feat(ci): add Zizmor

.github/actions/common/code-style/action.yml

@@ -37,12 +37,14 @@ runs:
 
     - name: Analyze code style results
       if: always()
+      env:
+        TARGET_DIR: ${{ inputs.target_dir }}
       run: |
         if [ "${{ steps.code-style-check.outputs.STYLE_ISSUES }}" == "true" ]; then
           # Count number of files with style issues
           if [ -f "_output/diff.html" ]; then
             # Try to count files from diff output
-            file_count=$(diff -u --recursive "${{ inputs.target_dir }}" "_styled/${{ inputs.target_dir }}" 2>/dev/null | grep -c "^diff -u" || echo "1+")
+            file_count=$(diff -u --recursive "${TARGET_DIR}" "_styled/${TARGET_DIR}" 2>/dev/null | grep -c "^diff -u" || echo "1+")
 
             echo "### Code Style Check Results" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY

.github/dependabot.yml

@@ -3,5 +3,19 @@ version: 2
 updates:
   - package-ecosystem: gitsubmodule
     directory: "/"
+    cooldown:
+      default-days: 7
     schedule:
       interval: "weekly"
+  # Update actions on a weekly interval
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
+    groups:
+      github-actions-dependency:
+        applies-to: version-updates
+        patterns:
+          - "*"

.github/workflows/dlsps-package-helm-weekly.yaml

@@ -26,7 +26,7 @@ jobs:
         path: edge-ai-libraries-repo
         persist-credentials: false
     - name: Install Helm
-      uses: azure/setup-helm@v4
+      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 #v4.3.1
       with:
         version: v3.15.2
     - name: Log in to GitHub Container Registry
@@ -37,20 +37,28 @@ jobs:
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Package Helm Chart
+      env:
+        HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
       run: |
         cd edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm
-        helm package . --version ${{ inputs.helm-chart-tag }} --app-version ${{ inputs.helm-chart-tag }}
+        helm package . --version "${HELM_CHART_TAG}" --app-version "${HELM_CHART_TAG}"
     - name: Push to GHCR
+      env:
+        HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
+        GITHUB_REPO: ${{ github.repository }}
       run: |
-        CHART_PACKAGE=$(ls edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm/dlstreamer-pipeline-server-${{ inputs.helm-chart-tag }}.tgz)
-        helm push $CHART_PACKAGE oci://ghcr.io/${{ github.repository }}/
+        CHART_PACKAGE=$(ls edge-ai-libraries-repo/microservices/dlstreamer-pipeline-server/helm/dlstreamer-pipeline-server-"${HELM_CHART_TAG}".tgz)
+        helm push $CHART_PACKAGE oci://ghcr.io/${GITHUB_REPO}/
 
     - name: Update Github Summary
+      env:
+        HELM_CHART_TAG: ${{ inputs.helm-chart-tag }}
+        GITHUB_REPO: ${{ github.repository }}
       run: |
         echo "### ✅ DLStreamerPipelineServer helm chart published to github container registry" >> $GITHUB_STEP_SUMMARY
-          echo "- Registry: \`oci://ghcr.io/${{ github.repository }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- Version: \`${{ inputs.helm-chart-tag }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- Pull command: \`helm pull oci://ghcr.io/${{ github.repository }}/dlstreamer-pipeline-server --version ${{ inputs.helm-chart-tag }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Registry: \`oci://ghcr.io/${GITHUB_REPO}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Version: \`${HELM_CHART_TAG}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Pull command: \`helm pull oci://ghcr.io/${GITHUB_REPO}/dlstreamer-pipeline-server --version ${HELM_CHART_TAG}\`" >> $GITHUB_STEP_SUMMARY
     - name: Clean up
       if: always()
       run: |

.github/workflows/timeseries-weekly-functional-tests.yaml

@@ -30,6 +30,8 @@ jobs:
         path: edge-ai-libraries-repo
 
     - name: Run time-series-analytics-microservices function tests
+      env:
+        TEST_PATTERN: ${{ inputs.test_pattern || '.' }}
       run: |
         cd "${{ github.workspace }}"
         cd ./microservices/time-series-analytics/tests-functional
@@ -39,7 +41,7 @@ jobs:
         echo "Running function tests"
         pip3 install -r requirements.txt
         rm -rf /tmp/test_report/report.html
-        pytest -q -vv --self-contained-html --html=/tmp/test_report/report.html ${{ inputs.test_pattern || '.' }}
+        pytest -q -vv --self-contained-html --html=/tmp/test_report/report.html "${TEST_PATTERN}"
     - name: Upload HTML  test report to Github
       uses: actions/upload-artifact@v4
       with:

.github/workflows/zizmor-scan.yaml

@@ -0,0 +1,41 @@
+# This workflow scans repo with Zizmor (static analysis tool for GitHub Actions),
+# comments PR and outputs results into GitHub security tab
+
+name: Zizmor scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+    types:
+      - edited
+      - opened
+      - ready_for_review
+      - synchronize
+  schedule:
+    # Run security checks every day at 2 AM UTC
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Needed to upload the results to code-scanning dashboard
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+      - name: Run Zizmor scan
+        uses: open-edge-platform/geti-ci/actions/zizmor@cdb7239fe84ee55b8d3640fa6177da1ff3f97d02
+        with:
+          scan-scope: ${{ github.event_name == 'pull_request' && 'changed' || 'all' }}
+          severity-level: ${{ github.event_name == 'pull_request' && 'HIGH' || 'LOW' }}
+          fail-on-findings: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}