🔧 chore(ci): enable Renovate and OpenSSF Scorecard reports (#2845)

AlexanderBarabanov · web-flow · commit 4a8117a2db44 · 2025-07-28T13:29:29.000+01:00
* enable renovate

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* disable dependabot

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* all deps

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* disable python upgrade

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* added Zizmor

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* added Zizmor

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* fix format

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* format

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* enable custom regexp

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* style

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* remove unnecessary block

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* added OpenSSF bage

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* added description

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

* style

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;

---------

Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;
diff --git a/.github/actions/security/zizmor/action.yaml b/.github/actions/security/zizmor/action.yaml
@@ -51,7 +51,8 @@ inputs:
   zizmor-version:
     description: "Zizmor version"
     required: false
-    default: "1.9.0"
+    # renovate: datasource=github-releases depName=zizmorcore/zizmor
+    default: 1.9.0
 
 outputs:
   scan_result:
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,101 @@
+// Dependency Update Configuration
+//
+// See https://docs.renovatebot.com/configuration-options/
+// See https://json5.org/ for JSON5 syntax
+
+// [!] While updating the Renovate config, test changes on your own fork.
+//  1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork.
+//  2. Enable the Renovate GitHub app in your GitHub account.
+//     Verify that Renovate is activated in the repository settings within the Renovate Dashboard.
+//     To enable the dashboard set `dependencyDashboard` to true
+//  3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate.
+//  4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts.
+//  5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR,
+//     and include links in the description to share details about the testing you've conducted.
+
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["* * * * 0"], // weekly
+  },
+
+  extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"],
+  // https://docs.renovatebot.com/presets-default/#gitsignoff
+  // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+
+  // if necessary, add supported releases branches here
+  // it is possible to enable/disable specific upgrades per branch with
+  // `matchBaseBranches` in specific rule
+  baseBranches: ["main"],
+
+  enabledManagers: ["github-actions", "pep621", "custom.regex"],
+
+  // Set limit to 10
+  ignorePresets: [":prHourlyLimit2"],
+  prHourlyLimit: 10,
+
+  packageRules: [
+    // weekly dependencies upgrades
+    {
+      enabled: true,
+      matchManagers: ["pep621"],
+      schedule: ["* * * * 0"], // weekly
+    },
+
+    // Python version is upgraded manually
+    {
+      enabled: false,
+      matchDatasources: ["python-version"],
+      matchDepNames: ["python"],
+      matchDepTypes: ["requires-python"],
+    },
+
+    // disable open-clip-torch upgrades as
+    // open-clip-torch throws error on v2.26.1
+    {
+      enabled: false,
+      matchDatasources: ["pypi"],
+      matchDepNames: ["open-clip-torch"],
+      matchDepTypes: ["project.optional-dependencies"],
+    },
+
+    // Group GitHub Actions updates
+    {
+      enabled: true,
+      separateMajorMinor: false,
+      groupName: "GitHub Actions",
+      matchManagers: ["github-actions"],
+      matchPackagePatterns: ["*"],
+      schedule: ["* * 1 * *"], // every month
+    },
+
+    // Python version used in GitHub Actions is updated manually
+    {
+      enabled: false,
+      matchDatasources: ["github-releases"],
+      matchDepNames: ["python"],
+      matchDepTypes: ["uses-with"],
+    },
+  ],
+
+  // is used to upgrade Zizmor version
+  customManagers: [
+    {
+      fileMatch: ["^\\.github/actions/security/zizmor/[^/]+\\.ya?ml$"],
+      //   https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
+      matchStrings: [
+        "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+.+default: (?<currentValue>.*)",
+      ],
+    },
+  ],
+
+  // Enable security upgrades
+  vulnerabilityAlerts: {
+    enabled: true,
+  },
+  osvVulnerabilityAlerts: true,
+  dependencyDashboard: true,
+}
diff --git a/.github/workflows/_reusable-security-scan.yaml b/.github/workflows/_reusable-security-scan.yaml
@@ -115,16 +115,6 @@ jobs:
           fetch-depth: 0 # Required for changed files detection
           persist-credentials: false
 
