Merge remote-tracking branch 'origin/dina/hf_remove_ssh'

Author: cdwhq

.github/workflows/chart-ci.yaml

@@ -26,10 +26,10 @@ jobs:
     runs-on: kubectl
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - uses: intel/ai-containers/workflows/charts@main
       with:
         kubeconfig_path: ${{ secrets.KUBECONFIG_PATH }}

.github/workflows/container-ci.yaml

@@ -63,13 +63,13 @@ jobs:
   setup-build:
     outputs:
       matrix: ${{ steps.build-matrix.outputs.matrix }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Set Matrix
       id: build-matrix
       run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
@@ -87,18 +87,13 @@ jobs:
       group: ${{ steps.build-group.outputs.container-group }}
     steps:
     - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       if: ${{ !inputs.no_build }}
-    - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2
+    - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
-        login-server: ${{ secrets.REGISTRY }}
+        registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
         password: ${{ secrets.REGISTRY_TOKEN }}
-    # - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-    #   with:
-    #     registry: ${{ secrets.REGISTRY }}
-    #     username: ${{ secrets.REGISTRY_USER }}
-    #     password: ${{ secrets.REGISTRY_TOKEN }}
       if: ${{ !inputs.no_build }}
     - name: Build Container Group
       if: ${{ !inputs.no_build }}
@@ -117,15 +112,15 @@ jobs:
   setup-scan:
     needs: [build-containers]
     if: ${{ github.event_name == 'pull_request' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     outputs:
       matrix: ${{ steps.scan-matrix.outputs.matrix }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         path: matrix
     - name: Set Matrix
@@ -140,44 +135,27 @@ jobs:
         container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }}
       fail-fast: false
     steps:
-    - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
-        login-server: ${{ secrets.REGISTRY }}
+        registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
         password: ${{ secrets.REGISTRY_TOKEN }}
-    # - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-    #   with:
-    #     registry: ${{ secrets.REGISTRY }}
-    #     username: ${{ secrets.REGISTRY_USER }}
-    #     password: ${{ secrets.REGISTRY_TOKEN }}
     - name: Pull Image
       run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
-    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-      with:
-        path: ${{ github.workspace }}/.cache/trivy
-        key: ${{ github.head_ref || github.ref_name }}-trivy
     - name: Scan Container
-      uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
-      env:
-        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
-        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+      uses: intel/ai-containers/.github/scan@main
       with:
-        cache: true
-        format: sarif
-        github-pat: ${{ secrets.GITHUB_TOKEN }}
         image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
         output: ${{ matrix.container }}-scan.sarif
-        timeout: 30m0s
     - name: Cleanup
       if: always()
       run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
-    - uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+    - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
       with:
         sarif_file: '${{ matrix.container }}-scan.sarif'
         category: '${{ matrix.container }}'
@@ -187,15 +165,15 @@ jobs:
       ####################################################################################################
   setup-test:
     needs: [build-containers]
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     outputs:
       matrix: ${{ steps.test-matrix.outputs.matrix }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Get Recipes
       id: test-matrix
       run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -209,20 +187,15 @@ jobs:
         experimental: [true]
       fail-fast: false
     steps:
-    - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+    - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
-        login-server: ${{ secrets.REGISTRY }}
+        registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
         password: ${{ secrets.REGISTRY_TOKEN }}
-    # - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-    #   with:
-    #     registry: ${{ secrets.REGISTRY }}
-    #     username: ${{ secrets.REGISTRY_USER }}
-    #     password: ${{ secrets.REGISTRY_TOKEN }}
     - name: Test Container Group
       uses: intel/ai-containers/test-runner@main
       with:

.github/workflows/dependency-review.yaml

@@ -34,15 +34,10 @@ jobs:
       pull-requests: write
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
-        egress-policy: block
-        allowed-endpoints: >
-          api.deps.dev:443
-          api.github.com:443
-          api.securityscorecards.dev:443
-          github.com:443
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        egress-policy: audit
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
       with:
         comment-summary-in-pr: true

.github/workflows/dockerhub-description.yml

@@ -19,43 +19,31 @@ on:
 permissions: read-all
 jobs:
   setup-matrix:
-    runs-on: ubuntu-latest
+    runs-on: intel-ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-          fetch-depth: 2
-    - name: Set Matrix data
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - name: Set matrix data
       id: set-matrix
-      run: |
-        # Get the list of files changed in the latest commit(s)
-        changed_files=$(git diff --name-only HEAD~1 ${{ github.sha }} | sed 's|^|./|' | jq -R . | jq -s .)
-        echo "Changed files: $changed_files"
-
-        # If there are changed files, filter the JSON using jq
-        matrix=$(jq -c --argjson changed "$changed_files" \
-          '.readmes |= map(select(.fname as $fname | any($changed[]; . == $fname)))' \
-          .github/dockerhub-readmes.json)
-        echo "matrix=$matrix" >> $GITHUB_OUTPUT
+      run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
   publish-dockerhub-description:
     runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     needs: setup-matrix
-    if: ${{ needs.setup-matrix.outputs.matrix != '{"readmes":[]}' }}
     strategy:
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
       fail-fast: false
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
         egress-policy: audit
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/docs.yaml

