chore: update dependencies (#551)

* chore: update dependencies

Signed-off-by: Rene Leonhardt <[email protected]>

* review: use previous (release) branches

Signed-off-by: Rene Leonhardt <[email protected]>

* review: restore duplicated matrix entries

Signed-off-by: Rene Leonhardt <[email protected]>

* review: configure APP_VERSION for docker build

Signed-off-by: Rene Leonhardt <[email protected]>

---------

Signed-off-by: Rene Leonhardt <[email protected]>

Author: reneleonhardt

.github/dependabot.yml

@@ -13,16 +13,24 @@
 # limitations under the License.
 
 version: 2
-# See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file.
+# See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 updates:
   - package-ecosystem: "pip"
-    directory: "/"
+    directories:
+      - "/"
+#      - "slsa_for_models/install"  # requirement lockfiles have to be maintained manually
     schedule:
       interval: "weekly"
     groups:
       all:
         patterns:
         - "*"
+  - package-ecosystem: "docker"
+    directories:
+      - "/"
+      - "slsa_for_models/kubeflow/images/*"
+    schedule:
+      interval: "weekly"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -31,3 +39,8 @@ updates:
       all:
         patterns:
         - "*"
+    allow:
+      - dependency-name: "pypa/hatch"
+        versions: [ "install" ] # stay on "install" branch
+      - dependency-name: "github/codeql-action"
+        versions: [ ">=4.0.0" ] # stay on "v4" tag (and "v5" in the future)

.github/workflows/codeql.yml

@@ -54,7 +54,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f9a7c6738f28efb36e31d49c53a201a9c5d6a476 # v2.14.2
+      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f9a7c6738f28efb36e31d49c53a201a9c5d6a476 # v2.14.2
+      uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f9a7c6738f28efb36e31d49c53a201a9c5d6a476 # v2.14.2
+      uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/cross_os.yml

@@ -73,7 +73,7 @@ jobs:
           name: model.zip
           path: model_root/
       - name: Set up Hatch
-        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: store beacon token into oidc-token.txt
         uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@b517a742e5a3db9e3cbf8e2e1c792b36982f78db # main
       - name: Sign the model
@@ -109,7 +109,7 @@ jobs:
         with:
           name: ${{ matrix.signed-with-os }}-model.sig
       - name: Set up Hatch
-        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: Verify the model
         run: |
           hatch run python -m model_signing verify sigstore model_root/ --use_staging --signature model.sig \

.github/workflows/docs.yml

@@ -34,7 +34,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Hatch
-        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: build docs
         run: hatch run docs:build
       - name: upload docs artifact

.github/workflows/integration.yml

@@ -44,7 +44,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Hatch
-      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
     - name: Run integration tests
       run: |
         set -euxo pipefail

.github/workflows/lint.yml

@@ -78,7 +78,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Hatch
-        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: Register pytype problem matcher
         run: echo "::add-matcher::$GITHUB_WORKSPACE/.github/pytype-problem-matcher.json"
       - name: Run type check
@@ -95,7 +95,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Hatch
-        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: Run python linting
         run: hatch fmt --check
         env:

.github/workflows/release.yml

@@ -33,7 +33,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Hatch
-      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
     - name: Build artifacts
       run: hatch build
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -83,6 +83,12 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Convert tag to version
+        run: |
+          tag="${{ github.event.release.tag_name }}"
+          version=${tag#v}  # Remove leading 'v' prefix
+          echo "APP_VERSION=${version}" >> $GITHUB_ENV
+
       - name: Build minimal image
         id: build_minimal_image
         uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
@@ -95,6 +101,7 @@ jobs:
           oci: false
           build-args: |
             BUILD_TYPE=minimal
+            APP_VERSION=${{ env.APP_VERSION }}
 
       - id: docker_meta_minimal
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -129,6 +136,7 @@ jobs:
           oci: false
           build-args: |
             BUILD_TYPE=full
+            APP_VERSION=${{ env.APP_VERSION }}
 
       - id: docker_meta_full
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0

.github/workflows/scorecard.yml

@@ -82,6 +82,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
         with:
           sarif_file: results.sarif

.github/workflows/unit_tests.yml

@@ -40,7 +40,7 @@ jobs:
       with:
         persist-credentials: false
     - name: Set up Hatch
-      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc
+      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
     - name: Run unit tests (with coverage report at the end)
       run: |
         set -euxo pipefail

Containerfile

@@ -15,7 +15,9 @@
 # Default
 ARG BUILD_TYPE=minimal
 
-FROM python:3.13-slim AS base_builder
+FROM python:3.13-slim AS base
+
+FROM base AS base_builder
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -32,11 +34,11 @@ WORKDIR /app
 COPY . /app
 RUN pip install .[pkcs11,otel]
 
-FROM python:3.13-slim AS minimal_image
+FROM base AS minimal_image
 COPY --from=minimal_install /usr/local/bin /usr/local/bin
 COPY --from=minimal_install /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
 
-FROM python:3.13-slim AS full_image
+FROM base AS full_image
 COPY --from=full_install /usr/local/bin /usr/local/bin
 COPY --from=full_install /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
 
@@ -45,7 +47,7 @@ FROM ${BUILD_TYPE}_image AS final_image
 ENTRYPOINT ["model_signing"]
 CMD ["--help"]
 
-ARG APP_VERSION="1.0.1"
+ARG APP_VERSION="1.1.1"
 
 LABEL org.opencontainers.image.title="Model Transparency Library" \
       org.opencontainers.image.description="Supply chain security for ML" \