0a12af4
Merge pull request #4426 from dell/pub/q2_dev
abhishek-sa1 May 14, 2026
db7f5e2
catalog changes and bug fixes (#4431)
Rajeshkumar-s2 May 14, 2026
ddb39c1
Merge branch 'dell:pub/build_stream' into pub/build_stream
Rajeshkumar-s2 May 26, 2026
acb5054
Merge pull request #4784 from dell/staging
abhishek-sa1 Jun 23, 2026
97a86f9
cleanup k8s script files also
Nagachandan-P Jun 23, 2026
6e97680
lint issue fix
Nagachandan-P Jun 23, 2026
4c064e3
mpi env set for default
Nagachandan-P Jun 24, 2026
0896719
Merge pull request #4785 from Nagachandan-P/pub/q2_upgrade
jagadeeshnv Jun 24, 2026
74b038e
Merge pull request #4788 from dell/pub/q2_upgrade
abhishek-sa1 Jun 24, 2026
d0356ac
PR1: Move playbooks/ and common/ to src/, update all paths
abhishek-sa1 Jun 24, 2026
b34a4ca
PR2: Move build_stream/ to src/build_stream/
abhishek-sa1 Jun 25, 2026
10c32e2
PR3: Move input/ and examples/ to src/, add q3_main to CI workflows
abhishek-sa1 Jun 25, 2026
723f175
Merge branch 'dell:pub/build_stream' into pub/build_stream
Rajeshkumar-s2 Jun 25, 2026
019b7e2
Merge pull request #4789 from abhishek-sa1/feature/mono-pr1-playbooks…
sujit-jadhav Jun 25, 2026
ceffd1c
Merge pull request #4790 from abhishek-sa1/feature/mono-pr2-buildstre…
sujit-jadhav Jun 25, 2026
82215bb
Merge pull request #4791 from abhishek-sa1/feature/mono-pr3-input-exa…
sujit-jadhav Jun 25, 2026
3685502
Add SDD CI/CD workflows for Omnia Public Code Repo
Rajeshkumar-s2 Jun 25, 2026
8c68e45
Dummy changes to invoke CI/CD pipeline
Rajeshkumar-s2 Jun 29, 2026
77e2cdc
Fix the lint failures and add gitleaks license
Rajeshkumar-s2 Jun 29, 2026
51d379d
Fix the lint warnings and use gitleaks binary
Rajeshkumar-s2 Jun 29, 2026
cf11cf3
Update to use gitleaks binary
Rajeshkumar-s2 Jun 29, 2026
92ccba2
Use opensource gitleaks (non enterprise without license)
Rajeshkumar-s2 Jun 29, 2026
725b29c
Using open source gitleaks from docker
Rajeshkumar-s2 Jun 29, 2026
8a11abe
Update gitleaks.toml config
Rajeshkumar-s2 Jun 29, 2026
e04ddc5
Feature/mono pr4 build and path fixes (#4795)
abhishek-sa1 Jun 29, 2026
53acb22
Sync omnia q2 fixes to q3_main (#4801)
abhishek-sa1 Jun 29, 2026
86fb49e
Configure Gitleaks with granular regex patterns
Rajeshkumar-s2 Jul 2, 2026
1265444
Merge upstream/q3_main into pub/build_stream
Rajeshkumar-s2 Jul 2, 2026
352a3a3
Update CI/CD workflows for new directory structure from q3_main
Rajeshkumar-s2 Jul 2, 2026
7804a73
Fix yamllint and UTs
Rajeshkumar-s2 Jul 2, 2026
1220f44
Fix lint and UT issues
Rajeshkumar-s2 Jul 2, 2026
3196c62
Exclude Jinja2 templates from ShellCheck to avoid false positives
Rajeshkumar-s2 Jul 2, 2026
2b488aa
Move ShellCheck report to end of output
Rajeshkumar-s2 Jul 2, 2026
aea16b6
Fix ansible-lint issues: comments, document starts, blank lines
Rajeshkumar-s2 Jul 2, 2026
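--- /dev/null
+++ b/.github/workflows/.gitleaks.toml
@@ -0,0 +1,141 @@
+title = "Gitleaks config for Omnia"
+
+[allowlist]
+description = "Ignore known false positives for infra repos"
+
+paths = [
+'''(^|/)\.git/'''
+]
+
+regexTarget = "match"
+regexes = [
+# Test/Example/Demo credentials
+'''example[_-]?(password|secret|token|key)''',
+'''dummy[_-]?(password|secret|token|key)''',
+'''test[_-]?(password|secret|token|key)''',
+'''demo[_-]?(password|secret|token|key)''',
+'''CHANGEME''',
+'''changeme''',
+'''password:\s*dell\d+''',
+'''PASSWORD\s*=\s*dell\d+''',
+'''PASSWORD\s*=\s*"dell\d+''',
+'''password:\s*slurmPassword''',
+'''password:\s*"slurmPassword''',
+'''VAULT_PASSWORD.*omnia_test''',
+'''PASSWORD\s*=\s*"omnia_test''',
+'''password\s*=\s*"correct_password"''',
+
+# Ansible/Jinja2 variable references
+'''password:\s*"?\{\{.*\}\}"?''',
+'''ansible_.*password.*\{\{''',
+'''password:\s*"hostvars''',
+'''password:\s*hostvars''',
+'''password:\s*\$\{''',
+'''password:\s*\$[A-Z_]+''',
+
+# Variable names (not values)
+'''(token|secret|password)\s*=\s*[a-z_]+''',
+'''password:\s*[a-z_]+(password|secret|key|token)''',
+'''secret:\s*[a-z_]+(password|secret|key|token)''',
+'''token:\s*[a-z_]+(password|secret|key|token)''',
+'''password:\s*\{\s*password:''',
+'''docker_password_cipher''',
+'''load_docker_credentials''',
+'''password:\s*s3_secret_key''',
+'''password:\s*minio_s3_password''',
+'''password:\s*switch_snmp3_password''',
+'''password:\s*"mysql_.*_password''',
+'''password:\s*"grafana_.*_password''',
+'''password:\s*"switch_.*_password''',
+'''password:\s*"kerberos_admin_password''',
+'''password:\s*"directory_manager_password''',
+'''secret:\s*"grafana_.*''',
+
+# Validation/Success messages
+'''success_msg.*password.*validated''',
+'''fail_msg.*password''',
+'''_password.*successfully.*validated''',
+'''_password.*validated''',
+'''msg.*password.*valid''',
+
+# Database connection strings (localhost/templates)
+'''postgresql://.*@localhost''',
+'''postgresql://.*@127\.0\.0\.1''',
+'''postgresql://user:pass@host''',
+'''postgresql://.*%\([^)]+\)s''',
+'''%\([^)]+\)s''',
+'''timescaledb_password:\s*postgres''',
+'''password:\s*postgres''',
+'''PASSWORD:\s*postgres''',
+
+# Shell commands and scripts
+'''passwd:\s*\$''',
+'''passwd:\$\(''',
+'''passwd=\$\(openssl''',
+'''hashed_passwd=\$\(openssl''',
+'''openssl passwd''',
+'''passwd:key=''',
+
+# Configuration/Documentation fields
+'''password:\s*Optional''',
+'''password:\s*Password''',
+'''password:\s*"Password''',
+'''password:\s*password''',
+'''password:\s*"password"''',
+'''password:\s*"Openldap''',
+'''password:\s*"Registration''',
+'''password:\s*Registration''',
+'''password\s*=\s*IntegrationTestConfig''',
+'''password:.*description''',
+'''password:.*request_args''',
+'''password:.*database''',
+'''password\s*=\s*AUTH_PASSWORD''',
+'''password\s*=\s*\$MINIO_PASSWORD''',
+'''password:\s*$''',
+'''password:\s+description''',
+'''password:\s+required''',
+'''password:\s+type:''',
+'''password=None''',
+'''password:\n\s+request_args''',
+'''password:\n\s*database''',
+'''password:\ndatabase''',
+
+# Documentation examples (xxx placeholders)
+'''TOKEN=hf_x+''',
+'''vault_password="x+''',
+'''Password:\s*\d{8}''',
+'''secret\s*=\s*"bld_s_[A-Za-z0-9_-]+"''',
+
+# Known test/example tokens
+'''1c8572f630701e8792bede122ec9c417''',
+'''secretToken.*1c8572f6''',
+'''cookieSecret.*1c8572f6''',
+
+# Certificate references
+'''secret:.*-cert''',
+'''secret:.*-ca-cert'''
+]
+
+[[rules]]
+id = "generic-password"
+description = "Generic Password Detection"
+regex = '''(?i)(password|passwd|pwd)\s*[:=]\s*["']?[A-Za-z0-9!@#$%^&*()_+=\-]{8,}["']?'''
+tags = ["password"]
+
+[[rules]]
+id = "credentials-in-url"
+description = "Credentials in URL"
+regex = '''(?i)\b\w+:\/\/[^:\s]+:[^@\s]+@[^:\s]+'''
+tags = ["credentials", "url"]
+
+[[rules]]
+id = "generic-token"
+description = "Generic Token/Secret"
+regex = '''(?i)(secret|token|api[_-]?key)\s*[:=]\s*["']?[A-Za-z0-9_\-]{16,}["']?'''
+tags = ["token", "secret"]
+
+[[rules]]
+id = "ansible-secret"
+description = "Ansible hardcoded secret"
+regex = '''(?i)(ansible_.*password|vault_password)\s*[:=]\s*["'][^"']{6,}["']'''
+tags = ["ansible", "secret"]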
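Review bot: Several allowlist entries under "Variable names (not values)" and "Configuration/Documentation fields" are unanchored substring patterns, and with `regexTarget = "match"` gitleaks suppresses a finding as soon as the pattern matches anywhere inside it, so they silence real secrets rather than only the documented false positives — `'''(token|secret|password)\s*=\s*[a-z_]+'''` matches the first characters of any value that starts with a lowercase letter (e.g. `secret = abcdefgh1234…`), and `'''password:\s*password'''`, `'''password:.*database'''` and `'''%\([^)]+\)s'''` behave the same way. Anchor the variable-name patterns to the end of the match, e.g. `'''(token|secret|password)\s*=\s*[a-z_]+["']?$'''`, and drop the entries that cannot be made specific. Separately, a config that declares its own `[[rules]]` without an `[extend]` section replaces gitleaks' built-in rule set instead of adding to it, so private-key blocks, AWS/GitHub/Slack tokens and similar are only caught if they happen to hit one of the four generic regexes here; add `[extend]` / `useDefault = true` at the top of the file so the defaults still apply. The hard-coded `secretToken`/`cookieSecret` value allowlisted under "Known test/example tokens" should be confirmed to exist only in example files, since allowlisting it means it will never be flagged if it is ever used for real.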
52 changes: 38 additions & 14 deletions .github/workflows/ansible-lint.yml
Original file line number Diff line number Diff line change
@@ -1,16 +1,17 @@
---
name: Ansible Lint

on:
'on':
pull_request:
branches:
- main
- staging
- release_1.7.1
- pub/build_stream
- pub/q2_dev
- pub/telemetry
- pub/q2_upgrade
- pub/q2_ansible
- q3_main

jobs:
build:
Expand All @@ -19,22 +20,45 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.x'
fetch-depth: 0

- name: Install Ansible and Ansible Lint
- name: Get changed Ansible files (excluding deleted)
id: changed-files
run: |
python -m pip install --upgrade pip
pip install ansible-core
git fetch origin ${{ github.base_ref }}
CHANGED=$(git diff --name-only --diff-filter=d \
origin/${{ github.base_ref }} HEAD -- \
'*.yml' '*.yaml' || true)

- name: Install Ansible Collections from requirements.yml
run: |
ansible-galaxy collection install -r .config/requirements.yml --force --clear-response-cache
FILES=""
for f in $CHANGED; do
if [ -f "$f" ]; then
# Include only Ansible-relevant files
# (playbooks, roles, tasks, handlers, vars,
# defaults, meta, templates)
# Exclude CI workflow files, config files,
# and other non-Ansible YAML
case "$f" in
.github/*|.config/*|.readthedocs*|\
src/build_stream/*) continue ;;
*) FILES="$FILES $f" ;;
esac
fi
done

FILES=$(echo "$FILES" | xargs)
echo "Filtered files: $FILES"
echo "files=$FILES" >> "$GITHUB_OUTPUT"

- name: Run ansible-lint
- name: Run ansible-lint on changed files
if: steps.changed-files.outputs.files != ''
uses: ansible/ansible-lint@main
with:
args: --config=.config/ansible-lint.yml
args: --config=.config/ansible-lint.yml ${{ steps.changed-files.outputs.files }}

- name: No Ansible files changed
if: steps.changed-files.outputs.files == ''
run: |
echo "No Ansible files changed in this PR."
echo "Skipping ansible-lint."
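Review bot: `uses: ansible/ansible-lint@main` runs whatever is on that third-party action's default branch at the moment each PR is checked, so an upstream compromise or breakage reaches this pipeline with no review; pin it to a full commit SHA with a version comment, `uses: ansible/ansible-lint@<full-commit-sha>  # v<version>`, and let Dependabot propose bumps. The changed-file list is also spliced into `args: --config=.config/ansible-lint.yml ${{ steps.changed-files.outputs.files }}`; those names come from the PR head and are not quoted anywhere in the collecting step (`for f in $CHANGED` / `[ -f "$f" ]` accept `$(`, backticks and `;`), so if the action passes `args` through a shell — which I cannot confirm from here — a crafted file name would execute on the runner; handing the list over via an `env:` variable instead of an expression avoids that class of issue. No `permissions:` block is visible in this workflow (the two lines between the hunks are not shown) whereas gitleaks.yml in the same PR sets one, so unless it is in those lines, add `permissions: contents: read` at the top level for consistency and to keep the token read-only.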
69 changes: 69 additions & 0 deletions .github/workflows/bandit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
name: Bandit Security Scan

'on':
pull_request:
branches:
- main
- staging
- release_1.7.1
- pub/build_stream
- pub/q2_dev
- pub/telemetry
- pub/q2_upgrade
- pub/q2_ansible
- q3_main

jobs:
bandit:
name: Bandit Python SAST
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get changed Python files (excluding deleted)
id: changed-files
run: |
git fetch origin ${{ github.base_ref }}
CHANGED=$(git diff --name-only --diff-filter=d \
origin/${{ github.base_ref }} HEAD -- '*.py' || true)

FILES=""
for f in $CHANGED; do
if [ -f "$f" ]; then
# Exclude test files — Bandit SAST is for product code
case "$f" in
*/tests/*|*/test_*|*_test.py) continue ;;
*) FILES="$FILES $f" ;;
esac
fi
done

FILES=$(echo "$FILES" | xargs)
echo "Filtered files: $FILES"
echo "files=$FILES" >> "$GITHUB_OUTPUT"

- name: Set up Python
if: steps.changed-files.outputs.files != ''
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Install Bandit
if: steps.changed-files.outputs.files != ''
run: pip install bandit

- name: Run Bandit on changed files
if: steps.changed-files.outputs.files != ''
run: |
echo "Running Bandit on: ${{ steps.changed-files.outputs.files }}"
bandit ${{ steps.changed-files.outputs.files }} -ll -ii -f txt

- name: No Python product files changed
if: steps.changed-files.outputs.files == ''
run: |
echo "No Python product files changed in this PR."
echo "Skipping Bandit."
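Review bot: The "Run Bandit on changed files" step splices `${{ steps.changed-files.outputs.files }}` straight into the `run:` script, which is a script-injection sink: the values are file paths from the PR head, `git diff --name-only` does not escape `$`, `(`, `)` or backticks in path names, and `[ -f "$f" ]` accepts them, so a PR adding a file named like `x$(id).py` would run that command on the runner before Bandit starts. Pass the list through the environment instead — add `env:` / `FILES: ${{ steps.changed-files.outputs.files }}` to the step and run `bandit $FILES -ll -ii -f txt` — which keeps the word-splitting the step relies on while the contents are never re-parsed as script. The job declares no `permissions:` block (gitleaks.yml in this PR does), so `permissions: contents: read` would bound what such an injection can reach, and `pip install bandit` pulls an unpinned latest release — pin `bandit==<version>` so results are reproducible across runs.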
42 changes: 42 additions & 0 deletions .github/workflows/gitleaks.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
name: Secret Leak Scan

'on':
pull_request:
branches:
- main
- staging
- release_1.7.1
- pub/build_stream
- pub/q2_dev
- pub/telemetry
- pub/q2_upgrade
- pub/q2_ansible
- q3_main

jobs:
gitleaks:
name: Scan for secrets
runs-on: ubuntu-latest

permissions:
contents: read

steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Run Gitleaks scan using Docker
run: |
docker run --rm \
-v ${{ github.workspace }}:/repo \
-w /repo \
ghcr.io/gitleaks/gitleaks:latest \
detect \
--source /repo \
--config /repo/.github/workflows/.gitleaks.toml \
--log-opts="origin/${{ github.base_ref }}..${{ github.sha }}" \
--verbose \
--no-git
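Review bot: `--no-git` and `--log-opts="origin/<base>..<sha>"` contradict each other — with `--no-git` gitleaks treats `/repo` as a plain directory and, as far as I can tell, ignores the log range, so only files present at HEAD are scanned and a secret committed and then removed within the same PR's history is never seen, although `fetch-depth: 0` and the log-opts show history scanning was intended. Drop `--no-git` so the commit range is actually walked; if it was added to get around git's safe.directory check inside the container, run the container as the runner user (`--user "$(id -u):$(id -g)"`) rather than disabling git mode. `--verbose` prints each finding and without `--redact` the matched secret itself lands in the Actions log, so add `--redact`. `ghcr.io/gitleaks/gitleaks:latest` is an unpinned image — pin a version tag plus digest (`ghcr.io/gitleaks/gitleaks:<version>@sha256:<digest>`) so the scanner cannot change underneath the pipeline. Note also that the allowlist is read from `/repo/.github/workflows/.gitleaks.toml` on the PR head, so a contributor can loosen it in the same PR that introduces a secret; a CODEOWNERS rule requiring review on `.github/` is the usual mitigation.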
57 changes: 57 additions & 0 deletions .github/workflows/pip-audit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
---
name: Dependency Vulnerability Scan

'on':
pull_request:
branches:
- main
- staging
- release_1.7.1
- pub/build_stream
- pub/q2_dev
- pub/telemetry
- pub/q2_upgrade
- pub/q2_ansible
- q3_main

jobs:
pip-audit:
name: pip-audit Dependency Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Check for changed requirements files
id: changed-files
run: |
git fetch origin ${{ github.base_ref }}
CHANGED=$(git diff --name-only --diff-filter=d \
origin/${{ github.base_ref }} HEAD -- \
'src/build_stream/requirements*.txt' || true)

FILES=$(echo "$CHANGED" | xargs)
echo "Changed requirements files: $FILES"
echo "files=$FILES" >> "$GITHUB_OUTPUT"

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'

- name: Install pip-audit
run: pip install pip-audit

- name: Audit build_stream dependencies
run: |
echo "Auditing src/build_stream/requirements.txt"
echo "for known vulnerabilities..."
pip-audit -r src/build_stream/requirements.txt \
--desc on || true
echo ""
echo "Auditing src/build_stream/requirements-dev.txt"
echo "for known vulnerabilities..."
pip-audit -r src/build_stream/requirements-dev.txt \
--desc on || true
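Review bot: Both `pip-audit` invocations end in `|| true`, so a known-vulnerable dependency never fails the job and the "Dependency Vulnerability Scan" check is always green; remove the `|| true` (keeping it only for `requirements-dev.txt` if dev tooling is accepted as advisory) so findings block the merge, and record accepted findings explicitly with `--ignore-vuln <ID>` rather than by discarding the exit code. The `files` output computed in "Check for changed requirements files" is never read — neither the install nor the audit steps carry an `if:` on it — so either gate them with `if: steps.changed-files.outputs.files != ''` as bandit.yml in this PR does, or drop the step. `pip install pip-audit` is unpinned and the job sets no `permissions:` block; pin the version and add `permissions: contents: read` as gitleaks.yml does.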