH="/usr/bin/python3.9:$PATH"
+
+# Upgrade pip to ensure it's associated with Python 3.9.5
+RUN python3.9 -m pip install --upgrade pip
+
+# Remove /usr/bin/pip3 if it exists
+RUN rm -f /usr/bin/pip3
+
+# Create a symbolic link from pip3 to pip
+RUN ln -s /usr/bin/pip /usr/bin/pip3
+
+RUN pip install JPype1 jupyter
+
+RUN jupyter notebook --generate-config
+
+# this is where we disable downloads
+RUN jupyter labextension disable @jupyterlab/docmanager-extension:download \
+    && jupyter labextension disable @jupyterlab/filebrowser-extension:download
+
+RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awscli --upgrade
+
+# RUN pip install PyYAML==5.3.1 --upgrade
+RUN pip install gen3==4.18.0 --upgrade
+
+RUN pip install jupyter --upgrade
+
+RUN pip uninstall nbconvert --yes
+# Create a non-root user for Jupyter without copying /bin or /bin/bash
+ARG NB_USER=jupyter
+ARG NB_UID=1000
+RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER
+RUN chown -R $NB_USER:users /home/$NB_USER
+RUN chmod -R u+rwx /home/$NB_USER
+
+# Expose port 8888 for JupyterLab
+EXPOSE 8888
+
+ARG COVID_TOOLS_BRANCH=master
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/welcome.html /home/$NB_USER/
+RUN touch /home/$NB_USER/welcome.html
+
+# Add local files as late as possible to avoid cache busting
+COPY start.sh /usr/local/bin/
+COPY start-notebook.sh /usr/local/bin/
+COPY start-singleuser.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/*.sh
+
+COPY resources/custom.js /home/$NB_USER/.jupyter/custom/
+COPY resources/jupyter_notebook_config.py /home/$NB_USER/.jupyter/tmp.py
+RUN cat /home/$NB_USER/.jupyter/tmp.py >> /home/$NB_USER/.jupyter/jupyter_notebook_config.py && rm /home/$NB_USER/.jupyter/tmp.py
+
+# Set the default command to start JupyterLab
+USER $NB_USER
+WORKDIR /home/$NB_USER
+ENTRYPOINT ["jupyter", "lab", "--allow-root", "--ip=0.0.0.0", "--port=8888", "--no-browser"]
diff --git a/jupyter-restricted-download/README.md b/jupyter-restricted-download/README.md
new file mode 100644
index 00000000..f0d810ea
--- /dev/null
+++ b/jupyter-restricted-download/README.md
@@ -0,0 +1,3 @@
+# jupyter-restricted-download
+
+A "restricted" build of `jupyter-slim`.  Basically the same as `../jupyter-slim/`, but it prevents users from downloading anything from the jupyter lab
diff --git a/jupyter-restricted-download/resources/custom.js b/jupyter-restricted-download/resources/custom.js
new file mode 100644
index 00000000..2f6d4c13
--- /dev/null
+++ b/jupyter-restricted-download/resources/custom.js
@@ -0,0 +1,3 @@
+define(['base/js/namespace'], function(Jupyter){
+    Jupyter._target = '_self';
+})
diff --git a/jupyter-restricted-download/resources/jupyter_notebook_config.py b/jupyter-restricted-download/resources/jupyter_notebook_config.py
new file mode 100644
index 00000000..89d1b20c
--- /dev/null
+++ b/jupyter-restricted-download/resources/jupyter_notebook_config.py
@@ -0,0 +1,3 @@
+c.NotebookApp.tornado_settings = {
+    "headers": {"Content-Security-Policy": "frame-ancestors 'self'"}
+}
diff --git a/jupyter-restricted-download/start-notebook.sh b/jupyter-restricted-download/start-notebook.sh
new file mode 100644
index 00000000..d028cfd6
--- /dev/null
+++ b/jupyter-restricted-download/start-notebook.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+. /usr/local/bin/start.sh jupyter notebook --no-browser --port 8888 --ip=* --NotebookApp.token='' --NotebookApp.disable_check_xsrf=True $*
diff --git a/jupyter-restricted-download/start-singleuser.sh b/jupyter-restricted-download/start-singleuser.sh
new file mode 100644
index 00000000..09c1d695
--- /dev/null
+++ b/jupyter-restricted-download/start-singleuser.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+# set default ip to 0.0.0.0
+if [[ "$NOTEBOOK_ARGS $@" != *"--ip="* ]]; then
+  NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS"
+fi
+
+# handle some deprecated environment variables
+# from DockerSpawner < 0.8.
+# These won't be passed from DockerSpawner 0.9,
+# so avoid specifying --arg=empty-string
+if [ ! -z "$NOTEBOOK_DIR" ]; then
+  NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_PORT" ]; then
+  NOTEBOOK_ARGS="--port=$JPY_PORT $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_USER" ]; then
+  NOTEBOOK_ARGS="--user=$JPY_USER $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_COOKIE_NAME" ]; then
+  NOTEBOOK_ARGS="--cookie-name=$JPY_COOKIE_NAME $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_BASE_URL" ]; then
+  NOTEBOOK_ARGS="--base-url=$JPY_BASE_URL $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_HUB_PREFIX" ]; then
+  NOTEBOOK_ARGS="--hub-prefix=$JPY_HUB_PREFIX $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_HUB_API_URL" ]; then
+  NOTEBOOK_ARGS="--hub-api-url=$JPY_HUB_API_URL $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JUPYTER_ENABLE_LAB" ]; then
+  NOTEBOOK_BIN="jupyter labhub"
+else
+  NOTEBOOK_BIN=jupyterhub-singleuser
+fi
+
+. /usr/local/bin/start.sh $NOTEBOOK_BIN $NOTEBOOK_ARGS $@
diff --git a/jupyter-restricted-download/start.sh b/jupyter-restricted-download/start.sh
new file mode 100644
index 00000000..f3c3a67f
--- /dev/null
+++ b/jupyter-restricted-download/start.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+# Handle special flags if we're root
+if [ $UID == 0 ] ; then
+    # Change UID of NB_USER to NB_UID if it does not match
+    if [ "$NB_UID" != $(id -u $NB_USER) ] ; then
+        usermod -u $NB_UID $NB_USER
+        chown -R $NB_UID $CONDA_DIR .
+    fi
+
+    # Enable sudo if requested
+    if [ ! -z "$GRANT_SUDO" ]; then
+        echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook #pragma: allowlist secret
+    fi
+
+    # Exec the command as NB_USER
+    exec su $NB_USER -c "env PATH=$PATH $*"
+else
+    # Exec the command
+    exec $*
+fi