-      # These steps are required to lock dependencies in requirements.txt that will by used by Trivy
-      - name: Set up Python
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
-        with:
-          python-version: "3.10"
-      - name: Install dependencies
-        run: python -m pip install pip-tools
-      - name: Freeze dependencies
-        run: pip-compile --extra=full -o requirements.txt pyproject.toml
-
       - name: Run Trivy scan
         id: trivy
         uses: ./.github/actions/security/trivy
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml
@@ -0,0 +1,51 @@
+# Renovate configuration validator
+#
+# This workflow validates changes proposed into Renovate configuration file,
+# located .github/renovate.json5.
+#
+# Key Features:
+# - Validate changes and prevent non-valid configuration to be used by Renovate.
+#
+# Process Stages:
+# Configuration validation:
+#    - Runs on PR into .github/renovate.json5 and validate changes.
+#
+# Required Secrets:
+# - None
+#
+# Example Usage:
+# Automatically triggered on:
+# - Pull requests to .github/renovate.json5.
+#
+# Note: None.
+
+name: Validate Renovate configuration
+
+on:
+  pull_request:
+    paths:
+      - ".github/renovate.json5"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout configuration
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Validate configuration
+        run: |
+          # renovate: datasource=docker
+          export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11
+          docker run --rm --entrypoint "renovate-config-validator" \
+          -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
+          ${RENOVATE_IMAGE} "/renovate.json5"
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -0,0 +1,85 @@
+# Dependencies Management Workflow
+#
+# This workflow automates the dependence management based on self-hosed Renovate
+# ensure the project's dependencies remains up-to-date and
+# security fixes are delivered regularly.
+#
+# Key Features:
+# - Automated PR creation into pyproject.toml and uv.lock regeneration
+# - Dry-run for debug purposes
+# - Dependency dashboard (is available in GitHub issues) maintenance
+#
+# Process Stages:
+#
+# 1. Dependencies Management:
+#    - Runs on a daily schedule.
+#    - Identifies dependencies that may be updated based on .github/renovate.json5 configuration.
+#    - Opens corresponding PRs with respect to schedule defined in Renovate config file.
+#    - Updates Renovate Dependency dashboard that is available in GitHub issues.
+#
+# Required Secrets:
+# - RENOVATE_APP_ID: application ID
+# - RENOVATE_APP_PEM: application private key
+#
+# Example Usage:
+# 1. Scheduled Run:
+#    Automatically runs, daily
+#
+# 2. Manual Trigger:
+#    workflow_dispatch:
+#    inputs:
+#      dry-run:
+#        description: "Run Renovate in dry-run mode (no PR)"
+#        required: false
+#        default: false
+#        type: boolean
+#
+# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues.
+
+name: Renovate
+on:
+  schedule:
+    # daily
+    - cron: "0 2 * * *"
+
+  # allow to manually trigger this workflow
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Run Renovate in dry-run mode (no PR)"
+        required: false
+        default: false
+        type: boolean
+
+permissions: {}
+
+jobs:
+  renovate:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Get token
+        id: get-github-app-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0
+        with:
+          configurationFile: .github/renovate.json5
+          token: "${{ steps.get-github-app-token.outputs.token }}"
+        env:
+          LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }}
+          # Dry run if the event is workflow_dispatch AND the dry-run input is true
+          RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }}
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: ${{ github.repository }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -0,0 +1,61 @@
+# OpenSSF Scorecard Checks Workflow
+#
+# This workflow uses ossf/scorecard-action action to check repo based on
+# OpenSSF Scorecard requirements / best practices
+#
+# Key Features:
+# - Check the repo based on OpenSSF Scorecard requirements
+# - Upload results into Security tab and OpenSSF
+# - Scheduled daily scans
+#
+# Process Stages:
+# 1. Scheduled Execution (Daily at 2 AM UTC)
+# 2. Manual Execution
+#
+# Required Permissions:
+# - id-token: write
+# - security-events: write
+#
+# Note: Results are available in the Security tab and
+# https://scorecard.dev/viewer/?uri=github.com/open-edge-platform/anomalib
+
+name: Scorecards supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  schedule:
+    # Run security checks every day at 2 AM UTC
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard
+      security-events: write
+      # Needed to publish results and get a badge
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results to GitHub's code scanning dashboard
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@
 [![codecov](https://codecov.io/gh/open-edge-platform/anomalib/branch/main/graph/badge.svg?token=Z6A07N1BZK)](https://codecov.io/gh/open-edge-platform/anomalib)
 [![Downloads](https://static.pepy.tech/personalized-badge/anomalib?period=total&units=international_system&left_color=grey&right_color=green&left_text=PyPI%20Downloads)](https://pepy.tech/project/anomalib)
 [![snyk](https://snyk.io/advisor/python/anomalib/badge.svg)](https://snyk.io/advisor/python/anomalib)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8330/badge)](https://www.bestpractices.dev/projects/8330)
 
 [![ReadTheDocs](https://readthedocs.org/projects/anomalib/badge/?version=latest)](https://anomalib.readthedocs.io/en/latest/?badge=latest)
 [![Anomalib - Gurubase docs](https://img.shields.io/badge/Gurubase-Ask%20Anomalib%20Guru-006BFF)](https://gurubase.io/g/anomalib)
diff --git a/docs/source/examples b/docs/source/examples
@@ -1 +1 @@
-../../examples
+../../examples
