sync changes from release branch

.github/workflows/check-circular-deps.yml

@@ -11,6 +11,8 @@ on:
       - .github/workflows/check-circular-deps.yml
       - '**.spec'
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Circular dependency check
@@ -20,6 +22,8 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check for circular dependencies
         run: |

.github/workflows/check-entangled-specs.yml

@@ -20,7 +20,9 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
         uses: actions/setup-python@v5

.github/workflows/check-license-map.yml

@@ -24,7 +24,9 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+
       - name: Setup Python 3.12
         uses: actions/setup-python@v5
         with:

.github/workflows/check-manifests.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
     - name: Define missing rpm macros

.github/workflows/check-package-cgmanifest.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Check out code
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
     - name: Define missing rpm macros
@@ -33,9 +35,12 @@ jobs:
     - name: Get base commit for PRs
       if: ${{ github.event_name == 'pull_request' }}
       run: |
-        git fetch origin ${{ github.base_ref }}
-        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-        echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+        base_ref="${BASE_REF}"
+        git fetch origin $base_ref
+        echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+        echo "Merging ${{ github.sha }} into $base_ref"
+      env:
+        BASE_REF: ${{ github.base_ref }}
 
     - name: Get base commit for Pushes
       if: ${{ github.event_name == 'push' }}

.github/workflows/check-source-signatures.yml

@@ -11,6 +11,8 @@ on:
       - .github/workflows/check-source-signatures.yml
       - '**.spec'
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Source Signature Check
@@ -24,6 +26,7 @@ jobs:
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
@@ -38,8 +41,11 @@ jobs:
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}

.github/workflows/check-spec.yml

@@ -24,6 +24,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12
@@ -37,8 +38,11 @@ jobs:
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
@@ -63,6 +67,7 @@ jobs:
         with:
           ref: '3.0'
           path: '3.0-checkout'
+          persist-credentials: false
 
       - name: Verify .spec files
         if: ${{ env.updated-specs != '' }}

.github/workflows/check-static-glibc.yml

@@ -22,6 +22,8 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12

.github/workflows/go-test-coverage.yml

@@ -33,6 +33,8 @@ jobs:
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     - name: Check go.mod
       run: |

.github/workflows/lint-specs.yml

@@ -24,13 +24,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
-
+          base_ref="${BASE_REF}"
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
+
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
         run: |
@@ -50,6 +54,7 @@ jobs:
         with:
           ref: '3.0'
           path: '3.0-checkout'
+          persist-credentials: false
 
       # Our linter is based on the spec-cleaner tool from the folks at openSUSE
       # We apply a patch to modify it for our needs
@@ -59,6 +64,7 @@ jobs:
           repository: 'rpm-software-management/spec-cleaner'
           ref: 'spec-cleaner-1.2.0'
           path: 'spec-cleaner'
+          persist-credentials: false
 
       # For consistency, we use the same major/minor version of Python that Azure Linux ships
       - name: Setup Python 3.12

.github/workflows/lint.yml

@@ -16,6 +16,8 @@ on:
       - "**.spec"
       - "**.patch"
 
+permissions: read-all
+
 jobs:
   lint:
     name: Lint Workflows and Code
@@ -32,6 +34,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
+
       - name: Lint
         uses: github/super-linter/slim@v7
         env:

.github/workflows/merge-conflict-check.yml

@@ -7,6 +7,8 @@ on:
   pull_request:
     branches: [main, 3.0*]
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Github Merge Conflict Check
@@ -16,13 +18,18 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          git fetch origin ${{ github.base_ref }}
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
-          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+          base_ref="${BASE_REF}"
+          git fetch origin $base_ref
+          echo "base_sha=$(git rev-parse origin/$base_ref)" >> $GITHUB_ENV
+          echo "Merging ${{ github.sha }} into $base_ref"
+        env:
+          BASE_REF: ${{ github.base_ref }}
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}

.github/workflows/publish-docs.yml

@@ -19,7 +19,7 @@ permissions:
 jobs:
   build_microvisor-toolkit:
     if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@81b923cd8456c3efb633808611e09b4aed8ae3b1
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}

README.md

@@ -16,8 +16,8 @@ The currently published versions are:
 
 * Edge Microvisor Toolkit (immutable)
 * Edge Microvisor Toolkit with real time extensions (immutable)
-* Edge Microvisor Toolkit Standalone (immutable)
-* Edge Microvisor Toolkit Developer (mutable)
+* Edge Microvisor Toolkit Standalone (immutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipe&microserviceNameForUrl=edge-microvisor-toolkit-standalone-node))
+* Edge Microvisor Toolkit Developer (mutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipe&microserviceNameForUrl=edge--microvisor-toolkit-development-node))
 
 The Edge Microvisor Toolkit has undergone extensive validation across all Intel
 platforms such as  Xeon®, Intel® Core Ultra™, Intel Core™ and Intel® Atom®. It