Updates permissions, secrets, and pins to action SHA (open-edge-platform#126)

alponsirenas · web-flow · commit d5ed768d753d · 2025-04-29T08:00:05.000-07:00
diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml
@@ -11,6 +11,11 @@ on:  # yamllint disable-line rule:truthy
       - release-*
   workflow_dispatch:
 
+permissions:
+  contents: read          # needed for actions/checkout
+  pull-requests: read     # needed for gh pr list
+  issues: write           # needed to post PR comment
+
 jobs:
   filter:
     runs-on: ubuntu-latest
@@ -21,6 +26,7 @@ jobs:
       object-store_changed: ${{ steps.filter.outputs.object-store }}
       chat-question-and-answer_changed: ${{ steps.filter.outputs.chat-question-and-answer }}
       visual-pipeline-platform-tool_changed: ${{ steps.filter.outputs.visual-pipeline-platform-tool }}
+      chat-question-and-answer-core_changed: ${{ steps.filter.outputs.chat-question-and-answer-core }}
     steps:
       - uses: actions/checkout@v4
       - name: Set paths filter
@@ -40,40 +46,76 @@ jobs:
               - 'sample-applications/chat-question-and-answer/docs**'
             visual-pipeline-platform-tool:
               - 'tools/visual-pipeline-and-platform-evaluation-tool/docs**'
+            chat-question-and-answer-core:
+              - 'sample-applications/chat-question-and-answer-core/docs**'
 
   build_dlstreamer-pipeline-server:
-    if: ${{ (github.event.inputs.target == 'dlstreamer-pipeline-server') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.dlstreamer-pipeline-server_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/dlstreamer-pipeline-server
   build_document-ingestion:
-    if: ${{ (github.event.inputs.target == 'document-ingestion') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.document-ingestion_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/document-ingestion
   build_model-registry:
-    if: ${{ (github.event.inputs.target == 'model-registry') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.model-registry_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/model-registry
   build_object-store:
-    if: ${{ (github.event.inputs.target == 'object-store') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.object-store_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/object-store
   build_chat-question-and-answer:
-    if: ${{ (github.event.inputs.target == 'chat-question-and-answer') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.chat-question-and-answer_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: sample-applications/chat-question-and-answer
   build_visual-pipeline-platform-tool:
-    if: ${{ (github.event.inputs.target == 'visual-pipeline-platform-tool') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
-    secrets: inherit
+    needs: filter
+    if: ${{ needs.filter.outputs.visual-pipeline-platform-tool_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: tools/visual-pipeline-and-platform-evaluation-tool
+  build_chat-question-and-answer-core:
+    needs: filter
+    if: ${{ needs.filter.outputs.chat-question-and-answer-core_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
+    with:
+      docs_directory: sample-applications/chat-question-and-answer-core
diff --git a/.github/workflows/pre-merge.yml b/.github/workflows/pre-merge.yml
@@ -11,6 +11,9 @@ on:  # yamllint disable-line rule:truthy
       - release-*
   workflow_dispatch:
 
+permissions:
+  contents: read          # needed for actions/checkout
+
 jobs:
   filter:
     runs-on: ubuntu-latest
@@ -21,6 +24,7 @@ jobs:
       object-store_changed: ${{ steps.filter.outputs.object-store }}
       chat-question-and-answer_changed: ${{ steps.filter.outputs.chat-question-and-answer }}
       visual-pipeline-platform-tool_changed: ${{ steps.filter.outputs.visual-pipeline-platform-tool }}
+      chat-question-and-answer-core_changed: ${{ steps.filter.outputs.chat-question-and-answer-core }}
     steps:
       - uses: actions/checkout@v4
       - name: Set paths filter
@@ -40,46 +44,76 @@ jobs:
               - 'sample-applications/chat-question-and-answer/docs**'
             visual-pipeline-platform-tool:
               - 'tools/visual-pipeline-and-platform-evaluation-tool/docs**'
+            chat-question-and-answer-core:
+              - 'sample-applications/chat-question-and-answer-core/docs**'
   build_dlstreamer-pipeline-server:
     needs: filter
     if: ${{ needs.filter.outputs.dlstreamer-pipeline-server_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/dlstreamer-pipeline-server
   build_document-ingestion:
     needs: filter
     if: ${{ needs.filter.outputs.document-ingestion_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/document-ingestion
   build_model-registry:
     needs: filter
     if: ${{ needs.filter.outputs.model-registry_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/model-registry
   build_object-store:
     needs: filter
     if: ${{ needs.filter.outputs.object-store_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: microservices/object-store
   build_chat-question-and-answer:
     needs: filter
     if: ${{ needs.filter.outputs.chat-question-and-answer_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: sample-applications/chat-question-and-answer
   build_visual-pipeline-platform-tool:
     needs: filter
     if: ${{ needs.filter.outputs.visual-pipeline-platform-tool_changed == 'true' }}
-    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@main
-    secrets: inherit
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
     with:
       docs_directory: tools/visual-pipeline-and-platform-evaluation-tool
+  build_chat-question-and-answer-core:
+    needs: filter
+    if: ${{ needs.filter.outputs.chat-question-and-answer-core_changed == 'true' }}
+    uses: open-edge-platform/orch-ci/.github/workflows/build-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
+    secrets:
+      SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
+      DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
+      DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
+    with:
+      docs_directory: sample-applications/chat-question-and-answer-core
 
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -16,10 +16,15 @@ on:
         - visual-pipeline-platform-tool
         - chat-question-and-answer-core
 
+permissions:
+  contents: read          # needed for actions/checkout
+  pull-requests: read     # needed for gh pr list
+  issues: write           # needed to post PR comment
+
 jobs:
   build_dlstreamer-pipeline-server:
     if: ${{ (github.event.inputs.target == 'dlstreamer-pipeline-server') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -28,7 +33,7 @@ jobs:
       docs_directory: microservices/dlstreamer-pipeline-server
   build_document-ingestion:
     if: ${{ (github.event.inputs.target == 'document-ingestion') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -37,7 +42,7 @@ jobs:
       docs_directory: microservices/document-ingestion
   build_model-registry:
     if: ${{ (github.event.inputs.target == 'model-registry') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -46,7 +51,7 @@ jobs:
       docs_directory: microservices/model-registry
   build_object-store:
     if: ${{ (github.event.inputs.target == 'object-store') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -55,7 +60,7 @@ jobs:
       docs_directory: microservices/object-store
   build_chat-question-and-answer:
     if: ${{ (github.event.inputs.target == 'chat-question-and-answer') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -64,7 +69,7 @@ jobs:
       docs_directory: sample-applications/chat-question-and-answer
   build_visual-pipeline-platform-tool:
     if: ${{ (github.event.inputs.target == 'visual-pipeline-platform-tool') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
@@ -73,7 +78,7 @@ jobs:
       docs_directory: tools/visual-pipeline-and-platform-evaluation-tool
   build_chat-question-and-answer-core:
     if: ${{ (github.event.inputs.target == 'chat-question-and-answer-core') || (github.event.inputs.target == 'all-documentation') }}
-    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@main
+    uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
     secrets:
       SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
       DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