From 14cc06ef162471d7403905075069e673932e52d3 Mon Sep 17 00:00:00 2001
From: Aidan Hilt <ahilt@uchicago.edu>
Date: Mon, 22 Jan 2024 17:17:29 -0500
Subject: [PATCH 2/9] Added a command to install jsonschema 4.20.0

---
 jupyter-restricted-download/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
index 877c98fa..4de42fb7 100644
--- a/jupyter-restricted-download/Dockerfile
+++ b/jupyter-restricted-download/Dockerfile
@@ -59,6 +59,8 @@ RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awsc
 RUN pip install gen3==4.18.0 --upgrade
 
 RUN pip install jupyter --upgrade
+# This is needed to fix an error that cropped up
+RUN pip install jsonschema==4.20.0
 
 RUN pip uninstall nbconvert --yes
 # Create a non-root user for Jupyter without copying /bin or /bin/bash

From 07d5053cec31e88f49e09836455eb93029836507 Mon Sep 17 00:00:00 2001
From: Aidan Hilt <ahilt@uchicago.edu>
Date: Thu, 25 Jan 2024 10:49:35 -0500
Subject: [PATCH 3/9] I think ensuring that the jsonschema install happening
 last is all that was needed

---
 jupyter-restricted-download/Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
index 4de42fb7..259eb219 100644
--- a/jupyter-restricted-download/Dockerfile
+++ b/jupyter-restricted-download/Dockerfile
@@ -59,8 +59,6 @@ RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awsc
 RUN pip install gen3==4.18.0 --upgrade
 
 RUN pip install jupyter --upgrade
-# This is needed to fix an error that cropped up
-RUN pip install jsonschema==4.20.0
 
