Release v0.6.6

.github/workflows/docker.yml

@@ -94,17 +94,17 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ secrets.DOCKER_REGISTRY_URL }}
           username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
 
       - name: 🐳 Build and push Backend Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: ./backend-agent
           file: ./backend-agent/Dockerfile
@@ -147,17 +147,17 @@ jobs:
           ls -la dist/
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ secrets.DOCKER_REGISTRY_URL }}
           username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
 
       - name: 🐳 Build and push Frontend Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: ./frontend
           file: ./frontend/Dockerfile
@@ -213,7 +213,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up kubectl
-        uses: azure/setup-kubectl@v4
+        uses: azure/setup-kubectl@v5
         with:
           version: 'latest'
 
@@ -246,7 +246,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up kubectl
-        uses: azure/setup-kubectl@v4
+        uses: azure/setup-kubectl@v5
         with:
           version: 'latest'
 

.github/workflows/lint-backend.yml

@@ -1,7 +1,7 @@
 name: Lint backend
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - develop
       - main
@@ -13,12 +13,14 @@ on:
 permissions:
   checks: write
   contents: read
-  pull-requests: write
 
 jobs:
   lint-backend:
     name: Run backend linter
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Check out Git repository

.github/workflows/lint-frontend.yml

@@ -1,7 +1,7 @@
 name: Lint frontend
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - develop
       - main
@@ -14,7 +14,7 @@ on:
 
 permissions:
   checks: write
-  contents: write
+  contents: read
 
 jobs:
   lint-frontend:

.github/workflows/pr-bot.yml

@@ -1,28 +1,35 @@
 name: AI-assisted
 on:
-  pull_request_target:
+  pull_request:
     types: [ready_for_review, opened, reopened]
 
 jobs:
+  approve:
+    name: Approve
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.pull_request.head.repo.fork == true && 'manual-approval' || '' }}
+
   summary:
     name: PR Summary
-    if: github.actor != 'dependabot'
+    needs: approve
+    if: github.actor != 'dependabot[bot]'
     runs-on: [ubuntu-latest]
     steps:
       - uses: SAP/ai-assisted-github-actions/pr-summary@v3
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: gpt-4o
+          model: gpt-4.1-nano
           exclude-files: package-lock.json, uv.lock
   review:
     name: PR Review
-    if: github.actor != 'dependabot'
+    needs: approve
+    if: github.actor != 'dependabot[bot]'
     runs-on: [ubuntu-latest]
     steps:
       - uses: SAP/ai-assisted-github-actions/pr-review@v3
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: anthropic--claude-4-sonnet
+          model: anthropic--claude-4.6-sonnet
           exclude-files: package-lock.json, uv.lock
           footer-text: |
             ---

CHANGELOG.md

@@ -1,3 +1,21 @@
+# Version: v0.6.6
+
+* [#182](https://github.com/SAP/STARS/pull/182): Bump pypdf from 6.0.0 to 6.6.0 in /backend-agent
+* [#183](https://github.com/SAP/STARS/pull/183): Bump unstructured from 0.18.21 to 0.18.27 in /backend-agent
+* [#185](https://github.com/SAP/STARS/pull/185): Bump filelock from 3.19.1 to 3.20.3 in /backend-agent
+* [#186](https://github.com/SAP/STARS/pull/186): Bump azure-core from 1.35.0 to 1.38.0 in /backend-agent
+* [#187](https://github.com/SAP/STARS/pull/187): Bump pyasn1 from 0.6.1 to 0.6.2 in /backend-agent
+* [#189](https://github.com/SAP/STARS/pull/189): Bump weasyprint from 67.0 to 68.0 in /backend-agent
+* [#191](https://github.com/SAP/STARS/pull/191): Bump lodash from 4.17.21 to 4.17.23 in /frontend
+* [#192](https://github.com/SAP/STARS/pull/192): Bump weasyprint from 67.0 to 68.0 in /backend-agent
+* [#193](https://github.com/SAP/STARS/pull/193): Bump pypdf from 6.0.0 to 6.6.2 in /backend-agent
+* [#194](https://github.com/SAP/STARS/pull/194): Bump python-multipart from 0.0.20 to 0.0.22 in /backend-agent
+* [#196](https://github.com/SAP/STARS/pull/196): Bump sentence-transformers from 5.2.0 to 5.2.2 in /backend-agent
+* [#197](https://github.com/SAP/STARS/pull/197): Bump unstructured from 0.18.27 to 0.18.31 in /backend-agent
+* [#199](https://github.com/SAP/STARS/pull/199): Bump protobuf from 5.29.5 to 5.29.6 in /backend-agent
+* [#201](https://github.com/SAP/STARS/pull/201): Bump langsmith from 0.4.23 to 0.6.3 in /backend-agent
+
+
 # Version: v0.6.5
 
 * [#168](https://github.com/SAP/STARS/pull/168): Bump weasyprint from 66.0 to 67.0 in /backend-agent

backend-agent/llm.py

@@ -23,34 +23,27 @@
 logger.addHandler(status.trace_logging)
 
