
feat: add dependabot, scorecard, container build CI, and CI timeout#72

Open
pdettori wants to merge 2 commits into main from orchestrate/ci

Conversation

@pdettori (Collaborator)

Summary

Phase 4 of repo orchestration — completes the CI baseline. The repo already has strong ci.yaml and security-scans.yaml workflows; this PR fills the remaining gaps.

New files:

  • .github/dependabot.yml: weekly automated dependency updates for:

    • GitHub Actions (SHA pins stay current)
    • Python/pip — root pyproject.toml
    • Python/pip — plugins/examples/nemocheck/pyproject.toml
    • Docker — root Dockerfile base image
  • .github/workflows/scorecard.yml: OpenSSF Scorecard analysis

    • Triggers: push to main + weekly Monday schedule
    • Publishes results to GitHub Security tab and OpenSSF API (enables public badge)
    • All actions SHA-pinned
  • .github/workflows/build.yml: container image build and push

    • Triggers: tag push (v*) and workflow_dispatch
    • Multi-arch: linux/amd64 + linux/arm64 via QEMU
    • Pushes to ghcr.io/kagenti/plugins-adapter
    • Supports optional plugin_deps input to bake in plugins at build time
    • GitHub Actions layer cache for faster rebuilds

Modified:

  • .github/workflows/ci.yaml: add timeout-minutes: 15 to prevent hung CI jobs

What was already in place (not changed)

  • ci.yaml: lint (pre-commit/ruff), unit tests (server + nemocheck), Python 3.11/3.12 matrix
  • security-scans.yaml: dependency review, shellcheck, yamllint, hadolint, bandit, trivy, codeql, action pinning
  • stale.yaml: org reusable stale issue/PR workflow
  • self-assign.yml: org reusable self-assign workflow

Tier 3 (not included — optional)

  • Comment-triggered E2E (e2e-pr.yml) — not needed unless integration tests are added
  • Post-merge security SARIF upload — trivy already runs on PRs; post-merge upload can be added when Security tab is enabled

Test plan

  • Dependabot PRs appear within a week of merge
  • Scorecard workflow runs on merge to main (check Actions tab)
  • build.yml runs successfully on workflow_dispatch
  • CI matrix still passes (timeout added, no other changes)

Complete CI baseline for the repo:

- .github/dependabot.yml: weekly updates for GitHub Actions, Python
  dependencies (root + nemocheck plugin), and Docker base image
- .github/workflows/scorecard.yml: OpenSSF Scorecard on push to main
  and weekly schedule; publishes results to GitHub Security tab
- .github/workflows/build.yml: multi-arch (amd64+arm64) container image
  build and push to ghcr.io on tag push or manual trigger; supports
  optional PLUGIN_DEPS build-arg for baking in specific plugins
- .github/workflows/ci.yaml: add timeout-minutes: 15 to prevent hung jobs

All actions SHA-pinned (no tag-only references).

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
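As an added illustration, not the dependabot.yml from this PR (the file itself is not shown on the page), here is a `.github/dependabot.yml` covering the four update targets listed in the description. The directory paths are the ones named above; the choice of Monday as the weekly day, the `open-pull-requests-limit`, and the grouping of Action updates into one PR are assumptions.

```yaml
# .github/dependabot.yml  (added example; assumptions marked below)
version: 2
updates:
  # GitHub Actions: when steps are pinned to a full commit SHA, Dependabot
  # bumps the SHA and the trailing "# vX.Y.Z" comment together, so the pins
  # stay current without hand edits.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
      day: monday            # assumption: day not stated in the PR
    groups:                  # assumption: one PR per week for all Actions
      actions:
        patterns: ["*"]
    open-pull-requests-limit: 5   # assumption

  # Python: root pyproject.toml
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: weekly
      day: monday

  # Python: the nemocheck example plugin has its own pyproject.toml
  - package-ecosystem: pip
    directory: /plugins/examples/nemocheck
    schedule:
      interval: weekly
      day: monday

  # Docker: base image of the root Dockerfile (FROM ... tags or digests)
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
      day: monday
```

Dependabot only bumps what it can see: an unpinned `FROM python:3.12` (tag only) gets tag updates, while a `FROM python:3.12@sha256:...` gets digest updates, and only the latter is reproducible. The same applies to Actions, which is why the SHA-pinning the PR mentions and this Dependabot entry belong together.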
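Likewise an added example, not the scorecard.yml from this PR: a Scorecard workflow with the triggers the description gives (push to main plus a weekly Monday schedule), a read-only top-level permission block with write scopes granted only to the one job that needs them, and the same `timeout-minutes` guard the PR adds to ci.yaml. The `<full-commit-sha>` placeholders stand for the 40-character hash of the release you pin; the cron minute/hour and the `retention-days` value are assumptions.

```yaml
# .github/workflows/scorecard.yml  (added example; assumptions marked below)
name: OpenSSF Scorecard

on:
  push:
    branches: [main]
  schedule:
    - cron: "30 6 * * 1"   # assumption: weekly, Monday 06:30 UTC

# Scorecard's own Token-Permissions check wants the default to be read-only;
# write scopes are granted per job below.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    timeout-minutes: 15       # same hung-job guard the PR adds to ci.yaml
    permissions:
      security-events: write  # upload SARIF to the Security tab
      id-token: write         # OIDC token used to publish results to the OpenSSF API
      contents: read
      actions: read

    steps:
      - name: Checkout
        # Pin to a full commit SHA; keep the version comment so Dependabot
        # can bump both. Placeholder, replace with the real hash.
        uses: actions/checkout@<full-commit-sha> # v4.x.y
        with:
          persist-credentials: false   # don't leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@<full-commit-sha> # v2.x.y
        with:
          results_file: results.sarif
          results_format: sarif
          # publish_results: true is what enables the public badge; it needs
          # id-token: write above and only takes effect on the default branch.
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@<full-commit-sha> # v4.x.y
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5   # assumption

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3.x.y
        with:
          sarif_file: results.sarif
```

Two caveats a reviewer would check: Scorecard should not be triggered on `pull_request` with `publish_results: true` (results from forks must not be published), and the `upload-sarif` step silently no-ops into an error on repositories where code scanning is not enabled, which matches the note in the PR about enabling the Security tab first.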
@evaline-ju (Contributor) left a comment

The build is a bit complicated for this repo currently but the other additions lgtm - perhaps we could leave that off for now?

Contributor

I'm currently testing a parallel of this (though not as generic) - image building here requires building some envoy protos which we've kept separately from the Dockerfile for now since the Python compilation was pretty messy

The multi-arch container build workflow is not needed at this stage.
Remove it per evaline-ju's suggestion in PR review.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@pdettori (Collaborator, Author) left a comment

Good call — removed build.yml in the latest commit. The PR now only contains dependabot.yml, scorecard.yml, and the timeout-minutes addition to ci.yaml.
