Merge branch 'main' into dependabot/github_actions/dot-github/actions/get-ecr-scan-result/aws-actions/configure-aws-credentials-5.1.0

Author: dvvanessastoiber

.github/actions/build-node-python/action.yml

@@ -59,6 +59,13 @@ inputs:
     description: "run node bundle"
     default: "false"
     required: false
+  trivy_enable:
+    description: "Enable trivy scans on lock files"
+    default: "false"  # Enable this by default?
+    required: false
+  trivy_severity:
+    description: "Severity level for trivy"
+    required: false
   chromatic_enable:
     description: "Enable Chromatic tests"
     required: false
@@ -287,6 +294,35 @@ runs:
         UV_SYSTEM_PYTHON: 1  # In case uv pip is used, install into the system python environment https://docs.astral.sh/uv/guides/integration/github/#using-uv-pip
         UV_HTTP_TIMEOUT: 300  # https://docs.astral.sh/uv/reference/environment/#uv_http_timeout
 
+    # Trivy
+    - name: Run Trivy vulnerability scanner on uv.lock
+      if: inputs.trivy_enable == 'true' && inputs.enable_python == 'true'
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: "fs"
+        scan-ref: "uv.lock"
+        exit-code: "1"
+        format: "table"
+        scanners: "vuln"
+        severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
+        ignore-unfixed: false
+        # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
+        cache: "false"
+      continue-on-error: false
+    - name: Run Trivy vulnerability scanner on yarn.lock
+      if: inputs.trivy_enable == 'true' && inputs.enable_node == 'true'
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: "fs"
+        scan-ref: "yarn.lock"
+        exit-code: "1"
+        format: "table"
+        scanners: "vuln"
+        severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
+        ignore-unfixed: false
+        # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
+        cache: "false"
+      continue-on-error: false
     # Node
     - name: Save yarn cache
       uses: actions/cache/save@v4

.github/actions/build-push-helm-chart/action.yml

@@ -54,7 +54,7 @@ runs:
       run: |
         cd $CURRENT_DIRECTORY
         helm dependency update
-        helm cm-push . chartmuseum
+        helm cm-push -f . chartmuseum
       env:
         CURRENT_DIRECTORY: ${{ inputs.current_directory }}
       shell: bash

.github/actions/build-push-image/action.yml

@@ -34,7 +34,7 @@ runs:
   using: "composite"
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4.2.1
+      uses: aws-actions/configure-aws-credentials@v5.1.0
       with:
         role-to-assume: ${{ inputs.aws_role }}
         aws-region: ${{ inputs.aws_region }}

.github/actions/retag-image/action.yml

@@ -23,7 +23,7 @@ runs:
   using: "composite"
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4.2.1
+      uses: aws-actions/configure-aws-credentials@v5.1.0
       with:
         role-to-assume: ${{ inputs.aws_role }}
         aws-region: ${{ inputs.aws_region }}

.github/workflows/build-docker-artifacts.yml

@@ -215,6 +215,10 @@ jobs:
       # Required for build secrets to work: https://docs.docker.com/build/ci/github-actions/secrets/#secret-mounts
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          # Disable caching of binfmt image
+          cache-image: false
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -447,7 +451,8 @@ jobs:
     name: Push images to push targets
     needs: [retag-images, get-flavors]
     # if? When should we do this? Always? Only for certain branches? If so, how should we define that, in the config.json?
-    if: ${{ fromJson(needs.get-flavors.outputs.result).skip_push != true && fromJson(needs.get-flavors.outputs.result).push_to != '' }}
+    # We need the always() && !cancelled() && !failure() because the test-images may have been skipped (which is fine), but this transitvely propagates through retag-images to here. See https://github.com/actions/runner/issues/491#issuecomment-1507495166
+    if: ${{ always() && !cancelled() && !failure() && fromJson(needs.get-flavors.outputs.result).skip_push != true && fromJson(needs.get-flavors.outputs.result).push_to != '' }}
     uses: datavisyn/github-workflows/.github/workflows/build-docker-artifacts-trigger-push.yml@main
     secrets: inherit
     with:

.github/workflows/build-node-python.yml

@@ -74,6 +74,15 @@ on:
         required: false
         description: Unique id per workflow run. Must be set to unique value if dispatched multiple times for a single workflow.
         default: ""
+      trivy_enable:
+        description: "Enable trivy scans on lock files"
+        default: false  # Enable this by default?
+        type: boolean
+        required: false
+      trivy_severity:
+        description: "Severity for the trivy scans"
+        type: string
+        required: false
       chromatic_enable:
         description: 'Enable Chromatic tests'
         required: false
@@ -151,6 +160,8 @@ jobs:
           enable_python: false
           # We probably won't need Rust on Node builds...
           # enable_rust: ${{ inputs.rust_enable }}
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
           npm_registry: ${{ vars.NPM_REGISTRY }}
@@ -191,6 +202,8 @@ jobs:
         with:
           enable_node: false
           enable_python: true
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
@@ -282,6 +295,8 @@ jobs:
       - name: Build node and python
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
@@ -425,6 +440,8 @@ jobs:
       - name: Build node and python
         uses: ./tmp/github-workflows/.github/actions/build-node-python
         with:
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           enable_rust: ${{ inputs.rust_enable }}
           run_parallel: ${{ inputs.run_parallel }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}

.github/workflows/build-node.yml

@@ -7,6 +7,15 @@ on:
         type: string
         required: false
         default: ${{ github.ref || github.head_ref }}
+      trivy_enable:
+        description: "Enable trivy scans on lock files"
+        default: false  # Enable this by default?
+        type: boolean
+        required: false
+      trivy_severity:
+        description: "Severity for the trivy scans"
+        type: string
+        required: false
       chromatic_enable:
         description: 'Enable Chromatic tests'
         required: false
@@ -69,6 +78,8 @@ jobs:
         with:
           enable_node: true
           enable_python: false
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           node_version: ${{ vars.NODE_VERSION || inputs.node_version }}
           npm_registry: ${{ vars.NPM_REGISTRY }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}

.github/workflows/build-python.yml

@@ -7,6 +7,15 @@ on:
         type: string
         required: false
         default: ${{ github.ref || github.head_ref }}
+      trivy_enable:
+        description: "Enable trivy scans on lock files"
+        default: false  # Enable this by default?
+        type: boolean
+        required: false
+      trivy_severity:
+        description: "Severity for the trivy scans"
+        type: string
+        required: false
       runs_on:
         type: string
         required: false
@@ -56,6 +65,8 @@ jobs:
         with:
           enable_node: false
           enable_python: true
+          trivy_enable: ${{ inputs.trivy_enable }}
+          trivy_severity: ${{ inputs.trivy_severity }}
           github_ro_token: ${{ github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token  }}
           python_version: ${{ vars.PYTHON_VERSION || inputs.python_version }}
           enable_python_cache: ${{ inputs.runs_on != 'self-hosted' }}

.github/workflows/release-source.yml

@@ -90,7 +90,8 @@ jobs:
       - name: Check for pyproject.toml
         id: check-pyproject-toml
         run: |
-          if [ -f "pyproject.toml" ]; then
+          # Check if pyproject.toml exists and contains a version field
+          if [ -f "pyproject.toml" ] && grep -q "^version\s*=" "pyproject.toml"; then
             echo "has_pyproject_toml=true" >> "$GITHUB_OUTPUT"
           else
             echo "has_pyproject_toml=false" >> "$GITHUB_OUTPUT"