GENAI-New-worflows (open-edge-platform#834)

Co-authored-by: Raghu Bhat <raghavendra.bhat@intel.com>

Author: saikiransayabugari

.github/workflows/GEN-AI-Chat-qna-core.yaml

@@ -0,0 +1,361 @@
+---
+# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: "[GEN-AI] Chat-qna-core-CI"
+run-name: "[GEN-AI-Chat-qna-core-CI] PR  workflow (by @${{ github.actor }} via ${{ github.event_name }})"
+
+
+# Only run at most 1 workflow concurrently per PR, unlimited for branches
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'sample-applications/chat-question-and-answer-core/**'
+
+jobs:
+   
+  trivy-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+        with:
+          persist-credentials: false
+      
+      - name: Build Docker images
+        run: |
+          docker build -f ./sample-applications/chat-question-and-answer-core/docker/Dockerfile -t chatqna-core-backend:latest ./sample-applications/chat-question-and-answer-core/
+          docker build -f ./sample-applications/chat-question-and-answer-core/ui/Dockerfile -t chatqna-core-frontend:latest ./sample-applications/chat-question-and-answer-core/ui/
+      
+      - name: Run Trivy Filesystem Scan
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        id: trivy-fs
+        with:
+          scan_type: "fs"  
+          scan-scope: "all"  
+          severity: "HIGH,CRITICAL" 
+          format: "json"
+          scan_target: "sample-applications/chat-question-and-answer-core/"
+          report_suffix: "-fs-chat-qna-core-CT7"
+      
+         
+      - name: Run trivy Scan - chat-qna-core-backend (HTML Report)
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        id: chat-qna-core-backend-html
+        with:
+          scan_type: "image"  
+          scan-scope: "all"
+          scan_target: "chatqna-core-backend:latest"  
+          severity: "HIGH,CRITICAL"  
+          format: "table"
+          report_suffix: "-image-chat-qna-core-backend-html-CT248"
+          generate_sbom: "false"
+
+      - name: Run trivy Scan - chat-qna-core-backend (SPDX SBOM)
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        id: chat-qna-core-backend-spdx
+        with:
+          scan_type: "image"  
+          scan-scope: "all"
+          scan_target: "chatqna-core-backend:latest"  
+          severity: "HIGH,CRITICAL"  
+          format: "spdx-json"
+          scanners: "vuln"
+          report_suffix: "-image-chat-qna-core-backend-spdx-CT248"
+          generate_sbom: "false"
+          
+
+      - name: Run trivy Scan - chat-qna-core-frontend (HTML Report)
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        id: chat-qna-core-frontend-html
+        with:
+          scan_type: "image"  
+          scan-scope: "all"
+          scan_target: "chatqna-core-frontend:latest"  
+          severity: "HIGH,CRITICAL"  
+          format: "table"
+          report_suffix: "-image-chat-qna-core-frontend-html-CT248"
+          generate_sbom: "false"
+
+      - name: Run trivy Scan - chat-qna-core-frontend (SPDX SBOM)
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        id: chat-qna-core-frontend-spdx
+        with:
+          scan_type: "image"  
+          scan-scope: "all"
+          scan_target: "chatqna-core-frontend:latest"  
+          severity: "HIGH,CRITICAL"  
+          format: "spdx-json"
+          scanners: "vuln"
+          report_suffix: "-image-chat-qna-core-frontend-spdx-CT248"
+          generate_sbom: "false"
+
+      
+      - name: Scan Dockerfile with Trivy-backend
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        with:
+          scan_type: "config"
+          scan_target: "sample-applications/chat-question-and-answer-core/"
+          severity: "HIGH,CRITICAL"
+          format: "json"
+          misconfig_scanners: "dockerfile"
+          report_suffix: "-config-chat-qna-core-backend-CT222"
+
+      - name: Scan Dockerfile with Trivy-frontend
+        uses: open-edge-platform/orch-ci/.github/actions/security/trivy@27276444a9bcf247a27369406686b689933bd1ff
+        with:
+          scan_type: "config"
+          scan_target: "sample-applications/chat-question-and-answer-core/ui/"
+          severity: "HIGH,CRITICAL"
+          format: "json"
+          misconfig_scanners: "dockerfile"
+          report_suffix: "-config-chat-qna-core-frontend-CT222"
+           
+      - name: Upload Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: trivy-report-chat-qna-core
+          path: security-results/trivy*
+
+  bandit-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+      
+      - name: Run Bandit Scan
+        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@27276444a9bcf247a27369406686b689933bd1ff
+        id: bandit
+        with:
+          scan-scope: "all"  
+          output-format: "txt" 
+          fail-on-findings: "false"
+          paths: "sample-applications/chat-question-and-answer-core/"
+          report_suffix: "-bandit-chat-qna-core-CT161"
+          
+      - name: Upload Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: bandit-report-core
+          path: bandit-report-*.txt
+        
+
+  clamav-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+      
+      - name: Run ClamAV Scan
+        uses: open-edge-platform/orch-ci/.github/actions/security/clamav@27276444a9bcf247a27369406686b689933bd1ff
+        id: clamav
+        with:
+          scan-scope: "all"  
+          output-format: "txt" 
+          fail-on-findings: "false"
+          paths: "sample-applications/chat-question-and-answer-core/"
+          exclude_dirs: ".git,node_modules,venv,ui/test,tests"
+          
+      - name: Upload Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: clamav-report-chatqna-core
+          path: security-results/clamav*
+
+  # GitLeaks scanning job
+  gitleaks-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+        with:
+          persist-credentials: false
+          
+      - name: Install gitleaks
+        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@5f1c7f544b235db6ded508b6b4c6a2d3a78a38be
