opendatahub-io
diff --git a/‎.github/workflows/run-tests.yml‎
Lines changed: 13 additions & 7 deletions b/‎.github/workflows/run-tests.yml‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎.github/workflows/security.yml‎
Lines changed: 8 additions & 7 deletions b/‎.github/workflows/security.yml‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎.github/workflows/validate-deps.yml‎
Lines changed: 116 additions & 0 deletions b/‎.github/workflows/validate-deps.yml‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎Containerfile‎
Lines changed: 9 additions & 6 deletions b/‎Containerfile‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 8 additions & 8 deletions b/‎pyproject.toml‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎requirements-inline-extra.txt‎
Lines changed: 0 additions & 2 deletions b/‎requirements-inline-extra.txt‎
Lines changed: 0 additions & 2 deletions
@@ -1,4 +1,4 @@
-name: Run Tests
+name: Tier 1 - Unit Tests
 
 on:
   pull_request:
@@ -7,26 +7,32 @@ on:
     branches: [main]
 
 jobs:
-  test:
-    name: Run Tests
+  unit-tests:
+    name: Unit Tests
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
 
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          python -m pip install -e ".[dev,inline,server]"
+          python -m pip install --no-cache-dir -e ".[test]"
+
+      - name: Smoke-test imports
+        run: |
+          python -c "import numpy; print('numpy OK')"
+          python -c "import pandas; print('pandas OK')"
+          python -c "import llama_stack_provider_trustyai_garak; print('provider OK')"
 
       - name: Run tests
         env:
           PYTHONPATH: src
         run: |
-          pytest tests -v
+          pytest tests -v
@@ -10,24 +10,25 @@ jobs:
   trivy-scan:
     name: Trivy Security Scan
     runs-on: ubuntu-latest
+    container:
+      image: registry.access.redhat.com/ubi9/python-312:latest
+      options: --user root
     permissions:
       contents: read
       security-events: write
       actions: read
 
     steps:
+
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.12'
-
-      - name: Install dependencies
+      - name: Install runtime deps
         run: |
           python -m pip install --upgrade pip
-          python -m pip install -e ".[dev]"
+          python -m pip install --no-cache-dir \
+            -r requirements.txt
+          python -m pip install --no-cache-dir --no-deps .
 
       - name: Run Trivy filesystem scan
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 
@@ -0,0 +1,116 @@
+name: Validate Dependencies
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  sync-requirements:
+    name: Auto-sync requirements.txt
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        run: python -m pip install --upgrade pip uv
+
+      - name: Regenerate requirements.txt
+        run: |
+          uv pip compile \
+            --python-platform linux \
+            --extra inline \
+            --emit-index-url \
+            --default-index https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9-test/simple/ \
+            pyproject.toml \
+            --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9-test/simple/ \
+            -o requirements.txt
+
+      - name: Commit if changed
+        run: |
+          git diff --quiet requirements.txt && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add requirements.txt
+          git commit -m "chore: auto-sync requirements.txt from pyproject.toml"
+          git push
+
+  check-garak-drift:
+    name: Check garak midstream version drift
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Compare pyproject.toml garak version with latest midstream tag
+        run: |
+          PYPROJECT_VER=$(grep -oP 'garak==\K[^\s"]+' pyproject.toml)
+          echo "pyproject.toml garak version: $PYPROJECT_VER"
+
+          LATEST_TAG=$(git ls-remote --tags \
+            https://github.com/trustyai-explainability/garak.git \
+            | grep 'refs/tags/v' \
+            | grep -v '\^{}' \
+            | sed 's|.*refs/tags/v||' \
+            | sort -V \
+            | tail -1)
+          echo "Latest midstream tag: $LATEST_TAG"
+
+          if [ "$PYPROJECT_VER" != "$LATEST_TAG" ]; then
+            echo "::error::Garak version drift detected!"
+            echo "  pyproject.toml pins: $PYPROJECT_VER"
+            echo "  Latest midstream:    $LATEST_TAG"
+            echo "Update pyproject.toml, regenerate requirements.txt, and commit."
+            exit 1
+          fi
+
+          echo "Garak version is up-to-date with midstream."
+
+  container-build:
+    name: Container Build + Import Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build container image
+        run: |
+          docker build -f Containerfile -t provider-smoke-test:ci .
+
+      - name: Verify full import chain
+        run: |
+          docker run --rm provider-smoke-test:ci bash -c "\
+            python -c \"import numpy; print('numpy OK')\" && \
+            python -c \"import pandas; print('pandas OK')\" && \
+            python -c \"import garak; print('garak OK')\" && \
+            python -c \"import sdg_hub; print('sdg-hub OK')\" && \
+            python -c \"import llama_stack_provider_trustyai_garak; print('provider OK')\""
+
+      - name: Verify garak version matches pyproject.toml
+        run: |
+          EXPECTED=$(grep -oP 'garak==\K[^\s"]+' pyproject.toml)
+          INSTALLED=$(docker run --rm provider-smoke-test:ci python -c "from importlib.metadata import version; print(version('garak'))")
+          echo "Expected: $EXPECTED"
+          echo "Installed: $INSTALLED"
+          if [ "$EXPECTED" != "$INSTALLED" ]; then
+            echo "::error::Garak version mismatch! Containerfile installs $INSTALLED but pyproject.toml expects $EXPECTED"
+            exit 1
+          fi
+          echo "Garak version in container matches pyproject.toml."
@@ -1,4 +1,12 @@
 repos:
+  - repo: local
+    hooks:
+      - id: sync-requirements
+        name: Regenerate requirements.txt from pyproject.toml
+        entry: bash -c 'uv pip compile --python-platform linux --extra inline --emit-index-url --default-index https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9-test/simple/ pyproject.toml --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9-test/simple/ -o requirements.txt'
+        language: system
+        files: ^pyproject\.toml$
+        pass_filenames: false
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.11.4
     hooks:
 
