revert actions to pr

Author: tylertitsworth

.github/action.yml

@@ -45,6 +45,10 @@ inputs:
     required: false
     default: false
     type: boolean
+outputs:
+  container-group:
+    description: "Container Group"
+    value: ${{ steps.container-output.outputs.group }}
 runs:
   using: composite
   steps:
@@ -69,6 +73,26 @@ runs:
         COMPOSE_PROJECT_NAME=${{ env.project-number }} \
         ${{ inputs.env_overrides }} docker compose -p ${{ env.project-number }} up --build --force-recreate --always-recreate-deps --no-start
       working-directory: ${{ inputs.group_dir }}
+    - name: Print Containers
+      id: container-output
+      shell: bash
+      run: |
+        mkdir matrix
+        images=$(REGISTRY=${{ inputs.registry }} \
+        REPO=${{ inputs.repo }} \
+        COMPOSE_PROJECT_NAME=${{ env.project-number }} \
+        ${{ inputs.env_overrides }} docker compose -p ${{ env.project-number }} images --format json)
+        for image in $(echo $images | jq -r --arg registry "$REGISTRY" '.[] | select(.Repository | contains($registry)) | .Tag'); do
+          echo "$image" > matrix/$image.txt
+        done
+        echo "group=${{ inputs.group_dir }}" | tr '/' '_' >> $GITHUB_OUTPUT
+      working-directory: ${{ inputs.group_dir }}
+    - uses: actions/upload-artifact@v4
+      with:
+        name: ${{ env.project-number }}-${{ steps.container-output.outputs.group }}
+        path: ${{ inputs.group_dir }}/matrix/*
+        retention-days: 1
+        overwrite: true
     - name: Push Containers
       shell: bash
       if: ${{ !fromJson(inputs.no-push) }}

.github/scan/action.yml

@@ -0,0 +1,35 @@
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Aqua Security Trivy'
+description: 'Scans container images for vulnerabilities with Trivy without building the image. For use behind firewalls.'
+author: 'tyler.titsworth@intel.com'
+inputs:
+  image-ref:
+    description: 'image reference(for backward compatibility)'
+    required: true
+  output:
+    description: 'writes results to a file with the specified file name'
+    required: true
+runs:
+  using: 'docker'
+  image: "docker://ghcr.io/aquasecurity/trivy"
+  entrypoint: trivy
+  args:
+    - '--timeout=30m'
+    - image
+    - '--format=sarif'
+    - '--no-progress'
+    - '--output=${{ inputs.output }}'
+    - ${{ inputs.image-ref }}

.github/workflows/chart-ci.yaml

@@ -15,9 +15,7 @@
 name: Helm Chart CI
 on:
   merge_group: null
-  pull_request_target:
-    types: [opened, edited, reopened, synchronize]
-    branches: [main]
+  pull_request:
     paths:
     - 'workflows/charts/**'
 permissions: read-all
@@ -33,15 +31,6 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'pull_request_target' }}
-      with:
-        fetch-depth: 0
-        ref: "refs/pull/${{ github.event.number }}/merge"
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'merge_group' }}
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.merge_group.head_ref }}
     - uses: intel/ai-containers/workflows/charts@main
       with:
         kubeconfig_path: ${{ secrets.KUBECONFIG_PATH }}

.github/workflows/container-ci.yaml

@@ -25,11 +25,6 @@ on:
         description: 'Enter Bash Env Variable Overrides in `KEY=VAL KEY2=VAL2` format:'
         required: false
         type: string
-      ref:
-        description: 'Enter Git Ref:'
-        required: true
-        default: 'main'
-        type: string
       runner_label:
         description: 'Enter Validation Runner Label:'
         default: test-runner
@@ -61,13 +56,10 @@ on:
       no_start:
         required: false
         type: boolean
-      ref:
-        required: true
-        type: string
 jobs:
-  ####################################################################################################
-  # Compose Build
-  ####################################################################################################
+####################################################################################################
+# Compose Build
+####################################################################################################
   setup-build:
     outputs:
       matrix: ${{ steps.build-matrix.outputs.matrix }}
@@ -78,8 +70,6 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        ref: ${{ inputs.ref }}
     - name: Set Matrix
       id: build-matrix
       run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
@@ -93,10 +83,10 @@ jobs:
     strategy:
       matrix: ${{ fromJson(needs.setup-build.outputs.matrix) }}
       fail-fast: false
+    outputs:
+      group: ${{ steps.build-group.outputs.container-group }}
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        ref: ${{ inputs.ref }}
       if: ${{ !inputs.no_build }}
     - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
@@ -115,9 +105,63 @@ jobs:
         repo: ${{ secrets.REPO }}
         no-push: ${{ inputs.no_push }}
         no-start: ${{ inputs.no_start }}
-        ####################################################################################################
-        # Generic Test Runner
-        ####################################################################################################
+####################################################################################################
+# Trivy Scan
+####################################################################################################
+  setup-scan:
+    needs: [build-containers]
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.scan-matrix.outputs.matrix }}
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      with:
+        path: matrix
+    - name: Set Matrix
+      id: scan-matrix
+      run: echo "matrix=$(cat matrix/*-${{ needs.build-containers.outputs.group }}/*.txt | jq -R '.' | jq -sc '. | unique')" >> $GITHUB_OUTPUT
+  scan-containers:
+    needs: [setup-scan]
+    if: ${{ !inputs.no_build }}
+    runs-on: k8-runners
+    permissions:
+      actions: read
+      packages: read
+      pull-requests: write
+      security-events: write
+    strategy:
+      matrix:
+        container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }}
+      fail-fast: false
+    steps:
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+      with:
+        registry: ${{ secrets.REGISTRY }}
+        username: ${{ secrets.REGISTRY_USER }}
+        password: ${{ secrets.REGISTRY_TOKEN }}
+    - name: Pull Image
+      run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
+    - name: Scan Container
+      uses: intel/ai-containers/.github/scan@5c68c9c8ff7f634fff3abcc17c46970e0b9b0dde # main
+      with:
+        image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
+        output: ${{ matrix.container }}-scan.sarif
+    - name: Cleanup
+      if: always()
+      run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
+    - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+      with:
+        sarif_file: '${{ matrix.container }}-scan.sarif'
+        category: '${{ matrix.container }}'
+      continue-on-error: true
+####################################################################################################
+# Generic Test Runner
+####################################################################################################
   setup-test:
     needs: [build-containers]
     runs-on: ubuntu-latest
@@ -129,8 +173,6 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        ref: ${{ inputs.ref }}
     - name: Get Recipes
       id: test-matrix
       run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -148,8 +190,6 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        ref: ${{ inputs.ref }}
     - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ${{ secrets.REGISTRY }}
@@ -159,9 +199,8 @@ jobs:
       uses: intel/ai-containers/test-runner@main
       with:
         cache_registry: ${{ secrets.CACHE_REGISTRY }}
-        perf_repo: ${{ secrets.PERF_REPO }}
         recipe_dir: ${{ inputs.group_dir }}
         registry: ${{ secrets.REGISTRY }}
         repo: ${{ secrets.REPO }}
         test_dir: ${{ matrix.tests }}
-        token: ${{ secrets.PERF_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependency-review.yaml

