From 6f5ae6b494fa7f793d62a26f2b3f34cf9636ae70 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 10 Dec 2025 10:55:06 +0000
Subject: [PATCH 01/14] bump versions
Signed-off-by: Barabanov, Alexander
---
 .../code_deployment/example_code/requirements-notebook.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/interactive_ai/services/resource/app/code_deployment/example_code/requirements-notebook.txt b/interactive_ai/services/resource/app/code_deployment/example_code/requirements-notebook.txt
index 796b45cf3..a99553495 100644
--- a/interactive_ai/services/resource/app/code_deployment/example_code/requirements-notebook.txt
+++ b/interactive_ai/services/resource/app/code_deployment/example_code/requirements-notebook.txt
@@ -1,7 +1,7 @@
 # Requirements for running the `demo_notebook.ipynb` Jupyter notebook
 geti-sdk~=2.13
-jupyterlab>=3.6
+jupyterlab>=4.4.8
 opencv-python>=4.10
-Pillow>=9.4.0
+Pillow>=10.3.0
 ipython>=8.10.0
 ipywidgets~=8.1
\ No newline at end of file
From 6c4eec207a519eb92494f7ac8787971c011df5c2 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 10 Dec 2025 11:32:43 +0000
Subject: [PATCH 02/14] minor updates in workflows
Signed-off-by: Barabanov, Alexander
---
 .github/workflows/cleanup-old-packages.yml | 26 ++++++++++-----------
 .github/workflows/component.yml | 2 +-
 .github/workflows/main.yml | 8 +++---
 .github/workflows/package-distribution.yaml | 2 +-
 .github/workflows/web-ui.yml | 2 +-
 5 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/cleanup-old-packages.yml b/.github/workflows/cleanup-old-packages.yml
index 6866d1f2e..4ab6fa5ce 100644
--- a/.github/workflows/cleanup-old-packages.yml
+++ b/.github/workflows/cleanup-old-packages.yml
@@ -1,12 +1,12 @@ # GHCR cleanup workflow # # This workflow deletes untagged and old package daily builds from GHCR registry. -# +# # Key Features: # - Deletes untagged and old package daily builds from GHCR registry # - Can be triggered manually or by other workflows # - Supports dry run mode to preview changes -# +# # Process Stages: # 1. Prepare list of package versions to delete # 2. Delete old package versions @@ -59,17 +59,17 @@ on: type: boolean default: true -permissions: - contents: read - packages: write +permissions: {} # No permissions by default on workflow level jobs: prepare-vars: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Prepare list of package ids to delete id: prepare-versions - env: + env: MIN_VERSIONS_TO_KEEP: ${{ github.event.inputs.min_versions_to_keep }} PACKAGE_NAME: ${{ github.event.inputs.package_name }} GH_TOKEN: ${{ secrets.GHCR_CLEANUP_TOKEN }} 
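Review bot: The `contents: read` grant added to the prepare-vars job in the second hunk looks unnecessary: the only step shown authenticates with `GH_TOKEN: ${{ secrets.GHCR_CLEANUP_TOKEN }}`, a stored token rather than GITHUB_TOKEN, so the job could carry `permissions: {}` like the workflow level now does, unless a checkout step follows outside the hunk. Either way the job deserves a comment stating which token it actually uses, e.g. `permissions: {} # auth is via GHCR_CLEANUP_TOKEN; GITHUB_TOKEN is not used`. Note that the workflow-level `permissions: {}` does not constrain that stored token at all; its scope has to be limited on the token itself (read:packages / delete:packages only), and that is worth recording next to the secret reference.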
@@ -112,18 +112,18 @@ jobs: - name: Cleanup old packages if: ${{ github.event.inputs.dry_run != 'true' && steps.prepare-versions.outputs.package_version_ids != '' }} - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 with: - package-name: '${{ github.event.inputs.package_name }}' - package-type: 'container' - package-version-ids: '${{ steps.prepare-versions.outputs.package_version_ids }}' + package-name: "${{ github.event.inputs.package_name }}" + package-type: "container" + package-version-ids: "${{ steps.prepare-versions.outputs.package_version_ids }}" token: ${{ secrets.GHCR_CLEANUP_TOKEN }} - name: Cleanup untagged packages if: ${{ github.event.inputs.dry_run != 'true' }} - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 with: - package-name: '${{ github.event.inputs.package_name }}' - package-type: 'container' + package-name: "${{ github.event.inputs.package_name }}" + package-type: "container" token: ${{ secrets.GHCR_CLEANUP_TOKEN }} delete-only-untagged-versions: true diff --git a/.github/workflows/component.yml b/.github/workflows/component.yml index e8446a568..92ee72ef6 100644 --- a/.github/workflows/component.yml +++ b/.github/workflows/component.yml @@ -71,7 +71,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - packages: write + packages: write # to publish packages timeout-minutes: 30 env: TAG: ${{ inputs.build_version || github.sha }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2d790d013..b75900d89 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -204,7 +204,7 @@ jobs: needs: get-vars permissions: contents: read - packages: write + packages: write # to publish packages uses: ./.github/workflows/component.yml if: ${{ !contains(needs.get-vars.outputs.filtered-components-list, '[]') }} strategy: @@ -224,7 +224,7 @@ jobs: needs: get-vars permissions: contents: read - packages: write + packages: write # to publish packages uses: ./.github/workflows/web-ui.yml if: ${{ contains(needs.get-vars.outputs.components-list, 'web_ui') }} with: @@ -240,7 +240,7 @@ jobs: - web-ui-workflow permissions: contents: read - packages: write + packages: write # to publish packages uses: ./.github/workflows/package-distribution.yaml with: build_all: ${{ fromJSON(needs.get-vars.outputs.build_all) }} # fromJSON is required to cast string to boolean @@ -257,7 +257,7 @@ jobs: - web-ui-workflow - package-distribution-workflow permissions: - discussions: write + discussions: write # to publish discussion/daily build runs-on: ubuntu-latest if: ${{ always() && !cancelled() }} env: diff --git a/.github/workflows/package-distribution.yaml b/.github/workflows/package-distribution.yaml index c06530aca..cd1dd273d 100644 --- a/.github/workflows/package-distribution.yaml +++ b/.github/workflows/package-distribution.yaml @@ -60,7 +60,7 @@ jobs: if: ${{ inputs.build_all }} permissions: contents: read - packages: write + packages: write # to publish packages env: TAG: ${{ inputs.build_version }} PLATFORM_VERSION: ${{ inputs.platform_version }} diff --git a/.github/workflows/web-ui.yml b/.github/workflows/web-ui.yml index 419645dde..37bc4d606 100644 --- a/.github/workflows/web-ui.yml +++ b/.github/workflows/web-ui.yml @@ -270,7 +270,7 @@ jobs: needs: [lint, unit-tests, merge-playwright-reports] permissions: contents: read # to checkout code - packages: write + packages: write # to publish packages uses: ./.github/workflows/component.yml with: build_version: ${{ inputs.build_version }} 
From caf8f6a259da0ae828953acba2f30d5700be6938 Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 11:37:03 +0000 Subject: [PATCH 03/14] pin container image Signed-off-by: Barabanov, Alexander --- platform/services/account/Dockerfile.protoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/services/account/Dockerfile.protoc b/platform/services/account/Dockerfile.protoc index e193b1e5f..4e5d38e82 100644 --- a/platform/services/account/Dockerfile.protoc +++ b/platform/services/account/Dockerfile.protoc @@ -1,4 +1,4 @@ -FROM golang:1.20.5 +FROM golang:1.20.5@sha256:fd9306e1c664bd49a11d4a4a04e41303430e069e437d137876e9290a555e06fb RUN apt-get update && \ apt-get install --no-install-recommends -y \ From 2e2c31aa7cf7d2f98b15f270721721a115f732c0 Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 12:13:36 +0000 Subject: [PATCH 04/14] pin syft Signed-off-by: Barabanov, Alexander --- .github/workflows/collect-source.yml | 97 ++++++++++++++++------------ .github/workflows/tmp_syft_test.yml | 37 +++++++++++ 2 files changed, 93 insertions(+), 41 deletions(-) create mode 100644 .github/workflows/tmp_syft_test.yml diff --git a/.github/workflows/collect-source.yml b/.github/workflows/collect-source.yml index d5a4cc371..3d2187108 100644 --- a/.github/workflows/collect-source.yml +++ b/.github/workflows/collect-source.yml 
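Review bot: The digest pin on `FROM golang:1.20.5@sha256:…` has the right shape, but it freezes a Go toolchain that is no longer a supported Go release, so the pin now locks in unfixed toolchain and base-layer issues rather than only protecting against tag drift. If this image is used solely to generate protobuf code the runtime exposure is limited, but the tag should be moved to a supported Go release before it is digest-pinned; the docker pin-digests rule added in PATCH 14 will then keep the digest current on main. A short comment above the line naming why the digest is pinned, e.g. `# digest-pinned for reproducible builds; bump tag+digest together`, would help the next maintainer.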
@@ -65,7 +65,22 @@ jobs: TARGET: ${{ matrix.target }} run: | # install Syft - curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin + + VERSION=1.38.2 + OS=linux + ARCH=amd64 + BASE_URL="https://github.com/anchore/syft/releases/download/v${VERSION}" + curl -sL "${BASE_URL}/syft_${VERSION}_${OS}_${ARCH}.tar.gz" > syft_${VERSION}_${OS}_${ARCH}.tar.gz + curl -sL "${BASE_URL}/syft_${VERSION}_checksums.txt" | grep -E "syft_${VERSION}_${OS}_${ARCH}\\.tar\\.gz$" > checkSum.txt + if [ -s checkSum.txt ]; then + sha256sum -c checkSum.txt + else + echo "Checksum file not found or empty" + exit 1 + fi + tar -zxvf syft_${VERSION}_${OS}_${ARCH}.tar.gz -C /usr/local/bin/ syft + echo "Syft $(syft version) installed successfully" + NAME=$(echo "$TARGET" | cut -d'/' -f 4 | cut -d':' -f 1) echo "name=$NAME" >> $GITHUB_ENV 
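Review bot: The added checksum step verifies the tarball against `syft_${VERSION}_checksums.txt` fetched from the same release URL, which catches a truncated or corrupted download but not a substituted one, since whoever can alter the tarball on that path can alter the checksums file too; pinning the expected digest in the workflow (`EXPECTED_SHA256="<sha256 of syft_1.38.2_linux_amd64.tar.gz>"` followed by `echo "${EXPECTED_SHA256}  syft_${VERSION}_${OS}_${ARCH}.tar.gz" | sha256sum -c -`) ties the install to a value reviewed in this repository. Separately, both `curl -sL` calls lack `-f`, so an HTTP error body is silently written to the tarball or checksum file and the failure only shows up later at `sha256sum -c` or as "Checksum file not found or empty"; `curl -fsSL` fails at the download with the real status instead. The same install block is duplicated verbatim in tmp_syft_test.yml in this patch, so any fix applies to both copies.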
@@ -118,43 +133,43 @@ jobs: container: image: debian:bookworm-slim@sha256:b4aa902587c2e61ce789849cb54c332b0400fe27b1ee33af4669e1f7e7c3e22f steps: - - name: Add apt sources for deb-src - shell: bash - run: | - sed -Ei "s/^Types: deb$/Types: deb deb-src/" /etc/apt/sources.list.d/debian.sources - apt-get update - - - name: Find GPL/MPL licensed packages - shell: bash - env: - PACKAGES: ${{ needs.get-unique-names.outputs.unique_package_names_oneline }} - run: | - OUTPUT_DIR="output" - ARCHIVE_NAME="source_code.tar.gz" - mkdir -p "$OUTPUT_DIR" - cd "$OUTPUT_DIR" - # Split comma-separated list into an array - IFS=',' read -r -a PACKAGES_ARR <<< "$PACKAGES" - # Collect missing packages - # Install GNU Parallel for faster downloads - apt-get update && apt-get install -y parallel - - # Download sources for GPL/MPL packages in parallel with error handling - if [ ${#PACKAGES_ARR[@]} -gt 0 ]; then - export OUTPUT_DIR - printf "%s\n" "${PACKAGES_ARR[@]}" | parallel --jobs 4 ' - echo "Downloading source for {}" - if ! apt-get source -q --download-only "{}"; then - echo "Warning: Source not available for {}" >&2 - fi - ' - fi - cd .. - tar -czf "$ARCHIVE_NAME" -C "$OUTPUT_DIR" . 
- - - name: Upload source code archive - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - name: source-code-archive - path: source_code.tar.gz - retention-days: 3 + - name: Add apt sources for deb-src + shell: bash + run: | + sed -Ei "s/^Types: deb$/Types: deb deb-src/" /etc/apt/sources.list.d/debian.sources + apt-get update + + - name: Find GPL/MPL licensed packages + shell: bash + env: + PACKAGES: ${{ needs.get-unique-names.outputs.unique_package_names_oneline }} + run: | + OUTPUT_DIR="output" + ARCHIVE_NAME="source_code.tar.gz" + mkdir -p "$OUTPUT_DIR" + cd "$OUTPUT_DIR" + # Split comma-separated list into an array + IFS=',' read -r -a PACKAGES_ARR <<< "$PACKAGES" + # Collect missing packages + # Install GNU Parallel for faster downloads + apt-get update && apt-get install -y parallel + + # Download sources for GPL/MPL packages in parallel with error handling + if [ ${#PACKAGES_ARR[@]} -gt 0 ]; then + export OUTPUT_DIR + printf "%s\n" "${PACKAGES_ARR[@]}" | parallel --jobs 4 ' + echo "Downloading source for {}" + if ! apt-get source -q --download-only "{}"; then + echo "Warning: Source not available for {}" >&2 + fi + ' + fi + cd .. + tar -czf "$ARCHIVE_NAME" -C "$OUTPUT_DIR" . + + - name: Upload source code archive + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: source-code-archive + path: source_code.tar.gz + retention-days: 3 diff --git a/.github/workflows/tmp_syft_test.yml b/.github/workflows/tmp_syft_test.yml new file mode 100644 index 000000000..323ff995d --- /dev/null +++ b/.github/workflows/tmp_syft_test.yml 
@@ -0,0 +1,37 @@ +name: Syft test + +on: + workflow_dispatch: + inputs: + tag: + description: "Image tag to filter images, e.g. '2.13.0-d90fa913'" + required: true + +permissions: {} # No permissions by default on workflow level + +jobs: + collect-packages-names: + needs: collect-images-list + timeout-minutes: 660 + runs-on: ubuntu-latest + steps: + - name: syft Scan + shell: bash + run: | + # install Syft + + VERSION=1.38.2 + OS=linux + ARCH=amd64 + BASE_URL="https://github.com/anchore/syft/releases/download/v${VERSION}" + curl -sL "${BASE_URL}/syft_${VERSION}_${OS}_${ARCH}.tar.gz" > syft_${VERSION}_${OS}_${ARCH}.tar.gz + curl -sL "${BASE_URL}/syft_${VERSION}_checksums.txt" | grep -E "syft_${VERSION}_${OS}_${ARCH}\\.tar\\.gz$" > checkSum.txt + if [ -s checkSum.txt ]; then + sha256sum -c checkSum.txt + else + echo "Checksum file not found or empty" + exit 1 + fi + tar -zxvf syft_${VERSION}_${OS}_${ARCH}.tar.gz -C /usr/local/bin/ syft + echo "Syft $(syft version) installed successfully" + syft ghcr.io/open-edge-platform/geti/account-service:2.14.0-2bff6fc2 From 10fd76486a9ba4177c0b28b42f2604a26f8c5987 Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 12:18:27 +0000 Subject: [PATCH 05/14] test syft Signed-off-by: Barabanov, Alexander --- .github/workflows/tmp_syft_test.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/tmp_syft_test.yml b/.github/workflows/tmp_syft_test.yml index 323ff995d..835d8cc66 100644 --- a/.github/workflows/tmp_syft_test.yml +++ b/.github/workflows/tmp_syft_test.yml @@ -2,16 +2,11 @@ name: Syft test on: workflow_dispatch: - inputs: - tag: - description: "Image tag to filter images, e.g. '2.13.0-d90fa913'" - required: true permissions: {} # No permissions by default on workflow level jobs: collect-packages-names: - needs: collect-images-list timeout-minutes: 660 runs-on: ubuntu-latest steps: From d15e6c53d28a838250264139823bf19bba9ef257 Mon Sep 17 00:00:00 2001 
From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 12:20:56 +0000 Subject: [PATCH 06/14] test syft Signed-off-by: Barabanov, Alexander --- .github/workflows/tmp_syft_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tmp_syft_test.yml b/.github/workflows/tmp_syft_test.yml index 835d8cc66..2fb2c443c 100644 --- a/.github/workflows/tmp_syft_test.yml +++ b/.github/workflows/tmp_syft_test.yml @@ -28,5 +28,5 @@ jobs: exit 1 fi tar -zxvf syft_${VERSION}_${OS}_${ARCH}.tar.gz -C /usr/local/bin/ syft - echo "Syft $(syft version) installed successfully" + echo "Syft $(syft --version) installed successfully" syft ghcr.io/open-edge-platform/geti/account-service:2.14.0-2bff6fc2 From 0462e232c45fc1965e24992da69c369ac9cd8e7f Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 12:22:08 +0000 Subject: [PATCH 07/14] remove test Signed-off-by: Barabanov, Alexander --- .github/workflows/collect-source.yml | 2 +- .github/workflows/tmp_syft_test.yml | 32 ---------------------------- 2 files changed, 1 insertion(+), 33 deletions(-) delete mode 100644 .github/workflows/tmp_syft_test.yml diff --git a/.github/workflows/collect-source.yml b/.github/workflows/collect-source.yml index 3d2187108..bf522f33a 100644 --- a/.github/workflows/collect-source.yml +++ b/.github/workflows/collect-source.yml @@ -79,7 +79,7 @@ jobs: exit 1 fi tar -zxvf syft_${VERSION}_${OS}_${ARCH}.tar.gz -C /usr/local/bin/ syft - echo "Syft $(syft version) installed successfully" + echo "Syft $(syft --version) installed successfully" NAME=$(echo "$TARGET" | cut -d'/' -f 4 | cut -d':' -f 1) echo "name=$NAME" >> $GITHUB_ENV diff --git a/.github/workflows/tmp_syft_test.yml b/.github/workflows/tmp_syft_test.yml deleted file mode 100644 index 2fb2c443c..000000000 --- a/.github/workflows/tmp_syft_test.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: Syft test - -on: - workflow_dispatch: - -permissions: {} # No permissions by default on workflow level - -jobs: - collect-packages-names: - timeout-minutes: 660 - runs-on: ubuntu-latest - steps: - - name: syft Scan - shell: bash - run: | - # install Syft - - VERSION=1.38.2 - OS=linux - ARCH=amd64 - BASE_URL="https://github.com/anchore/syft/releases/download/v${VERSION}" - curl -sL "${BASE_URL}/syft_${VERSION}_${OS}_${ARCH}.tar.gz" > syft_${VERSION}_${OS}_${ARCH}.tar.gz - curl -sL "${BASE_URL}/syft_${VERSION}_checksums.txt" | grep -E "syft_${VERSION}_${OS}_${ARCH}\\.tar\\.gz$" > checkSum.txt - if [ -s checkSum.txt ]; then - sha256sum -c checkSum.txt - else - echo "Checksum file not found or empty" - exit 1 - fi - tar -zxvf syft_${VERSION}_${OS}_${ARCH}.tar.gz -C /usr/local/bin/ syft - echo "Syft $(syft --version) installed successfully" - syft ghcr.io/open-edge-platform/geti/account-service:2.14.0-2bff6fc2 From 57bd0ecd528d973b1266d868e2d223fbcd9eb04f Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 13:25:13 +0000 Subject: [PATCH 08/14] pin deps Signed-off-by: Barabanov, Alexander --- .github/workflows/bdd-stylecheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bdd-stylecheck.yml b/.github/workflows/bdd-stylecheck.yml index 02229b5c4..e0194e466 100644 --- a/.github/workflows/bdd-stylecheck.yml +++ b/.github/workflows/bdd-stylecheck.yml @@ -48,8 +48,8 @@ jobs: - name: Install swagger-cli and openapi-generator-cli run: | npm config set registry "http://registry.npmjs.org/" - npm install -g @apidevtools/swagger-cli - npm install -g @openapitools/openapi-generator-cli + npm install -g @apidevtools/swagger-cli@4.0.4 + npm install -g @openapitools/openapi-generator-cli@2.25.0 - name: Static code analysis working-directory: interactive_ai/tests/e2e From 8038f67eee31fb1e60b5fa7f038d721818191f27 Mon Sep 17 00:00:00 2001 
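Review bot: The two pinned `npm install -g` lines in the bdd-stylecheck hunk run after the context line `npm config set registry "http://registry.npmjs.org/"`, which points npm at a plain-HTTP registry URL, so the version pins added here still do not give the install transport integrity: both the package metadata and the tarball for `@apidevtools/swagger-cli@4.0.4` are fetched without TLS. npm's default registry is already `https://registry.npmjs.org/`, so the override can be dropped or changed to `npm config set registry "https://registry.npmjs.org/"`. The same context line survives the revert of these pins in PATCH 10, so the point applies there as well.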
From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 13:28:03 +0000 Subject: [PATCH 09/14] add OpenSSF score Signed-off-by: Barabanov, Alexander --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 184394561..ed9695875 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ LIMITED EDGE SOFTWARE DISTRIBUTION LICENSE [![python](https://img.shields.io/badge/python-3.10%2B-green)]() [![pytorch](https://img.shields.io/badge/pytorch-2.5%2B-orange)]() [![openvino](https://img.shields.io/badge/openvino-2025.1.0-purple)]() +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/open-edge-platform/geti/badge)](https://securityscorecards.dev/viewer/?uri=github.com/open-edge-platform/geti) From e422715b7b533992c4afeb85172e9be900d63825 Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 13:47:01 +0000 Subject: [PATCH 10/14] revert pin Signed-off-by: Barabanov, Alexander --- .github/workflows/bdd-stylecheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bdd-stylecheck.yml b/.github/workflows/bdd-stylecheck.yml index e0194e466..02229b5c4 100644 --- a/.github/workflows/bdd-stylecheck.yml +++ b/.github/workflows/bdd-stylecheck.yml @@ -48,8 +48,8 @@ jobs: - name: Install swagger-cli and openapi-generator-cli run: | npm config set registry "http://registry.npmjs.org/" - npm install -g @apidevtools/swagger-cli@4.0.4 - npm install -g @openapitools/openapi-generator-cli@2.25.0 + npm install -g @apidevtools/swagger-cli + npm install -g @openapitools/openapi-generator-cli - name: Static code analysis working-directory: interactive_ai/tests/e2e From a0df991aa59330e73ef0708f6e3abc3b6ac8435a Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 14:00:20 +0000 Subject: [PATCH 11/14] update workflows 
Signed-off-by: Barabanov, Alexander --- .github/workflows/pr-security-scan.yaml | 4 ++-- .github/workflows/security-scan.yml | 15 ++++++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pr-security-scan.yaml b/.github/workflows/pr-security-scan.yaml index c7df2f7be..44c8ec63f 100644 --- a/.github/workflows/pr-security-scan.yaml +++ b/.github/workflows/pr-security-scan.yaml @@ -47,7 +47,7 @@ jobs: uses: open-edge-platform/geti-ci/actions/bandit@3cdaaaa0fc400b63f52f4dbb007fa0b69939e0ab with: scan-scope: "changed" - severity-level: "HIGH" - confidence-level: "HIGH" + severity-level: "LOW" + confidence-level: "LOW" config_file: ".github/bandit_config.yml" fail-on-findings: true diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 97245067d..dcd7beeba 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -58,7 +58,6 @@ jobs: config_file: ".github/bandit_config.yml" fail-on-findings: false # reports only - # TODO: unify approach and migrate to reusable workflows/composite actions trivy-scan: runs-on: ubuntu-latest permissions: @@ -74,13 +73,15 @@ jobs: with: persist-credentials: false - name: Run Trivy vulnerability scanner in config mode - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 + uses: open-edge-platform/geti-ci/actions/trivy@3cdaaaa0fc400b63f52f4dbb007fa0b69939e0ab with: - scan-type: "config" - scan-ref: "." - format: sarif - trivy-config: ".github/trivy_config.yml" - output: "trivy-results.sarif" + scan_type: "fs" + scan-scope: all + severity: "LOW" + scanners: "vuln,secret,config" + format: "sarif" + timeout: "15m" + ignore_unfixed: "true" - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 with: From 1396c9add4ad6ad664dbb392d3308e060bda31a2 Mon Sep 17 00:00:00 2001 
From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 14:03:30 +0000 Subject: [PATCH 12/14] config update Signed-off-by: Barabanov, Alexander --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index dcd7beeba..e2c8bb560 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -78,7 +78,7 @@ jobs: scan_type: "fs" scan-scope: all severity: "LOW" - scanners: "vuln,secret,config" + scanners: "vuln,secret" format: "sarif" timeout: "15m" ignore_unfixed: "true" From bb18d6e220bcf804797601c0342a5c0e1ac9b8cc Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 14:13:21 +0000 Subject: [PATCH 13/14] security workflow update Signed-off-by: Barabanov, Alexander --- .github/workflows/security-scan.yml | 35 ++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index e2c8bb560..7da6f1abe 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -58,7 +58,8 @@ jobs: config_file: ".github/bandit_config.yml" fail-on-findings: false # reports only - trivy-scan: + # TODO: unify approach and migrate to reusable workflows/composite actions + trivy-scan-config: runs-on: ubuntu-latest permissions: contents: read 
@@ -73,16 +74,38 @@ jobs: with: persist-credentials: false - name: Run Trivy vulnerability scanner in config mode + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 + with: + scan-type: "config" + scan-ref: "." + format: sarif + trivy-config: ".github/trivy_config.yml" + output: "trivy-results.sarif" + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + with: + sarif_file: "trivy-results.sarif" + + trivy-scan-lock: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + - name: Checkout code + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - name: Run Trivy vulnerability scanner in vuln/secret modes uses: open-edge-platform/geti-ci/actions/trivy@3cdaaaa0fc400b63f52f4dbb007fa0b69939e0ab with: scan_type: "fs" scan-scope: all severity: "LOW" scanners: "vuln,secret" - format: "sarif" + format: "table" # Use plain text output format to omit uploading code scanning results to Security tab timeout: "15m" ignore_unfixed: "true" - - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 - with: - sarif_file: "trivy-results.sarif" From cb4b62bbbbc285ff7bab783b134d048357483104 Mon Sep 17 00:00:00 2001 From: "Barabanov, Alexander" Date: Wed, 10 Dec 2025 14:40:20 +0000 Subject: [PATCH 14/14] update renovate config Signed-off-by: Barabanov, Alexander --- .github/renovate.json5 | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 6d48f394c..21c88334d 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
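Review bot: The new `trivy-scan-lock` job emits vuln/secret findings only to the job log (`format: "table"`, with the comment saying this is to keep them out of the Security tab), and nothing in the hunk makes the job fail when something is found, so a secret committed to the tree would surface only to whoever reads that log; if the geti-ci trivy action exposes a fail-on-findings or exit-code input it should be set here, otherwise the secret scanner at least should keep producing SARIF for the `Upload to code-scanning` step this hunk removes from the job. `ignore_unfixed: "true"` together with `severity: "LOW"` also means vulnerabilities without a fix are dropped silently, which is worth stating in the step comment. `scan-scope: all` is the only unquoted input value in the block; quote it like its neighbours.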
@@ -52,7 +52,7 @@ postUpdateOptions: ["gomodTidy", "gomodUpdateImportPaths"], packageRules: [ - // Enable pinning for container images + // Enable pinning for container images (main and supported release branches) // https://docs.renovatebot.com/presets-docker/#dockerpindigests { enabled: true, @@ -63,7 +63,7 @@ schedule: ["* * * * 0"], // weekly }, - // Base images from dev_tools/builder_images + // Base images from dev_tools/builder_images (main branch) // are upgraded separately as it requires two steps { enabled: true, @@ -73,6 +73,16 @@ groupSlug: "pin-builders", schedule: ["* * 1 * *"], // every month matchPaths: ["dev_tools/builder_images/**"], + matchBaseBranches: ["main"], + }, + + // Disable dev_tools/builder_images images upgrades + // for non-main branch + { + enabled: false, + matchDatasources: ["docker"], + matchPaths: ["dev_tools/builder_images/**"], + matchBaseBranches: ["!main"], }, // Disable non-security upgrades for go and npm. @@ -155,7 +165,7 @@ matchUpdateTypes: ["major", "minor", "patch"], }, - // Group GitHub Actions updates + // Group GitHub Actions updates for main branch { enabled: true, separateMajorMinor: false, @@ -163,6 +173,14 @@ matchManagers: ["github-actions"], matchPackagePatterns: ["*"], schedule: ["* * 1,15 * *"], // twice a month + matchBaseBranches: ["main"], + }, + + // Disable upgrades for non-main branches + { + enabled: false, + matchManagers: ["github-actions"], + matchBaseBranches: ["!main"], }, // Go version used in GitHub Actions is updated manually @@ -190,7 +208,7 @@ matchUpdateTypes: ["major", "minor", "patch"], }, - // Group Go version upgrades + // Group Go version upgrades for main branch { enabled: true, matchPackageNames: ["golang", "go"], 
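Review bot: The new `enabled: false` rule with `matchManagers: ["github-actions"]` and `matchBaseBranches: ["!main"]` switches off all action updates on every non-main branch, including the `release-2.13` branch that the next hunk explicitly keeps receiving Go toolchain updates; pinned action digests on that branch will therefore never pick up security fixes unless Renovate's vulnerability-alert handling is configured separately, which this file does not show. If that is intended, say so in the comment, e.g. `// Disable GitHub Actions upgrades for non-main branches (release branches get no action security bumps)`; otherwise narrow the rule with `matchUpdateTypes: ["major", "minor"]` or list the release branches that should still receive patches. The same `["!main"]` pattern is used for the builder-image rule earlier in this hunk set, so the decision should be recorded once and referenced from both.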
@@ -198,6 +216,19 @@ groupName: "Go version", groupSlug: "go-version", schedule: ["* * * * 0"], // weekly + matchBaseBranches: ["main"], + }, + + // Group Go version upgrades for supported release branch + // with necessary restrictions + { + enabled: true, + matchPackageNames: ["golang", "go"], + allowedVersions: "<1.24", + groupName: "Go version", + groupSlug: "go-version", + schedule: ["* * * * 0"], // weekly + matchBaseBranches: ["release-2.13"], }, // Restrict uv version used in workflows, it will be updated manually