Merge branch 'release_25.1' into dev

Author: nsoranzo

client/src/components/User/UserPreferencesForm.vue

@@ -2,7 +2,6 @@
 import { BAlert } from "bootstrap-vue";
 import { storeToRefs } from "pinia";
 import { computed, ref, watchEffect } from "vue";
-import { useRouter } from "vue-router/composables";
 
 import { isRegisteredUser } from "@/api";
 import {
@@ -18,6 +17,7 @@ import LoadingSpan from "@/components/LoadingSpan.vue";
 
 interface Props {
     formId: UserPreferencesKey;
+    id?: string;
 }
 
 const props = defineProps<Props>();
@@ -29,13 +29,11 @@ const breadcrumbItems = computed(() => [{ title: "User Preferences", to: "/user"
 const userStore = useUserStore();
 const { currentUser } = storeToRefs(userStore);
 
-const router = useRouter();
-
 const loading = ref(true);
 
 const model = computed<UserPreferencesModel | undefined>(() => {
-    if (router.currentRoute.params.id) {
-        return getUserPreferencesModel(router.currentRoute.params.id);
+    if (props.id) {
+        return getUserPreferencesModel(props.id);
     } else if (isRegisteredUser(currentUser.value)) {
         return getUserPreferencesModel(currentUser.value.id);
     } else {

client/src/entry/analysis/router.js

@@ -673,7 +673,10 @@ export function getRouter(Galaxy) {
                     {
                         path: "user/:formId",
                         component: UserPreferencesForm,
-                        props: true,
+                        props: (route) => ({
+                            formId: route.params.formId,
+                            id: route.query.id,
+                        }),
                         redirect: redirectAnon(),
                     },
                     {

doc/schema_template.md

@@ -34,6 +34,9 @@ $tag:tool|requirements://complexType[@name='Requirements']
 $tag:tool|requirements|requirement://complexType[@name='Requirement']
 $tag:tool|requirements|container://complexType[@name='Container']
 $tag:tool|requirements|resource://complexType[@name='Resource']
+$tag:tool|requirements|credentials://complexType[@name='Credentials']
+$tag:tool|requirements|credentials|variable://complexType[@name='CredentialsVariable']
+$tag:tool|requirements|credentials|secret://complexType[@name='CredentialsSecret']
 $tag:tool|required_files://complexType[@name='RequiredFiles']
 $tag:tool|required_files|include://complexType[@name='RequiredFileInclude']
 $tag:tool|required_files|exclude://complexType[@name='RequiredFileExclude']

doc/source/admin/galaxy_options.rst

@@ -2465,7 +2465,7 @@
 :Description:
     The BibTeX citation for Galaxy, to be displayed in the History
     Tool Reference List
-:Default: ``@article{Galaxy2024, title={The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update}, author={{The Galaxy Community}}, journal={Nucleic Acids Research}, year={2024}, doi={10.1093/nar/gkae410}, url={https://doi.org/10.1093/nar/gkae410}}``
+:Default: ``@article{Galaxy2024, title="The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update", author="{The Galaxy Community}", journal="Nucleic Acids Research", year="2024", doi="10.1093/nar/gkae410", url="https://doi.org/10.1093/nar/gkae410"}``
 :Type: str
 
 