@@ -4,16 +4,19 @@ WORKDIR /opt/app-root
 # Switch to root only for installing packages
 USER root
 
-COPY . .
+COPY pyproject.toml .
+COPY src src
 
 # Install cpu torch to reduce image size
 RUN pip install torch --index-url https://download.pytorch.org/whl/cpu
 
-# Install the package itself
-# Use [inline] to get garak dependency
-RUN pip install --no-cache-dir ".[inline]"
-# Install midstream garak and sdg-hub dependencies (tmp fix till we get release versions)
-RUN pip install --no-cache-dir -r requirements-inline-extra.txt
+# Install the package + sdg deps (everything except garak, which comes from git)
+RUN pip install --no-cache-dir ".[sdg]"
+# Install garak from midstream git (tag derived from pyproject.toml)
+RUN GARAK_VER=$(grep -oP 'garak==\K[^\s"]+' pyproject.toml) && \
+    pip install --no-cache-dir \
+    "garak @ git+https://github.com/trustyai-explainability/garak.git@v${GARAK_VER}"
+
 # Set XDG environment variables to use /tmp (always writable) for garak to write to
 ENV XDG_CACHE_HOME=/tmp/.cache
 ENV XDG_DATA_HOME=/tmp/.local/share
 
@@ -22,7 +22,6 @@ dependencies = [
     "eval-hub-sdk[adapter]>=0.1.2",
     "pandas>=2.3.3",
     "Jinja2>=3.1.6",
-    # "pytest>=9.0.2", # included in 'dev' extra
 ]
 
 [project.urls]
@@ -40,15 +39,16 @@ where = ["src"]
 "llama_stack_provider_trustyai_garak" = ["resources/*"]
 
 [project.optional-dependencies]
-inline = [
-    "pyasn1==0.6.2", # trivy high vul fix
-    "protobuf==6.33.5", # trivy high vul fix
+sdg = [
     "nest_asyncio>=1.6.0",
-    "garak>=0.14.0"
+    "sdg-hub>=0.8.8",
+]
+inline = [
+    "llama-stack-provider-trustyai-garak[sdg]",
+    "garak==0.14.1+rhaiv.6",
 ]
-# For intents, install:
-#   pip install -r requirements-inline-extra.txt
-dev = ["pytest", "pytest-cov", "pytest-asyncio", "ruff", "pre-commit"]
+test = ["pytest", "pytest-cov", "pytest-asyncio"]
+dev = ["llama-stack-provider-trustyai-garak[test]", "ruff", "pre-commit"]
 server = ["llama-stack>=0.5.0"]
 
 [tool.pytest.ini_options]