chore(ci): enable Renovate

.github/renovate.json5

@@ -0,0 +1,71 @@
+// Dependency Update Configuration
+//
+// See https://docs.renovatebot.com/configuration-options/
+// See https://json5.org/ for JSON5 syntax
+
+// [!] While updating the Renovate config, test changes on your own fork.
+//  1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork.
+//  2. Enable the Renovate GitHub app in your GitHub account.
+//     Verify that Renovate is activated in the repository settings within the Renovate Dashboard.
+//     To enable the dashboard set `dependencyDashboard` to true
+//  3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate.
+//  4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts.
+//  5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR,
+//     and include links in the description to share details about the testing you've conducted.
+
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["* * * * 0"], // weekly
+  },
+
+  extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"],
+  // https://docs.renovatebot.com/presets-default/#gitsignoff
+  // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+
+  // if necessary, add supported releases branches here
+  // it is possible to enable/disable specific upgrades per branch with
+  // `matchBaseBranches` in specific rule
+  baseBranches: ["master"],
+
+  enabledManagers: ["github-actions", "pep621"],
+
+  // Set limit to 10
+  ignorePresets: [":prHourlyLimit2"],
+  prHourlyLimit: 10,
+
+  packageRules: [
+    {
+      enabled: true,
+      matchManagers: ["pep621"],
+      schedule: ["* * * * 0"], // weekly
+    },
+
+    // Disable ultralytics notifications (based on previous Dependabot config)
+    {
+      enabled: false,
+      matchDatasources: ["pypi"],
+      matchDepNames: ["ultralytics"],
+    },
+
+    // Group GitHub Actions updates
+    {
+      enabled: true,
+      separateMajorMinor: false,
+      groupName: "GitHub Actions",
+      matchManagers: ["github-actions"],
+      matchPackagePatterns: ["*"],
+      schedule: ["* * 1 * *"], // every month
+    },
+  ],
+
+  // Enable security upgrades
+  vulnerabilityAlerts: {
+    enabled: true,
+  },
+  osvVulnerabilityAlerts: true,
+  dependencyDashboard: true,
+}

.github/workflows/docs.yml

@@ -70,22 +70,24 @@ jobs:
             echo "Branch gh-pages already exists"
           fi
       - name: Commit docs to gh-pages branch
+        env:
+          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
         run: |
           git fetch
           git checkout gh-pages
           mkdir -p /tmp/docs_build
           cp -r docs/build/html/* /tmp/docs_build/
-          rm -rf ${{ env.RELEASE_VERSION }}/*
+          rm -rf "$RELEASE_VERSION"/*
           echo '<html><head><meta http-equiv="refresh" content="0; url=latest/" /></head></html>' > index.html
-          mkdir -p ${{ env.RELEASE_VERSION }}
-          cp -r /tmp/docs_build/* ./${{ env.RELEASE_VERSION }}
+          mkdir -p "$RELEASE_VERSION"
+          cp -r /tmp/docs_build/* ./"$RELEASE_VERSION"
           rm -rf /tmp/docs_build
           git config --local user.email "[email protected]"
           git config --local user.name "GitHub Action"
-          if [[ ${{ env.RELEASE_VERSION }} != 'test_build' ]]; then
-            ln -sfn ${{ env.RELEASE_VERSION }} latest
+          if [[ "$RELEASE_VERSION" != 'test_build' ]]; then
+            ln -sfn "$RELEASE_VERSION" latest
           fi
-          git add ./latest ${{ env.RELEASE_VERSION }}
+          git add ./latest "$RELEASE_VERSION"
           git add index.html
           git commit -m "Update documentation" -a || true
       - name: Push changes

.github/workflows/pre_commit.yml

@@ -69,8 +69,8 @@ jobs:
         uses: open-edge-platform/anomalib/.github/actions/security/zizmor@f6ec1c57363a9894ff57184a5bfb78efa8f3de1b
         with:
           scan-scope: "changed"
-          severity-level: "MEDIUM"
-          confidence-level: "HIGH"
+          severity-level: "LOW"
+          confidence-level: "LOW"
           fail-on-findings: true
   Bandit-Scan-PR:
     runs-on: ubuntu-latest

.github/workflows/renovate-config-validator.yml

@@ -0,0 +1,42 @@
+# Renovate configuration validator
+#
+# This workflow validates changes proposed into Renovate configuration file
+# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate.
+#
+# Required Secrets:
+# - None
+#
+# Automatically triggered on:
+# - Pull requests to .github/renovate.json5.
+#
+
+name: Validate Renovate configuration
+
+on:
+  pull_request:
+    paths:
+      - ".github/renovate.json5"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout configuration
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Validate configuration
+        run: |
+          # renovate: datasource=docker
+          export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11
+          docker run --rm --entrypoint "renovate-config-validator" \
+          -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
+          ${RENOVATE_IMAGE} "/renovate.json5"

.github/workflows/renovate.yml

@@ -0,0 +1,84 @@
+# Dependencies Management Workflow
+#
+# This workflow automates the dependence management based on self-hosed Renovate
+# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly.
+#
+# Key Features:
+# - Automated PR creation into pyproject.toml and uv.lock regeneration
+# - Dry-run for debug purposes
+# - Dependency dashboard (is available in GitHub issues) maintenance
+#
+# Process Stages:
+#
+# 1. Dependencies Management:
+#    - Runs on a daily schedule.
+#    - Identifies dependencies that may be updated based on .github/renovate.json5 configuration.
+#    - Opens corresponding PRs with respect to schedule defined in Renovate config file.
+#    - Updates Renovate Dependency dashboard that is available in GitHub issues.
+#
+# Required Secrets:
+# - RENOVATE_APP_ID: application ID
+# - RENOVATE_APP_PEM: application private key
+#
+# Example Usage:
+# 1. Scheduled Run:
+#    Automatically runs, daily
+#
+# 2. Manual Trigger:
+#    workflow_dispatch:
+#    inputs:
+#      dry-run:
+#        description: "Run Renovate in dry-run mode (no PR)"
+#        required: false
+#        default: false
+#        type: boolean
+#
+# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues.
+
+name: Renovate
+on:
+  schedule:
+    # daily
+    - cron: "0 2 * * *"
+
+  # allow to manually trigger this workflow
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Run Renovate in dry-run mode (no PR)"
+        required: false
+        default: false
+        type: boolean
+
+permissions: {}
+
+jobs:
+  renovate:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Get token
+        id: get-github-app-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0
+        with:
+          configurationFile: .github/renovate.json5
+          token: "${{ steps.get-github-app-token.outputs.token }}"
+        env:
+          LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }}
+          # Dry run if the event is workflow_dispatch AND the dry-run input is true
+          RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }}
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: ${{ github.repository }}

.pre-commit-config.yaml

@@ -42,10 +42,10 @@ repos:
 
   # zizmor detects security issues in GitHub Actions workflows.
   - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.9.0
+    rev: v1.11.0
     hooks:
       - id: zizmor
-        args: ["--min-severity", "medium", "--min-confidence", "high"]
+        args: ["--min-severity", "low", "--min-confidence", "low"]
 
   # add bandit for security checks
   - repo: https://github.com/PyCQA/bandit

README.md

@@ -13,6 +13,7 @@
 [![Build Docs](https://github.com/open-edge-platform/model_api/actions/workflows/docs.yml/badge.svg)](https://github.com/open-edge-platform/model_api/actions/workflows/docs.yml)
 
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-edge-platform/model_api/badge)](https://scorecard.dev/viewer/?uri=github.com/open-edge-platform/model_api)
 
 ## Introduction