doc/source/admin/special_topics/vault.md

@@ -111,4 +111,49 @@ In a file source the password could be used as follows:
   password: ${user.user_vault.read_secret('preferences/ufz-nextcloud/password')}
 ```
 
-This example assumes that the NextCloud username is identical to the Galaxy username. If this is not the case also the username could be a user preference that is stored in a vault.
+This example assumes that the NextCloud username is identical to the Galaxy username. If this is not the case also the username could be a user preference that is stored in a vault.
+
+## Tool Credentials System
+
+Starting with Galaxy 25.1, tools can request credentials directly through a new tool credentials system. This system provides a secure, user-friendly way for tools to access external APIs and services using credentials stored in the vault.
+
+### Overview
+
+The tool credentials system allows tool developers to declaratively specify credential requirements in their tool XML, and Galaxy automatically:
+- Presents a user-friendly credential management interface in the tool form
+- Stores sensitive credentials (secrets) encrypted in the configured vault
+- Injects credentials as environment variables when tools execute
+- Provides centralized credential management in User Preferences
+
+### How it works
+
+1. **Tool Definition**: Tool developers add a `<credentials>` element to their tool XML defining required secrets (API keys, passwords) and optional variables (endpoints, usernames).
+2. **User Experience**: When users run a tool requiring credentials, they see a credential management section in the tool form where they can provide or select existing credentials.
+3. **Secure Storage**: All secrets are automatically stored encrypted in the vault (configured via `vault_config_file`).
+4. **Automatic Injection**: When the tool runs, Galaxy injects the credentials as environment variables into the tool's execution environment.
+
+### Vault Configuration Requirements
+
+The tool credentials system requires a properly configured vault. Any of the supported vault backends (hashicorp, custos, or database) can be used. Ensure you have:
+
+1. Set up your vault configuration as described in the sections above
+2. Configured the `vault_config_file` setting in `galaxy.yml`
+3. Tested that the vault is working properly
+
+The tool credentials system will automatically use the configured vault to store all tool secrets.
+
+### Admin Considerations
+
+- **No additional configuration needed**: Unlike the older user preferences approach, the tool credentials system requires no admin configuration in `user_preferences_extra_conf.yml`. Tools can define their own credential requirements.
+- **Vault is required**: The tool credentials system only works when a vault is configured. If no vault is configured, tools requesting credentials will not function properly.
+- **User isolation**: Each user's credentials are isolated in the vault. Credentials cannot be shared between users.
+- **Migration from user preferences**: If you previously configured tool credentials via `user_preferences_extra_conf.yml`, those can be gradually phased out as tools migrate to the new system. Both systems can coexist.
+
+### API Access
+
+The tool credentials system provides a REST API at `/api/users/{user_id}/credentials` for programmatic credential management. This can be useful for:
+- Automating credential setup for multiple users
+- Building custom credential management interfaces
+- Integrating with external identity management systems
+
+For more information on the tool credentials system from a developer perspective, see the [Tool XML Schema documentation](https://docs.galaxyproject.org/en/master/dev/schema.html#tool-requirements-credentials).

doc/source/releases/25.1_announce.rst

@@ -97,6 +97,13 @@ Deprecation Notices
   * `Galaxy Monitoring with Telegraf and Grafana <https://training.galaxyproject.org/training-material/topics/admin/tutorials/monitoring/tutorial.html>`__
   * `Galaxy Monitoring with gxadmin <https://training.galaxyproject.org/training-material/topics/admin/tutorials/gxadmin/tutorial.html>`__
 
+**Deprecation of Python 3.9 support in Galaxy release 26.0**
+  Since Python 3.9 reached its end-of-life in October 2025, support for it will
+  be removed in Galaxy 26.0.
+  Administrators should upgrade their Python environment to version 3.10 or
+  higher to avoid security vulnerabilities and ensure a smooth transition to
+  Galaxy 26.0 and beyond.
+
 Release Team
 ===========================================================
 

lib/galaxy/config/sample/galaxy.yml.sample

@@ -1518,7 +1518,7 @@ galaxy:
 
   # The BibTeX citation for Galaxy, to be displayed in the History Tool
   # Reference List
-  #citation_bibtex: '@article{Galaxy2024, title={The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update}, author={{The Galaxy Community}}, journal={Nucleic Acids Research}, year={2024}, doi={10.1093/nar/gkae410}, url={https://doi.org/10.1093/nar/gkae410}}'
+  #citation_bibtex: '@article{Galaxy2024, title="The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update", author="{The Galaxy Community}", journal="Nucleic Acids Research", year="2024", doi="10.1093/nar/gkae410", url="https://doi.org/10.1093/nar/gkae410"}'
 
   # The URL linked by the "Galaxy Version" link in the "Help" menu.
   #release_doc_base_url: https://docs.galaxyproject.org/en/release_

lib/galaxy/config/schemas/config_schema.yml

@@ -1834,7 +1834,7 @@ mapping:
 
       citation_bibtex:
         type: str
-        default: "@article{Galaxy2024, title={The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update}, author={{The Galaxy Community}}, journal={Nucleic Acids Research}, year={2024}, doi={10.1093/nar/gkae410}, url={https://doi.org/10.1093/nar/gkae410}}"
+        default: '@article{Galaxy2024, title="The Galaxy platform for accessible, reproducible, and collaborative data analyses: 2024 update", author="{The Galaxy Community}", journal="Nucleic Acids Research", year="2024", doi="10.1093/nar/gkae410", url="https://doi.org/10.1093/nar/gkae410"}'
         required: false
         per_host: true
         desc: |