open-edge-platform
diff --git a/‎.github/components-path-filters.yml‎
Lines changed: 21 additions & 0 deletions b/‎.github/components-path-filters.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/renovate.json5‎
Lines changed: 12 additions & 0 deletions b/‎.github/renovate.json5‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎.github/workflows/bdd-stylecheck.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/bdd-stylecheck.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/builder-images.yml‎
Lines changed: 105 additions & 0 deletions b/‎.github/workflows/builder-images.yml‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/collect-source.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/collect-source.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/component.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/component.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/libs_test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/libs_test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/renovate.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/renovate.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecards.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/scorecards.yml‎
Lines changed: 2 additions & 2 deletions
@@ -7,6 +7,8 @@ platform/services/auth_proxy:
   - .github/workflows/component.yml
 platform/services/credit:
   - platform/services/credit/**
+  - libs/kafka_tools/**
+  - libs/telemetry_tools/**
   - libs/grpc_interfaces/pyproject.toml
   - libs/grpc_interfaces/credit_system/**
   - libs/grpc_interfaces/account_service/**
@@ -15,6 +17,7 @@ platform/services/credit:
   - .github/workflows/component.yml
 platform/services/observability:
   - platform/services/observability/**
+  - libs/telemetry_tools/**
   - Makefile.shared-python
   - Makefile.shared
   - .github/workflows/component.yml
@@ -29,11 +32,14 @@ platform/services/onboarding:
   - .github/workflows/component.yml
 platform/services/notifier:
   - platform/services/notifier/**
+  - libs/kafka_tools/**
+  - libs/telemetry_tools/**
   - Makefile.shared-python
   - Makefile.shared
   - .github/workflows/component.yml
 platform/services/user_directory:
   - platform/services/user_directory/**
+  - platform/libs/users_handler/**
   - libs/telemetry_tools/**
   - libs/spicedb_tools/**
   - libs/grpc_interfaces/pyproject.toml
@@ -78,6 +84,7 @@ platform/services/opa_bundle:
   - .github/workflows/component.yml
 platform/services/installer:
   - platform/services/installer/**
+  - libs/k8s_tools/**
   - Makefile.shared-python
   - Makefile.shared
   - .github/workflows/component.yml
@@ -87,9 +94,12 @@ interactive_ai/services/auto_train:
   - interactive_ai/services/auto_train/**
   - interactive_ai/libs/iai_core_py/**
   - interactive_ai/supported_models/**
+  - libs/grpc_interfaces/pyproject.toml
+  - libs/grpc_interfaces/job_submission/**
   - libs/types/**
   - libs/telemetry_tools/**
   - libs/feature_tools/**
+  - libs/configuration_tools/**
   - Makefile.shared-python
   - Makefile.shared
   - .github/workflows/component.yml
@@ -178,6 +188,9 @@ interactive_ai/services/resource:
   - interactive_ai/services/resource/**
   - interactive_ai/libs/iai_core_py/**
   - interactive_ai/libs/media_utils/**
+  - interactive_ai/supported_models/**
+  - libs/grpc_interfaces/pyproject.toml
+  - libs/grpc_interfaces/model_registration/**
   - libs/types/**
   - libs/telemetry_tools/**
   - libs/feature_tools/**
@@ -218,11 +231,14 @@ interactive_ai/workflows/common:
   - libs/kafka_tools/**
   - libs/telemetry_tools/**
   - libs/types/**
+  - libs/grpc_interfaces/pyproject.toml
+  - libs/grpc_interfaces/job_update/**
   - Makefile.shared-python
   - Makefile.shared
   - .github/workflows/component.yml
 interactive_ai/workflows/dataset_ie:
   - interactive_ai/workflows/dataset_ie/**
+  - interactive_ai/workflows/common/pyproject.toml
   - interactive_ai/workflows/common/jobs_common
   - interactive_ai/workflows/common/jobs_common_extras/datumaro_conversion
   - interactive_ai/libs/iai_core_py/**
@@ -237,6 +253,7 @@ interactive_ai/workflows/dataset_ie:
   - .github/workflows/component.yml
 interactive_ai/workflows/project_ie:
   - interactive_ai/workflows/project_ie/**
+  - interactive_ai/workflows/common/pyproject.toml
   - interactive_ai/workflows/common/jobs_common
   - interactive_ai/workflows/common/jobs_common_extras/datumaro_conversion
   - interactive_ai/data_migration/**
@@ -252,6 +269,7 @@ interactive_ai/workflows/project_ie:
   - .github/workflows/component.yml
 interactive_ai/workflows/model_test:
   - interactive_ai/workflows/model_test/**
+  - interactive_ai/workflows/common/pyproject.toml
   - interactive_ai/workflows/common/jobs_common
   - interactive_ai/workflows/common/jobs_common_extras/evaluation
   - interactive_ai/libs/iai_core_py/**
@@ -264,12 +282,14 @@ interactive_ai/workflows/model_test:
   - .github/workflows/component.yml
 interactive_ai/workflows/optimize:
   - interactive_ai/workflows/optimize/**
+  - interactive_ai/workflows/common/pyproject.toml
   - interactive_ai/workflows/common/jobs_common
   - interactive_ai/workflows/common/jobs_common_extras/evaluation
   - interactive_ai/workflows/common/jobs_common_extras/shard_dataset
   - interactive_ai/libs/iai_core_py/**
   - interactive_ai/libs/media_utils/**
   - libs/k8s_tools/**
+  - libs/kafka_tools/**
   - libs/telemetry_tools/**
   - libs/types/**
   - Makefile.shared-python
@@ -279,6 +299,7 @@ interactive_ai/workflows/train:
   - interactive_ai/supported_models/**
   - interactive_ai/workflows/train/job/**
   - interactive_ai/workflows/train/tests/**
+  - interactive_ai/workflows/common/pyproject.toml
   - interactive_ai/workflows/common/jobs_common
   - interactive_ai/workflows/common/jobs_common_extras/evaluation
   - interactive_ai/workflows/common/jobs_common_extras/experiments
 