@@ -22,9 +22,7 @@
 # Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
 on:
-  pull_request_target:
-    types: [opened, edited, reopened, synchronize]
-    branches: [main]
+  pull_request: null
 permissions:
   contents: read
 concurrency:

.github/workflows/docs.yaml

@@ -15,9 +15,7 @@
 name: Docs
 on:
   merge_group: null
-  pull_request_target:
-    types: [opened, edited, reopened, synchronize]
-    branches: [main]
+  pull_request: null
   push:
     branches:
     - main
@@ -38,17 +36,6 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'push' }}
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'pull_request_target' }}
-      with:
-        fetch-depth: 0
-        ref: "refs/pull/${{ github.event.number }}/merge"
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'merge_group' }}
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.merge_group.head_ref }}
     - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: 3.8

.github/workflows/integration-test.yaml

@@ -14,9 +14,7 @@
 
 name: Integration Tests
 on:
-  pull_request_target:
-    types: [opened, edited, reopened, synchronize]
-    branches: [main]
+  pull_request: null
 permissions: read-all
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -32,15 +30,12 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        fetch-depth: 0
-        ref: "refs/pull/${{ github.event.number }}/merge"
     - name: Output Modified Group Directories
       id: group-list
       run: |
         # Get diff array filtered by specific filetypes
         DIFF=$(git diff --diff-filter=d \
-            --name-only ${{ github.event.merge_group.base_sha || github.event.pull_request.base.sha }}...${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }} \
+            --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} \
             -- '*/*Dockerfile' '*.py' '*.yaml' '*.yml' '*.sh' '*/*requirements.txt' '*.json' | \
             jq -R '.' | jq -sc '.' \
         )
@@ -71,7 +66,6 @@ jobs:
     uses: intel/ai-containers/.github/workflows/container-ci.yaml@main
     with:
       group_dir: ${{ matrix.group }}
-      ref: "refs/pull/${{ github.event.number }}/merge"
     secrets: inherit
   status-check:
     needs: [group-diff, pipeline-ci]

.github/workflows/lint.yaml

@@ -30,14 +30,8 @@ jobs:
       with:
         egress-policy: audit
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'pull_request' }}
       with:
         fetch-depth: 0
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      if: ${{ github.event_name == 'merge_group' }}
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.merge_group.head_ref }}
     - uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589 # v6.6.0
       env:
         # To report GitHub Actions status checks

.github/workflows/merge_check.yaml

@@ -26,22 +26,22 @@ jobs:
           checkName: helm-ci
           ref: ${{ github.event.merge_group.head_ref }}
           timeoutSeconds: 1800
-          token: ${{ secrets.ACTION_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be
         if: ${{ steps.helm-ci.outputs.conclusion == 'success' }}
         id: integration-test
         with:
           checkName: integration-test
           ref: ${{ github.event.merge_group.head_ref }}
           timeoutSeconds: 1800
-          token: ${{ secrets.ACTION_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be
         if: ${{ steps.integration-test.outputs.conclusion == 'success' }}
         id: coverage
         with:
           checkName: coverage
           ref: ${{ github.event.merge_group.head_ref }}
           timeoutSeconds: 1800
-          token: ${{ secrets.ACTION_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - if: ${{ steps.coverage.outputs.conclusion != 'success' }}
         run: exit 1

.github/workflows/scorecard.yaml

@@ -46,7 +46,7 @@ jobs:
       with:
         results_file: results.sarif
         results_format: sarif
-        repo_token: ${{ secrets.ACTION_TOKEN }}
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
         publish_results: true
     - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with: