diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e70a73961..7a8fabec1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -71,3 +71,43 @@ updates: package-ecosystem: pip schedule: interval: weekly + + - package-ecosystem: docker + directory: /classical-ml + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /preset/classical-ml + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /preset/data-analytics + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /preset/deep-learning + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /preset/inference-optimization + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /python + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /pytorch + schedule: + interval: weekly + + - package-ecosystem: docker + directory: /tensorflow + schedule: + interval: weekly diff --git a/.github/workflows/chart-ci.yaml b/.github/workflows/chart-ci.yaml index 93d55502c..996c94e82 100644 --- a/.github/workflows/chart-ci.yaml +++ b/.github/workflows/chart-ci.yaml 
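Review bot: Nothing in this hunk keeps the commit-SHA pins introduced elsewhere in this change current: unless a `package-ecosystem: github-actions` entry already exists earlier in `updates:` (that part of the file is outside the diff), the `# vX.Y.Z` comments on the pinned actions will age silently, since Dependabot is what refreshes SHA pins by the release tag in the trailing comment. Worth confirming that entry is present. The `# main` pins on `intel/ai-containers/...` in container-ci.yaml and test-runner-ci.yaml carry no release tag for Dependabot to follow, so those will need a manual bump regardless. The eight new `docker` entries only differ in `directory`, which is fine, but the head of the `updates:` list is not visible here.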
@@ -27,17 +27,22 @@ jobs: helm-ci: runs-on: kubectl steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 # ref: "refs/pull/${{ github.event.number }}/merge" - - uses: azure/setup-kubectl@v4 - - uses: azure/setup-helm@v4.2.0 - - uses: actions/setup-python@v5 + - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.x - name: Setup chart-testing - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Get chart diff id: changed run: | diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index 8afc941ce..810fd2789 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -38,6 +38,7 @@ on: ref: description: 'Enter Git Ref:' required: true + default: 'main' type: string runner_label: description: 'Enter Validation Runner Label:' @@ -82,7 +83,11 @@ jobs: matrix: ${{ steps.build-matrix.outputs.matrix }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - name: Set Matrix 
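Review bot: The Harden Runner step is added to a job on `runs-on: kubectl`, which looks like a self-hosted label; step-security/harden-runner's egress monitoring targets GitHub-hosted Ubuntu runners and, on a self-hosted runner without its ARC-based support, the step skips or fails rather than auditing anything. The same applies to the `integration-test` job on `runs-on: k8-runners` in test-runner-ci.yaml. Check the step's log on that runner; if it is a no-op there, either drop it for those jobs or gate it with `if: runner.environment == 'github-hosted'` so the audit intent is honest.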
@@ -101,11 +106,11 @@ jobs: outputs: group: ${{ steps.build-group.outputs.container-group }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} if: ${{ !inputs.no_build }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} @@ -114,7 +119,7 @@ jobs: - name: Build Container Group if: ${{ !inputs.no_build }} id: build-group - uses: intel/ai-containers/.github@main + uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: group_dir: ${{ inputs.group_dir }} env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }} @@ -131,7 +136,11 @@ jobs: outputs: matrix: ${{ steps.scan-matrix.outputs.matrix }} steps: - - uses: actions/download-artifact@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: path: matrix - name: Set Matrix @@ -146,10 +155,10 @@ jobs: container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }} fail-fast: false steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} 
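Review bot: In the `@@ -114,7 +119,7 @@` hunk, pinning `intel/ai-containers/.github` to a commit of this same repository with a `# main` comment freezes the composite action at that revision while the workflow around it keeps moving; a PR that edits the action under `.github` will still be built by the old copy, and the comment no longer describes what is pinned. The job has already checked out `inputs.ref`, so `uses: ./.github` would exercise the checked-out copy instead, provided this workflow only ever runs inside this repository (a `workflow_call` consumer from another repo would break a local path). The same applies to `intel/ai-containers/.github/scan@5d9f53d…` in the scan job and `intel/ai-containers/test-runner@5d9f53d…` in the test job of this file and in test-runner-ci.yaml.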
@@ -157,14 +166,14 @@ jobs: - name: Pull Image run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} - name: Scan Container - uses: intel/ai-containers/.github/scan@main + uses: intel/ai-containers/.github/scan@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} output: ${{ matrix.container }}-scan.sarif - name: Cleanup if: always() run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} - - uses: github/codeql-action/upload-sarif@v3 + - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 with: sarif_file: '${{ matrix.container }}-scan.sarif' #################################################################################################### @@ -176,7 +185,11 @@ jobs: outputs: matrix: ${{ steps.test-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - name: Get Recipes 
@@ -192,19 +205,19 @@ jobs: experimental: [true] fail-fast: false steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: ${{ inputs.group_dir }} diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index c8db227de..35f735dbb 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -21,7 +21,10 @@ # # Source repository: https://github.com/actions/dependency-review-action name: 'Dependency Review' -on: [pull_request] +on: + pull_request_target: + types: [opened, edited, reopened, synchronize] + branches: [main] permissions: contents: read concurrency: @@ -32,7 +35,11 @@ jobs: permissions: pull-requests: write steps: - - uses: actions/checkout@v4 - - uses: actions/dependency-review-action@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 with: comment-summary-in-pr: true diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index f2849b6bf..342e82db6 100644 
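Review bot: In dependency-review.yaml, switching the trigger to `pull_request_target` means the job now runs with the base repository's secrets and a token elevated to `pull-requests: write`, so the `actions/checkout` step in the second hunk must stay without a `ref:` — under this event it checks out the base branch, which is what keeps PR-authored content out of a job holding a write token. That invariant is easy to lose in a later edit; a comment on the checkout step would pin it down, e.g. `# pull_request_target: checkout stays on the base branch — never point ref: at the PR head here`. The `edited` type in `types:` also re-runs the review on title/body edits, which change no dependencies and could be dropped.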
--- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -23,7 +23,12 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Set matrix data id: set-matrix run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT @@ -34,8 +39,13 @@ jobs: matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }} fail-fast: false steps: - - uses: actions/checkout@v4 - - uses: peter-evans/dockerhub-description@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index e4f7f867f..efa4e432d 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -30,8 +30,12 @@ jobs: id-token: write pages: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.8 cache: pip 
@@ -39,8 +43,8 @@ jobs: run: python -m pip install -r docs/requirements.txt - name: Build run: mkdocs build --clean - - uses: actions/upload-pages-artifact@v3 + - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: site - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml index 8769265f4..b207a4c25 100644 --- a/.github/workflows/gitleaks.yaml +++ b/.github/workflows/gitleaks.yaml @@ -24,11 +24,15 @@ jobs: name: gitleaks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: "refs/pull/${{ github.event.number }}/merge" - - uses: gitleaks/gitleaks-action@v2 + - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6 env: GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml index a374ed116..efba86e43 100644 --- a/.github/workflows/integration-test.yaml +++ b/.github/workflows/integration-test.yaml @@ -28,7 +28,11 @@ jobs: outputs: groups: ${{ steps.group-list.outputs.FOLDERS }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: "refs/pull/${{ github.event.number }}/merge" 
@@ -75,6 +79,10 @@ jobs: runs-on: ubuntu-latest if: always() steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit - run: exit 1 if: >- ${{ diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 49f558924..df78f9d09 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -27,11 +27,15 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: "refs/pull/${{ github.event.number }}/merge" - - uses: super-linter/super-linter/slim@v6.5.1 + - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1 env: # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 240202a41..364fbe1c6 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -35,20 +35,25 @@ jobs: contents: read actions: read steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - - uses: ossf/scorecard-action@v2.3.3 + - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif repo_token: ${{ secrets.ACTION_TOKEN }} publish_results: true - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@v3.25.3 + - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: sarif_file: results.sarif diff --git a/.github/workflows/test-runner-ci.yaml b/.github/workflows/test-runner-ci.yaml index a86542e46..51e9a0501 100644 --- a/.github/workflows/test-runner-ci.yaml +++ b/.github/workflows/test-runner-ci.yaml 
@@ -32,18 +32,22 @@ jobs: python: ["3.8", "3.9", "3.10", "3.11", "3.12"] fail-fast: true steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: "refs/pull/${{ github.event.number }}/merge" - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python }} - name: Install requirements @@ -55,7 +59,7 @@ jobs: FORCE_COLOR: 1 REGISTRY: ${{ secrets.REGISTRY }} REPO: ${{ secrets.REPO }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: covdata-${{ matrix.python }} path: ${{ github.workspace }}/.coverage* @@ -63,13 +67,17 @@ jobs: needs: [unit-test] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: "refs/pull/${{ github.event.number }}/merge" - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.10" - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: merge-multiple: true - name: Coverage 
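Review bot: `egress-policy: audit` only records outbound connections, and in this job the PR merge ref is checked out, `docker/login-action` holds `REGISTRY_TOKEN`, and the following `Install requirements` step (its command is outside the hunk) presumably installs from the checked-out tree; the `if: github.event_name == 'pull_request_target'` later in this file suggests the workflow runs for PRs with those secrets available. If so, audit mode will not stop exfiltration by a PR-modified requirements file; `egress-policy: block` with an `allowed-endpoints:` list (the registry host — placeholder `<registry-host>:443` — plus `pypi.org:443`, `files.pythonhosted.org:443`, `github.com:443`) is what actually constrains it, after one audit-mode run to collect the real endpoint set. The same applies to the `integration-test` hunk in this file and the `test` job hunk in container-ci.yaml.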
@@ -79,34 +87,38 @@ jobs: python -m coverage xml --skip-empty - name: Comment on PR if: ${{ github.event_name == 'pull_request_target' }} - uses: orgoro/coverage@v3.1 + uses: orgoro/coverage@4e3bc9302f715595336a40f7dd4a3b15c687bdb4 # v3.1 with: coverageFile: coverage.xml token: ${{ secrets.ACTION_TOKEN }} treshholdAll: 80 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage.xml path: coverage.xml integration-test: runs-on: k8-runners steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: "refs/pull/${{ github.event.number }}/merge" - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8" - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: test-runner diff --git a/.github/workflows/weekly-test.yaml b/.github/workflows/weekly-test.yaml index c704e1e38..5315bcdc7 100644 --- a/.github/workflows/weekly-test.yaml +++ b/.github/workflows/weekly-test.yaml 
@@ -24,7 +24,12 @@ jobs: outputs: groups: ${{ steps.group-list.outputs.FOLDERS }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Output Group Directories id: group-list run: |