@@ -63,6 +63,18 @@
       schedule: ["* * * * 0"], // weekly
     },
 
+    // Base images from dev_tools/builder_images
+    // are upgraded separately as it requires two steps
+    {
+      enabled: true,
+      matchDatasources: ["docker"],
+      pinDigests: true,
+      groupName: "Pin builder images",
+      groupSlug: "pin-builders",
+      schedule: ["* * 1 * *"], // every month
+      matchPaths: ["dev_tools/builder_images/**"],
+    },
+
     // Disable non-security upgrades for go and npm.
     // We will enable it in the next phase
     {
 
@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Install uv
-        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
         with:
           version: "0.7.13"
 
 
@@ -0,0 +1,105 @@
+# This workflow builds and publishes builder container images for Python and Go.
+# These images contain all the tools required to build applications and are used
+# both in GitHub Actions workflows and for local development. The workflow checks
+# for changes in the builder image directories, builds the relevant images if needed,
+# and pushes them to the GitHub Container Registry. This ensures that up-to-date
+# builder images are available for creating product images in CI/CD pipelines and
+# for developers working locally.
+#
+# NOTICE:
+# Whenever you make changes to the builder image directories,
+# you MUST bump the BUILDER_TAG in the corresponding Makefile.
+# This ensures that the new image is tagged and published correctly.
+
+name: Build and Publish Builder Images
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'dev_tools/builder_images/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'dev_tools/builder_images/**'
+
+permissions: {}
+
+jobs:
+  check_paths:
+    name: Check if workflow should run
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      build_list: ${{ steps.changed-files-yaml.outputs.modified_keys }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Get all paths that should trigger the workflow
+        id: changed-files-yaml
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        with:
+          files_yaml: |
+            go:
+              - dev_tools/builder_images/go-builder/**
+            python:
+              - dev_tools/builder_images/python-builder/**
+  
+  create_builder:
+    name: Create and push builder images
+    needs: check_paths
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write # To push to GitHub Container Registry
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - path: dev_tools/builder_images/go-builder
+            run_condition: ${{ contains(needs.check_paths.outputs.build_list, 'go')}}
+          - path: dev_tools/builder_images/python-builder
+            run_condition: ${{ contains(needs.check_paths.outputs.build_list, 'python')}}
+    env:
+      REGISTRY: ghcr.io/open-edge-platform
+    steps:
+      - name: Checkout repository
+        if: ${{ matrix.run_condition }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Check if Docker image exists
+        if: ${{ matrix.run_condition }}
+        run: |
+          IMAGE=$(make -C ${{ matrix.path }} list-image | grep $REGISTRY)
+          if docker manifest inspect "${IMAGE}" > /dev/null 2>&1; then
+            echo Image ${IMAGE} exists please bump the BUILDER_TAG in the Makefile
+            exit 1
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build image
+        if: ${{ matrix.run_condition}}
+        run: |
+          make -C ${{ matrix.path }} build-image
+
+      - name: Log in to GitHub Container Registry
+        if: ${{ matrix.run_condition && github.event_name == 'push'}}
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
+        if: ${{ matrix.run_condition && github.event_name == 'push'}}
+        run: |
+          make -C ${{ matrix.path }} push-image
@@ -66,13 +66,13 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
           queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: "/language:${{matrix.language}}"
@@ -116,7 +116,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: get-unique-names
     container:
-      image: debian:bookworm-slim@sha256:df52e55e3361a81ac1bead266f3373ee55d29aa50cf0975d440c2be3483d8ed3
+      image: debian:bookworm-slim@sha256:7e490910eea2861b9664577a96b54ce68ea3e02ce7f51d89cb0103a6f9c386e0
     steps:
     - name: Add apt sources for deb-src
       shell: bash
 
@@ -52,6 +52,9 @@ jobs:
     env:
       TAG: ${{ inputs.build_version || github.sha }}
       REGISTRY: ${{ secrets.REGISTRY }}
+      # Update these when the tags in dev_tools/builder_images/*/Makefile are updated.
+      # Remember that new tags will be available only after the code with the change is merged
+      # and the builder image workflow is run and completed successfully.
       PYTHON_BUILDER_IMAGE: builder-images/python-builder:v0.1
       GO_BUILDER_IMAGE: builder-images/go-builder:v0.1
     steps:
 
@@ -51,7 +51,7 @@ jobs:
           sudo -E apt install -y ffmpeg
 
       - name: Install uv
-        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
         with:
           version: "0.7.13"
 
 
@@ -40,7 +40,7 @@ jobs:
           private-key: ${{ secrets.RENOVATE_APP_PEM }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@9ba84f1ade243f8c2ce5b223df61cf23dc094584 # v43.0.13
+        uses: renovatebot/github-action@2d941ef4e268e53affdc1f11365c69a73e544f50 # v43.0.14
         with:
           configurationFile: .github/renovate.json5
           token: "${{ steps.get-github-app-token.outputs.token }}"
 
@@ -32,14 +32,14 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       # Upload the results to GitHub's code scanning dashboard
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: results.sarif