+        with:
+          bootstrap_tools: "gitleaks"
+          
+      - name: Get current timestamp
+        id: timestamp
+        run: echo "time=$(date +%s)" >> "$GITHUB_OUTPUT"
+        
+      - name: Clone CI repo
+        uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+        with:
+          repository: open-edge-platform/orch-ci
+          path: ci
+          persist-credentials: false
+          
+      - name: Scan for secrets
+        run: |
+          gitleaks dir "sample-applications/chat-question-and-answer-core/" -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks-chatqna-core.json -r gitleaks-chatqna-core.json || true
+          
+      - name: Upload Gitleaks Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: gitleaks-report-chat-qna-core-${{ steps.timestamp.outputs.time }}
+          path: gitleaks-chatqna-core.json
+
+  # Python linting with pylint
+  pylint-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+      
+      - name: Setup Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        with:
+          python-version: '3.12'
+      
+      - name: Install Poetry
+        run: |
+          pip install poetry
+          
+      - name: Install dependencies and pylint
+        run: |
+          cd sample-applications/chat-question-and-answer-core/
+          poetry install || true
+          poetry add --group dev pylint
+      
+      - name: Run pylint
+        run: |
+          cd sample-applications/chat-question-and-answer-core/
+          mkdir -p security-results
+          echo "=== Pylint Scan Results ===" > security-results/pylint-report-chat-qna-core.txt
+          echo "Scan Date: $(date)" >> security-results/pylint-report-chat-qna-core.txt
+          echo "" >> security-results/pylint-report-chat-qna-core.txt
+          
+          # Create a basic pylint config
+          cat > .pylintrc << EOF
+          [MESSAGES CONTROL]
+          disable=C0111,C0103,R0903,R0913,W0613,W0622,R0801,R0902,R0914,R0915,R0912,C0301,C0302
+          
+          [FORMAT]
+          max-line-length=120
+          
+          [REPORTS]
+          output-format=text
+          reports=yes
+          EOF
+          
+          # Find all Python files and lint them
+          find app/ -type f -name "*.py" -exec poetry run pylint --rcfile=.pylintrc {} + >> security-results/pylint-report-chat-qna-core.txt 2>&1 || true
+          
+          echo "Pylint scan completed"
+      
+      - name: Upload pylint Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: pylint-report-chat-qna-core
+          path: sample-applications/chat-question-and-answer-core/security-results/pylint-report-chat-qna-core.txt
+
+  # ShellCheck scanning job
+  shellcheck-scan:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+      
+      - name: Setup environment with shellcheck
+        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@5f1c7f544b235db6ded508b6b4c6a2d3a78a38be
+        with:
+          bootstrap_tools: "shellcheck"
+      
+      - name: Run ShellCheck
+        run: |
+          mkdir -p security-results
+          echo "=== ShellCheck Scan Results ===" > security-results/shellcheck-report-chat-qna-core.txt
+          echo "Scan Date: $(date)" >> security-results/shellcheck-report-chat-qna-core.txt
+          echo "" >> security-results/shellcheck-report-chat-qna-core.txt
+          
+          # Find all shell scripts and check them
+          find sample-applications/chat-question-and-answer-core/ -type f \( -name "*.sh" -o -name "*.bash" \) -print0 | while IFS= read -r -d '' file; do
+            echo "Checking: $file" >> security-results/shellcheck-report-chat-qna-core.txt
+            shellcheck "$file" >> security-results/shellcheck-report-chat-qna-core.txt 2>&1 || true
+            echo "---" >> security-results/shellcheck-report-chat-qna-core.txt
+          done
+          
+          echo "ShellCheck scan completed"
+      
+      - name: Upload ShellCheck Report
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: shellcheck-report-chat-qna-core
+          path: security-results/shellcheck-report-chat-qna-core.txt
+
+  # Run Unit test cases Frontend
+  run-unit-tests-frontend:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+      
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          
+      - name: Install dependencies and run tests
+        run: |
+          cd sample-applications/chat-question-and-answer-core/ui/
+          npm install || true
+          npm run coverage || true
+          
+      - name: Upload test results
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: chat-qna-core-frontend-results
+          path: sample-applications/chat-question-and-answer-core/ui/coverage/
+
+  # Run Unit test cases for Backend
+  run-unit-tests-backend:
+    runs-on: ubuntu-22.04-32core-128GB
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8edcb1bdb4e267140fa742c62e395cd74f332709
+
+      - name: Set up Python environment
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+    
+      - name: Run unit tests
+        run: |
+          cd sample-applications/chat-question-and-answer-core/
+          # Backend Coverage (including all production Python files)
+          python3.12 -m venv chat-qna-core-venv
+          source chat-qna-core-venv/bin/activate
+          pip install poetry
+          poetry install --with dev || true
+          poetry add --group dev pytest-cov || true
+          poetry run pytest tests/ \
+            --cov=app \
+            --cov-report=html:coverage-backend \
+            --cov-report=xml:coverage-backend.xml \
+            --cov-report=term-missing \
+            --cov-branch || true
+          deactivate
+          rm -rf chat-qna-core-venv
+
+      - name: Upload test results
+        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8
+        with:
+          name: chat-qna-core-backend-test-results
+          path: sample-applications/chat-question-and-answer-core/coverage-backend/