From 46fb16005411cd352b3fecd1f2420a2e08d43607 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 7 Jan 2026 10:56:08 +0000
Subject: [PATCH 1/5] add zizmor workflow
Signed-off-by: Barabanov, Alexander
---
 .github/workflows/zizmor-scan.yaml | 41 ++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/zizmor-scan.yaml
diff --git a/.github/workflows/zizmor-scan.yaml b/.github/workflows/zizmor-scan.yaml
new file mode 100644
index 0000000000..7e8641b5f2
--- /dev/null
+++ b/.github/workflows/zizmor-scan.yaml
@@ -0,0 +1,41 @@
+# This workflow scans repo with Zizmor (static analysis tool for GitHub Actions),
+# comments PR and outputs results into GitHub security tab
+
+name: Zizmor scan
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ types:
+ - edited
+ - opened
+ - ready_for_review
+ - synchronize
+ schedule:
+ # Run security checks every day at 2 AM UTC
+ - cron: "0 2 * * *"
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write # Needed to upload the results to code-scanning dashboard
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+ - name: Run Zizmor scan
+ uses: open-edge-platform/geti-ci/actions/zizmor@cdb7239fe84ee55b8d3640fa6177da1ff3f97d02
+ with:
+ scan-scope: ${{ github.event_name == 'pull_request' && 'changed' || 'all' }}
+ severity-level: ${{ github.event_name == 'pull_request' && 'HIGH' || 'LOW' }}
+ fail-on-findings: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
From 9d63c43abe5e8a9e5758f1358cf1f82f222ad3e9 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 7 Jan 2026 11:17:26 +0000
Subject: [PATCH 2/5] update dependabot settings
Signed-off-by: Barabanov, Alexander
---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
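Review bot: The header comment says the workflow "comments PR", but the job grants only `contents: read` and `security-events: write` under a top-level `permissions: {}`, so the token cannot post a PR comment and that claim is either inaccurate or will fail inside the composite action. If commenting is intended, add `pull-requests: write # Needed to comment on the PR` to the job permissions; otherwise trim the header to `# This workflow scans the repo with Zizmor and uploads results to the GitHub security tab`. Separately, on `pull_request` runs from forks the GITHUB_TOKEN is read-only, so the SARIF upload will presumably be rejected unless the action handles that case — worth confirming, or guarding the scan step with `if: github.event.pull_request.head.repo.fork == false`. PRs are gated at `HIGH` while pushes scan at `LOW` without failing, so MEDIUM findings introduced by a PR only surface in the security tab after merge; a one-line comment above `severity-level` should record that this is deliberate.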
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6a8d3161a5..508eb37b9a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,12 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ # update actions used in zizmor-scan.yaml on a weekly interval
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ allow:
+ - dependency-name: "*"
+ patterns:
+ - ".github/workflows/zizmor-scan.yaml"
From 02263916bd209c2b6735f802a2113ee66c4ce9b3 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 7 Jan 2026 11:23:29 +0000
Subject: [PATCH 3/5] fix zizmor findings
Signed-off-by: Barabanov, Alexander
---
 .../workflows/dlsps-package-helm-weekly.yaml | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/dlsps-package-helm-weekly.yaml b/.github/workflows/dlsps-package-helm-weekly.yaml
index 4db11b7033..e5a98eddab 100644
--- a/.github/workflows/dlsps-package-helm-weekly.yaml
+++ b/.github/workflows/dlsps-package-helm-weekly.yaml
@@ -26,7 +26,7 @@ jobs:
 path: edge-ai-libraries-repo
 persist-credentials: false
 - name: Install Helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 #v4.3.1
 with:
 version: v3.15.2
 - name: Log in to GitHub Container Registry
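Review bot: `patterns` is not a key the Dependabot v2 config accepts under `allow` (it belongs to `groups`), and `allow` cannot scope the `github-actions` ecosystem to a single workflow file anyway — with `directory: "/"` Dependabot already covers every file under `.github/workflows`, so the intent stated in the comment is not achievable this way. The ecosystem entry alone already covers zizmor-scan.yaml, so the `allow:` block and its two sub-keys can simply be dropped here, with the comment reworded to `# Keep all GitHub Actions references up to date on a weekly interval`. The last patch in this series replaces the block with a `groups` entry, but this intermediate commit leaves a config that Dependabot may reject at bisect points, so consider squashing it into PATCH 5.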
@@ -37,20 +37,28 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Package Helm Chart
+ env:
+ HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
 run: |
 cd edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm
- helm package . --version ${{ inputs.helm-chart-tag }} --app-version ${{ inputs.helm-chart-tag }}
+ helm package . --version "${HELM_CHART_TAG}" --app-version "${HELM_CHART_TAG}"
 - name: Push to GHCR
+ env:
+ HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
+ GITHUB_REPO: ${{ github.repository }}
 run: |
- CHART_PACKAGE=$(ls edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm/dlstreamer-pipeline-server-${{ inputs.helm-chart-tag }}.tgz)
- helm push $CHART_PACKAGE oci://ghcr.io/${{ github.repository }}/
+ CHART_PACKAGE=$(ls edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm/dlstreamer-pipeline-server-"${HELM_CHART_TAG}".tgz)
+ helm push $CHART_PACKAGE oci://ghcr.io/${GITHUB_REPO}/
 - name: Update Github Summary
+ env:
+ HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
+ GITHUB_REPO: ${{ github.repository }}
 run: |
 echo "### ✅ DLStreamerPipelineServer helm chart published to github container registry" >> $GITHUB_STEP_SUMMARY
- echo "- Registry: \`oci://ghcr.io/${{ github.repository }}\`" >> $GITHUB_STEP_SUMMARY
- echo "- Version: \`${{ inputs.helm-chart-tag }}\`" >> $GITHUB_STEP_SUMMARY
- echo "- Pull command: \`helm pull oci://ghcr.io/${{ github.repository }}/dlstreamer-pipeline-server --version ${{ inputs.helm-chart-tag }}\`" >> $GITHUB_STEP_SUMMARY
+ echo "- Registry: \`oci://ghcr.io/${GITHUB_REPO}\`" >> $GITHUB_STEP_SUMMARY
+ echo "- Version: \`${HELM_CHART_TAG}\`" >> $GITHUB_STEP_SUMMARY
+ echo "- Pull command: \`helm pull oci://ghcr.io/${GITHUB_REPO}/dlstreamer-pipeline-server --version ${HELM_CHART_TAG}\`" >> $GITHUB_STEP_SUMMARY
 - name: Clean up
 if: always()
 run: |
From 538eb624e7e39bd584dd7acb394326e0c5cb091f Mon Sep 17 00:00:00 2001
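Review bot: `$CHART_PACKAGE` is still passed unquoted to `helm push`, and it is built from `ls` output rather than from the path itself, so the value derived from the `HELM_CHART_TAG` input that this hunk just moved into the environment remains subject to word splitting and globbing. Assign the path directly and quote both arguments: `CHART_PACKAGE="edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm/dlstreamer-pipeline-server-${HELM_CHART_TAG}.tgz"` and `helm push "${CHART_PACKAGE}" "oci://ghcr.io/${GITHUB_REPO}/"`, optionally preceded by `[ -f "${CHART_PACKAGE}" ] || { echo "chart package not found"; exit 1; }`. Nothing validates the tag before it is used in a file path and a chart version; `helm package --version` will presumably reject a non-semver value, but an explicit pattern check at the top of the first `run:` would make that guarantee local. The same two `env:` entries are repeated on three consecutive steps; a job-level `env:` would declare them once, though the job header lies outside this hunk.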
From: "Barabanov, Alexander"
Date: Wed, 7 Jan 2026 11:26:04 +0000
Subject: [PATCH 4/5] fix zizmor findings
Signed-off-by: Barabanov, Alexander
---
 .github/actions/common/code-style/action.yml | 4 +++-
 .github/workflows/timeseries-weekly-functional-tests.yaml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/actions/common/code-style/action.yml b/.github/actions/common/code-style/action.yml
index 89f39e924c..45ab806d63 100644
--- a/.github/actions/common/code-style/action.yml
+++ b/.github/actions/common/code-style/action.yml
@@ -37,12 +37,14 @@ runs:
 - name: Analyze code style results
 if: always()
+ env:
+ TARGET_DIR: ${{ inputs.target_dir }}
 run: |
 if [ "${{ steps.code-style-check.outputs.STYLE_ISSUES }}" == "true" ]; then
 # Count number of files with style issues
 if [ -f "_output/diff.html" ]; then
 # Try to count files from diff output
- file_count=$(diff -u --recursive "${{ inputs.target_dir }}" "_styled/${{ inputs.target_dir }}" 2>/dev/null | grep -c "^diff -u" || echo "1+")
+ file_count=$(diff -u --recursive "${TARGET_DIR}" "_styled/${TARGET_DIR}" 2>/dev/null | grep -c "^diff -u" || echo "1+")
 echo "### Code Style Check Results" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/timeseries-weekly-functional-tests.yaml b/.github/workflows/timeseries-weekly-functional-tests.yaml
index 69400efb79..c4b29f465e 100644
--- a/.github/workflows/timeseries-weekly-functional-tests.yaml
+++ b/.github/workflows/timeseries-weekly-functional-tests.yaml
@@ -30,6 +30,8 @@ jobs:
 path: edge-ai-libraries-repo
 - name: Run time-series-analytics-microservices function tests
+ env:
+ TEST_PATTERN: ${{ inputs.test_pattern || '.' }}
 run: |
 cd "${{ github.workspace }}"
 cd ./microservices/time-series-analytics/tests-functional
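Review bot: The `${{ steps.code-style-check.outputs.STYLE_ISSUES }}` expression on the line right after the new `env:` block is still expanded directly into the shell script, which is the same template-expansion pattern this hunk removes for `inputs.target_dir`; its value presumably comes from a sibling step of this action and is a fixed true/false, so the risk is low, but routing it through the environment keeps the step consistent and keeps zizmor quiet. Add `STYLE_ISSUES: ${{ steps.code-style-check.outputs.STYLE_ISSUES }}` under the new `env:` and change the test to `if [ "${STYLE_ISSUES}" == "true" ]; then`. The `runs:` block and the two `if` bodies start and end outside the hunk.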
@@ -39,7 +41,7 @@ jobs:
 echo "Running function tests"
 pip3 install -r requirements.txt
 rm -rf /tmp/test_report/report.html
- pytest -q -vv --self-contained-html --html=/tmp/test_report/report.html ${{ inputs.test_pattern || '.' }}
+ pytest -q -vv --self-contained-html --html=/tmp/test_report/report.html "${TEST_PATTERN}"
 - name: Upload HTML test report to Github
 uses: actions/upload-artifact@v4
 with:
From e7b2c2fc4aaa7b4b68cf3e301d4c4c9a354e293f Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 7 Jan 2026 11:34:24 +0000
Subject: [PATCH 5/5] update dependabot config
Signed-off-by: Barabanov, Alexander
---
 .github/dependabot.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 508eb37b9a..ef5f63f22c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,14 +3,19 @@ version: 2
 updates:
 - package-ecosystem: gitsubmodule
 directory: "/"
+ cooldown:
+ default-days: 7
 schedule:
 interval: "weekly"
- # update actions used in zizmor-scan.yaml on a weekly interval
+ # Update actions on a weekly interval
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
- allow:
- - dependency-name: "*"
+ cooldown:
+ default-days: 7
+ groups:
+ github-actions-dependency:
+ applies-to: version-updates
 patterns:
- - ".github/workflows/zizmor-scan.yaml"
+ - "*"
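Review bot: Quoting `"${TEST_PATTERN}"` changes how the input reaches pytest: the old unquoted `${{ inputs.test_pattern || '.' }}` was word-split, so a value such as `tests/a tests/b` became two arguments, whereas the new form passes it as a single path that pytest will report as not found. If the input is meant to be one path or pattern this is the right fix and only the input description (outside this hunk) needs to say so; if several space-separated targets are expected, split deliberately with `read -r -a TEST_ARGS <<< "${TEST_PATTERN}"` and call `pytest -q -vv --self-contained-html --html=/tmp/test_report/report.html "${TEST_ARGS[@]}"`. The context line `uses: actions/upload-artifact@v4` two lines below is still referenced by a mutable tag, which zizmor's unpinned-uses check will presumably keep reporting for this file.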
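Review bot: The two new `cooldown` blocks carry no comment saying why updates are held for 7 days, and that hold is the security-relevant part of this change — it is what keeps Dependabot from proposing a just-published, possibly compromised or quickly-yanked action or submodule release. Add above each `cooldown:` a line such as `# Hold new releases for 7 days so a compromised or yanked release is unlikely to be proposed`. Whether the cooldown also delays Dependabot security updates for these ecosystems is not visible here; if it does, a one-week hold on a fixed action may be longer than wanted, so confirm against the Dependabot documentation and record the trade-off in the same comment. Grouping every `version-updates` bump under `patterns: "*"` also means one failing bump blocks the rest of the group, which is acceptable for a weekly cadence but worth a word in the comment above `groups:`.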