feat: add DIA-NN 2.5.0 container #11

Merged: ypriverol merged 1 commit into main from feat/diann-2.5.0, Apr 13, 2026


@ypriverol ypriverol commented Apr 13, 2026

Summary

  • Add DIA-NN 2.5.0 Academia Linux container (diann-2.5.0/Dockerfile)
  • 2.5.0 becomes the :latest tag (replaces 2.3.2)
  • CI workflow updated with change detection + build matrix entry

DIA-NN 2.5.0 highlights

  • Up to 70% increase in protein IDs for low sample amounts
  • New deep learning model selection flags (--rt-model, --fr-model, --im-model, --tokens)
  • New --aa-eq flag for amino acid equivalence in reannotation
  • --parent flag to override model directory path

Container verified locally: docker buildx build --platform linux/amd64

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added DIA-NN version 2.5.0 support with Ubuntu 22.04-based container image.
  • Chores

    • Updated container build configuration and workflow matrix selection logic.
    • Adjusted versioning tags for existing DIA-NN releases.

- New diann-2.5.0/ Dockerfile (Academia Linux from 2.0 release tag)
- DIA-NN 2.5.0 becomes the :latest tag
- CI workflow updated with change detection and matrix entry

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot commented Apr 13, 2026

Walkthrough

This PR adds DIA-NN version 2.5.0 support by introducing a new Dockerfile with installation steps and updating the CI workflow with corresponding build matrix entries, filtering logic, and environment variables. The prior 2.3.2 version's latest tag assignment is also adjusted.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI Workflow Configuration: `.github/workflows/quantms-containers.yml` | Adds diann_2_5_0 path filter and CHG_250 env var mapping; includes new diann-2.5.0 matrix entry with latest tag assignment; updates non-release/workflow-dispatch jq selection predicate; removes latest tag from prior diann-2.3.2 entry. |
| DIA-NN 2.5.0 Container: `diann-2.5.0/Dockerfile` | New Dockerfile for Ubuntu 22.04-based DIA-NN 2.5.0 image; installs OS dependencies, downloads/unpacks v2.5.0 release from GitHub, configures locale settings, sets up PATH and executable symlink, and defines working directory. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • PR #5 — Modifies the same workflow file with overlapping DIANN matrix entry and filtering logic updates.
  • PR #7 — Contains near-identical workflow changes for adding a new DIANN version filter, env var mapping, and matrix selection logic.
  • PR #6 — Updates the quantms-containers workflow and adds/modifies multiple DIA-NN version Dockerfiles.

Suggested labels

Review effort [1-5]: 2

Poem

🐰 A version so new, DIA-NN takes flight,
Two-point-five-oh in containers so bright,
With Ubuntu base and locale so fine,
The rabbit hops gladly—all paths align! 🐇✨

🚥 Pre-merge checks | ✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: add DIA-NN 2.5.0 container' directly and clearly describes the main change: adding a new DIA-NN 2.5.0 container, which matches the primary objective of the pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f68d507f-614c-492f-b4c5-19f0a34df95f

📥 Commits

Reviewing files that changed from the base of the PR and between 4357944 and 2ecc7bc.

📒 Files selected for processing (2)
  • .github/workflows/quantms-containers.yml
  • diann-2.5.0/Dockerfile

Comment thread diann-2.5.0/Dockerfile
@@ -0,0 +1,52 @@
FROM ubuntu:22.04
⚠️ Potential issue | 🟠 Major

Drop root at runtime.

The container currently runs as root. Add a dedicated unprivileged user and switch to it before WORKDIR /data/.

🛡️ Proposed hardening
-WORKDIR /data/
+RUN useradd --create-home --uid 10001 --shell /usr/sbin/nologin diann && \
+    mkdir -p /data && \
+    chown -R diann:diann /data
+USER diann
+WORKDIR /data/
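Review bot: The `chown -R diann:diann /data` in the added RUN only sets ownership inside the image, so it does not help when a host directory is bind-mounted over /data at run time; with the fixed `--uid 10001`, the `diann` user can then be unable to write results into the mount. Document next to `USER diann` that callers must either pass a matching `--user` or give UID 10001 write access to the mounted directory.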

Also applies to: 50-50

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@diann-2.5.0/Dockerfile` at line 1, Add a non-root user and switch to it in
the Dockerfile: create a dedicated unprivileged user/group (e.g., appuser),
ensure /data is created and owned by that user (chown/chgrp) during image build,
then set USER to that unprivileged account before the WORKDIR /data/ instruction
so the container runs unprivileged; update related RUN commands that create
files under /data/ to use the new user or to perform chown as part of the build.

Comment thread diann-2.5.0/Dockerfile
Comment on lines +35 to +37
RUN wget --no-check-certificate https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip && \
unzip DIA-NN-2.5.0-Academia-Linux.zip -d /usr/ && \
rm DIA-NN-2.5.0-Academia-Linux.zip
⚠️ Potential issue | 🔴 Critical

Remove insecure download flag and verify artifact integrity.

Disabling certificate verification here is a release-blocking supply-chain risk. Keep TLS verification enabled and add checksum verification before unzip.

🔒 Proposed fix
+ARG DIANN_URL="https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip"
+ARG DIANN_SHA256="<official_sha256_here>"
-RUN wget --no-check-certificate https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip && \
-    unzip DIA-NN-2.5.0-Academia-Linux.zip -d /usr/ && \
-    rm DIA-NN-2.5.0-Academia-Linux.zip
+RUN wget -O /tmp/diann.zip "$DIANN_URL" && \
+    echo "${DIANN_SHA256}  /tmp/diann.zip" | sha256sum -c - && \
+    unzip /tmp/diann.zip -d /usr/ && \
+    rm /tmp/diann.zip
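Review bot: `ARG DIANN_SHA256="<official_sha256_here>"` is a placeholder, so as written the `sha256sum -c -` step fails every build until a real digest is committed; pin the actual value and record in a comment where it was obtained. Because `DIANN_URL` and `DIANN_SHA256` are both `ARG`s, a `--build-arg` override can swap the URL and the digest together, so consider hardcoding the digest in the RUN line so that any change to it appears in review. Dropping `--no-check-certificate` also means `wget` needs a CA bundle in the image; confirm that the package-install step, which is not visible in these lines, provides `ca-certificates`.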
🧰 Tools
🪛 Checkov (3.2.513)

[high] 35-37: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@diann-2.5.0/Dockerfile` around lines 35 - 37, Remove the insecure wget flag
and add checksum verification: replace the RUN line that downloads and unzips
"DIA-NN-2.5.0-Academia-Linux.zip" so it uses a TLS-verified download (remove
--no-check-certificate or use curl -fsSL), also download the corresponding
checksum file (e.g. "DIA-NN-2.5.0-Academia-Linux.zip.sha256" or ".sha256sum")
from the same GitHub release, verify the archive with sha256sum -c (or echo
"<expected>  DIA-NN-2.5.0-Academia-Linux.zip" | sha256sum -c -) and fail the
build if the check fails, then unzip "DIA-NN-2.5.0-Academia-Linux.zip" and
remove both the zip and checksum files; update the RUN block that references
these filenames accordingly.

@ypriverol ypriverol merged commit 052ebaa into main Apr 13, 2026
11 checks passed
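
The two findings raised in the review above (certificate verification disabled on a download, and no non-root USER) can be caught before merge with a small Dockerfile check. The following is an added example, not code from this PR or from the quantms-containers project; the finding names are hypothetical, the patterns are simple heuristics, and the sample input is constructed from the lines quoted in the review.

```python
import re

# Constructed sample: only the FROM, RUN and WORKDIR lines quoted in the review;
# the rest of the real Dockerfile is not shown on the page.
SAMPLE = r"""FROM ubuntu:22.04
RUN wget --no-check-certificate https://github.com/vdemichev/DiaNN/releases/download/2.0/DIA-NN-2.5.0-Academia-Linux.zip && \
    unzip DIA-NN-2.5.0-Academia-Linux.zip -d /usr/ && \
    rm DIA-NN-2.5.0-Academia-Linux.zip
WORKDIR /data/
"""

INSECURE_TLS = re.compile(r"\bwget\b.*--no-check-certificate|\bcurl\b.*\s(-k|--insecure)\b")
DOWNLOAD = re.compile(r"\b(wget|curl)\b")
CHECKSUM = re.compile(r"\b(sha256sum|sha512sum|shasum)\b")

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#") or (start is None and not line):
            continue  # comment lines are dropped, even inside a continuation
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def audit(text):
    """Return [(line_no, finding)]; line 0 marks an image-level finding."""
    findings, user = [], "root"
    for no, instr in logical_lines(text):
        op, _, arg = instr.partition(" ")
        op = op.upper()
        if op == "FROM":
            user = "root"      # assumption: the base image itself runs as root
        elif op == "USER":
            user = arg.strip().split(":")[0]
        elif op == "RUN":
            if INSECURE_TLS.search(arg):
                findings.append((no, "tls-verification-disabled"))
            if DOWNLOAD.search(arg) and not CHECKSUM.search(arg):
                findings.append((no, "download-without-checksum"))
    if user in ("root", "0"):
        findings.append((0, "runs-as-root"))
    return findings

if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"line {no}: {finding}")
```

Run against a Dockerfile that applies both proposed fixes (a verified download followed by `sha256sum -c`, and a `USER` instruction), `audit` returns an empty list.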