epam · Oleksii-Klimov · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
@@ -0,0 +1,2 @@
+* @Oleksii-Klimov
+/.github/ @nepalevov @alexey-ban
@@ -0,0 +1 @@
+blank_issues_enabled: false
@@ -0,0 +1,18 @@
+**Description:**
+
+<SHORT_DESCRIPTION>
+
+Issues:
+
+- Issue #<TICKET_ID>
+
+**UI changes**
+
+<Please, provide Screenshots or Figma links>
+
+**Checklist:**
+
+- [ ] the pull request name complies with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
+- [ ] the pull request name starts with `fix(<scope>):`, `feat(<scope>):`, `feature(<scope>):`, `chore(<scope>):`, `hotfix(<scope>):` or `e2e(<scope>):`. If contains breaking changes then the pull request name must start with `fix(<scope>)!:`, `feat(<scope>)!:`, `feature(<scope>)!:`, `chore(<scope>)!:`, `hotfix(<scope>)!:` or `e2e(<scope>)!:` where `<scope>` is name of affected project: `chat`, `chat-e2e`, `overlay`, `shared`, `sandbox-overlay`, etc.
+- [ ] the pull request name ends with `(Issue #<TICKET_ID>)` (comma-separated list of issues)
+- [ ] I confirm that do not share any confidential information like API keys or any other secrets and private URLs
@@ -0,0 +1,28 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "poetry"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "09:00"
+    # Disable version updates, keep security updates only
+    open-pull-requests-limit: 0
+    commit-message:
+      # Prefix all commit messages with "chore: "
+      prefix: "chore"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "09:00"
+    commit-message:
+      # Prefix all commit messages with "chore: "
+      prefix: "chore"
+
@@ -0,0 +1,20 @@
+name: Cleanup untagged images
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  clean:
+    name: Delete untagged images
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
+        with:
+          account: ${{ github.repository_owner }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          image-names: ${{ github.event.repository.name }}
+          tag-selection: "untagged"
+          cut-off: "1d"
@@ -0,0 +1,16 @@
+name: Deploy dev trigger
+
+on:
+  registry_package:
+
+jobs:
+  gitlab-dev-deploy:
+    if: ${{ github.event.registry_package.package_version.container_metadata.tag.name == 'development' }}
+    uses: epam/ai-dial-ci/.github/workflows/[email protected]
+    with:
+      gitlab-project-id: "2350"
+      gitlab-project-ref: "master"
+    secrets:
+      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+      DEPLOY_ACCESS_TOKEN: ${{ secrets.DEPLOY_ACCESS_TOKEN }}
+      DEPLOY_TRIGGER_TOKEN: ${{ secrets.DEPLOY_TRIGGER_TOKEN }}
@@ -0,0 +1,18 @@
+name: "Validate PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  pr-title-check:
+    uses: epam/ai-dial-ci/.github/workflows/[email protected]
+    secrets:
+      ACTIONS_BOT_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -0,0 +1,12 @@
+name: PR Workflow
+
+on:
+  pull_request:
+    branches: [development, release-*]
+
+jobs:
+  run_tests:
+    uses: epam/ai-dial-ci/.github/workflows/python_docker_pr.yml@eb9d2b30987d293df82f5d6b9269644a39c3e5e5
+    secrets: inherit
+    with:
+      bypass_ort: true
@@ -0,0 +1,16 @@
+name: Release Workflow
+
+on:
+  push:
+    branches: [development, release-*]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    uses: epam/ai-dial-ci/.github/workflows/python_docker_release.yml@eb9d2b30987d293df82f5d6b9269644a39c3e5e5
+    secrets: inherit
+    with:
+      bypass_ort: true
@@ -2,18 +2,21 @@ FROM python:3.11-alpine AS builder
 
 ARG POETRY_VERSION=1.6.1
 
-RUN pip install --upgrade pip
-RUN pip install poetry==$POETRY_VERSION
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir poetry==$POETRY_VERSION
 
 RUN echo "Poetry version:" && poetry --version
 
 WORKDIR /builder
 
-COPY pyproject.toml poetry.lock poetry.toml .
+COPY pyproject.toml poetry.lock poetry.toml /builder/
 RUN poetry install --no-interaction --no-ansi --only main
 
 FROM python:3.11-alpine
 
+# fix CVE-2024-6345
+RUN pip install --no-cache-dir "setuptools==70.0.0"
+
 ENV DIAL_BASE_URL=''
 ENV SOURCES=''
 ENV PROFILE=''

@@ -1,6 +1,6 @@
 IMAGE_NAME ?= ai-dial-app-builder-python
 
-.PHONY: all install build clean lint format
+.PHONY: all install build test clean lint format
 
 all: build
 
@@ -10,6 +10,9 @@ install:
 build: install
 	poetry build
 
+test:
+	@echo "No tests yet"
+
 clean:
 	poetry env remove --all
 

@@ -0,0 +1,11 @@
+# Reporting Security Issues
+
+We take all security reports seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
+
+⚠️ Please do *not* file GitHub issues for security vulnerabilities as they are public! ⚠️
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/epam/HUH/security/advisories/new) tab. Tip: In this form, only the title and description are mandatory.
+
+We will send a response indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress toward a fix and full announcement and may ask for additional information or guidance.
+
+When we receive such reports, we will investigate and subsequently address any potential vulnerabilities as quickly as possible.
@@ -5,7 +5,9 @@
 
 import requests
 
-from aidial_app_builder_python.validation.exceptions import AppValidationException
+from aidial_app_builder_python.validation.exceptions import (
+    AppValidationException,
+)
 
 
 def download_files(
@@ -86,7 +88,9 @@ def main():
 
 def validate(profile, target):
     if profile == "python-pip":
-        from aidial_app_builder_python.validation.python_pip.validation import validate_sources
+        from aidial_app_builder_python.validation.python_pip.validation import (
+            validate_sources,
+        )
 
         validate_sources(target)
 

@@ -28,7 +28,7 @@ responses = "^0.25.3"
 
 [tool.poetry.group.lint.dependencies]
 flake8 = "^6.0.0"
-black = "^23.3.0"
+black = "^24.3.0"
 isort = "^5.12.0"
 pyright = "^1.1.324"
 autoflake = "^2.2.0"
@@ -68,11 +68,11 @@ in_place = true
 recursive = true
 quiet = true
 exclude = [
-    '.git',
-    '.venv',
-    '.nox',
-    '.pytest_cache',
-    '__pycache__',
+    "\\.git",
+    "\\.venv",
+    "\\.nox",
+    "\\.pytest_cache",
+    "__pycache__",
 ]
 
 [build-system]

@@ -0,0 +1,14 @@
+# Trivy configuration file
+# https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/
+db:
+  no-progress: true
+  repository:
+    - mirror.gcr.io/aquasec/trivy-db:2
+    - public.ecr.aws/aquasecurity/trivy-db:2
+    - ghcr.io/aquasecurity/trivy-db:2
+  java-repository:
+    - mirror.gcr.io/aquasec/trivy-java-db:1
+    - public.ecr.aws/aquasecurity/trivy-java-db:1
+    - ghcr.io/aquasecurity/trivy-java-db:1
+misconfiguration:
+  checks-bundle-repository: mirror.gcr.io/aquasec/trivy-checks:1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		* @Oleksii-Klimov
		/.github/ @nepalevov @alexey-ban