@@ -32,16 +32,11 @@ jobs:
       pages: write
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          files.pythonhosted.org:443
-          github.com:443
-          pypi.org:443
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        egress-policy: audit
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
       with:
         python-version: 3.8
         cache: pip

.github/workflows/integration-test.yaml

@@ -21,17 +21,15 @@ concurrency:
   cancel-in-progress: true
 jobs:
   group-diff:
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     outputs:
       groups: ${{ steps.group-list.outputs.FOLDERS }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
       with:
-        egress-policy: block
-        allowed-endpoints: >
-          github.com:443
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        egress-policy: audit
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: 0
     - name: Output Modified Group Directories
@@ -74,51 +72,40 @@ jobs:
   merge-logs:
     # download all artifacts across containers
     needs: [pipeline-ci]
-    if: success() || failure()
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
-    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.0
+    - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.0
       id: download_artifact_outputs
       with:
         pattern: test-runner-summary*
         merge-multiple: true
-    - name: Find Summary
-      id: summary
+    - name: Check for JSON files
       shell: bash
       run: |
-        SUMMARY=$(find . -maxdepth 1 -name '*summary.json' -print)
-        if [[ -n "$SUMMARY" ]]; then
-          echo "summary=true" >> $GITHUB_OUTPUT
-          echo "Files matching the pattern ./*summary.json"
-          jq -s '[.[] | .[]]' ./*summary.json > combined.json
-          echo "Files found in the directory"
+        if [[ -n "$(find . -maxdepth 1 -name 'test-runner-summary*.json' -print -quit)" ]]; then
+          echo "has_matching_json_files=true" >> "$GITHUB_OUTPUT"
+          echo "Files matching the pattern test-runner-summary*.json found in the directory"
         else
-          echo "summary=false" >> $GITHUB_OUTPUT
-          echo "No files matching the pattern ./*summary.json"
+          echo "has_matching_json_files=false" >> "$GITHUB_OUTPUT"
+          echo "No files matching the pattern test-runner-summary*.json found in the directory"
         fi
+      id: check_matching_json_files
+    - name: Combine JSON files
+      if: ${{ steps.check_matching_json_files.outputs.has_matching_json_files == 'true' }}
+      run: |
+        jq -s '[.[] | .[]]' *.json > combined.json
+        echo "Files found in the directory"
     - name: Generate TXT file
-      if: ${{ steps.summary.outputs.summary != 'false' }}
+      if: ${{ steps.check_matching_json_files.outputs.has_matching_json_files == 'true' }}
       run: |
-        {
-          echo "### Integration Test Results"
-          echo "Groups Tested: $(jq -r 'map(.Group) | unique | join(", ")' combined.json)"
-          echo -e "\n<details>"
-          echo -e "  <summary>Results</summary>\n"
-          echo "  | Test-Group    | Test        | Status   |"
-          echo "  |:----:|:---:|:---:|"
-          jq -r '.[] | "  | \(.Group) | \(.Test) | \(.Status) |"' combined.json
-          echo -e "\n</details>\n"
-          if jq -e 'all(.[]; .Status == "PASS")' combined.json > /dev/null; then
-            echo "#### Overall Result: PASS ✅"
-          else
-            echo "#### Overall Result: FAIL ❌"
-          fi
-        } >> output.txt
+        echo "| Test-Group    | Test        | Status   |" > output.txt
+        echo "|---------------|-------------|----------|" >> output.txt
+        jq -r '.[] | "| \(.Group) | \(.Test) | \(.Status) |" ' combined.json >> output.txt
     - name: PR-comment
-      if: ${{ steps.summary.outputs.summary != 'false' }}
-      uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+      if: ${{ steps.check_matching_json_files.outputs.has_matching_json_files == 'true' }}
+      uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
       with:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         number: ${{ github.event.pull_request.number }}
@@ -127,9 +114,13 @@ jobs:
         recreate: true
   status-check:
     needs: [group-diff, pipeline-ci, merge-logs]
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     if: always()
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      with:
+        egress-policy: audit
     - run: exit 1
       if: >-
         ${{