From d637614fcc966c02c3df1832f911cf90c4236166 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 30 May 2024 21:54:47 +0000 Subject: [PATCH 01/27] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 50 +++++++++++++++++++ .github/workflows/chart-ci.yaml | 15 ++++-- .github/workflows/container-ci.yaml | 53 +++++++++++++++------ .github/workflows/dependency-review.yaml | 9 +++- .github/workflows/dockerhub-description.yml | 16 +++++-- .github/workflows/docs.yaml | 13 +++-- .github/workflows/gitleaks.yaml | 9 +++- .github/workflows/integration-test.yaml | 12 ++++- .github/workflows/lint.yaml | 9 +++- .github/workflows/scorecard.yaml | 13 +++-- .github/workflows/test-runner-ci.yaml | 45 +++++++++++------ .github/workflows/weekly-test.yaml | 7 ++- 12 files changed, 198 insertions(+), 53 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e70a73961..603bf2c70 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -71,3 +71,53 @@ updates: package-ecosystem: pip schedule: interval: weekly + + - package-ecosystem: docker + directory: /classical-ml + schedule: + interval: daily + + - package-ecosystem: docker + directory: /preset/classical-ml + schedule: + interval: daily + + - package-ecosystem: docker + directory: /preset/data-analytics + schedule: + interval: daily + + - package-ecosystem: docker + directory: /preset/deep-learning + schedule: + interval: daily + + - package-ecosystem: docker + directory: /preset/inference-optimization + schedule: + interval: daily + + - package-ecosystem: docker + directory: /python + schedule: + interval: daily + + - package-ecosystem: docker + directory: /pytorch + schedule: + interval: daily + + - package-ecosystem: pip + directory: /pytorch/serving/model-store + schedule: + interval: daily + + - package-ecosystem: docker + directory: /tensorflow + schedule: + interval: daily + + - package-ecosystem: pip + directory: /tensorflow/serving + schedule: + interval: daily diff --git a/.github/workflows/chart-ci.yaml b/.github/workflows/chart-ci.yaml index d98a6bc8d..cae9e6656 100644 --- a/.github/workflows/chart-ci.yaml +++ b/.github/workflows/chart-ci.yaml 
@@ -27,17 +27,22 @@ jobs: helm-ci: runs-on: kubectl steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 # ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: azure/setup-kubectl@v4 - - uses: azure/setup-helm@v4.2.0 - - uses: actions/setup-python@v5 + - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.x - name: Setup chart-testing - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Get chart diff id: changed run: | diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index 8afc941ce..fa630fd9a 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -82,7 +82,12 @@ jobs: matrix: ${{ steps.build-matrix.outputs.matrix }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - name: Set Matrix 
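Review bot: The added `Harden Runner` step in chart-ci's `helm-ci` job sits on `runs-on: kubectl`, which reads as a self-hosted runner, while the GitHub-hosted `step-security/harden-runner` action is documented for GitHub-hosted Ubuntu runners; I am not certain whether the step no-ops or fails there, so confirm it actually attaches (the same question applies to the `integration-test` job in test-runner-ci.yaml on `k8-runners`). Separately, every Harden Runner step this patch adds uses `egress-policy: audit`, which only records outbound connections and does not stop a compromised dependency from reaching an arbitrary host. That is the right first step, but since these jobs hold registry and DockerHub credentials the follow-up of moving to `egress-policy: block` with an `allowed-endpoints` list once the audit baseline is known should be tracked, e.g. with `# TODO: switch to egress-policy: block after reviewing the audit report` above the step. The SHA pins with matching version comments are the form Dependabot needs to keep them updated.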
@@ -101,11 +106,16 @@ jobs: outputs: group: ${{ steps.build-group.outputs.container-group }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} if: ${{ !inputs.no_build }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} @@ -114,7 +124,7 @@ jobs: - name: Build Container Group if: ${{ !inputs.no_build }} id: build-group - uses: intel/ai-containers/.github@main + uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: group_dir: ${{ inputs.group_dir }} env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }} @@ -131,7 +141,12 @@ jobs: outputs: matrix: ${{ steps.scan-matrix.outputs.matrix }} steps: - - uses: actions/download-artifact@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: path: matrix - name: Set Matrix @@ -146,10 +161,15 @@ jobs: container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }} fail-fast: false steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} 
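Review bot: `uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main` in the `Build Container Group` step pins a same-repository action to a fixed commit, so a pull request that changes that action would still be built by the old copy, and the `# main` comment names a branch rather than a tag, so Dependabot has no version to track and the pin goes stale silently. Because the job has already run `actions/checkout` on `inputs.ref`, the local form `uses: ./.github` exercises the checked-out version and avoids both problems. The same pattern appears in the `Scan Container` step (`.github/scan@…`) and the `Test Container Group` step (`test-runner@…`) in the following hunks of this file and in test-runner-ci.yaml.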
@@ -157,14 +177,14 @@ jobs: - name: Pull Image run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} - name: Scan Container - uses: intel/ai-containers/.github/scan@main + uses: intel/ai-containers/.github/scan@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} output: ${{ matrix.container }}-scan.sarif - name: Cleanup if: always() run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }} - - uses: github/codeql-action/upload-sarif@v3 + - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 with: sarif_file: '${{ matrix.container }}-scan.sarif' #################################################################################################### @@ -176,7 +196,12 @@ jobs: outputs: matrix: ${{ steps.test-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - name: Get Recipes 
@@ -192,19 +217,19 @@ jobs: experimental: [true] fail-fast: false steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: ${{ inputs.group_dir }} diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index c8db227de..65dc0f1e5 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -32,7 +32,12 @@ jobs: permissions: pull-requests: write steps: - - uses: actions/checkout@v4 - - uses: actions/dependency-review-action@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 with: comment-summary-in-pr: true diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index f2849b6bf..342e82db6 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml 
@@ -23,7 +23,12 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Set matrix data id: set-matrix run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT @@ -34,8 +39,13 @@ jobs: matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }} fail-fast: false steps: - - uses: actions/checkout@v4 - - uses: peter-evans/dockerhub-description@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index e927369d4..9ef04f438 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -31,8 +31,13 @@ jobs: id-token: write pages: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.8 cache: pip 
@@ -40,8 +45,8 @@ jobs: run: python -m pip install -r docs/requirements.txt - name: Build run: mkdocs build --clean - - uses: actions/upload-pages-artifact@v3 + - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: site - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml index 36eb7cc39..40562fd1a 100644 --- a/.github/workflows/gitleaks.yaml +++ b/.github/workflows/gitleaks.yaml @@ -27,11 +27,16 @@ jobs: name: gitleaks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: gitleaks/gitleaks-action@v2 + - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6 env: GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml index 9f87ecc11..645f51e9a 100644 --- a/.github/workflows/integration-test.yaml +++ b/.github/workflows/integration-test.yaml @@ -28,7 +28,12 @@ jobs: outputs: groups: ${{ steps.group-list.outputs.FOLDERS }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref || github.ref }} 
@@ -75,6 +80,11 @@ jobs: runs-on: ubuntu-latest if: always() steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - run: exit 1 if: >- ${{ diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 9d23711fd..b45112f1e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -30,11 +30,16 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: super-linter/super-linter/slim@v6.5.1 + - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1 env: # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 240202a41..364fbe1c6 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -35,20 +35,25 @@ jobs: contents: read actions: read steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - - uses: ossf/scorecard-action@v2.3.3 + - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif repo_token: ${{ secrets.ACTION_TOKEN }} publish_results: true - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@v3.25.3 + - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 with: sarif_file: results.sarif diff --git a/.github/workflows/test-runner-ci.yaml b/.github/workflows/test-runner-ci.yaml index 2c287bce3..7c9f02730 100644 --- a/.github/workflows/test-runner-ci.yaml +++ b/.github/workflows/test-runner-ci.yaml 
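Review bot: `github/codeql-action/upload-sarif` is pinned here at `d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3` while the same action in container-ci.yaml (`Scan Container` job) is pinned at `9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6`; the pins were generated from the previously floating `@v3.25.3` and `@v3` tags, so the commit preserves a drift that already existed. Two versions of one action in one repository double the review surface for every Dependabot bump; pick one SHA for both, and consider a Dependabot `groups` entry for the github-actions ecosystem so they move together.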
@@ -35,18 +35,23 @@ jobs: python: ["3.8", "3.9", "3.10", "3.11", "3.12"] fail-fast: true steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python }} - name: Install requirements @@ -58,7 +63,7 @@ jobs: FORCE_COLOR: 1 REGISTRY: ${{ secrets.REGISTRY }} REPO: ${{ secrets.REPO }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: covdata-${{ matrix.python }} path: ${{ github.workspace }}/.coverage* @@ -66,13 +71,18 @@ jobs: needs: [unit-test] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.10" - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: merge-multiple: true - name: Coverage 
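Review bot: The `unit-test` job now runs Harden Runner in audit mode and then checks out `github.event.pull_request.head.ref || github.ref` before logging into the registry with `secrets.REGISTRY_TOKEN`; the `Comment on PR` condition later in this file (`github.event_name == 'pull_request_target'`) suggests the workflow is triggered on `pull_request_target`, and if so the job executes pull-request code after the registry login has already been written to the runner, which audit-mode egress logging records but does not prevent. The trigger block is outside the hunk, so this is inferred; if it is `pull_request_target`, either run these steps under plain `pull_request` without registry secrets, or gate the job on a maintainer approval/label so untrusted code does not run with credentials on disk. `python-version: ${{ matrix.python }}` is fine since the matrix values are already quoted strings.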
@@ -82,34 +92,39 @@ jobs: python -m coverage xml --skip-empty - name: Comment on PR if: ${{ github.event_name == 'pull_request_target' }} - uses: orgoro/coverage@v3.1 + uses: orgoro/coverage@4e3bc9302f715595336a40f7dd4a3b15c687bdb4 # v3.1 with: coverageFile: coverage.xml token: ${{ secrets.ACTION_TOKEN }} treshholdAll: 80 - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage.xml path: coverage.xml integration-test: runs-on: k8-runners steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.ref || github.ref }} - - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 with: driver: docker - - uses: docker/login-action@v3 + - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8" - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: test-runner diff --git a/.github/workflows/weekly-test.yaml b/.github/workflows/weekly-test.yaml index c704e1e38..5315bcdc7 100644 --- a/.github/workflows/weekly-test.yaml +++ b/.github/workflows/weekly-test.yaml 
@@ -24,7 +24,12 @@ jobs: outputs: groups: ${{ steps.group-list.outputs.FOLDERS }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Output Group Directories id: group-list run: | From f7b0d8ba5b7f0ade76111cf544941b27b76a3a14 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 14:56:04 -0700 Subject: [PATCH 02/27] Update dependabot.yml --- .github/dependabot.yml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 603bf2c70..7a8fabec1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -75,49 +75,39 @@ updates: - package-ecosystem: docker directory: /classical-ml schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /preset/classical-ml schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /preset/data-analytics schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /preset/deep-learning schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /preset/inference-optimization schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /python schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /pytorch schedule: - interval: daily - - - package-ecosystem: pip - directory: /pytorch/serving/model-store - schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: /tensorflow schedule: - interval: daily - - - package-ecosystem: pip - directory: /tensorflow/serving - schedule: - interval: daily + interval: weekly From 802a380212420532b01e3844be03832e17060c5f Mon Sep 17 00:00:00 2001 
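Review bot: This drops the `pip` entries for `/pytorch/serving/model-store` and `/tensorflow/serving` rather than only relaxing their interval, with no reason in the commit message; if those directories carry a requirements file, their pins are no longer monitored at all. If the entries were removed because Dependabot found no manifest there, a one-line note in the commit message or a comment such as `# no pip manifests under serving/; docker entries below cover those images` above the remaining `docker` entries would save the next reader from re-adding them. The `daily` to `weekly` change itself matches the existing `pip` entry just above the hunk.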
From: Tyler Titsworth Date: Thu, 30 May 2024 14:58:07 -0700 Subject: [PATCH 03/27] Update dependency-review.yaml --- .github/workflows/dependency-review.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 65dc0f1e5..6fa610e22 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -21,7 +21,11 @@ # # Source repository: https://github.com/actions/dependency-review-action name: 'Dependency Review' -on: [pull_request] +on: + pull_request: null + pull_request_target: + types: [opened, edited, reopened, synchronize] + branches: [main] permissions: contents: read concurrency: From 3d75d2af74107cf45439983e8735403255cd01fb Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:00:35 -0700 Subject: [PATCH 04/27] Update container-ci.yaml --- .github/workflows/container-ci.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index fa630fd9a..af6a3e648 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -38,6 +38,12 @@ on: ref: description: 'Enter Git Ref:' required: true + default: 'main' + type: string + repo: + description: 'Enter Git Repo: + required: true + default: 'intel/ai-containers' type: string runner_label: description: 'Enter Validation Runner Label:' @@ -73,6 +79,9 @@ on: ref: required: true type: string + repo: + required: true + type: string jobs: #################################################################################################### # Compose Build 
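Review bot: `on:` now lists both `pull_request: null` and `pull_request_target` (for `opened, edited, reopened, synchronize` on `main`), so a same-repository pull request fires both events and the job, which posts `comment-summary-in-pr: true`, may run and comment twice unless the `concurrency:` block just below the hunk cancels one of them. `pull_request_target` runs with the base repository's secrets and this job already holds `pull-requests: write`, which is acceptable only as long as the job never checks out or executes PR-head content; the job's checkout step (outside the hunk) uses the default ref, so that currently holds, and a comment such as `# pull_request_target: this job must never check out or run PR-head code` above the trigger would keep it that way. If the intent is only to let fork PRs receive the summary comment, `pull_request_target` alone with the same `types` list is enough.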
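Review bot: `description: 'Enter Git Repo:` on the new `repo` input is missing its closing quote, so the single-quoted scalar runs on into the following lines and the workflow file will fail to parse; it should read `description: 'Enter Git Repo:'`. The new `workflow_dispatch` input also makes a caller-chosen repository the source of a build that later logs into the registry with `secrets.REGISTRY_TOKEN`; dispatch requires write access so this is a maintainer-only path, but a comment such as `# repo is checked out with registry credentials in scope; dispatch only against trusted forks` on the input would make that explicit.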
@@ -86,10 +95,10 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} + repo: ${{ inputs.repo }} - name: Set Matrix id: build-matrix run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT @@ -114,6 +123,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} + repo: ${{ inputs.repo }} if: ${{ !inputs.no_build }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: @@ -169,6 +179,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} + repo: ${{ inputs.repo }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} @@ -204,6 +215,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} + repo: ${{ inputs.repo }} - name: Get Recipes id: test-matrix run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT @@ -223,6 +235,7 @@ jobs: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} + repo: ${{ inputs.repo }} - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ${{ secrets.REGISTRY }} From 5a3142934f13968a886f153395b4ca99ef40b4b2 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:04:30 -0700 Subject: [PATCH 05/27] Update integration-test.yaml --- .github/workflows/integration-test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml index 645f51e9a..501631104 100644 
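Review bot: `repo: ${{ inputs.repo }}` is not an input that `actions/checkout` declares — the repository to check out is passed as `repository:` — so each of these five `with:` blocks will log an unexpected-input warning and still check out the workflow's own repository, silently ignoring the caller's choice. Changing the key to `repository: ${{ inputs.repo }}` fixes it; the same key is introduced in integration-test.yaml (PATCH 05) and lint.yaml (PATCH 13). The enclosing jobs all begin before their hunks.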
--- a/.github/workflows/integration-test.yaml +++ b/.github/workflows/integration-test.yaml @@ -32,11 +32,11 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref || github.ref }} + repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }} - name: Output Modified Group Directories id: group-list run: | @@ -74,6 +74,7 @@ jobs: with: group_dir: ${{ matrix.group }} ref: "refs/pull/${{ github.event.number }}/merge" + repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }} secrets: inherit status-check: needs: [group-diff, pipeline-ci] @@ -84,7 +85,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - run: exit 1 if: >- ${{ From 92d30c20d31847c9f9be8c772c927b26266318c9 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:05:33 -0700 Subject: [PATCH 06/27] Update container-ci.yaml --- .github/workflows/container-ci.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index af6a3e648..2e170d872 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -115,11 +115,6 @@ jobs: outputs: group: ${{ steps.build-group.outputs.container-group }} steps: - - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 - with: - egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} 
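Review bot: `repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }}` evaluates, as far as I can tell, to an empty string: the `pull_request` webhook payload has no `repository` member under `pull_request` (the source fork is at `pull_request.head.repo.full_name`; the repository running the workflow is `github.repository`), and the `merge_group` payload likewise has no `repository` member. An empty value passed to the `repo` input of container-ci is indistinguishable from "not set", so the fork case this tries to handle is not actually covered; `${{ github.event.pull_request.head.repo.full_name || github.repository }}` is the expression that names the source repository, with `github.repository` also being correct for merge-queue runs. The `status-check` hunk here only removes a blank line.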
@@ -155,7 +150,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: path: matrix @@ -171,11 +165,6 @@ jobs: container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }} fail-fast: false steps: - - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 - with: - egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} @@ -211,7 +200,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ inputs.ref }} From e0f3e688892df7614a5dea4227fc05ec62563b17 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:07:03 -0700 Subject: [PATCH 07/27] Update container-ci.yaml --- .github/workflows/container-ci.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index 2e170d872..ccf9f3f35 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -41,7 +41,7 @@ on: default: 'main' type: string repo: - description: 'Enter Git Repo: + description: 'Enter Git Repo:' required: true default: 'intel/ai-containers' type: string @@ -233,6 +233,8 @@ jobs: uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} + gh_repo: ${{ inputs.repo }} + gh_ref: ${{ inputs.ref }} recipe_dir: ${{ inputs.group_dir }} registry: ${{ secrets.REGISTRY }} repo: ${{ secrets.REPO }} From 4faa73a395bac039691553c7b93b867fb6b32675 Mon Sep 17 00:00:00 2001 
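Review bot: `gh_repo: ${{ inputs.repo }}` and `gh_ref: ${{ inputs.ref }}` are passed to `intel/ai-containers/test-runner` pinned at `5d9f53d02bdf065086dffa4ae6d99a412184710c`, and the next commit (PATCH 08) is the one that adds `gh_repo`/`gh_ref` to `test-runner/action.yml`, so the pinned revision most likely does not declare them and they will be reported as unexpected inputs and dropped. Pinning a same-repository action to a commit means every new input needs a matching pin bump, which this change does not make; `uses: ./test-runner` after the job's checkout would keep the call and the action definition in lockstep. The enclosing job begins before this hunk.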
From: Tyler Titsworth Date: Thu, 30 May 2024 15:08:25 -0700 Subject: [PATCH 08/27] Update action.yml --- test-runner/action.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/test-runner/action.yml b/test-runner/action.yml index 91230773e..3854252fc 100644 --- a/test-runner/action.yml +++ b/test-runner/action.yml @@ -20,6 +20,14 @@ inputs: description: 'Container Cache Registry URL' required: true type: string + gh_repo: + description: 'GitHub Repo' + required: true + type: string + gh_ref: + description: 'GitHub Ref' + required: true + type: string recipe_dir: description: 'Path to Recipe Directory' required: false @@ -45,8 +53,8 @@ runs: - uses: actions/checkout@v4 with: path: mlops - ref: ${{ github.ref }} - repository: intel/ai-containers + ref: ${{ inputs.gh_ref }} + repository: ${{ inputs.gh_repo }} token: ${{ inputs.token }} - name: Install Requirements shell: bash From 408264a8b109566d2b3d60a50bb16ffdb1c47f53 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:09:21 -0700 Subject: [PATCH 09/27] Update container-ci.yaml --- .github/workflows/container-ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index ccf9f3f35..495e2dc63 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -233,8 +233,8 @@ jobs: uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main with: cache_registry: ${{ secrets.CACHE_REGISTRY }} - gh_repo: ${{ inputs.repo }} - gh_ref: ${{ inputs.ref }} + gh_repo: 'intel/ai-containers' # ${{ inputs.repo }} + gh_ref: ${{ github.ref }} # ${{ inputs.ref }} recipe_dir: ${{ inputs.group_dir }} registry: ${{ secrets.REGISTRY }} repo: ${{ secrets.REPO }} From 9939dd3a257cd82f8830759c56e9a91cff229045 Mon Sep 17 00:00:00 2001 
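Review bot: The checkout step in `test-runner/action.yml` now takes `repository: ${{ inputs.gh_repo }}` and `ref: ${{ inputs.gh_ref }}` from the caller, and the `Install Requirements` step that follows installs from that checkout, so whichever workflow invokes the action decides which repository's code runs with `inputs.token`; the previous hard-coded `intel/ai-containers` was the only thing keeping that fixed. Both new inputs are `required: true` with no default, which also breaks any existing caller that does not pass them. `- uses: actions/checkout@v4` in this action stays on a floating tag while every workflow in PATCH 01 was pinned to a SHA; pin it the same way, `actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6`.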
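Review bot: `gh_repo: 'intel/ai-containers' # ${{ inputs.repo }}` and `gh_ref: ${{ github.ref }} # ${{ inputs.ref }}` hard-code the values and leave the rejected expressions as trailing comments, which reads as a temporary workaround without saying so; either drop the comments or replace them with the reason, e.g. `# fixed until test-runner is re-pinned to a revision that accepts inputs.repo/inputs.ref`. Note that `github.ref` here is the ref of the triggering event, not the `inputs.ref` that the rest of this file checks out, so the test-runner action and the containers under test may come from different revisions.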
From: Tyler Titsworth Date: Thu, 30 May 2024 15:09:52 -0700 Subject: [PATCH 10/27] Update docs.yaml --- .github/workflows/docs.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 9ef04f438..a4f6ef5a5 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -35,7 +35,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: From 454c3e0d0bd09106116049965f070045a72dc00b Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:10:03 -0700 Subject: [PATCH 11/27] Update gitleaks.yaml --- .github/workflows/gitleaks.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml index 40562fd1a..23824f963 100644 --- a/.github/workflows/gitleaks.yaml +++ b/.github/workflows/gitleaks.yaml @@ -31,7 +31,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 From 946da4ce8b893b848ad82d8f24cdac913c862d04 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:11:03 -0700 Subject: [PATCH 12/27] Update dependency-review.yaml --- .github/workflows/dependency-review.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 6fa610e22..94be46c63 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml 
@@ -40,7 +40,6 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 with: From 94eccf7f25ab8d522ffdfe12fe61b56a72acc7c1 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:14:47 -0700 Subject: [PATCH 13/27] Update lint.yaml --- .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b45112f1e..3fe538529 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -34,11 +34,11 @@ jobs: uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.ref || github.ref }} + repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }} - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1 env: # To report GitHub Actions status checks From 1f4a75e30876fbd2519441508e0a65836f753610 Mon Sep 17 00:00:00 2001 From: Tyler Titsworth Date: Thu, 30 May 2024 15:18:18 -0700 Subject: [PATCH 14/27] Update lint.yaml --- .github/workflows/lint.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 3fe538529..4fbff66cd 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -37,8 +37,7 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.ref || github.ref }}
- repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }}
+ ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1
 env:
 # To report GitHub Actions status checks
From 7888483bbf7b755adf07c1d16cb1616d1e972bb0 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:18:53 -0700
Subject: [PATCH 15/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 501631104..e7098ca38 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -35,8 +35,7 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.ref || github.ref }}
- repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }}
+ ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 - name: Output Modified Group Directories
 id: group-list
 run: |
@@ -73,8 +72,7 @@ jobs:
 uses: ./.github/workflows/container-ci.yaml
 with:
 group_dir: ${{ matrix.group }}
- ref: "refs/pull/${{ github.event.number }}/merge"
- repo: ${{ github.event.pull_request.repository || github.event.merge_group.repository }}
+ ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 secrets: inherit
 status-check:
 needs: [group-diff, pipeline-ci]
From 32bcb2c7853f13811881b2553779b0c88810e6d5 Mon Sep 17 00:00:00 2001
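Review bot: `github.event.pull_request.merge_commit_sha` is not a dependable checkout target in the lint.yaml hunk: GitHub computes the test-merge commit asynchronously, so the field can be null right after an `opened`/`synchronize` event and stale once the base branch moves, and the `|| github.ref` fallback then silently lints the base branch instead of the pull request (under `pull_request_target`, `github.ref` is the base). The `refs/pull/N/merge` form used elsewhere in this series is resolved by git at checkout time; `ref: ${{ github.event.number && format('refs/pull/{0}/merge', github.event.number) || github.ref }}` keeps a fallback for non-PR events. The following patch introduces the same expression into integration-test.yaml, where later patches in the series replace it again, but lint.yaml is not revisited. lint.yaml's trigger block is outside this hunk, so which events reach this step is inferred.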
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:20:23 -0700
Subject: [PATCH 16/27] Update container-ci.yaml
---
 .github/workflows/container-ci.yaml | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml
index 495e2dc63..810fd2789 100644
--- a/.github/workflows/container-ci.yaml
+++ b/.github/workflows/container-ci.yaml
@@ -40,11 +40,6 @@ on:
 required: true
 default: 'main'
 type: string
- repo:
- description: 'Enter Git Repo:'
- required: true
- default: 'intel/ai-containers'
- type: string
 runner_label:
 description: 'Enter Validation Runner Label:'
 default: test-runner
@@ -79,9 +74,6 @@ on:
 ref:
 required: true
 type: string
- repo:
- required: true
- type: string
 jobs:
 ####################################################################################################
 # Compose Build
@@ -98,7 +90,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 ref: ${{ inputs.ref }}
- repo: ${{ inputs.repo }}
 - name: Set Matrix
 id: build-matrix
 run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
@@ -118,7 +109,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 ref: ${{ inputs.ref }}
- repo: ${{ inputs.repo }}
 if: ${{ !inputs.no_build }}
 - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
@@ -168,7 +158,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 ref: ${{ inputs.ref }}
- repo: ${{ inputs.repo }}
 - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ${{ secrets.REGISTRY }}
@@ -203,7 +192,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 ref: ${{ inputs.ref }}
- repo: ${{ inputs.repo }}
 - name: Get Recipes
 id: test-matrix
 run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -223,7 +211,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 ref: ${{ inputs.ref }}
- repo: ${{ inputs.repo }}
 - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
 with:
 registry: ${{ secrets.REGISTRY }}
@@ -233,8 +220,6 @@ jobs:
 uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
 with:
 cache_registry: ${{ secrets.CACHE_REGISTRY }}
- gh_repo: 'intel/ai-containers' # ${{ inputs.repo }}
- gh_ref: ${{ github.ref }} # ${{ inputs.ref }}
 recipe_dir: ${{ inputs.group_dir }}
 registry: ${{ secrets.REGISTRY }}
 repo: ${{ secrets.REPO }}
From 716c196e1696579f30b5d6268c142cf77a801b96 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:21:56 -0700
Subject: [PATCH 17/27] Update action.yml
---
 test-runner/action.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/test-runner/action.yml b/test-runner/action.yml
index 3854252fc..9dd73ef97 100644
--- a/test-runner/action.yml
+++ b/test-runner/action.yml
@@ -20,14 +20,6 @@ inputs:
 description: 'Container Cache Registry URL'
 required: true
 type: string
- gh_repo:
- description: 'GitHub Repo'
- required: true
- type: string
- gh_ref:
- description: 'GitHub Ref'
- required: true
- type: string
 recipe_dir:
 description: 'Path to Recipe Directory'
 required: false
@@ -53,8 +45,8 @@ runs:
 - uses: actions/checkout@v4
 with:
 path: mlops
- ref: ${{ inputs.gh_ref }}
- repository: ${{ inputs.gh_repo }}
+ ref: main
+ repository: intel/ai-containers
 token: ${{ inputs.token }}
 - name: Install Requirements
 shell: bash
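Review bot: The composite action's checkout in the second action.yml hunk is still `actions/checkout@v4`, a mutable tag, while every other checkout in this series is pinned to a commit; since this step also receives `inputs.token`, pin it the same way, `- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6`. With `ref: main` and `repository: intel/ai-containers` hard-coded (and `gh_ref`/`gh_repo` dropped from the test-runner call in the preceding container-ci hunk), the `mlops` checkout no longer follows the `ref` that container-ci applies to its own checkouts, so a pull request that changes whatever is consumed from that tree is validated against `main`. If that is intentional, the `ref` input description in container-ci should state that the test-runner's internal checkout is unaffected. What the `mlops` checkout feeds is outside this hunk, so that consequence is inferred.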
From d503c32cade26ac88fc90bb5ff95088ca1d39705 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:36:42 -0700
Subject: [PATCH 18/27] Update dependency-review.yaml
---
 .github/workflows/dependency-review.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 94be46c63..56c2d099a 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -28,13 +28,12 @@ on:
 branches: [main]
 permissions:
 contents: read
+ pull-requests: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
- permissions:
- pull-requests: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
From b0a848ebe85fe92ff0610c784672d6c46e86ce3c Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:38:15 -0700
Subject: [PATCH 19/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index e7098ca38..1b6bd26b7 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -35,7 +35,6 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
- ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 - name: Output Modified Group Directories
 id: group-list
 run: |
@@ -72,7 +71,6 @@ jobs:
 uses: ./.github/workflows/container-ci.yaml
 with:
 group_dir: ${{ matrix.group }}
- ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 secrets: inherit
 status-check:
 needs: [group-diff, pipeline-ci]
From 5bb17efd5e49040105e6efdec15e6a1aafe80c20 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:39:33 -0700
Subject: [PATCH 20/27] Update dependency-review.yaml
---
 .github/workflows/dependency-review.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 56c2d099a..35f735dbb 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -22,18 +22,18 @@
 # Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
 on:
- pull_request: null
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
 branches: [main]
 permissions:
 contents: read
- pull-requests: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
From 70403bd564b5fc675b71053ab74f3dfd76c919db Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:41:43 -0700
Subject: [PATCH 21/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 1b6bd26b7..bddccaada 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -15,6 +15,7 @@
 name: Integration Tests
 on:
 merge_group: null
+ pull_request: null
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
 branches: [main]
From e9417006b9685be2f44dc644163625c40b15882c Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:44:16 -0700
Subject: [PATCH 22/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index bddccaada..b28049e04 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -36,6 +36,7 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
+ ref: "refs/pull/${{ github.event.number }}/merge"
 - name: Output Modified Group Directories
 id: group-list
 run: |
From 0b16de4fb0fb8901a4a8f2ffc55a5991580c89b4 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:56:53 -0700
Subject: [PATCH 23/27] Update chart-ci.yaml
---
 .github/workflows/chart-ci.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/chart-ci.yaml b/.github/workflows/chart-ci.yaml
index 06344bc17..cae9e6656 100644
--- a/.github/workflows/chart-ci.yaml
+++ b/.github/workflows/chart-ci.yaml
@@ -35,17 +35,10 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
-<<<<<<< stepsecurity_remediation_1717106086
 # ref: ${{ github.event.pull_request.head.ref || github.ref }}
 - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
 - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
-=======
- # ref: "refs/pull/${{ github.event.number }}/merge"
- - uses: azure/setup-kubectl@v4
- - uses: azure/setup-helm@v4.2.0
- - uses: actions/setup-python@v5
->>>>>>> main
 with:
 python-version: 3.x
 - name: Setup chart-testing
From 5ac25089fd3a1b94a25cfc81945e81be23ac59f8 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:57:16 -0700
Subject: [PATCH 24/27] Update chart-ci.yaml
---
 .github/workflows/chart-ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/chart-ci.yaml b/.github/workflows/chart-ci.yaml
index cae9e6656..996c94e82 100644
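Review bot: The added `ref: "refs/pull/${{ github.event.number }}/merge"` in the integration-test.yaml hunk has no fallback for the `merge_group` trigger this workflow also declares (visible as context in the preceding and final patches); on that event `github.event.number` is unset, the ref expands to `refs/pull//merge`, and the checkout fails. The expression this replaces had a fallback, so keep one: `ref: ${{ github.event.number && format('refs/pull/{0}/merge', github.event.number) || github.ref }}`. The same literal is passed to container-ci in the patch 26 hunk and kept in gitleaks.yaml by patch 25, where it needs the same guard if that workflow runs on non-PR events (its trigger block is not in view).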
--- a/.github/workflows/chart-ci.yaml
+++ b/.github/workflows/chart-ci.yaml
@@ -35,7 +35,7 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
- # ref: ${{ github.event.pull_request.head.ref || github.ref }}
+ # ref: "refs/pull/${{ github.event.number }}/merge"
 - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
 - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
From 0a5ea42bb20a274576911118b53cf2f0ac4e07c0 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:58:02 -0700
Subject: [PATCH 25/27] Update gitleaks.yaml
---
 .github/workflows/gitleaks.yaml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 87f610a4f..b207a4c25 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -31,13 +31,8 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
 fetch-depth: 0
-<<<<<<< stepsecurity_remediation_1717106086
- ref: ${{ github.event.pull_request.head.ref || github.ref }}
- - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
-=======
 ref: "refs/pull/${{ github.event.number }}/merge"
- - uses: gitleaks/gitleaks-action@v2
->>>>>>> main
+ - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
 env:
 GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
 GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
From d5696aee195bb3cd23679bff72bce8b5edf7515f Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 15:59:05 -0700
Subject: [PATCH 26/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 1 +
 1 file changed, 1 insertion(+)
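Review bot: The chart-ci.yaml hunk only swaps one commented-out `ref:` for another, so the checkout still runs with no explicit ref and the comment records an intent that is never applied; either enable it with a fallback for non-PR events, `ref: ${{ github.event.number && format('refs/pull/{0}/merge', github.event.number) || github.ref }}`, or delete the dead line. If chart-ci is triggered by `pull_request_target` like its sibling workflows, the default checkout is the base branch and the chart changes under review are not what gets tested; the trigger block is outside this hunk, so that is inferred.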
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index b28049e04..8cf430f4f 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -73,6 +73,7 @@ jobs:
 uses: ./.github/workflows/container-ci.yaml
 with:
 group_dir: ${{ matrix.group }}
+ ref: "refs/pull/${{ github.event.number }}/merge"
 secrets: inherit
 status-check:
 needs: [group-diff, pipeline-ci]
From 3aee007175669adc28425dd5b3b3006d1bdc84e2 Mon Sep 17 00:00:00 2001
From: Tyler Titsworth
Date: Thu, 30 May 2024 16:01:18 -0700
Subject: [PATCH 27/27] Update integration-test.yaml
---
 .github/workflows/integration-test.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 8cf430f4f..efba86e43 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -15,7 +15,6 @@
 name: Integration Tests
 on:
 merge_group: null
- pull_request: null
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
 branches: [main]
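Review bot: The first integration-test.yaml hunk hands the PR merge ref to container-ci together with `secrets: inherit`, and after the final hunk the workflow's only pull-request trigger is `pull_request_target`, so the reusable workflow's registry login (`secrets.REGISTRY` in the container-ci hunks of patch 16) and its builds operate on a tree supplied by the pull-request author while holding the base repository's secrets. That is the documented hazard of checking out PR content from a `pull_request_target` job; if pull requests from forks are accepted, gate this job on a maintainer-controlled condition (for example a label check on the job, or an `environment` with required reviewers) or keep the secret-bearing steps off the PR-controlled path, and record the chosen policy in a comment next to `pull_request_target:`. Whether fork pull requests are permitted for this repository is not visible here.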