Fix some security issues

.github/workflows/_build_image.yml

@@ -78,7 +78,7 @@ jobs:
           fi
 
       - name: Checkout out GenAIExamples
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_get-image-list.yml

@@ -31,10 +31,10 @@ jobs:
       run_matrix: ${{ steps.get-matrix.outputs.run_matrix }}
     steps:
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Checkout GenAIComps Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           repository: opea-project/GenAIComps
           path: GenAIComps
@@ -45,7 +45,7 @@ jobs:
           image_list=[]
           run_matrix="{\"include\":["
           if [[ ! -z "${{ inputs.examples }}" ]]; then
-              pip install yq
+              pip install yq==3.4.3
               examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
               for example in ${examples[@]}
               do

.github/workflows/_get-test-matrix.yml

@@ -47,7 +47,7 @@ jobs:
           echo "checkout ref ${{ env.CHECKOUT_REF }}"
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_helm-e2e.yml

@@ -55,7 +55,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -128,7 +128,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_run-docker-compose.yml

@@ -61,7 +61,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -150,7 +150,7 @@ jobs:
           docker images
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ needs.get-test-case.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -243,7 +243,7 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: ${{ inputs.hardware }}_${{ inputs.example }}_${{ matrix.test_case }}
           path: ${{ github.workspace }}/${{ inputs.example }}/tests/*.log

.github/workflows/_run-one-click.yml

@@ -60,7 +60,7 @@ jobs:
 
       - name: Checkout out Repo
         if: ${{ inputs.deploy_method == 'docker' }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -94,7 +94,7 @@ jobs:
 
       - name: Checkout out Repo
         if: ${{ inputs.deploy_method == 'k8s' }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -153,7 +153,7 @@ jobs:
           LVM_model: ${{ env.LVM_model }}
         run: |
           cd ${{ github.workspace }}/one_click_deploy
-          python3 -m pip install -r requirements.txt
+          python3 -m pip install --require-hashes -r requirements.txt
 
           if [ "${{ inputs.deploy_method }}" = "k8s" ]; then
             export OPEA_K8S_VLLM_SKIP_WARMUP=TRUE
@@ -205,7 +205,7 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: ${{ inputs.deploy_method }}
           path: ${{ github.workspace }}/${{ inputs.deploy_method }}-tests/test-results.log

.github/workflows/_trivy-scan.yml

@@ -43,7 +43,7 @@ jobs:
           sudo rm -rf ${{github.workspace}}/* || true
           docker system prune -f
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       - name: Install Dependencies
         run: |
           sudo apt-get update
@@ -91,7 +91,7 @@ jobs:
         shell: bash
 
       - name: Security Scan Container
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         if: ${{ inputs.trivy_scan }}
         with:
           image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ inputs.image }}:${{ inputs.tag }}

.github/workflows/check-online-doc-build.yml

@@ -17,12 +17,12 @@ jobs:
     steps:
 
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         path: GenAIExamples
 
     - name: Checkout docs
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: opea-project/docs
         path: docs

.github/workflows/daily-update-vllm-version.yml.disabled

@@ -32,7 +32,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
           ref: ${{ github.ref }}

.github/workflows/docker/code-scan.dockerfile

@@ -1,8 +1,8 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-ARG UBUNTU_VER=22.04
-FROM ubuntu:${UBUNTU_VER} as devel
+# ARG UBUNTU_VER=22.04
+FROM ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e as devel
 
 ENV LANG=C.UTF-8
 

.github/workflows/dockerhub-description.yml

@@ -84,25 +84,25 @@ jobs:
       fail-fast: false
     steps:
     - name: Checkout GenAIExamples
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: opea-project/GenAIExamples
         path: GenAIExamples
 
     - name: Checkout GenAIComps
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: opea-project/GenAIComps
         path: GenAIComps
 
     - name: Checkout vllm-openvino
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: vllm-project/vllm
         path: vllm
 
     - name: Checkout vllm-gaudi
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: HabanaAI/vllm-fork
         ref: habana_main

