tkatila · dependabot · May 20, 2024 · May 20, 2024 · May 21, 2024 · Jun 12, 2024
@@ -12,5 +12,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Check for updates to GitHub Actions every weekday
-      interval: "daily"
+      # Check for updates to GitHub Actions every week on Sunday
+      interval: "weekly"
+      day: "sunday"
@@ -0,0 +1,47 @@
+name: Update demo bases
+on:
+  schedule:
+    - cron: '0 0 1 * *' # once a month
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  demo_base_update:
+    name: Create a PR for demo image updates
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Install frizbee
+        run: |
+          export FRIZBEE_HASH=cda91f86d0c96d0bc3c464c57a601ca414e0b2415372eb19b9a4c82fa3d4f802
+          export FRIZBEE_VERSION=0.0.15
+
+          mkdir /tmp/frizbee
+          wget -q https://github.com/stacklok/frizbee/releases/download/v${FRIZBEE_VERSION}/frizbee_${FRIZBEE_VERSION}_linux_amd64.tar.gz -O /tmp/frizbee/frizbee.tar.gz
+          cd /tmp/frizbee
+          echo "$FRIZBEE_HASH frizbee.tar.gz" | sha256sum -c -
+          tar xzf frizbee.tar.gz
+          chmod +x /tmp/frizbee/frizbee
+      - name: Run update script
+        run: |
+          export PATH=$PATH:/tmp/frizbee
+          cd demo
+          bash update-shas.sh
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6
+        with:
+          commit-message: "demo: update base images ${{ steps.date.outputs.date }}"
+          title: "Update demo base images (${{ steps.date.outputs.date }})"
+          token: ${{ secrets.GH_PR_TOKEN }}
+          branch: demo-base-update-${{ steps.date.outputs.date }}
+          body: >
+            PR is auto-generated by GH action.
+
+
+
@@ -34,22 +34,3 @@ jobs:
       id-token: write
       security-events: write
     uses: "./.github/workflows/lib-scorecard.yaml"
-
-  build:
-    needs:
-      - validate
-      - trivy
-    uses: "./.github/workflows/lib-build.yaml"
-
-  e2e:
-    needs:
-      - build
-    uses: "./.github/workflows/lib-e2e.yaml"
-
-  # devel image push
-  publish:
-    needs:
-      - e2e
-      - build
-    uses: "./.github/workflows/lib-publish.yaml"
-    secrets: inherit
@@ -45,8 +45,8 @@ jobs:
           - dlb-libdlb-demo
         builder: [buildah, docker]
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true

@@ -18,19 +18,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
       with:
         go-version-file: go.mod
         check-latest: true
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@187e591bef188a41dd329c95d7905134173654ae # v3
       with:
         languages: 'go'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@187e591bef188a41dd329c95d7905134173654ae # v3
       with:
         category: "/language:go"
@@ -67,7 +67,7 @@ jobs:
       IMAGES: ${{ join(matrix.images, ' ') }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           fetch-depth: 0
       - name: Describe test environment

@@ -42,8 +42,8 @@ jobs:
           #- crypto-perf
           #- opae-nlb-demo
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -54,7 +54,7 @@ jobs:
         run: |
           REG=intel/ make ${IMAGE_NAME} BUILDER=docker
       - name: Trivy scan for image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
         with:
           scan-type: image
           image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }}
@@ -64,7 +64,7 @@ jobs:
         if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
         run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
       - name: Login
-        uses: docker/login-action@v3
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_PASS }}

@@ -16,18 +16,18 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
         with:
           persist-credentials: false
 
       - name: "Analyze project"
-        uses: ossf/[email protected]
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
 
       - name: "Upload results to security"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
         with:
           sarif_file: results.sarif
@@ -30,10 +30,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
     - name: Run Trivy in config mode for deployments
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: config
         scan-ref: deployments/
@@ -49,10 +49,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
     - name: Run Trivy in config mode for dockerfiles
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: config
         scan-ref: build/docker/
@@ -64,10 +64,10 @@ jobs:
     name: Scan licenses
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
     - name: Run Trivy in fs mode
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: fs
         scan-ref: .
@@ -83,11 +83,11 @@ jobs:
     name: Scan vulnerabilities
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
     - name: Run Trivy in fs mode
       continue-on-error: true
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: fs
         scan-ref: .
@@ -97,7 +97,7 @@ jobs:
         output: trivy-report.json
 