 RUN pip uninstall nbconvert --yes
 # Create a non-root user for Jupyter without copying /bin or /bin/bash
@@ -87,6 +85,10 @@ COPY resources/custom.js /home/$NB_USER/.jupyter/custom/
 COPY resources/jupyter_notebook_config.py /home/$NB_USER/.jupyter/tmp.py
 RUN cat /home/$NB_USER/.jupyter/tmp.py >> /home/$NB_USER/.jupyter/jupyter_notebook_config.py && rm /home/$NB_USER/.jupyter/tmp.py
 
+# Putting this all the way down here, to make sure its the last thing done
+# The image can't function with jsonschema version 3.20.0, which some dependency installs
+RUN pip install jsonschema==4.20.0
+
 # Set the default command to start JupyterLab
 USER $NB_USER
 WORKDIR /home/$NB_USER

From 3c47181884f401f3802d8fe15cea43b03d685f01 Mon Sep 17 00:00:00 2001
From: Sai Shanmukha Narumanchi <nss10@outlook.com>
Date: Fri, 26 Jan 2024 15:35:55 -0600
Subject: [PATCH 4/9] Add nvcr based fips compliant dockerfile (#142)

* Add nvcr based fips compliant dockerfile
* Add `sed` commands to update `openssl.cnf`
* Update `LD_LIBRARY_PATH` env var to match with images built for x86 platform
---
 nextflow-base-images/nvcr_image/Dockerfile | 36 ++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 nextflow-base-images/nvcr_image/Dockerfile

diff --git a/nextflow-base-images/nvcr_image/Dockerfile b/nextflow-base-images/nvcr_image/Dockerfile
new file mode 100644
index 00000000..28d14dad
--- /dev/null
+++ b/nextflow-base-images/nvcr_image/Dockerfile
@@ -0,0 +1,36 @@
+# Use the specified base image
+FROM nvcr.io/nvidia/cuda:11.8.0-base-ubuntu22.04
+
+RUN apt-get purge -y --auto-remove openssl && apt-get autoremove && apt-get autoclean
+
+RUN apt-get update && apt-get -y upgrade && apt install -y wget
+
+RUN apt install -y build-essential && \
+    apt-get install -y python3 && \
+    apt-get install -y python3-pip
+
+# install openssl 3.0.8 as it is required for FIPS compliance.
+WORKDIR /tmp
+RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz && \
+    tar -xzvf openssl-3.0.8.tar.gz && \
+    rm openssl-3.0.8.tar.gz
+
+WORKDIR /tmp/openssl-3.0.8
+RUN ./Configure enable-fips && \
+    make && \
+    make install
+
+# Changing adding `/usr/local/lib` as a prefix to LD_LIBRARY_PATH will
+# give precedence to OpenSSL 3.0.8 library files over the 3.0.2
+ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH
+
+# Make config changes ti ensure FIPS compliance
+RUN sed -i 's$# .include fipsmodule.cnf$.include /usr/local/ssl/fipsmodule.cnf$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$providers = provider_sect$providers = provider_sect\nalg_section = algorithm_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$# fips = fips_sect$fips = fips_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i -e 's$# activate = 1$activate = 1 \n\n[algorithm_sect]\ndefault_properties = fips=yes$g' /usr/local/ssl/openssl.cnf
+
+
+# Clean up the temporary directory
+WORKDIR /
+RUN rm -rf /tmp/openssl-3.0.8

From 82b79f5a1fa04f3fc51446c0b823eadb5593a0d0 Mon Sep 17 00:00:00 2001
From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com>
Date: Thu, 1 Feb 2024 11:36:28 -0600
Subject: [PATCH 5/9] MIDRC-425 OCC-69 Jupyter-covid19 restricted download
 (#146)

---
 .../workflows/build_jupyter_covid19_image.yml | 22 +++++++++++++++++++
 jupyter-covid19/Dockerfile                    | 12 +++++++---
 jupyter-restricted-download/Dockerfile        | 14 +++++-------
 3 files changed, 37 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/build_jupyter_covid19_image.yml