.github/workflows/manual-docker-scan.yml

@@ -59,7 +59,7 @@ jobs:
     runs-on: "docker-build-${{ inputs.node }}"
     if: always()
     steps:
-      - uses: actions/upload-artifact@v4.3.4
+      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
         with:
           name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
           path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt

.github/workflows/manual-freeze-tag.yml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
           ref: ${{ github.ref }}

.github/workflows/mix-trellix.yml

@@ -17,7 +17,7 @@ jobs:
         run: sudo rm -rf ${{github.workspace}}/*
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Run Trellix Scanner
         env:
@@ -26,6 +26,6 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           path: ${{ github.workspace }}/.github/workflows/scripts/codeScan/report.html

.github/workflows/pr-chart-e2e.yml

@@ -28,7 +28,7 @@ jobs:
       run_matrix: ${{ steps.get-test-matrix.outputs.run_matrix }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: "refs/pull/${{ github.event.number }}/merge"
           fetch-depth: 0

.github/workflows/pr-check-duplicated-image.yml

@@ -27,11 +27,11 @@ jobs:
         run: sudo rm -rf ${{github.workspace}}/*
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Check all the docker image build files
         run: |
-          pip install PyYAML
+          pip install PyYAML==6.0.3
           cd ${{github.workspace}}
           build_files=""
           for f in `find . -path "*/docker_image_build/build.yaml"`; do

.github/workflows/pr-code-scan.yml

@@ -34,7 +34,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Check Dangerous Command Injection
         uses: opea-project/validation/actions/check-cmd@main
@@ -62,7 +62,7 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: ${{ matrix.job_name }}
           path: ${{ github.workspace }}/.github/workflows/scripts/codeScan/${{ matrix.job_name }}.*
@@ -74,7 +74,7 @@ jobs:
       contents: read
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -98,7 +98,7 @@ jobs:
       - name: ShellCheck
         # if: ${{ env.changed_files != '' }}
         if: steps.get-changed-files.outputs.changed_files_exist == 'true'
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38
         env:
           SHELLCHECK_OPTS: -e SC2164 -e SC2154 -e SC2034 -e SC2155 -e SC1090 -e SC2153 -e SC2046
         with:

.github/workflows/pr-dependency-review.yml

@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
         with:

.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml

@@ -17,7 +17,7 @@ jobs:
         run: sudo rm -rf ${{github.workspace}}/*
 
       - name: Checkout Repo GenAIExamples
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Clone Repo GenAIComps
         run: |
@@ -50,7 +50,7 @@ jobs:
         run: sudo rm -rf ${{github.workspace}}/*
 
       - name: Checkout Repo GenAIExamples
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -85,11 +85,11 @@ jobs:
         run: sudo rm -rf ${{github.workspace}}/*
 
       - name: Checkout Repo GenAIExamples
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Check name agreement in build.yaml
         run: |
-          pip install ruamel.yaml
+          pip install ruamel.yaml==0.18.6
           cd ${{github.workspace}}
           consistency="TRUE"
           build_yamls=$(find . -name 'build.yaml')

.github/workflows/pr-image-size.yml

@@ -23,7 +23,7 @@ jobs:
       files: ${{ steps.changed-dockerfiles.outputs.files }}
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -50,12 +50,12 @@ jobs:
       skip: ${{ steps.build-check.outputs.skip }}
     steps:
       - name: Checkout PR branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
 
       - name: Build and check image sizes
         id: build-check
@@ -128,7 +128,7 @@ jobs:
 
       - name: Download origin artifact log
         if: env.skip != 'true'
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4
         with:
           name: build-comments
           path: merged-files
@@ -143,7 +143,7 @@ jobs:
 
       - name: Save Summary as Artifact
         if: env.skip != 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: build-comments
           path: merged-files/
@@ -159,7 +159,7 @@ jobs:
       all_comments: ${{ steps.summary.outputs.all_comments }}
     steps:
       - name: Download Summary
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4
         with:
           name: build-comments
           path: downloaded-files