From 391ec2da12c946aa3012d43ebab0003e21136157 Mon Sep 17 00:00:00 2001
From: "oep-renovate[bot]" <212772560+oep-renovate[bot]@users.noreply.github.com>
Date: Wed, 5 Nov 2025 02:34:59 +0000
Subject: [PATCH 1/3] chore(deps): update github actions
Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
---
.github/workflows/codeql.yml | 4 ++--
.github/workflows/docs.yml | 2 +-
.github/workflows/pre_commit.yml | 8 ++++----
.github/workflows/publish.yaml | 6 +++---
.github/workflows/renovate.yml | 2 +-
.github/workflows/scorecards.yml | 2 +-
.github/workflows/security-scan.yml | 8 ++++----
.github/workflows/test_accuracy.yml | 2 +-
.github/workflows/test_precommit.yml | 8 ++++----
9 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 35fefdb4..875032b7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -34,13 +34,13 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+ uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
queries: security-extended
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+ uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
with:
category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index eda00951..8665ec41 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -22,7 +22,7 @@ jobs:
with:
python-version-file: ".python-version"
- name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
- name: Install dependencies
run: |
uv sync --locked --extra docs
diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml
index ac495098..7aa72b62 100644
--- a/.github/workflows/pre_commit.yml
+++ b/.github/workflows/pre_commit.yml
@@ -26,11 +26,11 @@ jobs:
with:
python-version-file: ".python-version"
- name: Set up Node.js
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+ uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
- node-version: 22
+ node-version: 24
- name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
- name: Install dependencies
run: |
uv sync --locked --all-extras
@@ -49,7 +49,7 @@ jobs:
with:
python-version-file: ".python-version"
- name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
- name: Install dependencies
run: |
uv sync --locked --extra tests
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 61f62073..ed65a8fc 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -26,14 +26,14 @@ jobs:
- name: Build sdist
run: |
uv build --sdist
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: artifact-sdist
path: dist/*.tar.gz
- name: Build wheel
run: |
uv build --wheel
- - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: artifact-wheel
path: dist/*.whl
@@ -48,7 +48,7 @@ jobs:
id-token: write # required by trusted publisher
steps:
- name: Download artifacts
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
with:
path: dist
pattern: artifact-*
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 7dacda66..02869f6a 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -72,7 +72,7 @@ jobs:
private-key: ${{ secrets.RENOVATE_APP_PEM }}
- name: Self-hosted Renovate
- uses: renovatebot/github-action@2d941ef4e268e53affdc1f11365c69a73e544f50 # v43.0.14
+ uses: renovatebot/github-action@ea850436a5fe75c0925d583c7a02c60a5865461d # v43.0.20
with:
configurationFile: .github/renovate.json5
token: "${{ steps.get-github-app-token.outputs.token }}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index fba1ce1a..c2397bc0 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -35,6 +35,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard
- name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+ uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
with:
sarif_file: results.sarif
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 70699d74..073d464f 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -24,7 +24,7 @@ jobs:
with:
persist-credentials: false
- name: Run Zizmor scan
- uses: open-edge-platform/geti-ci/actions/zizmor@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/zizmor@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "all"
severity-level: "LOW"
@@ -42,7 +42,7 @@ jobs:
with:
persist-credentials: false
- name: Run Bandit scan
- uses: open-edge-platform/geti-ci/actions/bandit@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/bandit@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "all"
severity-level: "LOW"
@@ -62,7 +62,7 @@ jobs:
persist-credentials: false
- name: Run Trivy scan
id: trivy
- uses: open-edge-platform/geti-ci/actions/trivy@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/trivy@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan_type: "fs"
scan-scope: all
@@ -84,7 +84,7 @@ jobs:
persist-credentials: false
- name: Run Semgrep scan
id: semgrep
- uses: open-edge-platform/geti-ci/actions/semgrep@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/semgrep@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "all"
severity: "LOW"
diff --git a/.github/workflows/test_accuracy.yml b/.github/workflows/test_accuracy.yml
index d80c2ce5..8e9f4c06 100644
--- a/.github/workflows/test_accuracy.yml
+++ b/.github/workflows/test_accuracy.yml
@@ -19,7 +19,7 @@ jobs:
with:
python-version-file: ".python-version"
- name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
- name: Install dependencies
run: |
uv sync --locked --extra tests --extra-index-url https://download.pytorch.org/whl/cpu
diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml
index 0d7a1d43..3af19d08 100644
--- a/.github/workflows/test_precommit.yml
+++ b/.github/workflows/test_precommit.yml
@@ -21,7 +21,7 @@ jobs:
with:
python-version-file: ".python-version"
- name: Install uv
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
- name: Install dependencies
run: |
uv sync --locked --extra tests --extra-index-url https://download.pytorch.org/whl/cpu
@@ -41,7 +41,7 @@ jobs:
with:
persist-credentials: false
- name: Run Zizmor scan
- uses: open-edge-platform/geti-ci/actions/zizmor@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/zizmor@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "changed"
severity-level: "LOW"
@@ -57,7 +57,7 @@ jobs:
with:
persist-credentials: false
- name: Run Bandit scan
- uses: open-edge-platform/geti-ci/actions/bandit@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/bandit@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "changed"
severity-level: "LOW"
@@ -75,7 +75,7 @@ jobs:
with:
persist-credentials: false
- name: Run Bandit scan
- uses: open-edge-platform/geti-ci/actions/semgrep@c2bb2697178bb2e50014420aef2351a45749b925
+ uses: open-edge-platform/geti-ci/actions/semgrep@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "changed"
severity: "LOW"
From 90667eeaedb6cd5ce378174e57fb717f13f4db54 Mon Sep 17 00:00:00 2001
From: Barabanov
Date: Wed, 5 Nov 2025 13:57:24 +0000
Subject: [PATCH 2/3] semgrep upd
Signed-off-by: Barabanov
---
.github/workflows/test_precommit.yml | 1 +
.semgrepignore | 1 +
2 files changed, 2 insertions(+)
create mode 100644 .semgrepignore
diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml
index 3af19d08..68b3bac4 100644
--- a/.github/workflows/test_precommit.yml
+++ b/.github/workflows/test_precommit.yml
@@ -74,6 +74,7 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
+ fetch-depth: 0
- name: Run Bandit scan
uses: open-edge-platform/geti-ci/actions/semgrep@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..75c41412
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1 @@
+**/uv.lock
From c725527e2f8a88fb37727a7e6a6fff793b8cc626 Mon Sep 17 00:00:00 2001
From: Barabanov
Date: Wed, 5 Nov 2025 14:03:24 +0000
Subject: [PATCH 3/3] fix name
Signed-off-by: Barabanov
---
.github/workflows/test_precommit.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml
index 68b3bac4..c38225bf 100644
--- a/.github/workflows/test_precommit.yml
+++ b/.github/workflows/test_precommit.yml
@@ -75,7 +75,7 @@ jobs:
with:
persist-credentials: false
fetch-depth: 0
- - name: Run Bandit scan
+ - name: Run Semgrep scan
uses: open-edge-platform/geti-ci/actions/semgrep@4ec90fb54c7be053e40b9e3ecdf399cf501596ca
with:
scan-scope: "changed"
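Review bot: The added `fetch-depth: 0` in the Semgrep job's checkout carries no comment saying why a full clone is needed, and the reason is not visible in the hunk; presumably the step's `scan-scope: "changed"` (a few lines below, outside the hunk) needs the base commits to compute the diff, so record that intent, e.g. `fetch-depth: 0  # full history: the "changed" scan scope diffs against the base ref`. The Zizmor and Bandit jobs in the same workflow also run with `scan-scope: "changed"` and, as far as the earlier hunks show, keep the default shallow checkout, so it is worth confirming whether they need the same setting or whether only the Semgrep action requires history. `persist-credentials: false` is kept on this checkout, so the deeper clone does not widen token exposure. The job definition starts outside the hunk.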
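Review bot: The new `.semgrepignore` excludes `**/uv.lock` without recording why, so a later reader cannot tell whether the lockfile was noisy for code rules or deliberately kept out of scanning; a `#` comment line above the pattern, e.g. `# generated lockfile: skip for code-pattern rules`, would make the exclusion auditable. If Semgrep's supply-chain (dependency) rules are ever enabled, they read lockfiles such as uv.lock and this ignore pattern would silence them as well; if the goal is only to quiet specific rules, a per-rule `paths: exclude` in the rule definition keeps the lockfile visible to everything else.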