Fix some security issues (opea-project#2289)

Signed-off-by: ZePan110 <ze.pan@intel.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>

Author: 2 people

.github/workflows/check-online-doc-build.yml

@@ -0,0 +1,35 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Check Online Document Building
+permissions: {}
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "**.md"
+      - "**.rst"
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        path: GenAIExamples
+
+    - name: Checkout docs
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        repository: opea-project/docs
+        path: docs
+
+    - name: Build Online Document
+      shell: bash
+      run: |
+        echo "build online doc"
+        cd docs
+        bash scripts/build.sh

.github/workflows/dockerhub-description.yml

@@ -0,0 +1,119 @@
+# Copyright (C) 2025 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+name: Update Docker Hub Description
+permissions:
+  contents: read
+on:
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+jobs:
+  get-images-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      examples_json: ${{ steps.extract.outputs.examples_json }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Extract images info and generate JSON matrix
+        id: extract
+        run: |
+          #!/bin/bash
+          set -e
+          images=$(awk -F'|' '/^\| *\[opea\// {
+            gsub(/^ +| +$/, "", $2);
+            gsub(/^ +| +$/, "", $4);
+            gsub(/^ +| +$/, "", $5);
+
+            # Extract the path portion of the dockerHub link from the Example Images column
+            match($2, /\(https:\/\/hub\.docker\.com\/r\/[^)]*\)/);
+            repository = substr($2, RSTART, RLENGTH);
+            # Remove the prefix and the trailing right bracket
+            sub(/^\(https:\/\/hub\.docker\.com\/r\//, "", repository);
+            sub(/\)$/, "", repository);
+
+            # Description Direct assignment
+            description = $4;
+
+            # Extract the content of the github link from the Readme column
+            match($5, /\(https:\/\/github\.com\/[^)]*\)/);
+            readme_url = substr($5, RSTART, RLENGTH);
+            # Remove the prefix and the trailing right bracket
+            sub(/^\(https:\/\/github\.com\//, "", readme_url);
+            sub(/\)$/, "", readme_url);
+            # Remove blob information, such as "blob/main/" or "blob/habana_main/"
+            gsub(/blob\/[^/]+\//, "", readme_url);
+            # Remove the organization name and keep only the file path, such as changing "opea-project/GenAIExamples/AudioQnA/README.md" to "GenAIExamples/AudioQnA/README.md"
+            sub(/^[^\/]+\//, "", readme_url);
+
+            # Generate JSON object string
+            printf "{\"repository\":\"%s\",\"short-description\":\"%s\",\"readme-filepath\":\"%s\"}\n", repository, description, readme_url;
+          }' docker_images_list.md)
+
+          # Concatenate all JSON objects into a JSON array, using paste to separate them with commas
+          json="[$(echo "$images" | paste -sd, -)]"
+          echo "$json"
+          # Set as output variable for subsequent jobs to use
+          echo "::set-output name=examples_json::$json"
+
+  check-images-matrix:
+    runs-on: ubuntu-latest
+    needs: get-images-matrix
+    if: ${{ needs.get-images-matrix.outputs.examples_json != '' }}
+    strategy:
+      matrix:
+        image: ${{ fromJSON(needs.get-images-matrix.outputs.examples_json) }}
+      fail-fast: false
+    steps:
+    - name: Check dockerhub description
+      run: |
+        echo "dockerhub description for ${{ matrix.image.repository }}"
+        echo "short-description: ${{ matrix.image.short-description }}"
+        echo "readme-filepath: ${{ matrix.image.readme-filepath }}"
+
+  dockerHubDescription:
+    runs-on: ubuntu-latest
+    needs: get-images-matrix
+    if: ${{ needs.get-images-matrix.outputs.examples_json != '' }}
+    strategy:
+      matrix:
+        image: ${{ fromJSON(needs.get-images-matrix.outputs.examples_json) }}
+      fail-fast: false
+    steps:
+    - name: Checkout GenAIExamples
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        repository: opea-project/GenAIExamples
+        path: GenAIExamples
+
+    - name: Checkout GenAIComps
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        repository: opea-project/GenAIComps
+        path: GenAIComps
+
+    - name: Checkout vllm-openvino
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        repository: vllm-project/vllm
+        path: vllm
+
+    - name: Checkout vllm-gaudi
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+      with:
+        repository: HabanaAI/vllm-fork
+        ref: habana_main
+        path: vllm-fork
+
+    - name: add dockerhub description
+      uses: peter-evans/dockerhub-description@v4
+      with:
+        username: ${{ secrets.DOCKERHUB_USER }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+        repository: ${{ matrix.image.repository }}
+        short-description: ${{ matrix.image.short-description }}
+        readme-filepath: ${{ matrix.image.readme-filepath }}
+        enable-url-completion: false

.github/workflows/pr-image-size.yml

@@ -128,7 +128,7 @@ jobs:
 
       - name: Download origin artifact log
         if: env.skip != 'true'
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4
         with:
           name: build-comments
           path: merged-files
@@ -159,7 +159,7 @@ jobs:
       all_comments: ${{ steps.summary.outputs.all_comments }}
     steps:
       - name: Download Summary
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4
         with:
           name: build-comments
           path: downloaded-files

ChatQnA/ui/docker/Dockerfile.react.openEuler

@@ -2,13 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Use node 20.11.1 as the base image
-FROM openeuler/node:20.11.1-oe2403lts as vite-app
-
+FROM openeuler/node:20.11.1-oe2403lts@sha256:25c790f93c2243b361919620c069812319f614fd697e32e433402ae706a19ffd as vite-app
+ 
 COPY react /usr/app/react
 WORKDIR /usr/app/react
 
-
-RUN ["npm", "install"]
+RUN ["npm", "install", "--package-lock-only"]
+RUN ["npm", "ci"]
 RUN ["npm", "run", "build"]
 
 
@@ -18,4 +18,4 @@ COPY --from=vite-app /usr/app/react/dist /usr/share/nginx/html
 COPY ./react/env.sh /docker-entrypoint.d/env.sh
 
 COPY ./react/nginx.conf /etc/nginx/conf.d/default.conf
-RUN chmod +x /docker-entrypoint.d/env.sh
+RUN chmod +x /docker-entrypoint.d/env.sh

CodeGen/ui/docker/Dockerfile.react.openEuler

@@ -2,13 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Use node 20.11.1 as the base image
-<<<<<<< HEAD
 FROM openeuler/node@sha256:25c790f93c2243b361919620c069812319f614fd697e32e433402ae706a19ffd as vite-app
 
-=======
-FROM openeuler/node:20.11.1-oe2403lts as vite-app
-
->>>>>>> 650571e8 (Fixed more CI Errors)
 COPY react /usr/app/react
 WORKDIR /usr/app/react