Merge branch 'main' of github.com:stacklok/codegate into feat/555/version-endpoint

alex-mcgovern · alex-mcgovern · commit 5424fdcdc32a · 2025-01-16T14:52:02.000Z
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -81,6 +81,8 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
+          provenance: mode=max
+          sbom: true
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
           cache-from: type=gha
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,30 @@
+name: Security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  dependencies:
+    runs-on: ubuntu-latest
+    name: Dependencies & Secrets Scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Code Security Scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          scan-type: 'fs'
+          scanners: vuln,secret
+          trivy-config: .trivy.yml
+          exit-code: 1
+          ignore-unfixed: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -7,42 +7,42 @@ authors = []
 
 [tool.poetry.dependencies]
 python = ">=3.12,<4.0"
-click = ">=8.1.0"
-PyYAML = ">=6.0.1"
-fastapi = ">=0.115.5"
-uvicorn = ">=0.32.1"
-structlog = ">=24.4.0"
-litellm = "^1.58.0"
-llama_cpp_python = ">=0.3.2"
-cryptography = "^44.0.0"
-sqlalchemy = "^2.0.37"
-aiosqlite = "^0.20.0"
-ollama = ">=0.4.4"
-pydantic-settings = "^2.7.1"
-numpy = ">=1.24.0"
-tree-sitter = ">=0.23.2"
-tree-sitter-go = ">=0.23.4"
-tree-sitter-java = ">=0.23.5"
-tree-sitter-javascript = ">=0.23.1"
-tree-sitter-python = ">=0.23.6"
-tree-sitter-rust = ">=0.23.2"
-sqlite-vec-sl-tmp = "^0.0.4"
-alembic = ">=1.14.0"
-pygments = "^2.19.1"
+click = "==8.1.8"
+PyYAML = "==6.0.2"
+fastapi = "==0.115.6"
+uvicorn = "==0.34.0"
+structlog = "==24.4.0"
+litellm = "==1.58.0"
+llama_cpp_python = "==0.3.5"
+cryptography = "==44.0.0"
+sqlalchemy = "==2.0.37"
+aiosqlite = "==0.20.0"
+ollama = "==0.4.6"
+pydantic-settings = "==2.7.1"
+numpy = "==2.2.1"
+tree-sitter = "==0.23.2"
+tree-sitter-go = "==0.23.4"
+tree-sitter-java = "==0.23.5"
+tree-sitter-javascript = "==0.23.1"
+tree-sitter-python = "==0.23.6"
+tree-sitter-rust = "==0.23.2"
+sqlite-vec-sl-tmp = "==0.0.4"
+alembic = "==1.14.0"
+pygments = "==2.19.1"
 
 [tool.poetry.group.dev.dependencies]
-pytest = ">=7.4.0"
-pytest-cov = ">=4.1.0"
-black = ">=23.7.0"
-ruff = ">=0.7.4"
-bandit = ">=1.7.10"
-build = ">=1.0.0"
-wheel = ">=0.40.0"
-litellm = ">=1.52.11"
-pytest-asyncio = "0.25.2"
+pytest = "==8.3.4"
+pytest-cov = "==6.0.0"
+black = "==24.10.0"
+ruff = "==0.9.1"
+bandit = "==1.8.2"
+build = "==1.2.2.post1"
+wheel = "==0.45.1"
+litellm = "==1.58.0"
+pytest-asyncio = "==0.25.2"
 llama_cpp_python = "==0.3.5"
-scikit-learn = ">=1.6.0"
-python-dotenv = ">=1.0.1"
+scikit-learn = "==1.6.1"
+python-dotenv = "==1.0.1"
 
 [build-system]
 requires = ["poetry-core"]
