[ITEP-83030] CI for Tracker Service

.github/dependabot.yml

@@ -47,6 +47,7 @@ updates:
       - "/cluster_analytics"
       - "/controller/src/robot_vision"
       - "/mapping"
+      - "/tracker"
     schedule:
       interval: "monthly"
     commit-message:
@@ -64,6 +65,7 @@ updates:
       - "/tests/compose/dlstreamer"
       - "/tests/perf_tests/compose"
       - "/tools/ppl_runner"
+      - "/tracker/test/service"
     schedule:
       interval: "monthly"
     commit-message:
@@ -87,6 +89,7 @@ updates:
       - "/cluster_analytics"
       - "/mapping"
       - "/mapping/tests"
+      - "/tracker/test/service"
     schedule:
       interval: "monthly"
     commit-message:

.github/workflows/tracker-service.yaml

@@ -79,6 +79,85 @@ jobs:
       - name: "Lint Python files"
         run: make -C tracker lint-python
 
+  license-check:
+    name: "REUSE License Compliance"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "REUSE Compliance Check"
+        uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
+
+  gitleaks-scan:
+    name: "Secrets Scanning"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Install gitleaks"
+        uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda
+        with:
+          bootstrap_tools: "gitleaks"
+
+      - name: "Clone CI repo"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: open-edge-platform/orch-ci
+          path: ci
+          persist-credentials: false
+
+      - name: "Scan for secrets in tracker directory"
+        run: |
+          gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json
+
+      - name: "Upload Gitleaks Report"
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: gitleaks-report
+          path: gitleaks.json
+
+  bandit-scan:
+    name: "Python Security Scan"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Run Bandit scan on Tracker Python code (CHANGED)"
+        if: github.event_name == 'pull_request'
+        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda
+        with:
+          scan-scope: "changed"
+          severity-level: "HIGH"
+          output-format: "txt"
+          config_file: ".github/resources/bandit.config"
+          fail-on-findings: "true"
+
+      - name: "Run Bandit scan on Tracker Python code (ALL)"
+        if: github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+        uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda
+        with:
+          scan-scope: "all"
+          severity-level: "HIGH"
+          output-format: "txt"
+          config_file: ".github/resources/bandit.config"
+          fail-on-findings: "true"
+
   trivy-scan:
     name: "Trivy security scan (optional)"
     runs-on: ubuntu-latest