diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 600a98c2a..9092679b7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,43 @@ updates: interval: "weekly" commit-message: prefix: "chore" + + - package-ecosystem: docker + directory: /docker/kaito + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/llama-2 + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/tfs-onnx + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/tfs + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/tuning + schedule: + interval: daily + + - package-ecosystem: gomod + directory: / + schedule: + interval: daily + + - package-ecosystem: pip + directory: /presets/inference/text-generation + schedule: + interval: daily + + - package-ecosystem: pip + directory: /presets/tuning/tfs + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1651267c0..9343379b8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 7 * * 1" # Mondays at 7:00 AM +permissions: + contents: read + jobs: analyze: name: Analyze @@ -17,6 +20,11 @@ jobs: actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -33,4 +41,3 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a - diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index 94ab2953b..95f6b98b4 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} @@ -33,7 +33,7 @@ jobs: ref: ${{ github.event.client_payload.tag }} - name: Goreleaser - uses: goreleaser/goreleaser-action@v5 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest args: release --rm-dist --timeout 60m --debug diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..3f3456223 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/e2e-preset-test.yml b/.github/workflows/e2e-preset-test.yml index cdd7e5746..0cb8c302d 100644 --- a/.github/workflows/e2e-preset-test.yml +++ b/.github/workflows/e2e-preset-test.yml @@ -37,10 +37,10 @@ jobs: full_matrix: ${{ steps.images.outputs.full_matrix }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - submodules: true - fetch-depth: 0 + submodules: true + fetch-depth: 0 # This script should output a JSON array of model names - name: Determine Affected Models diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 2df542691..05e06123e 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml @@ -16,6 +16,11 @@ jobs: publish-helm: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -24,7 +29,7 @@ jobs: ref: ${{ github.event.client_payload.tag }} - name: Publish Workspace Helm chart - uses: stefanprodan/helm-gh-pages@v1.7.0 + uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 with: token: ${{ secrets.GITHUB_TOKEN }} charts_dir: charts/kaito diff --git a/.github/workflows/lint-go.yml b/.github/workflows/lint-go.yml index 5c523f766..3170149c7 100644 --- a/.github/workflows/lint-go.yml +++ b/.github/workflows/lint-go.yml @@ -15,6 +15,9 @@ on: env: GO_VERSION: '1.22' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -32,7 +35,7 @@ jobs: fetch-depth: 0 - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml index 00e6c44f7..2fb144a3e 100644 --- a/.github/workflows/markdown-link-check.yml +++ b/.github/workflows/markdown-link-check.yml @@ -3,18 +3,26 @@ name: markdown link on: pull_request: paths: - - '**.md' - - 'docs/**' + - "**.md" + - "docs/**" + +permissions: + contents: read jobs: markdown-link-check: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: gaurav-nelson/github-action-markdown-link-check@v1 + - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 with: # this will only show errors in the output - use-quiet-mode: 'yes' + use-quiet-mode: "yes" # this will show detailed HTTP status for checked links - use-verbose-mode: 'yes' - config-file: '.github/markdown.links.config.json' + use-verbose-mode: "yes" + config-file: ".github/markdown.links.config.json" diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml index 160227fe1..397663dac 100644 --- a/.github/workflows/pr-title-lint.yml +++ b/.github/workflows/pr-title-lint.yml @@ -12,7 +12,12 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: thehanimo/pr-title-checker@v1.4.2 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} pass_on_octokit_error: true diff --git a/.github/workflows/preset-image-build.yml b/.github/workflows/preset-image-build.yml index e0fb52696..32bdb7145 100644 --- a/.github/workflows/preset-image-build.yml +++ b/.github/workflows/preset-image-build.yml @@ -39,9 +39,9 @@ jobs: outputs: matrix: ${{ steps.affected_models.outputs.matrix }} is_matrix_empty: ${{ steps.check_matrix_empty.outputs.is_empty }} - steps: + steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 @@ -82,7 +82,7 @@ jobs: max-parallel: 3 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/publish-gh-image.yml b/.github/workflows/publish-gh-image.yml index 5b47a50b8..618e4b618 100644 --- a/.github/workflows/publish-gh-image.yml +++ b/.github/workflows/publish-gh-image.yml @@ -32,8 +32,13 @@ jobs: run: | echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3afaa2ff9..46eedd3ec 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,27 +1,27 @@ name: unit-tests concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true on: push: branches: [main] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] + paths-ignore: ["docs/**", "**.md", "**.mdx", "**.png", "**.jpg"] pull_request: branches: [main, release-**] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] + paths-ignore: ["docs/**", "**.md", "**.mdx", "**.png", "**.jpg"] permissions: contents: read packages: write - + env: - GO_VERSION: '1.22' + GO_VERSION: "1.22" jobs: unit-tests: - runs-on: ubuntu-latest + runs-on: ubuntu-latest environment: unit-tests steps: - name: Harden Runner @@ -35,8 +35,8 @@ jobs: submodules: true fetch-depth: 0 - - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + - name: Set up Go ${{ env.GO_VERSION }} + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} @@ -49,7 +49,7 @@ jobs: make inference-api-e2e - name: Upload Codecov report - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 with: ## Comma-separated list of files to upload files: ./coverage.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..467d0e0e5 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,22 @@ +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint + - repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace + - repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint diff --git a/docker/kaito/Dockerfile b/docker/kaito/Dockerfile index 19a0fd30c..5970adc43 100644 --- a/docker/kaito/Dockerfile +++ b/docker/kaito/Dockerfile @@ -32,7 +32,7 @@ RUN --mount=type=cache,target=${GOCACHE} \ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot +FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot@sha256:55c636171053dbc8ae07a280023bd787d2921f10e569f3e319f1539076dbba11 WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 diff --git a/docker/presets/inference/llama-2/Dockerfile b/docker/presets/inference/llama-2/Dockerfile index 285cb122a..822119736 100644 --- a/docker/presets/inference/llama-2/Dockerfile +++ b/docker/presets/inference/llama-2/Dockerfile @@ -4,7 +4,7 @@ # --build-arg VERSION={{VERSION}} \ # --build-arg MODEL_TYPE={{MODEL_TYPE}} \ -FROM python:3.8-slim +FROM python:3.8-slim@sha256:95bfecec648356cdd0b28c8b00ce00009baff10c99d1126a82d1aca716453a1a WORKDIR /workspace # Install git diff --git a/docker/presets/inference/tfs/Dockerfile b/docker/presets/inference/tfs/Dockerfile index 5a322b8bd..e34309cb3 100644 --- a/docker/presets/inference/tfs/Dockerfile +++ b/docker/presets/inference/tfs/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.10-slim@sha256:684b1aaf96a7942b3c3af438d162e0baa3510aa7af25ad76d238e0c746bdec79 ARG WEIGHTS_PATH ARG MODEL_TYPE diff --git a/docker/presets/tuning/Dockerfile b/docker/presets/tuning/Dockerfile index 896deb85a..5a9a2d624 100644 --- a/docker/presets/tuning/Dockerfile +++ b/docker/presets/tuning/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.10-slim@sha256:684b1aaf96a7942b3c3af438d162e0baa3510aa7af25ad76d238e0c746bdec79 ARG WEIGHTS_PATH ARG MODEL_TYPE