     - name: Show report in human-readable format
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: convert
         vuln-type: ''
@@ -107,7 +107,7 @@ jobs:
 
     - name: Convert report to sarif
       if: ${{ inputs.upload-to-github-security-tab }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: convert
         vuln-type: ''
@@ -118,13 +118,13 @@ jobs:
 
     - name: Upload sarif report to GitHub Security tab
       if: ${{ inputs.upload-to-github-security-tab }}
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@187e591bef188a41dd329c95d7905134173654ae # v3
       with:
        sarif_file: trivy-report.sarif
 
     - name: Convert report to csv
       if: ${{ inputs.export-csv }}
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
       with:
         scan-type: convert
         vuln-type: ''
@@ -136,7 +136,7 @@ jobs:
 
     - name: Upload CSV report as an artifact
       if: ${{ inputs.export-csv }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
       with:
         name: trivy-report
         path: trivy-report.csv
@@ -14,7 +14,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y python3-venv
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       with:
         fetch-depth: 0
     - name: Set up doc directory
@@ -35,13 +35,13 @@ jobs:
     name: lint
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6
         with:
           version: v1.57.2
           args: -v --timeout 5m
@@ -50,8 +50,8 @@ jobs:
     name: Build and check device plugins
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true
@@ -74,8 +74,8 @@ jobs:
           - 1.29.x
           - 1.30.x
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
         with:
           go-version-file: go.mod
           check-latest: true

@@ -23,7 +23,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y python3-venv git
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       with:
         fetch-depth: 0
         ref: main
@@ -44,7 +44,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html/* $HOME/output/
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       with:
         fetch-depth: 0
         ref: release-0.28
@@ -55,7 +55,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html $HOME/output/0.28
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       with:
         fetch-depth: 0
         ref: release-0.29
@@ -66,7 +66,7 @@ jobs:
         rm -rf _work/venv
         make vhtml
         mv _build/html $HOME/output/0.29
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       with:
         fetch-depth: 0
         ref: release-0.30

@@ -11,7 +11,7 @@ along with a number of device plugin implementations utilizing that framework.
 The [v0.30 release](https://github.com/intel/intel-device-plugins-for-kubernetes/releases/latest)
 is the latest feature release with its documentation available [here](https://intel.github.io/intel-device-plugins-for-kubernetes/0.30/).
 
-Table of Contents
+Table of Content(s)
 
 * [Prerequisites](#prerequisites)
 * [Plugins](#plugins)

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM debian:unstable-slim AS builder
+FROM debian:unstable-slim@sha256:af74cdf95de28a354b88a41ddc167ecc3d8bed2fa121a642bcdfb83310afd25e AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends libaccel-config-dev \
     gcc g++ nasm make cmake autoconf automake libtool pkg-config git ca-certificates uuid-dev
@@ -29,7 +29,7 @@ RUN cd / && git clone --recurse-submodules --depth 1 --branch v1.5.0 https://git
     cmake -DLOG_HW_INIT=ON .. && \
     make install
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:af74cdf95de28a354b88a41ddc167ecc3d8bed2fa121a642bcdfb83310afd25e
 
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends pciutils accel-config accel-config-test kmod && rm -rf /var/lib/apt/lists/\*
 

@@ -1,4 +1,4 @@
-FROM debian:unstable-slim as builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb as builder
 
 ARG DIR=/dpdk-build
 WORKDIR $DIR
@@ -37,7 +37,7 @@ RUN mkdir -p /install_root/licenses/dpdk && \
     cd /install_root/licenses/dpdk && \
     apt-get source --download-only -y libatomic1 libnuma1
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libipsec-mb1 libnuma1 libatomic1 && ldconfig -v
 COPY --from=builder /install_root /
 COPY run-dpdk-test /usr/bin/