From 103992fe98734a59cf18e822e1130950498dc927 Mon Sep 17 00:00:00 2001 From: Srikanth Ramakrishna Date: Tue, 26 Aug 2025 13:40:31 -0700 Subject: [PATCH] address new lint errors Signed-off-by: Srikanth Ramakrishna --- .github/workflows/apptainer-ci.yaml | 5 +++- .github/workflows/chart-ci.yaml | 4 ++- .github/workflows/container-ci.yaml | 30 ++++++++++++++++----- .github/workflows/dependency-review.yaml | 2 ++ .github/workflows/dockerhub-description.yml | 3 +++ .github/workflows/docs.yaml | 2 ++ .github/workflows/integration-test.yaml | 1 + .github/workflows/lint.yaml | 1 + .github/workflows/test-runner-ci.yaml | 8 ++++-- .github/workflows/weekly-test.yaml | 2 ++ 10 files changed, 48 insertions(+), 10 deletions(-) diff --git a/.github/workflows/apptainer-ci.yaml b/.github/workflows/apptainer-ci.yaml index db01496f5..c12887cf1 100644 --- a/.github/workflows/apptainer-ci.yaml +++ b/.github/workflows/apptainer-ci.yaml @@ -37,6 +37,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Output Modified Group Directories id: group-list run: | @@ -78,6 +79,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: eWaterCycle/setup-apptainer@4bb22c52d4f63406c49e94c804632975787312b3 # v2.0.0 with: apptainer-version: 1.3.4 @@ -86,7 +89,7 @@ jobs: APPTAINER_DOCKER_USERNAME: ${{ secrets.REGISTRY_USER }} APPTAINER_DOCKER_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: apptainer registry login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} docker://${{ secrets.REGISTRY }} - - uses: intel/ai-containers/apptainer@main + - uses: intel/ai-containers/apptainer@22527f085f2accb495bf4fed7475d683b4120927 with: registry: oras://${{ secrets.REGISTRY }} repo: ${{ secrets.REPO }}-apptainer 
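Review bot: The `apptainer registry login` step in the last apptainer-ci.yaml hunk still expands `${{ secrets.REGISTRY_USER }}`, `${{ secrets.REGISTRY_TOKEN }}` and `${{ secrets.REGISTRY }}` directly into the `run:` script, the same template-expansion pattern this commit moves into `env:` in container-ci.yaml. The step already exports `APPTAINER_DOCKER_USERNAME` and `APPTAINER_DOCKER_PASSWORD` (its `env:` key and step name sit above the hunk), so the command can read them from the shell: `run: apptainer registry login -u "${APPTAINER_DOCKER_USERNAME}" -p "${APPTAINER_DOCKER_PASSWORD}" "docker://${REGISTRY}"`, with `REGISTRY: ${{ secrets.REGISTRY }}` added under `env:`. Passing the token with `-p` also puts it in the process argument list; `--password-stdin` avoids that if the pinned apptainer version supports it.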
diff --git a/.github/workflows/chart-ci.yaml b/.github/workflows/chart-ci.yaml index db7bb274f..dd9243fcb 100644 --- a/.github/workflows/chart-ci.yaml +++ b/.github/workflows/chart-ci.yaml @@ -30,6 +30,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: intel/ai-containers/workflows/charts@main + with: + persist-credentials: false + - uses: intel/ai-containers/workflows/charts@22527f085f2accb495bf4fed7475d683b4120927 with: kubeconfig_path: ${{ secrets.KUBECONFIG_PATH }} diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml index 7db3d2d7e..bcff507c2 100644 --- a/.github/workflows/container-ci.yaml +++ b/.github/workflows/container-ci.yaml @@ -70,12 +70,18 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set Matrix id: build-matrix - run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT + run: echo "matrix=$(jq -c . < ${INPUTS_GROUP_DIR}/.actions.json)" >> $GITHUB_OUTPUT + env: + INPUTS_GROUP_DIR: ${{ inputs.group_dir }} - name: Print Inputs if: ${{ inputs.env_overrides }} - run: echo "Overrides - ${{ inputs.env_overrides }}" >> $GITHUB_STEP_SUMMARY + run: echo "Overrides - ${INPUTS_ENV_OVERRIDES}" >> $GITHUB_STEP_SUMMARY + env: + INPUTS_ENV_OVERRIDES: ${{ inputs.env_overrides }} build-containers: needs: [setup-build] env: ${{ matrix }} @@ -89,6 +95,8 @@ jobs: - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 if: ${{ !inputs.no_build }} + with: + persist-credentials: false - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2 with: login-server: ${{ secrets.REGISTRY }} 
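Review bot: The new pin `intel/ai-containers/workflows/charts@22527f085f2accb495bf4fed7475d683b4120927` in chart-ci.yaml has no trailing comment saying what the SHA corresponds to, unlike the third-party pins around it (`# v5.0.0` on checkout). Because the SHA points into this same repository, the workflow will keep running the action as it was at that commit until someone bumps the pin by hand, so later fixes to the action will not reach CI. Add a comment such as `# <branch or tag this SHA was taken from>` and note how the pin is meant to be refreshed. The same applies to the `apptainer`, `.github` and `test-runner` pins in apptainer-ci.yaml, container-ci.yaml and test-runner-ci.yaml.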
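Review bot: `${INPUTS_GROUP_DIR}` is expanded unquoted in the new `Set Matrix` command of container-ci.yaml, so moving the input into `env:` stops template injection but the shell still word-splits and globs the value. Quote it: `run: echo "matrix=$(jq -c . < "${INPUTS_GROUP_DIR}/.actions.json")" >> "$GITHUB_OUTPUT"`. The same applies to `cat matrix/*-${NEEDS_BUILD_CONTAINERS_OUTPUTS_GROUP}/*.txt` in `setup-scan` (quote only the variable so the globs still expand) and, more importantly, to `find ${INPUTS_GROUP_DIR} ...` in `Get Recipes`, where a split value reaches find as extra arguments. `find "${INPUTS_GROUP_DIR}" -type f ...` keeps it a single path argument.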
@@ -103,7 +111,7 @@ jobs: - name: Build Container Group if: ${{ !inputs.no_build }} id: build-group - uses: intel/ai-containers/.github@main + uses: intel/ai-containers/.github@22527f085f2accb495bf4fed7475d683b4120927 with: group_dir: ${{ inputs.group_dir }} env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }} @@ -130,7 +138,9 @@ jobs: path: matrix - name: Set Matrix id: scan-matrix - run: echo "matrix=$(cat matrix/*-${{ needs.build-containers.outputs.group }}/*.txt | jq -R '.' | jq -sc '. | unique')" >> $GITHUB_OUTPUT + run: echo "matrix=$(cat matrix/*-${NEEDS_BUILD_CONTAINERS_OUTPUTS_GROUP}/*.txt | jq -R '.' | jq -sc '. | unique')" >> $GITHUB_OUTPUT + env: + NEEDS_BUILD_CONTAINERS_OUTPUTS_GROUP: ${{ needs.build-containers.outputs.group }} scan-containers: needs: [setup-scan] if: ${{ !inputs.no_build && github.event_name == 'pull_request' }} @@ -146,6 +156,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2 with: login-server: ${{ secrets.REGISTRY }} @@ -196,9 +208,13 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Get Recipes id: test-matrix - run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT + run: echo "matrix=$(find ${INPUTS_GROUP_DIR} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT + env: + INPUTS_GROUP_DIR: ${{ inputs.group_dir }} test-containers: needs: [setup-build, setup-test] if: ${{ needs.setup-test.outputs.matrix != '[]' }} 
@@ -213,6 +229,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c # v2 with: login-server: ${{ secrets.REGISTRY }} @@ -224,7 +242,7 @@ jobs: # username: ${{ secrets.REGISTRY_USER }} # password: ${{ secrets.REGISTRY_TOKEN }} - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@22527f085f2accb495bf4fed7475d683b4120927 with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: ${{ inputs.group_dir }} diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index f6aa33a78..b2bf2dab1 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -43,6 +43,8 @@ jobs: api.securityscorecards.dev:443 github.com:443 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050 # v4.7.2 with: comment-summary-in-pr: true diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index 7e4789c05..4df2f54dd 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -30,6 +30,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 2 + persist-credentials: false - name: Set Matrix data id: set-matrix run: | @@ -55,6 +56,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} 
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 2784fae1c..3b0cae05c 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -41,6 +41,8 @@ jobs: github.com:443 pypi.org:443 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.8 diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml index 2aa064d26..63b8350b4 100644 --- a/.github/workflows/integration-test.yaml +++ b/.github/workflows/integration-test.yaml @@ -34,6 +34,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - name: Output Modified Group Directories id: group-list run: | diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 84dda6f97..50ef56a96 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -39,6 +39,7 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 + persist-credentials: false - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0 env: GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*' diff --git a/.github/workflows/test-runner-ci.yaml b/.github/workflows/test-runner-ci.yaml index b0c54d4a8..4e271e44f 100644 --- a/.github/workflows/test-runner-ci.yaml +++ b/.github/workflows/test-runner-ci.yaml @@ -19,7 +19,7 @@ on: - 'test-runner/**' push: branches: - - main + - 22527f085f2accb495bf4fed7475d683b4120927 permissions: read-all concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} 
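Review bot: `persist-credentials: false` on the docs.yaml checkout removes the token from the local git configuration, and the rest of that job lies outside the hunk. If a later step publishes with plain git (for example a push to a pages branch), it will now fail to authenticate. Confirm the publish step is given its own token, and consider a comment next to the `with:` block along the lines of `# publish step authenticates with <its own token input>`.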
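Review bot: The `push.branches` filter in test-runner-ci.yaml now reads `- 22527f085f2accb495bf4fed7475d683b4120927`, which looks like the `@main` to SHA replacement hitting a branch name by accident. Branch filters match ref names, not commit ids, so the workflow will no longer run on pushes to `main` and post-merge regressions in test-runner will go unnoticed. Restore the line to `- main`.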
@@ -37,6 +37,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: driver: docker @@ -85,6 +87,8 @@ jobs: with: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 with: driver: docker @@ -102,7 +106,7 @@ jobs: with: python-version: "3.10" - name: Test Container Group - uses: intel/ai-containers/test-runner@main + uses: intel/ai-containers/test-runner@22527f085f2accb495bf4fed7475d683b4120927 with: cache_registry: ${{ secrets.CACHE_REGISTRY }} recipe_dir: test-runner diff --git a/.github/workflows/weekly-test.yaml b/.github/workflows/weekly-test.yaml index 4be5d257b..43b6aecc5 100644 --- a/.github/workflows/weekly-test.yaml +++ b/.github/workflows/weekly-test.yaml @@ -31,6 +31,8 @@ jobs: allowed-endpoints: > github.com:443 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Output Group Directories id: group-list run: |
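Review bot: `Test Container Group` in test-runner-ci.yaml now runs `intel/ai-containers/test-runner@22527f085f2accb495bf4fed7475d683b4120927`, so a workflow that triggers on changes under `test-runner/**` exercises a fixed older copy of the action rather than the code being changed. The preceding hunk shows a checkout step, which appears to be in the same job, so a local reference `uses: ./test-runner` would test the checked-out revision. Before switching, check that the triggers do not hand `secrets.CACHE_REGISTRY` to untrusted pull-request code. If the pin is intentional, say so in a comment on the `uses:` line.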