diff --git a/.github/workflows/build_jupyter_covid19_image.yml b/.github/workflows/build_jupyter_covid19_image.yml
new file mode 100644
index 00000000..f66cf051
--- /dev/null
+++ b/.github/workflows/build_jupyter_covid19_image.yml
@@ -0,0 +1,22 @@
+name: Build and Push jupyter-covid19
+
+on:
+  push:
+    paths:
+    - jupyter-covid19/**
+    - .github/workflows/build_jupyter_covid19_image.yml
+
+jobs:
+  jupyter-covid19:
+    name: Build and Push jupyter-covid19
+    uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
+    with:
+      DOCKERFILE_LOCATION: "./jupyter-covid19/Dockerfile"
+      DOCKERFILE_BUILD_CONTEXT: "./jupyter-covid19"
+      OVERRIDE_REPO_NAME: "jupyter-notebook"
+      OVERRIDE_TAG_NAME: "covid19-$(echo ${GITHUB_REF#refs/*/} | tr / _)"
+    secrets:
+      ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+      QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
diff --git a/jupyter-covid19/Dockerfile b/jupyter-covid19/Dockerfile
index d4d514b9..149e7950 100644
--- a/jupyter-covid19/Dockerfile
+++ b/jupyter-covid19/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/cdis/jupyter-notebook:1.1.0
+FROM quay.io/cdis/jupyter-notebook:restricted-download-master
 
 USER $NB_USER
 WORKDIR /home/$NB_USER
@@ -96,5 +96,11 @@ ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools
 RUN touch /home/$NB_USER/covid19-notebook/peregrine.py
 
 # premade notebooks dependencies
-RUN pip install --upgrade 'pip<20.3' # pip 20.3 causes dependency resolution issues
-RUN pip install -r /home/$NB_USER/covid19-notebook/requirements.txt
+RUN pip install -U -r /home/$NB_USER/covid19-notebook/requirements.txt
+
+# The image can't function (see error below) with `jsonschema` version 3.2.0. Some dependencies are
+# preventing `jsonschema` from being upgraded to a more recent version. Updating it here as a quick fix.
+#   File "/usr/local/lib/python3.9/dist-packages/jupyter_events/validators.py", line 44, in <module>
+#     JUPYTER_EVENTS_SCHEMA_VALIDATOR = Draft7Validator(
+# TypeError: __init__() got an unexpected keyword argument 'registry'
+RUN pip install jsonschema==4.20.0 --upgrade
diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
index 259eb219..8cb236ea 100644
--- a/jupyter-restricted-download/Dockerfile
+++ b/jupyter-restricted-download/Dockerfile
@@ -62,11 +62,12 @@ RUN pip install jupyter --upgrade
 
 RUN pip uninstall nbconvert --yes
 # Create a non-root user for Jupyter without copying /bin or /bin/bash
-ARG NB_USER=jupyter
+ARG NB_USER=jovyan
 ARG NB_UID=1000
-RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER
-RUN chown -R $NB_USER:users /home/$NB_USER
-RUN chmod -R u+rwx /home/$NB_USER
+RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
+    chown -R $NB_USER:users /home/$NB_USER && \
+    chmod -R u+rwx /home/$NB_USER && \
+    mkdir -p /home/$NB_USER/pd
 
 # Expose port 8888 for JupyterLab
 EXPOSE 8888
@@ -85,11 +86,8 @@ COPY resources/custom.js /home/$NB_USER/.jupyter/custom/
 COPY resources/jupyter_notebook_config.py /home/$NB_USER/.jupyter/tmp.py
 RUN cat /home/$NB_USER/.jupyter/tmp.py >> /home/$NB_USER/.jupyter/jupyter_notebook_config.py && rm /home/$NB_USER/.jupyter/tmp.py
 
-# Putting this all the way down here, to make sure its the last thing done
-# The image can't function with jsonschema version 3.20.0, which some dependency installs
-RUN pip install jsonschema==4.20.0
+USER $NB_USER
 
 # Set the default command to start JupyterLab
-USER $NB_USER
 WORKDIR /home/$NB_USER
 ENTRYPOINT ["jupyter", "lab", "--allow-root", "--ip=0.0.0.0", "--port=8888", "--no-browser"]

From 24b235bde11ce9a4b728ed72c07565d94783afb5 Mon Sep 17 00:00:00 2001
From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com>
Date: Thu, 1 Feb 2024 15:45:59 -0600
Subject: [PATCH 6/9] jupyter-covid19 base = restricted download 1.3.0

---
 jupyter-covid19/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jupyter-covid19/Dockerfile b/jupyter-covid19/Dockerfile
index 149e7950..cc9083ce 100644
--- a/jupyter-covid19/Dockerfile
+++ b/jupyter-covid19/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/cdis/jupyter-notebook:restricted-download-master
+FROM quay.io/cdis/jupyter-notebook:restricted-download-1.3.0
 
