From c5868209cf81bf652be8e395ab1c14d9260a20d2 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 14:07:22 +0100 Subject: [PATCH 01/10] Dependabot Tracker dependencies --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 41adb07b2..5f59faea6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -47,6 +47,7 @@ updates: - "/cluster_analytics" - "/controller/src/robot_vision" - "/mapping" + - "/tracker" schedule: interval: "monthly" commit-message: @@ -64,6 +65,7 @@ updates: - "/tests/compose/dlstreamer" - "/tests/perf_tests/compose" - "/tools/ppl_runner" + - "/tracker/test/service" schedule: interval: "monthly" commit-message: @@ -87,6 +89,7 @@ updates: - "/cluster_analytics" - "/mapping" - "/mapping/tests" + - "/tracker/test/service" schedule: interval: "monthly" commit-message: From ed3331b57d3ad1cd98a5eb8c63c08793cf630735 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 14:40:31 +0100 Subject: [PATCH 02/10] Update tracker-service.yaml --- .github/workflows/tracker-service.yaml | 79 ++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index cf8aea0bf..f314c1991 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml 
@@ -79,6 +79,85 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python + license-check: + name: "REUSE License Compliance" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "REUSE Compliance Check" + uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 + + gitleaks-scan: + name: "Secrets Scanning" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "Install gitleaks" + uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + bootstrap_tools: "gitleaks" + + - name: "Clone CI repo" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: open-edge-platform/orch-ci + path: ci + persist-credentials: false + + - name: "Scan for secrets in tracker directory" + run: | + gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json + + - name: "Upload Gitleaks Report" + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: gitleaks-report + path: gitleaks.json + + bandit-scan: + name: "Python Security Scan" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "Run Bandit scan on tracker Python code" + if: github.event_name == 'pull_request' + uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + scan-scope: "changed" + severity-level: "HIGH" + output-format: "txt" + config_file: 
".github/resources/bandit.config" + fail-on-findings: "true" + + - name: "Run Bandit scan on tracker Python code" + if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' + uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + scan-scope: "all" + severity-level: "HIGH" + output-format: "txt" + config_file: ".github/resources/bandit.config" + fail-on-findings: "true" + trivy-scan: name: "Trivy security scan (optional)" runs-on: ubuntu-latest From 19836c9e254923c5e75c5db362f93c4a05101355 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:00:47 +0100 Subject: [PATCH 03/10] Update GitLeaks part --- .github/workflows/tracker-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index f314c1991..040085f1c 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -118,7 +118,7 @@ jobs: - name: "Scan for secrets in tracker directory" run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json + gitleaks dir tracker/ -v -c ci/.gitleaks.toml -r gitleaks.json - name: "Upload Gitleaks Report" if: always() From ec10543fe6500e993ce4423c2da89ba7dadb15e8 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:36:55 +0100 Subject: [PATCH 04/10] Coverity C++: For push events to main, compare commit to its parent --- .github/workflows/coverity.yml | 56 +++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4fb598b55..4a51035f6 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml 
@@ -46,35 +46,47 @@ jobs: echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 + fi + + if [ -z "$GITHUB_SHA" ]; then + echo "Error: GITHUB_SHA is not set or empty." + exit 1 + fi + + # For push events to main, compare commit to its parent + if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "Push to main: comparing $GITHUB_SHA to its parent" + changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else + # For other events (merge_group, etc), compare to main branch if [ "$(git rev-parse --abbrev-ref HEAD)" != "main" ]; then git fetch origin main:main echo "Fetched main branch" fi - if [ -z "$GITHUB_SHA" ]; then - echo "Error: GITHUB_SHA is not set or empty." - exit 1 - fi - changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') - if [ $? -ne 0 ]; then - echo "Error: git diff command failed." - exit 1 - fi - echo "Performed git diff" - if [ -z "$changed_files" ]; then - echo "No relevant changed files detected." - echo "run-analysis=false" >> $GITHUB_OUTPUT - exit 0 - else - run_analysis=true - fi - echo "Changed files:" - echo "$changed_files" - echo "Run analysis:" - echo "$run_analysis" - echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT + changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') + fi + + if [ $? -ne 0 ]; then + echo "Error: git diff command failed." + exit 1 fi + echo "Performed git diff" + + if [ -z "$changed_files" ]; then + echo "No relevant changed files detected." + echo "run-analysis=false" >> $GITHUB_OUTPUT + exit 0 + else + run_analysis=true + fi + + echo "Changed files:" + echo "$changed_files" + echo "Run analysis:" + echo "$run_analysis" + echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT + coverity-scan: name: "Coverity Scan" needs: detect-languages From f0698bc20027c4d0cff0b0f9cbd1475202756d69 Mon Sep 17 00:00:00 2001 
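Review bot: The new push-to-main branch runs `git diff --name-only $GITHUB_SHA^..$GITHUB_SHA`, which needs the parent commit in the clone; with a default shallow checkout (the checkout step is outside this hunk) `$GITHUB_SHA^` does not exist, the diff fails, and the following `$? -ne 0` check turns that into a hard `exit 1` instead of a skipped analysis. Fetching the parent first, `git fetch --depth=2 origin "$GITHUB_SHA"`, or setting `fetch-depth: 2` on the checkout would make the comparison valid. Testing `$?` only after the closing `fi` also works in bash only because the last command in each branch is the assignment; `if ! changed_files=$(git diff ...); then` inside each branch states the intent directly. The enclosing `run:` block starts before this hunk, and PATCH 08 reverts the whole step, so this matters only if the change is reinstated.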
From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:52:08 +0100 Subject: [PATCH 05/10] Zizmor alert workaround --- .github/workflows/coverity.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4a51035f6..d5e1e871d 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -41,8 +41,11 @@ jobs: - name: "Detect changed languages" id: detect-langs + env: + EVENT_NAME: ${{ github.event_name }} + REF_NAME: ${{ github.ref }} run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + if [ "$EVENT_NAME" == "workflow_dispatch" ]; then echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 @@ -54,7 +57,7 @@ jobs: fi # For push events to main, compare commit to its parent - if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/main" ]; then + if [ "$EVENT_NAME" == "push" ] && [ "$REF_NAME" == "refs/heads/main" ]; then echo "Push to main: comparing $GITHUB_SHA to its parent" changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else From b2361d88818e4629fa5d3a2cde987067cccf26e7 Mon Sep 17 00:00:00 2001 From: Dmytro Yermolenko Date: Fri, 13 Feb 2026 15:53:12 +0100 Subject: [PATCH 06/10] Update .github/workflows/tracker-service.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/tracker-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index 040085f1c..f314c1991 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml 
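Review bot: `REF_NAME` is filled from `github.ref`, which is the full `refs/heads/...` ref, while the name suggests `github.ref_name`; the comparison against `"refs/heads/main"` is consistent, but a reader skimming the env block will expect a bare branch name. Either rename it (`GITHUB_REF_FULL: ${{ github.ref }}`) or use `REF_NAME: ${{ github.ref_name }}` with `[ "$REF_NAME" == "main" ]`. Moving the event values into `env:` instead of interpolating them into the script is the right shape and applies to both hunks of this patch; note that PATCH 08 reverts it.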
@@ -118,7 +118,7 @@ jobs: - name: "Scan for secrets in tracker directory" run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml -r gitleaks.json + gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json - name: "Upload Gitleaks Report" if: always() From 44d28b97e012b5feb3aa4f4501b36a57b2323d64 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 16:01:26 +0100 Subject: [PATCH 07/10] Change Bandit run names --- .github/workflows/tracker-service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index f314c1991..863332416 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -138,7 +138,7 @@ jobs: with: persist-credentials: false - - name: "Run Bandit scan on tracker Python code" + - name: "Run Bandit scan on Tracker Python code (CHANGED)" if: github.event_name == 'pull_request' uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda with: @@ -148,7 +148,7 @@ jobs: config_file: ".github/resources/bandit.config" fail-on-findings: "true" - - name: "Run Bandit scan on tracker Python code" + - name: "Run Bandit scan on Tracker Python code (ALL)" if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda with: From 5b75b15f7194ffc636d7bf9e554758aec885d907 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Mon, 16 Feb 2026 11:29:06 +0100 Subject: [PATCH 08/10] revert Coverity changes --- .github/workflows/coverity.yml | 61 +++++++++++++--------------------- 1 file changed, 23 insertions(+), 38 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index d5e1e871d..4fb598b55 100644 --- a/.github/workflows/coverity.yml 
+++ b/.github/workflows/coverity.yml 
@@ -41,55 +41,40 @@ jobs: - name: "Detect changed languages" id: detect-langs - env: - EVENT_NAME: ${{ github.event_name }} - REF_NAME: ${{ github.ref }} run: | - if [ "$EVENT_NAME" == "workflow_dispatch" ]; then + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 - fi - - if [ -z "$GITHUB_SHA" ]; then - echo "Error: GITHUB_SHA is not set or empty." - exit 1 - fi - - # For push events to main, compare commit to its parent - if [ "$EVENT_NAME" == "push" ] && [ "$REF_NAME" == "refs/heads/main" ]; then - echo "Push to main: comparing $GITHUB_SHA to its parent" - changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else - # For other events (merge_group, etc), compare to main branch if [ "$(git rev-parse --abbrev-ref HEAD)" != "main" ]; then git fetch origin main:main echo "Fetched main branch" fi - changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') - fi - - if [ $? -ne 0 ]; then - echo "Error: git diff command failed." - exit 1 - fi - - echo "Performed git diff" - - if [ -z "$changed_files" ]; then - echo "No relevant changed files detected." - echo "run-analysis=false" >> $GITHUB_OUTPUT - exit 0 - else - run_analysis=true + if [ -z "$GITHUB_SHA" ]; then + echo "Error: GITHUB_SHA is not set or empty." + exit 1 + fi + changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') + if [ $? -ne 0 ]; then + echo "Error: git diff command failed." + exit 1 + fi + echo "Performed git diff" + if [ -z "$changed_files" ]; then + echo "No relevant changed files detected." 
+ echo "run-analysis=false" >> $GITHUB_OUTPUT + exit 0 + else + run_analysis=true + fi + echo "Changed files:" + echo "$changed_files" + echo "Run analysis:" + echo "$run_analysis" + echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT fi - echo "Changed files:" - echo "$changed_files" - echo "Run analysis:" - echo "$run_analysis" - echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT - coverity-scan: name: "Coverity Scan" needs: detect-languages From 4d9b22007db2235a8c6263fdfa2f9ea3e7765db5 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Mon, 16 Feb 2026 16:24:19 +0100 Subject: [PATCH 09/10] Remove duplicating workflows --- .github/workflows/tracker-service.yaml | 45 -------------------------- 1 file changed, 45 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index 863332416..d5bd6f519 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -79,20 +79,6 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python - license-check: - name: "REUSE License Compliance" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "REUSE Compliance Check" - uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 - gitleaks-scan: name: "Secrets Scanning" runs-on: ubuntu-latest 
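Review bot: The revert re-inlines `"${{ github.event_name }}"` into the shell script, dropping the `env:` indirection that PATCH 05 introduced to clear the zizmor template-injection finding. `github.event_name` is a fixed vocabulary rather than user-supplied text, so the practical exposure is low, but the env form costs nothing and keeps the linter clean; if the intent is an exact revert of PATCH 04 only, keeping the three `env:` lines and the `$EVENT_NAME` comparisons would achieve that without reopening the finding. The hunk's `run:` block continues past its last visible line.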
@@ -127,37 +113,6 @@ jobs: name: gitleaks-report path: gitleaks.json - bandit-scan: - name: "Python Security Scan" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "Run Bandit scan on Tracker Python code (CHANGED)" - if: github.event_name == 'pull_request' - uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - scan-scope: "changed" - severity-level: "HIGH" - output-format: "txt" - config_file: ".github/resources/bandit.config" - fail-on-findings: "true" - - - name: "Run Bandit scan on Tracker Python code (ALL)" - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' - uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - scan-scope: "all" - severity-level: "HIGH" - output-format: "txt" - config_file: ".github/resources/bandit.config" - fail-on-findings: "true" - trivy-scan: name: "Trivy security scan (optional)" runs-on: ubuntu-latest From 51cbb2c86329edc95580b6907f518d1dfeaecf2c Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Wed, 18 Feb 2026 11:46:44 +0100 Subject: [PATCH 10/10] Refactor path changes to run workflow --- .github/workflows/tracker-service.yaml | 75 ++++++++++++-------------- 1 file changed, 35 insertions(+), 40 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index d5bd6f519..d49952fc3 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -11,15 +11,9 @@ on: # yamllint disable-line rule:truthy - main - release-* - tracker-service-* - paths: - - "tracker/**" - - ".github/workflows/tracker-service.yaml" push: branches: - main - paths: - - "tracker/**" - - ".github/workflows/tracker-service.yaml" workflow_dispatch: {} concurrency: 
@@ -30,8 +24,33 @@ permissions: contents: read jobs: + detect-changes: + name: "Detect Tracker Changes" + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + run-jobs: ${{ steps.changes.outputs.tracker }} + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + fetch-depth: 0 # Fetch all history for accurate diff + + - name: "Detect tracker changes" + id: changes + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 + with: + filters: | + tracker: + - 'tracker/**' + - '.github/workflows/tracker-service.yaml' + lint-cpp-code: name: "Lint C++ code" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code" @@ -49,6 +68,8 @@ jobs: lint-dockerfile: name: "Lint Dockerfile" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code" @@ -66,6 +87,8 @@ jobs: lint-python: name: "Lint Python code" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code" 
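Review bot: The `detect-changes` job restricts the token to `permissions: contents: read`, but `dorny/paths-filter` resolves the changed-file list for `pull_request` events through the GitHub API and its documentation asks for `pull-requests: read`; with only `contents: read` the step would likely fail or fall back, so add `pull-requests: read` to that job's permissions block (confirm against the pinned v3.0.2 behaviour). The gate `if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }}` is then repeated verbatim on every dependent job in this hunk and in the `@@ -49`, `@@ -66`, `@@ -79`, `@@ -135` and `@@ -210` hunks; folding the manual-dispatch case into the output, `run-jobs: ${{ github.event_name == 'workflow_dispatch' || steps.changes.outputs.tracker == 'true' }}`, lets each job use the single line `if: needs.detect-changes.outputs.run-jobs == 'true'`. Because the `if` contains no status-check function, a failed `detect-changes` still skips the dependents even on `workflow_dispatch`, which is worth a comment on the job so nobody expects the manual trigger to bypass it.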
@@ -79,42 +102,10 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python - gitleaks-scan: - name: "Secrets Scanning" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "Install gitleaks" - uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - bootstrap_tools: "gitleaks" - - - name: "Clone CI repo" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: open-edge-platform/orch-ci - path: ci - persist-credentials: false - - - name: "Scan for secrets in tracker directory" - run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json - - - name: "Upload Gitleaks Report" - if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: gitleaks-report - path: gitleaks.json - trivy-scan: name: "Trivy security scan (optional)" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code" @@ -135,6 +126,8 @@ jobs: native-build-and-test: name: "Native build and unit tests" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code" @@ -210,6 +203,8 @@ jobs: docker-build-and-test: name: "Docker build and service tests" + needs: detect-changes + if: ${{ github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run-jobs == 'true' }} runs-on: ubuntu-latest steps: - name: "Checkout code"
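Review bot: The `gitleaks-scan` job is deleted in this hunk under a commit titled "Refactor path changes to run workflow", while PATCH 09 removed the other scanners as "duplicating workflows"; nothing in the series names the repository-level workflow that now covers secrets scanning for `tracker/`, so the removal reads as an unrelated change folded into a refactor. Splitting it into its own commit whose message points at the replacing workflow, or leaving a one-line comment near `trivy-scan:` such as `# Secrets scanning for tracker/ is handled by the repo-wide gitleaks workflow`, keeps that decision auditable.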