Merge branch 'main' into kubeadm_intel

Author: Julia Okuniewska

.github/dependabot.yml

@@ -3,19 +3,29 @@
 
 ---
 version: 2
-registries:
-  github:
-    type: git
-    url: https://github.com
-    username: x-access-token
-    password: ${{ secrets.SYS_ORCH_GITHUB }}
 updates:
   - package-ecosystem: "gomod"
-    directory: "/"
-    registries:
-      - github
+    directories:
+      - "/"
     schedule:
       interval: daily
-    open-pull-requests-limit: 2
+    open-pull-requests-limit: 3
     commit-message:
-      prefix: "[gomod] "
+      prefix: "[gomod] "
+    groups:
+      dependencies:
+        patterns:
+          - "*"
+        exclude-patterns:  # Internal dependencies are update into separate PRs.
+          - "*open-edge-platform*"
+      internal-dependencies:
+        patterns:
+          - "*open-edge-platform*"
+  - package-ecosystem: "github-actions"
+    directories:
+      - "/"  # this enables searching only in /.github/workflows directory
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "[gha] "

.github/workflows/auto-close.yml

@@ -12,12 +12,16 @@ on:
   schedule:
     - cron: '30 1 * * *'  # run every day
   workflow_dispatch: {}
-
+permissions: {}
 jobs:
   stale-auto-close:
-    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    permissions:
+      contents: read # branch delete will be handled by the repo settings
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v5.1.1
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-pr-message: 'This pull request is stale because it has been open 30 days with no activity. Make a comment or update the PR to avoid closing PR after 15 days.'

.github/workflows/auto-update.yml

@@ -14,15 +14,26 @@ on:
       - main
       - release-*
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  Auto-Update-PR:
+  update-pull-requests:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
+
     steps:
-      - uses: tibdex/[email protected]
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
-          github_token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
+      - name: Update pull requests
+        uses: open-edge-platform/orch-ci/.github/actions/pr_updater@f341738d975c38b2b91f25d405baeb2d39bf2ddb  # 0.1.14
+        with:
+          github_token: ${{ secrets.SYS_ORCH_GITHUB }}

.github/workflows/co-integration-test.yaml

@@ -14,33 +14,39 @@ on:
 
 jobs:
   integration-smoke-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04-16core-64GB
     if: true
     env:
       VERSION: ${{ github.head_ref }}  # Use the component branch that triggered the action for the test
     steps:
       - name: Checkout orch ci
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: open-edge-platform/orch-ci
           path: ci
           ref: "main"
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Checkout cluster-tests for integration tests
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: open-edge-platform/cluster-tests
           path: cluster-tests
           ref: "main"
           token: ${{ secrets.SYS_ORCH_GITHUB }}
+          persist-credentials: false
 
       - name: Bootstrap CI environment
         uses: ./ci/.github/actions/bootstrap
         with:
           gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
       - name: Run make test with additional config
+        env:
+          VERSION: ${{ env.VERSION }}
         run: |
           cd cluster-tests
-          ADDITIONAL_CONFIG="{\"components\":[{\"name\":\"cluster-manager\", \"skip-local-build\": false, \"git-repo\": {\"version\":\"${{ env.VERSION }}\"}}]}" make test
+          ADDITIONAL_CONFIG="{\"components\":[{\"name\":\"cluster-manager\", \"skip-local-build\": false, \"git-repo\": {\"version\":\"${VERSION}\"}}]}" make test

.github/workflows/dev-artifacts-push.yml

@@ -0,0 +1,54 @@
+# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+---
+
+name: Push development artifacts to the Release Service
+
+on:
+  # manual trigger from the Actions tab
+  workflow_dispatch:
+
+env:
+  VERSION_SUFFIX: -test
+
+permissions: {}
+
+jobs:
+  dev-artifacts-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Build Docker image
+        run: |
+          make docker-build
+
+      - name: Build Helm chart
+        run: |
+          make helm-build
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.0.1
+        with:
+          aws-access-key-id: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
+          aws-secret-access-key: ${{ secrets.NO_AUTH_ECR_PUSH_PASSWD }}
+          aws-region: us-west-2
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076  # v2.0.1
+        with:
+          registries: "080137407410"
+
+      - name: Push Docker image
+        run: |
+          make docker-push
+
+      - name: Push Helm chart
+        run: |
+          make helm-push

.github/workflows/post-merge.yml

@@ -11,13 +11,16 @@ on:
       - main
       - release-*
   workflow_dispatch: 
-
+permissions: {}
 jobs:
   post-merge:
-    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
     with:
       run_build: true
-      run_security_scans: true
       run_version_check: true
       run_dep_version_check: true
       cache_go: true
@@ -29,4 +32,4 @@ jobs:
       run_docker_push: true
       run_helm_build: true
       run_helm_push: true
-    secrets: inherit
+    secrets: inherit  # zizmor: ignore[secrets-inherit]

.github/workflows/pre-merge.yml

@@ -12,17 +12,22 @@ on:
       - release-*
   workflow_dispatch: 
 
+permissions: {}
+
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools,nodejs"
@@ -33,7 +38,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
     
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -45,15 +50,18 @@ jobs:
       run: make lint
 
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools"
@@ -64,7 +72,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -75,15 +83,18 @@ jobs:
       run: make build
 
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout PR
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: "Setup"
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
         bootstrap_tools: "go,gotools" 
@@ -94,7 +105,7 @@ jobs:
         echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
     - name: Cache build artifact
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: |
           ${{ env.GOCACHE }}
@@ -105,6 +116,8 @@ jobs:
       run: make test
 
   pre-merge:
+    permissions:
+      contents: read
     needs: [lint, build, test]
     uses: open-edge-platform/orch-ci/.github/workflows/pre-merge.yml@main
     with:
@@ -119,5 +132,8 @@ jobs:
       run_test: false
       run_validate_clean_folder: false
       run_docker_build: true
-      run_scan_containers: false
-    secrets: inherit
+      run_docker_push: false
+      run_helm_build: true
+      run_helm_push: false
+      version_suffix: "-pr-${{ github.event.number }}"
+    secrets: inherit

.github/workflows/service-test.yml

@@ -4,7 +4,9 @@
 ---
 
 name: Run service tests
-  
+
+permissions: {}
+
 on:
   pull_request:
     branches:
@@ -14,17 +16,38 @@ on:
 
 jobs:
   integration-smoke-test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout orch ci
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.head_ref }}
+        persist-credentials: false
 
     - name: Bootstrap CI environment
-      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@main
+      uses: open-edge-platform/orch-ci/.github/actions/bootstrap@13722579bc8edfb712203cb8e88fcc404d2218bc  # 0.1.9
       with:
         gh_token: ${{ secrets.SYS_ORCH_GITHUB }}
 
     - name: Run service test
-      run: make run-service-test
+      run: make run-service-test
+
+    - name: Gather logs from every pod
+      if: always()
+      run: |
+        mkdir -p service-test-logs
+        for pod_and_namespace in $(kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.name}{";"}{.metadata.namespace}{"\n"}{end}'); do
+          pod=$(echo "$pod_and_namespace" | awk -F';' '{print $1}')
+          namespace=$(echo "$pod_and_namespace" | awk -F';' '{print $2}')
+          echo "Gathering logs for pod $pod in namespace $namespace"
+          kubectl logs "$pod" -n "$namespace" > "./service-test-logs/${pod}.log" || echo "Failed to get logs for $pod in namespace $namespace"
+        done
+
+    - name: Upload pod logs as evidence
+      if: always()
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      with:
+        name: service-test-logs
+        path: service-test-logs