Conversation

@jiridanek
Member

@jiridanek jiridanek commented Dec 19, 2025

Description

How Has This Been Tested?

Self checklist (all need to be checked):

  • Ensure that you have run make test (gmake on macOS) before asking for review
  • Changes to everything except Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • New Features
    • Added a reusable vulnerability-scanning action that standardizes scans and produces markdown reports.
  • Tests
    • Added a workflow to validate image and filesystem scan modes using the new scanner.
  • Chores
    • Updated CI security scan and workflow references and bumped pre-commit/lint hook versions.
  • Bug Fixes
    • Updated artifact upload action to the latest released version.


@jiridanek jiridanek added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. trivy-scan This label that allows trivy to create a security report on the pull requests labels Dec 19, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 19, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025

Walkthrough

Adds a reusable Trivy composite action, replaces inline Trivy steps in workflows with that action, updates Trivy/action versions and pre-commit hook revisions, and adds a workflow to test image and filesystem scans using Podman.

Changes

Cohort / File(s) Summary

New Trivy composite action
.github/actions/trivy-scan-action/action.yml
Adds a composite GitHub Action that runs Trivy (image or filesystem) via Podman. Declares inputs (scan-type, scan-target, trivy-version, podman-socket, workspace-path, report-template, scanners, ignore-unfixed, timeout, exit-code) and output report-file. Implements steps to prepare the report dir, run Trivy inside Podman with mounts/args, render/write a report, export the path, and append it to the GitHub job summary.

Workflows updated to use the action / bump versions
.github/workflows/build-notebooks-TEMPLATE.yaml, .github/workflows/security.yaml
Replaces inline Podman-based Trivy execution in build-notebooks-TEMPLATE.yaml with the local composite action and updates TRIVY_VERSION to 0.68.2. Updates action references in security.yaml (astral-sh/setup-uv v6 → v7; aquasecurity/trivy-action ref updated to a newer commit / 0.33.1). Also updates actions/upload-artifact usages to v6.

Workflow to test the action
.github/workflows/test-trivy-scan-action.yaml
Adds a new test workflow with two jobs: test-scan-type-image (installs Podman/ACL utilities, configures Podman socket access, pulls a test image, runs the local action with scan-type: image) and test-scan-type-fs (runs the local action with scan-type: fs against the repository root).

Pre-commit hooks
.pre-commit-config.yaml
Bumps pre-commit hook revisions: uv-pre-commit 0.9.13 → 0.9.18 and ruff-pre-commit v0.14.6 → v0.14.10; no other config changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Pay special attention to .github/actions/trivy-scan-action/action.yml (argument handling, Podman socket and volume mounts, template rendering, report file ownership/permissions, and output export).
  • Verify the test workflow's Podman installation, ACL/socket setup commands, and that they work on the intended runner images.
  • Confirm workflows pass correct inputs to the new action and that job-summary append logic safely handles missing/empty reports.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description check ⚠️ Warning The pull request description is incomplete. While it follows the template structure, all required sections (Description, How Has This Been Tested?) are empty with only placeholder comments, and all merge criteria checkboxes remain unchecked. Complete the Description section explaining what versions were updated and why, provide detailed testing information including test results, and verify all self-checklist and merge-criteria items before merge.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately reflects the main changes: dependency version updates for GitHub Actions tooling. It clearly summarizes the primary objective of the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@openshift-ci openshift-ci bot added the size/xl label Dec 19, 2025
@github-actions github-actions bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Dec 19, 2025
@jiridanek
Member Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be9831f and f5e4332.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/build-notebooks-TEMPLATE.yaml (1 hunks)
  • .github/workflows/security.yaml (2 hunks)
  • .pre-commit-config.yaml (1 hunks)
🔇 Additional comments (4)
.pre-commit-config.yaml (2)

11-11: Ruff-pre-commit version v0.14.10 exists and is valid.

The version bump is current (released Dec 18, 2025) and safe—patch releases contain only bug fixes without breaking changes per Ruff's versioning scheme.


6-6: Verify uv-pre-commit 0.9.18 tag exists in the astral-sh/uv-pre-commit repository.

The latest confirmed uv-pre-commit release is 0.9.1 (dated 09 Oct 2025). While uv 0.9.18 was released on 2025-12-16, the corresponding uv-pre-commit tag for this version has not been confirmed. Pre-commit will fail to fetch a non-existent tag. Ensure the 0.9.18 release has been created in the uv-pre-commit repository before merging.

.github/workflows/build-notebooks-TEMPLATE.yaml (1)

47-48: LGTM! Trivy version updated with helpful documentation.

Trivy 0.68.2 is a valid, recently released version with no identified breaking changes. The version bump improves security scanning capabilities and code maintainability through both the version update and the added documentation comment.

.github/workflows/security.yaml (1)

35-35: Commit hash verified for trivy-action v0.33.1

The commit hash b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 correctly corresponds to the v0.33.1 release.

@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025
@jiridanek jiridanek marked this pull request as ready for review December 19, 2025 12:46
@openshift-ci openshift-ci bot requested review from atheo89 and dibryant December 19, 2025 12:46
@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025
@jiridanek
Member Author

@coderabbitai check I did not miss any github action that could be updated


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/test-trivy-scan-action.yaml (1)

27-42: Consider documenting runner requirements for setfacl.

The Podman socket setup uses setfacl to grant permissions, which is the correct approach. However, setfacl availability should be documented or verified.

🔎 Optional: Add verification for setfacl availability
       - name: Install and configure Podman
         run: |
+          # Verify setfacl is available
+          if ! command -v setfacl &> /dev/null; then
+            echo "Installing acl package for setfacl..."
+            sudo apt-get install -y acl
+          fi
+
           sudo apt-get install -y podman
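Review bot: `sudo apt-get install -y acl` (like the unchanged `sudo apt-get install -y podman` under it) runs without an `apt-get update` first, so a stale package index on the runner image can make the install fail, and since `setfacl` only ships in the `acl` package the `command -v setfacl` guard adds nothing over installing the package unconditionally. A single `sudo apt-get update && sudo apt-get install -y acl podman` is shorter, deterministic, and documents the runner requirement this comment asks for.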
.github/actions/trivy-scan-action/action.yml (2)

67-81: Consider adding error handling for template copy.

The setup step copies the report template but doesn't verify it exists first. If the template is missing, the action will fail with an unclear error.

🔎 Optional: Add template existence check
     - name: Setup report directory
       id: setup
       shell: bash
       run: |
+        # Verify template exists
+        if [[ ! -f "${{ inputs.report-template }}" ]]; then
+          echo "Error: Report template not found at ${{ inputs.report-template }}"
+          exit 1
+        fi
+
         REPORT_FOLDER=${{ inputs.workspace-path }}/trivy-report
         REPORT_FILE=trivy-report.md
         REPORT_TEMPLATE=$(basename ${{ inputs.report-template }})
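Review bot: `[[ ! -f "${{ inputs.report-template }}" ]]` splices the input value into the script text before bash parses it, so the quotes only protect against spaces, not against a value that itself contains a quote, a backtick or `$(...)`; the same applies to the unchanged `basename ${{ inputs.report-template }}`, which is not even quoted. Expose the input through `env:` on the step (`REPORT_TEMPLATE_PATH: ${{ inputs.report-template }}`) and reference `"$REPORT_TEMPLATE_PATH"` in the script, which keeps input data out of the shell source while still giving the clearer error this hunk is after.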

95-122: Consider quoting SCAN_TARGET for defensive programming.

While the current implementation likely works for expected inputs, quoting the SCAN_TARGET variable would prevent issues if paths contain spaces or special characters.

🔎 Suggested improvement
         podman run --rm \
             --security-opt label=disable \
             $PODMAN_ARGS \
             -v ${REPORT_FOLDER}:/report \
             docker.io/aquasec/trivy:${{ inputs.trivy-version }} \
               $SCAN_TYPE \
               $SCAN_ARGS \
               --scanners ${{ inputs.scanners }} \
               ${{ inputs.ignore-unfixed == 'true' && '--ignore-unfixed' || '' }} \
               --exit-code ${{ inputs.exit-code }} \
               --timeout ${{ inputs.timeout }} \
               --format template --template "@/report/$REPORT_TEMPLATE" \
               -o /report/$REPORT_FILE \
-              $SCAN_TARGET
+              "$SCAN_TARGET"
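Review bot: quoting `"$SCAN_TARGET"` fixes word-splitting for the target, but `$PODMAN_ARGS` and `$SCAN_ARGS` on the same command stay unquoted and look intended to expand to several words, and `${REPORT_FOLDER}` in the `-v` mount is unquoted as well, so a workspace path with a space still breaks the mount. Build those pieces as bash arrays (`podman_args=(...)`, then `"${podman_args[@]}"`) and quote `"${REPORT_FOLDER}:/report"`, which handles both multi-word expansion and spaces in paths.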
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f5e4332 and da7f572.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/actions/trivy-scan-action/action.yml (1 hunks)
  • .github/workflows/build-notebooks-TEMPLATE.yaml (2 hunks)
  • .github/workflows/security.yaml (2 hunks)
  • .github/workflows/test-trivy-scan-action.yaml (1 hunks)
  • .pre-commit-config.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .pre-commit-config.yaml
  • .github/workflows/security.yaml
🔇 Additional comments (7)
.github/workflows/build-notebooks-TEMPLATE.yaml (2)

364-372: LGTM! Clean refactoring to reusable action.

The inline Trivy scan logic has been successfully extracted into a reusable composite action. All necessary inputs (scan-type, scan-target, trivy-version, podman-socket) are correctly passed from the workflow context.


47-48: Trivy version 0.68.2 is valid and current. No known security vulnerabilities exist for this version. It is the latest stable release as of December 17, 2025.

.github/workflows/test-trivy-scan-action.yaml (3)

1-15: LGTM! Appropriate test workflow structure.

The workflow triggers and path filters are well-configured to test the Trivy action on relevant changes.


43-54: LGTM! Image scan test is correctly implemented.

The test properly sets up the test image in rootful Podman storage and invokes the action with appropriate parameters.


55-66: LGTM! Filesystem scan test provides good coverage.

The test correctly exercises the filesystem scanning pathway without unnecessary Podman setup.

.github/actions/trivy-scan-action/action.yml (2)

18-58: LGTM! Well-structured input definitions.

The inputs are clearly documented with sensible defaults. The validation of scan-type values is appropriately handled in the script logic rather than at the input level.


126-134: LGTM! Report summary step is correctly implemented.

The step appropriately checks for report existence and provides feedback. Note that this step won't run if the scan step fails, which is likely the intended behavior.

If you want the report to be added even when scans fail (e.g., when exit-code is non-zero), consider adding if: always() to this step.

@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/test-trivy-scan-action.yaml (2)

17-53: Consider adding validation steps to verify action success.

The Podman setup and action invocation are correct. However, the test doesn't include any assertions or validation steps after running the action. Consider adding steps to:

  • Verify the action completed successfully
  • Check that Trivy report artifacts were generated
  • Validate the output format
🔎 Example validation steps to add after the action
       - name: Test Trivy scan on container image
         uses: ./.github/actions/trivy-scan-action
         with:
           scan-type: image
           scan-target: ${{ env.TEST_IMAGE }}
           podman-socket: /var/run/podman/podman.sock
+
+      - name: Verify scan completed successfully
+        run: |
+          # Add checks here to verify the action succeeded
+          # For example: check for report files, parse outputs, etc.
+          echo "Verification: Trivy scan completed"
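Review bot: the added "Verify scan completed successfully" step only echoes and can never fail, so the job still passes when no report was produced, which is the situation the check is meant to catch. The action declares a `report-file` output (see the walkthrough), so give the scan step an `id:` (e.g. `id: scan`) and assert on it with `test -s "${{ steps.scan.outputs.report-file }}"`, optionally followed by a `grep` for the heading the report template emits. The same applies to the filesystem-scan job.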

55-66: Consider adding validation steps to verify action success.

Similar to the image scan test, this job would benefit from validation steps to ensure the filesystem scan completed successfully and produced expected outputs.

🔎 Example validation steps to add after the action
       - name: Test Trivy scan on filesystem
         uses: ./.github/actions/trivy-scan-action
         with:
           scan-type: fs
           scan-target: './'
+
+      - name: Verify scan completed successfully
+        run: |
+          # Add checks here to verify the action succeeded
+          # For example: check for report files, validate output format, etc.
+          echo "Verification: Trivy filesystem scan completed"
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da7f572 and 7286070.

📒 Files selected for processing (3)
  • .github/actions/trivy-scan-action/action.yml (1 hunks)
  • .github/workflows/build-notebooks-TEMPLATE.yaml (2 hunks)
  • .github/workflows/test-trivy-scan-action.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/actions/trivy-scan-action/action.yml
🔇 Additional comments (3)
.github/workflows/test-trivy-scan-action.yaml (1)

1-14: LGTM: Well-configured workflow triggers.

The workflow triggers are well-designed:

  • Manual dispatch for ad-hoc testing
  • Automated runs on PR and push for relevant file changes
  • Path filters ensure efficient CI execution
.github/workflows/build-notebooks-TEMPLATE.yaml (2)

47-48: Trivy version 0.68.2 is valid and represents an appropriate upgrade.

Trivy version 0.68.2 was released on December 17, 2025 and is the latest stable release. The version is available through official channels including Docker. The version update from 0.64.1 to 0.68.2 represents a progression of four minor versions released over several months, which is normal for an actively maintained project. No known vulnerabilities have been identified for this version.


364-371: The Trivy scan action parameters are correct.

All four parameters passed in the workflow—scan-type, scan-target, trivy-version, and podman-socket—are properly defined in the action's inputs. The action handles both image and filesystem scanning modes correctly, with the podman-socket parameter appropriately routed to image scans and workspace-path supporting filesystem scans.

@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all GitHub Actions workflow files
fd -e yaml -e yml . .github/workflows/

# List all GitHub Actions used in workflow files with their versions
echo "=== All GitHub Actions used in workflows ==="
rg -n "uses:" .github/workflows/ --no-heading | sort | uniq

Length of output: 7867


🌐 Web query:

actions/add-to-project latest version 2025

💡 Result:

The latest release tag for actions/add-to-project is v1.0.2 (as of December 19, 2025). [1][2]

Sources:
[1] actions/add-to-project repository README.
[2] Example workflows and community usage referencing actions/add-to-project@v1.0.2.


🌐 Web query:

actions/upload-artifact latest version v4 v5 2025

💡 Result:

The current/latest release is actions/upload-artifact@v6. [1][2]

Notes: v6 runs on Node.js 24 and requires Actions runner >= 2.327.1; v4 is a prior major with significant backend changes and v3/v2 were deprecated. [1][2]

Sources:
[1] actions/upload-artifact repo (README, v4/v6 notes).
[2] GitHub Changelog — deprecation/Pages notice (Jan 30, 2025).


🌐 Web query:

repo-sync/pull-request latest version v2 v3 2025

💡 Result:

The action's latest published release is v2.12.1 (released Jan 21, 2023); the repo was archived Aug 2, 2023 and there is no v3 release as of Dec 19, 2025. [1]

Sources:
[1] repo-sync/pull-request GitHub (releases & README).


🌐 Web query:

peter-evans/create-pull-request latest version 2025

💡 Result:

As of Dec 19, 2025 the latest release of peter-evans/create-pull-request is v8.0.0. [1][2]

Usage example:

  • uses: peter-evans/create-pull-request@v8

Sources:
[1] Releases (v8.0.0) — peter-evans/create-pull-request. [2] README / GitHub Marketplace entry for the action.


🌐 Web query:

snok/container-retention-policy latest version v3 2025

💡 Result:

The repository's v3 release is published as v3.0.0 (examples use snok/container-retention-policy@v3.0.0; the GHCR image also shows v3.0.0-alpha2). [1]

Sources:
[1] GitHub — snok/container-retention-policy (README & usage examples referencing v3.0.0 / ghcr image v3.0.0-alpha2).


🌐 Web query:

getsentry/action-github-app-token latest version v3 v4 2025

💡 Result:

As of Dec 19, 2025 the getsentry/action-github-app-token action is published at v3 (examples reference uses like getsentry/action-github-app-token@v3). [1]

Sources:
[1] getsentry/action-github-app-token (GitHub repository README).


🏁 Script executed:

#!/bin/bash
# Get more details on the specific actions that might need updates
echo "=== actions/add-to-project usage ==="
rg -n "actions/add-to-project" .github/workflows/

echo -e "\n=== actions/upload-artifact usage ==="
rg -n "actions/upload-artifact" .github/workflows/

echo -e "\n=== peter-evans/create-pull-request usage ==="
rg -n "peter-evans/create-pull-request" .github/workflows/

Length of output: 552


@jiridanek I found a few GitHub Actions that could be updated:

Actions that can be updated:

  1. actions/add-to-project

    • Current: v0.5.0
    • Latest: v1.0.2
    • Files: .github/workflows/auto-add-issue-to-project.yml (2 occurrences)
  2. actions/upload-artifact

    • Current: v4
    • Latest: v6
    • Files: .github/workflows/build-notebooks-TEMPLATE.yaml
    • Note: v6 requires Actions runner >= 2.327.1 and runs on Node.js 24
  3. peter-evans/create-pull-request

    • Current: c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0)
    • Latest: v8.0.0
    • Files: .github/workflows/sync-branches-through-pr.yml

Other notable findings:

  • repo-sync/pull-request@v2 in sec-scan.yml - This repository was archived in August 2023, so no newer versions are available. You might want to consider migrating to an alternative action in the future.

  • snok/container-retention-policy appears to be using the correct SHA for v3.0.0

  • getsentry/action-github-app-token@v3 appears current (v3.1 exists but v3 tag may track it)

  • Other actions like actions/checkout@v5, actions/setup-go@v5, actions/setup-python@v5, actions/github-script@v7, docker/login-action@v3, and github/codeql-action/upload-sarif@v3 all appear to be on their latest major versions.

The three actions listed above (add-to-project, upload-artifact, and create-pull-request) involve major version updates, so you may want to review their changelogs for any breaking changes.

NO-JIRA: chore(workflows): update uv sync --upgrade

NO-JIRA: chore(workflows): update trivy

NO-JIRA: chore(workflows): update pre-commit tools

NO-JIRA: chore(workflows): update `setup-uv` action to version `v7` in security workflow
@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025
@jiridanek
Member Author

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025

✅ Actions performed

Full review triggered.

@openshift-ci
Contributor

openshift-ci bot commented Dec 19, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ide-developer
Once this PR has been reviewed and has the lgtm label, please assign ysok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/actions/trivy-scan-action/action.yml (2)

67-80: Consider adding shell options and quoting variables for robustness.

The script lacks set -e (or set -Eeuo pipefail) which means errors in intermediate commands won't cause the step to fail. Additionally, paths containing spaces would break due to unquoted variable expansions.

🔎 Suggested improvement
     - name: Setup report directory
       id: setup
       shell: bash
       run: |
+        set -Eeuo pipefail
-        REPORT_FOLDER=${{ inputs.workspace-path }}/trivy-report
+        REPORT_FOLDER="${{ inputs.workspace-path }}/trivy-report"
         REPORT_FILE=trivy-report.md
-        REPORT_TEMPLATE=$(basename ${{ inputs.report-template }})
+        REPORT_TEMPLATE=$(basename "${{ inputs.report-template }}")

-        mkdir -p $REPORT_FOLDER
-        cp ${{ inputs.report-template }} $REPORT_FOLDER/
+        mkdir -p "$REPORT_FOLDER"
+        cp "${{ inputs.report-template }}" "$REPORT_FOLDER/"

         echo "report-folder=$REPORT_FOLDER" >> $GITHUB_OUTPUT
         echo "report-file=$REPORT_FILE" >> $GITHUB_OUTPUT
         echo "report-template=$REPORT_TEMPLATE" >> $GITHUB_OUTPUT
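Review bot: because this step already declares `shell: bash`, GitHub runs it as `bash --noprofile --norc -eo pipefail {0}`, so `-e` and `-o pipefail` are in force before the added line and the change effectively contributes `-E` and `-u`. With `-u` on, the three unchanged `>> $GITHUB_OUTPUT` redirections are the remaining unquoted expansions in the step; quote them as `"$GITHUB_OUTPUT"` for consistency with the rest of the hunk.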

82-123: Same quoting improvements apply to the scan step.

Unquoted variables and missing set -e could cause subtle failures, especially if scan-target contains spaces.

🔎 Key improvements for the scan step
     - name: Run Trivy vulnerability scanner
       id: scan
       shell: bash
       run: |
+        set -Eeuo pipefail
-        REPORT_FOLDER=${{ steps.setup.outputs.report-folder }}
+        REPORT_FOLDER="${{ steps.setup.outputs.report-folder }}"
         # ... similar quoting for other variables
         
-        SCAN_TARGET=${{ inputs.scan-target }}
+        SCAN_TARGET="${{ inputs.scan-target }}"
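Review bot: the hunk elides the other assignments ("# ... similar quoting for other variables"), so it is not a drop-in suggestion; when completing it, keep in mind that `set -u` aborts the step on any variable that is read but only assigned in one `case` branch. If `PODMAN_ARGS` or `SCAN_ARGS` (both used on the `podman run` line) are only set for one scan type, initialise them to empty before the branch, and prefer bash arrays (`PODMAN_ARGS=(...)`, `"${PODMAN_ARGS[@]}"`) so the multi-word expansions survive quoting.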

For the podman run command, consider using arrays or ensuring proper quoting to handle edge cases in paths.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between be9831f and 4612ee2.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/actions/trivy-scan-action/action.yml (1 hunks)
  • .github/workflows/build-notebooks-TEMPLATE.yaml (3 hunks)
  • .github/workflows/security.yaml (2 hunks)
  • .github/workflows/test-trivy-scan-action.yaml (1 hunks)
  • .pre-commit-config.yaml (1 hunks)
🔇 Additional comments (9)
.pre-commit-config.yaml (1)

6-6: LGTM! Routine pre-commit hook version updates.

Both uv-pre-commit (0.9.13 → 0.9.18) and ruff-pre-commit (v0.14.6 → v0.14.10) are incremental updates that should be backwards compatible.

Also applies to: 11-11

.github/workflows/security.yaml (1)

35-35: Good practice: Pinning action to commit SHA with version annotation.

Pinning aquasecurity/trivy-action to a specific commit hash while documenting the version in a comment improves supply chain security and maintains readability.

.github/workflows/build-notebooks-TEMPLATE.yaml (3)

47-48: LGTM! Trivy version update with documentation.

The version aligns with the default in the new composite action (0.68.2), and the comment linking to the Trivy repository improves discoverability.


366-371: Good refactor: Migrating to the reusable Trivy scan action.

The inline Trivy execution is now replaced with the composite action, passing appropriate inputs. This improves maintainability by centralizing the scanning logic.


465-465: Verify actions/upload-artifact@v6 compatibility.

This action requires a minimum Actions Runner version of 2.327.1 and runs on Node.js 24. The workflow runs on ubuntu-24.04 which, as a GitHub-hosted runner, is automatically maintained with compatible runner versions, so this requirement should be met.

Note: This is a major version jump from v5 to v6 (not v4 to v6).

.github/workflows/test-trivy-scan-action.yaml (2)

1-14: Good workflow structure with appropriate path filters.

The workflow triggers are well-scoped to only run when the action definition, test workflow, or report template changes, avoiding unnecessary CI runs.


71-82: Podman is pre-installed on Ubuntu 24.04, confirming filesystem scan compatibility.

The ubuntu-24.04 runner includes Podman 4.9.3, so the test-scan-type-fs job will execute successfully without requiring an explicit Podman installation step. The trivy-scan-action uses podman run to containerize Trivy for both scan types, but filesystem scans only require the Podman CLI—not a running daemon—since the action mounts the workspace folder directly rather than the Podman socket.

.github/actions/trivy-scan-action/action.yml (2)

1-17: Well-documented action with clear requirements.

The description clearly outlines features, requirements, and usage constraints. Good practice for composite actions.


125-133: LGTM! Defensive check before appending report.

The step correctly verifies the report file exists before attempting to append it to the job summary, with a warning message for debugging if missing.
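As an added illustration of the points raised in this review and the earlier one (quoted expansions, fail-fast shell options, scan-type validation in the script, and an existence check before touching the job summary), the script below models the action's scan and summary steps as a dry run. It is example code, not the repository's action.yml: the function names, the TRIVY_IMAGE constant, the `/workspace` and `/var/run/docker.sock` mount points, the `--scanners vuln` choice and the `report.md.tpl` template name are assumptions, and no podman is invoked; the argv is printed one argument per line so it can be inspected. It is written in POSIX sh (positional parameters stand in for a bash array) so it runs under dash as well as the `bash` the action uses.

```shell
#!/bin/sh
# Added example (not the project's action.yml): a dry-run model of the
# composite action's scan and summary steps with the hardening the review
# asks for. Function names, TRIVY_IMAGE and the mount points are assumptions.
set -eu   # under bash the action itself can use: set -Eeuo pipefail

TRIVY_IMAGE="docker.io/aquasec/trivy"

# Print the podman argv for a scan, one argument per line, without running
# podman. "$@" is rebuilt with `set --` so every argument stays one word even
# when a path contains spaces (the POSIX substitute for a bash array).
# Usage: build_trivy_argv <scan-type> <scan-target> <trivy-version> <report-folder> [podman-socket] [workspace-path]
build_trivy_argv() {
  scan_type="$1"; scan_target="$2"; trivy_version="$3"; report_folder="$4"
  podman_socket="${5:-/var/run/podman/podman.sock}"
  workspace_path="${6:-$PWD}"

  set -- podman run --rm --security-opt label=disable
  case "$scan_type" in
    image)
      # Image scans read the image through the Podman socket (assumed mount point).
      set -- "$@" -v "$podman_socket:/var/run/docker.sock"
      ;;
    fs)
      # Filesystem scans mount the workspace instead; no socket is needed.
      set -- "$@" -v "$workspace_path:/workspace"
      scan_target="/workspace/${scan_target#./}"
      ;;
    *)
      # Validate scan-type in the script, as the action does.
      echo "unsupported scan-type: $scan_type (expected image or fs)" >&2
      return 2
      ;;
  esac
  set -- "$@" -v "$report_folder:/report" \
    "$TRIVY_IMAGE:$trivy_version" "$scan_type" \
    --scanners vuln --ignore-unfixed --exit-code 0 \
    --format template --template "@/report/report.md.tpl" \
    -o /report/trivy-report.md "$scan_target"
  printf '%s\n' "$@"
}

# Append the Markdown report to the job summary only when it exists and is
# non-empty (the action's defensive check). Returns 1 when skipped so the
# caller decides whether a missing report is a failure.
append_report_summary() {
  report_file="$1"; summary_file="$2"
  if [ ! -s "$report_file" ]; then
    echo "::warning::Trivy report missing or empty: $report_file" >&2
    return 1
  fi
  cat "$report_file" >> "$summary_file"
}

# What a test workflow can run after the action instead of a bare echo:
# the report exists, is non-empty and starts with a Markdown heading.
verify_report() {
  report_file="$1"
  [ -s "$report_file" ] || { echo "no report at $report_file" >&2; return 1; }
  grep -q '^# ' "$report_file" || { echo "report has no Markdown heading" >&2; return 1; }
}

# Demo on a constructed report in a temp dir (no podman involved).
demo() {
  tmp="$(mktemp -d)"
  printf '# Trivy report\n\n| CVE | Severity |\n' > "$tmp/trivy-report.md"
  : > "$tmp/summary.md"
  verify_report "$tmp/trivy-report.md"
  append_report_summary "$tmp/trivy-report.md" "$tmp/summary.md"
  build_trivy_argv image localhost/test:latest 0.68.2 "$tmp"
  rm -rf "$tmp"
}

demo
```

The `set -- "$@" ...` pattern is what keeps `"$scan_target"`, the socket path and the report folder as single arguments without having to quote every later expansion, and `return 2` on an unknown scan type gives the caller a distinct status from a scan that merely found nothing.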

@openshift-ci openshift-ci bot removed the lgtm label Dec 19, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 19, 2025

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci bot added size/xl and removed size/xl labels Dec 19, 2025
@jiridanek jiridanek merged commit 52ff70e into opendatahub-io:main Dec 19, 2025
13 of 14 checks passed