 USER $NB_USER
 WORKDIR /home/$NB_USER

From f541afb3e28a3bbd706039223c5e1fd943956014 Mon Sep 17 00:00:00 2001
From: Pauline <4224001+paulineribeyre@users.noreply.github.com>
Date: Wed, 7 Feb 2024 11:02:16 -0600
Subject: [PATCH 7/9] fix jupyter-restricted-download to pass config to
 downstream images

---
 jupyter-restricted-download/Dockerfile | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
index 8cb236ea..3f4178de 100644
--- a/jupyter-restricted-download/Dockerfile
+++ b/jupyter-restricted-download/Dockerfile
@@ -54,29 +54,37 @@ RUN jupyter labextension disable @jupyterlab/docmanager-extension:download \
     && jupyter labextension disable @jupyterlab/filebrowser-extension:download
 
 RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awscli --upgrade
-
-# RUN pip install PyYAML==5.3.1 --upgrade
 RUN pip install gen3==4.18.0 --upgrade
-
 RUN pip install jupyter --upgrade
-
 RUN pip uninstall nbconvert --yes
+
 # Create a non-root user for Jupyter without copying /bin or /bin/bash
 ARG NB_USER=jovyan
 ARG NB_UID=1000
+ARG NB_GID=100
 RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
     chown -R $NB_USER:users /home/$NB_USER && \
     chmod -R u+rwx /home/$NB_USER && \
     mkdir -p /home/$NB_USER/pd
 
+# Configure environment
+ENV CONDA_DIR=/opt/conda \
+    PATH=/usr/local/bin:$PATH \
+    SHELL=/bin/bash \
+    NB_USER=${NB_USER} \
+    NB_UID=${NB_UID} \
+    NB_GID=${NB_GID} \
+    HOME=/home/$NB_USER \
+    LC_ALL=en_US.UTF-8 \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8
+
 # Expose port 8888 for JupyterLab
 EXPOSE 8888
 
-ARG COVID_TOOLS_BRANCH=master
-ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/welcome.html /home/$NB_USER/
-RUN touch /home/$NB_USER/welcome.html
-
 # Add local files as late as possible to avoid cache busting
+RUN wget https://raw.githubusercontent.com/jupyter/docker-stacks/7e1a19a8427f99652c75d1d4fda3df780721b574/images/docker-stacks-foundation/fix-permissions
+RUN mv fix-permissions /usr/local/bin/fix-permissions.sh
 COPY start.sh /usr/local/bin/
 COPY start-notebook.sh /usr/local/bin/
 COPY start-singleuser.sh /usr/local/bin/
@@ -86,6 +94,8 @@ COPY resources/custom.js /home/$NB_USER/.jupyter/custom/
 COPY resources/jupyter_notebook_config.py /home/$NB_USER/.jupyter/tmp.py
 RUN cat /home/$NB_USER/.jupyter/tmp.py >> /home/$NB_USER/.jupyter/jupyter_notebook_config.py && rm /home/$NB_USER/.jupyter/tmp.py
 
+RUN fix-permissions.sh "/home/${NB_USER}"
+
 USER $NB_USER
 
 # Set the default command to start JupyterLab

From 78b8c2b90e36f7edcc32bbf62e245b452ac88a33 Mon Sep 17 00:00:00 2001
From: Pauline <4224001+paulineribeyre@users.noreply.github.com>
Date: Wed, 7 Feb 2024 14:39:04 -0600
Subject: [PATCH 8/9] Pin jupyter-covid19 image to new restricted-download base

---
 jupyter-covid19/Dockerfile | 58 +++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/jupyter-covid19/Dockerfile b/jupyter-covid19/Dockerfile
index cc9083ce..c77b32c5 100644
--- a/jupyter-covid19/Dockerfile
+++ b/jupyter-covid19/Dockerfile
@@ -1,98 +1,98 @@
-FROM quay.io/cdis/jupyter-notebook:restricted-download-1.3.0
+FROM quay.io/cdis/jupyter-notebook:restricted-download-1.3.1
 
 USER $NB_USER
 WORKDIR /home/$NB_USER
 ARG COVID_TOOLS_BRANCH=master
 
 # copy welcome splash page
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/welcome.html /home/$NB_USER/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/welcome.html /home/$NB_USER/
 RUN touch /home/$NB_USER/welcome.html
 