 AICORE_MODELS = {
-    'aicore-ibm':
-    [
-        'ibm--granite-13b-chat'
-    ],
     'aicore-mistralai':
     [
         'mistralai--mistral-large-instruct',
         'mistralai--mistral-medium-instruct',
         'mistralai--mistral-small-instruct',
     ],
-    'aicore-opensource':
-    [
-        'meta--llama3.1-70b-instruct',
-    ],
     'aws-bedrock':
     [
         'amazon--nova-lite',
         'amazon--nova-micro',
         'amazon--nova-pro',
         'amazon--nova-premier',
         'anthropic--claude-3-haiku',
-        'anthropic--claude-3-opus',
-        'anthropic--claude-3.5-sonnet',
         'anthropic--claude-3.7-sonnet',
-        'anthropic--claude-4-sonnet',
         'anthropic--claude-4-opus',
-        'anthropic--claude-4.5-sonnet',
+        'anthropic--claude-4-sonnet',
         'anthropic--claude-4.5-haiku',
+        'anthropic--claude-4.5-opus',
+        'anthropic--claude-4.5-sonnet',
+        'anthropic--claude-4.6-opus',
+        'anthropic--claude-4.6-sonnet',
     ],
     'azure-openai':
     [
@@ -62,6 +55,7 @@
         'gpt-5',
         'gpt-5-mini',
         'gpt-5-nano',
+        'gpt-5.2',
         'o1',
         'o3',
         'o3-mini',
@@ -79,6 +73,7 @@
     [
         'sonar',
         'sonar-pro',
+        'sonar-deep-research',
     ],
 }
 
@@ -97,28 +92,28 @@ def from_model_name(cls, model_name: str) -> 'LLM':
         Useful because the user can specify only the name in the agent.
         """
         # Foundation-models scenarios in AI Core
-        if model_name in AICORE_MODELS['azure-openai']:
+        if model_name in AICORE_MODELS.get('azure-openai', []):
             return AICoreOpenAILLM(model_name)
         # IBM models are compatible with OpenAI completion API
-        if model_name in AICORE_MODELS['aicore-ibm']:
+        if model_name in AICORE_MODELS.get('aicore-ibm', []):
             return AICoreOpenAILLM(model_name)
-        if model_name in AICORE_MODELS['aicore-opensource']:
+        if model_name in AICORE_MODELS.get('aicore-opensource', []):
             return AICoreOpenAILLM(model_name, False)
         # Mistral models are compatible with OpenAI completion API
-        if model_name in AICORE_MODELS['aicore-mistralai']:
+        if model_name in AICORE_MODELS.get('aicore-mistralai', []):
             return AICoreOpenAILLM(model_name, False)
         # Perplexity models are compatible with OpenAI completion API
-        if model_name in AICORE_MODELS['perplexity-ai']:
+        if model_name in AICORE_MODELS.get('perplexity-ai', []):
             return AICoreOpenAILLM(model_name)
 
         # Non OpenAI-compatible models in AI Core
-        if model_name in AICORE_MODELS['aws-bedrock']:
+        if model_name in AICORE_MODELS.get('aws-bedrock', []):
             if 'titan' in model_name:
                 # Titan models don't support system prompts
                 return AICoreAmazonBedrockLLM(model_name, False)
             else:
                 return AICoreAmazonBedrockLLM(model_name)
-        if model_name in AICORE_MODELS['gcp-vertexai']:
+        if model_name in AICORE_MODELS.get('gcp-vertexai', []):
             return AICoreGoogleVertexLLM(model_name)
 
         # Custom models

backend-agent/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = 'stars'
-version = '0.6.5'
+version = '0.6.6'
 description = 'Smart Threat AI Reporting Scanner (STARS)'
 readme = 'README.md'
 license = {text = 'Apache-2.0'}
@@ -14,7 +14,7 @@ maintainers = [
 requires-python = '>=3.10,<3.13'
 dependencies = [
     'sap-ai-sdk-gen[all]==5.10.0',
-    'python-dotenv==1.2.1',
+    'python-dotenv==1.2.2',
     'faiss-cpu==1.13.2',
     'Flask==3.1.2',
     'Flask-Cors==6.0.1',
@@ -26,16 +26,16 @@ dependencies = [
     'langchain-text-splitters>=0.3.0,<0.4.0',
     'PyYAML==6.0.3',
     'requests==2.32.5',
-    'unstructured==0.18.21',
+    'unstructured==0.18.31',
     'art==6.5',
     'pandas==2.3.3',
     'ollama==0.6.1',
-    'weasyprint==67.0',
+    'weasyprint==68.0',
     'pyrit==0.9.0',
     'codeattack @ git+https://github.com/marcorosa/CodeAttack',
     'gptfuzzer @ git+https://github.com/marcorosa/GPTFuzz@no-vllm',
     'garak==0.11.0',
-    'sentence-transformers==5.2.0',
+    'sentence-transformers==5.2.2',
 ]
 
 [project.optional-dependencies]