diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 5f78091e..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,23 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: / - schedule: - interval: "weekly" - target-branch: "master" - groups: - github-actions-dependency: - applies-to: version-updates - patterns: - - "*" - commit-message: - prefix: "chore(deps)" - - package-ecosystem: pip - directory: /src - schedule: - interval: weekly - target-branch: "master" - ignore: - - dependency-name: "ultralytics" - commit-message: - prefix: "chore(deps)" diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 00000000..1f4d97d7 --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,71 @@ +// Dependency Update Configuration +// +// See https://docs.renovatebot.com/configuration-options/ +// See https://json5.org/ for JSON5 syntax + +// [!] While updating the Renovate config, test changes on your own fork. +// 1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork. +// 2. Enable the Renovate GitHub app in your GitHub account. +// Verify that Renovate is activated in the repository settings within the Renovate Dashboard. +// To enable the dashboard set `dependencyDashboard` to true +// 3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate. +// 4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts. +// 5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR, +// and include links in the description to share details about the testing you've conducted. 
+ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + + // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance + lockFileMaintenance: { + enabled: true, + schedule: ["* * * * 0"], // weekly + }, + + extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"], + // https://docs.renovatebot.com/presets-default/#gitsignoff + // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests + + // if necessary, add supported releases branches here + // it is possible to enable/disable specific upgrades per branch with + // `matchBaseBranches` in specific rule + baseBranches: ["master"], + + enabledManagers: ["github-actions", "pep621"], + + // Set limit to 10 + ignorePresets: [":prHourlyLimit2"], + prHourlyLimit: 10, + + packageRules: [ + { + enabled: true, + matchManagers: ["pep621"], + schedule: ["* * * * 0"], // weekly + }, + + // Disable ultralytics notifications (based on previous Dependabot config) + { + enabled: false, + matchDatasources: ["pypi"], + matchDepNames: ["ultralytics"], + }, + + // Group GitHub Actions updates + { + enabled: true, + separateMajorMinor: false, + groupName: "GitHub Actions", + matchManagers: ["github-actions"], + matchPackagePatterns: ["*"], + schedule: ["* * 1 * *"], // every month + }, + ], + + // Enable security upgrades + vulnerabilityAlerts: { + enabled: true, + }, + osvVulnerabilityAlerts: true, + dependencyDashboard: true, +} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0d632458..3baf5b08 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -70,22 +70,24 @@ jobs: echo "Branch gh-pages already exists" fi - name: Commit docs to gh-pages branch + env: + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} run: | git fetch git checkout gh-pages mkdir -p /tmp/docs_build cp -r docs/build/html/* /tmp/docs_build/ - rm -rf ${{ env.RELEASE_VERSION }}/* + rm -rf "$RELEASE_VERSION"/* echo '
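Review bot: `extends` in the new `.github/renovate.json5` uses `config:base`, which Renovate has deprecated in favour of `config:recommended`, and the GitHub Actions rule uses `matchPackagePatterns: ["*"]`, which newer Renovate releases also report as deprecated in favour of `matchPackageNames: ["*"]`; both are likely to surface as validator warnings and may eventually stop being honoured. The `ultralytics` rule sets `enabled: false` for the dependency as a whole, and it is not obvious from the config whether a vulnerability-driven update for it would still be opened despite `vulnerabilityAlerts` and `osvVulnerabilityAlerts`; confirm that with a dry run, and if security PRs are suppressed, narrow the rule with `matchUpdateTypes` so only routine bumps are ignored. `vulnerabilityAlerts` also relies on the Renovate App being able to read the repository's vulnerability alerts, which is worth recording in the comment next to `// Enable security upgrades` so the required App permission is not lost when the App is reinstalled.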
' > index.html - mkdir -p ${{ env.RELEASE_VERSION }} - cp -r /tmp/docs_build/* ./${{ env.RELEASE_VERSION }} + mkdir -p "$RELEASE_VERSION" + cp -r /tmp/docs_build/* ./"$RELEASE_VERSION" rm -rf /tmp/docs_build git config --local user.email "action@github.com" git config --local user.name "GitHub Action" - if [[ ${{ env.RELEASE_VERSION }} != 'test_build' ]]; then - ln -sfn ${{ env.RELEASE_VERSION }} latest + if [[ "$RELEASE_VERSION" != 'test_build' ]]; then + ln -sfn "$RELEASE_VERSION" latest fi - git add ./latest ${{ env.RELEASE_VERSION }} + git add ./latest "$RELEASE_VERSION" git add index.html git commit -m "Update documentation" -a || true - name: Push changes diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml index 1a265c02..8006b12c 100644 --- a/.github/workflows/pre_commit.yml +++ b/.github/workflows/pre_commit.yml @@ -69,8 +69,8 @@ jobs: uses: open-edge-platform/anomalib/.github/actions/security/zizmor@f6ec1c57363a9894ff57184a5bfb78efa8f3de1b with: scan-scope: "changed" - severity-level: "MEDIUM" - confidence-level: "HIGH" + severity-level: "LOW" + confidence-level: "LOW" fail-on-findings: true Bandit-Scan-PR: runs-on: ubuntu-latest diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml new file mode 100644 index 00000000..7740df58 --- /dev/null +++ b/.github/workflows/renovate-config-validator.yml 
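Review bot: `rm -rf "$RELEASE_VERSION"/*` in the `Commit docs to gh-pages branch` step is still unsafe when the variable is empty, because `""/*` expands to `/*`; moving the value into `env` closes the expression-injection hole but not this one, and the same variable is used unguarded in the later `mkdir -p`, `cp -r`, `ln -sfn` and `git add` lines. Fail early with `: "${RELEASE_VERSION:?RELEASE_VERSION is not set}"` as the first line of the script and scope the deletion to the checkout with `rm -rf -- "./${RELEASE_VERSION}"/*`, rejecting values that contain `/` or start with `.` so a malformed version cannot reach outside the repository directory. The content echoed into `index.html` is not readable on this page, and the job continues outside the hunk.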
@@ -0,0 +1,42 @@ +# Renovate configuration validator +# +# This workflow validates changes proposed into Renovate configuration file +# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate. +# +# Required Secrets: +# - None +# +# Automatically triggered on: +# - Pull requests to .github/renovate.json5. +# + +name: Validate Renovate configuration + +on: + pull_request: + paths: + - ".github/renovate.json5" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} + cancel-in-progress: true + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout configuration + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Validate configuration + run: | + # renovate: datasource=docker + export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 + docker run --rm --entrypoint "renovate-config-validator" \ + -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ + ${RENOVATE_IMAGE} "/renovate.json5" diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 00000000..2e2a0674 --- /dev/null +++ b/.github/workflows/renovate.yml 
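Review bot: The `# renovate: datasource=docker` annotation above `export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11` will not be acted on: it lacks the `depName=` part Renovate's regex manager expects, and the new `renovate.json5` limits `enabledManagers` to `github-actions` and `pep621`, so no custom regex manager runs and the validator image will quietly go stale while everything else is updated. Either add a `customManagers` regex entry in `renovate.json5` and complete the annotation to `# renovate: datasource=docker depName=ghcr.io/renovatebot/renovate`, or drop the comment so it does not suggest coverage that is not there. Given the `helpers:pinGitHubActionDigests` policy adopted in the same change, pinning the image by digest as well (`ghcr.io/renovatebot/renovate:40.11@sha256:<image digest>`) and mounting the config read-only (`-v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5:ro"`) would be consistent with how the workflows pin their actions.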
@@ -0,0 +1,84 @@ +# Dependencies Management Workflow +# +# This workflow automates the dependence management based on self-hosed Renovate +# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly. +# +# Key Features: +# - Automated PR creation into pyproject.toml and uv.lock regeneration +# - Dry-run for debug purposes +# - Dependency dashboard (is available in GitHub issues) maintenance +# +# Process Stages: +# +# 1. Dependencies Management: +# - Runs on a daily schedule. +# - Identifies dependencies that may be updated based on .github/renovate.json5 configuration. +# - Opens corresponding PRs with respect to schedule defined in Renovate config file. +# - Updates Renovate Dependency dashboard that is available in GitHub issues. +# +# Required Secrets: +# - RENOVATE_APP_ID: application ID +# - RENOVATE_APP_PEM: application private key +# +# Example Usage: +# 1. Scheduled Run: +# Automatically runs, daily +# +# 2. Manual Trigger: +# workflow_dispatch: +# inputs: +# dry-run: +# description: "Run Renovate in dry-run mode (no PR)" +# required: false +# default: false +# type: boolean +# +# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues. 
+ +name: Renovate +on: + schedule: + # daily + - cron: "0 2 * * *" + + # allow to manually trigger this workflow + workflow_dispatch: + inputs: + dry-run: + description: "Run Renovate in dry-run mode (no PR)" + required: false + default: false + type: boolean + +permissions: {} + +jobs: + renovate: + permissions: + contents: read + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Get token + id: get-github-app-token + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + with: + app-id: ${{ secrets.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PEM }} + + - name: Self-hosted Renovate + uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0 + with: + configurationFile: .github/renovate.json5 + token: "${{ steps.get-github-app-token.outputs.token }}" + env: + LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} + # Dry run if the event is workflow_dispatch AND the dry-run input is true + RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 94f62310..760c9674 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,10 +42,10 @@ repos: # zizmor detects security issues in GitHub Actions workflows. - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.9.0 + rev: v1.11.0 hooks: - id: zizmor - args: ["--min-severity", "medium", "--min-confidence", "high"] + args: ["--min-severity", "low", "--min-confidence", "low"] # add bandit for security checks - repo: https://github.com/PyCQA/bandit diff --git a/README.md b/README.md index 005006c1..f64f30f1 100644 --- a/README.md +++ b/README.md 
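Review bot: The App token minted in the `Get token` step carries every permission the App was installed with, and it is then handed to a third-party action (`renovatebot/github-action`) that runs with `LOG_LEVEL: debug` on manual dispatch. Narrowing the token at mint time with the action's per-permission inputs (for example `permission-contents: write`, `permission-pull-requests: write`, `permission-issues: write` for the dashboard, and `permission-workflows: write` only if Renovate is meant to edit `.github/workflows`) together with `repositories: ${{ github.event.repository.name }}` bounds what a leaked token could do; check the exact input names against the README of the pinned v2.0.6 before relying on them. The header comment should also be corrected before merge: `self-hosed` → `self-hosted`, `dependence management` → `dependency management`, `dependencies remains` → `dependencies remain`.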
@@ -13,6 +13,7 @@ [](https://github.com/open-edge-platform/model_api/actions/workflows/docs.yml) [](https://opensource.org/licenses/Apache-2.0) +[](https://scorecard.dev/viewer/?uri=github.com/open-edge-platform/model_api) ## Introduction