 # copy readme and notebooks requirements
 RUN mkdir /home/$NB_USER/covid19-notebook
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/readme.md /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/readme.md /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/readme.md
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/requirements.txt /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/requirements.txt /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/requirements.txt
 
 # copy premade notebooks
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/jhu-summary-overview/COVID-19-JHU_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/jhu-summary-overview/COVID-19-JHU_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/COVID-19-JHU_data_analysis.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/kaggle-demographics/kaggle_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/kaggle-demographics/kaggle_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/kaggle_data_analysis.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/chicago-seir-forecast/covid19_seir.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/chicago-seir-forecast/covid19_seir.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/covid19_seir.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/chicago-seir-forecast/seir_diagram.png /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/chicago-seir-forecast/seir_diagram.png /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/seir_diagram.png
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/ctp_testing/CTP_testing.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/ctp_testing/CTP_testing.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/CTP_testing.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/TCGA_COAD_COVID.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/TCGA_COAD_COVID.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/TCGA_COAD_COVID.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/nCoV-2019_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/nCoV-2019_data_analysis.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/nCoV-2019_data_analysis.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/SSR/SSR_notebook.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/SSR/SSR_notebook.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/SSR_notebook.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/DarkCovidNet_binary_classes.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/DarkCovidNet_binary_classes.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/DarkCovidNet_binary_classes.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/CNN_XRAY_CF.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/CNN_XRAY_CF.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/CNN_XRAY_CF.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/google_mobility.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/google_mobility.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/google_mobility.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/pypfb/PFB_example.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/pypfb/PFB_example.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/PFB_example.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/IL_tab_charts.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/IL_tab_charts.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/IL_tab_charts.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_7D4F_gui.png /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_7D4F_gui.png /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis_7D4F_gui.png
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_7D4F_view.html /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_7D4F_view.html /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis_7D4F_view.html
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_A_view.html /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_A_view.html /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis_A_view.html
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_B_view.html /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_B_view.html /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis_B_view.html
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_demo_view.html /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/3D_Protein_Vis/3D_Protein_Vis_demo_view.html /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/3D_Protein_Vis_demo_view.html
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/ICU_prediction/Percentage_ICU_prediction.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/ICU_prediction/Percentage_ICU_prediction.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/Percentage_ICU_prediction.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir.ipynb /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir.ipynb /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/extended-seir.ipynb
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir_diagram.png /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir_diagram.png /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/extended-seir_diagram.png
 
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir_parameters.png /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/extended-seir/extended-seir_parameters.png /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/extended-seir_parameters.png
 
 # small pfb file
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/pypfb/PFB_example.avro /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/pypfb/PFB_example.avro /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/PFB_example.avro
 
 # peregrine helper script required by the X-ray notebooks
-ADD --chown=jovyan:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/peregrine.py /home/$NB_USER/covid19-notebook/
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/X-ray/peregrine.py /home/$NB_USER/covid19-notebook/
 RUN touch /home/$NB_USER/covid19-notebook/peregrine.py
 
 # premade notebooks dependencies

From 7a600620770263a18796e8622dc487e231124dfe Mon Sep 17 00:00:00 2001
From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com>
Date: Thu, 8 Feb 2024 14:13:42 -0600
Subject: [PATCH 9/9] Update comments

---
 jupyter-restricted-download/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/jupyter-restricted-download/Dockerfile b/jupyter-restricted-download/Dockerfile
index 3f4178de..2e0fd8a3 100644
--- a/jupyter-restricted-download/Dockerfile
+++ b/jupyter-restricted-download/Dockerfile
@@ -49,13 +49,14 @@ RUN pip install JPype1 jupyter
 
 RUN jupyter notebook --generate-config
 
-# this is where we disable downloads
+# step 1 to disable downloads:
 RUN jupyter labextension disable @jupyterlab/docmanager-extension:download \
     && jupyter labextension disable @jupyterlab/filebrowser-extension:download
 
 RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awscli --upgrade
 RUN pip install gen3==4.18.0 --upgrade
 RUN pip install jupyter --upgrade
+# step 2 to disable downloads:
 RUN pip uninstall nbconvert --yes
 
 # Create a non-root user for Jupyter without copying /bin or /bin/bash