Fix some security issues (opea-project#2289)

Signed-off-by: ZePan110 <ze.pan@intel.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>

Author: 2 people

.github/workflows/_build_image.yml

@@ -78,7 +78,7 @@ jobs:
           fi
 
       - name: Checkout out GenAIExamples
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_get-image-list.yml

@@ -31,10 +31,10 @@ jobs:
       run_matrix: ${{ steps.get-matrix.outputs.run_matrix }}
     steps:
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
 
       - name: Checkout GenAIComps Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           repository: opea-project/GenAIComps
           path: GenAIComps
@@ -45,7 +45,7 @@ jobs:
           image_list=[]
           run_matrix="{\"include\":["
           if [[ ! -z "${{ inputs.examples }}" ]]; then
-              pip install yq
+              pip install yq==3.4.3
               examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
               for example in ${examples[@]}
               do

.github/workflows/_get-test-matrix.yml

@@ -47,7 +47,7 @@ jobs:
           echo "checkout ref ${{ env.CHECKOUT_REF }}"
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_helm-e2e.yml

@@ -55,7 +55,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -128,7 +128,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0

.github/workflows/_run-docker-compose.yml

@@ -61,7 +61,7 @@ jobs:
           echo "checkout ref ${CHECKOUT_REF}"
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -150,7 +150,7 @@ jobs:
           docker images
 
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           ref: ${{ needs.get-test-case.outputs.CHECKOUT_REF }}
           fetch-depth: 0
@@ -243,7 +243,7 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: ${{ inputs.hardware }}_${{ inputs.example }}_${{ matrix.test_case }}
           path: ${{ github.workspace }}/${{ inputs.example }}/tests/*.log

.github/workflows/_run-one-click.yml

@@ -60,7 +60,7 @@ jobs:
 
       - name: Checkout out Repo
         if: ${{ inputs.deploy_method == 'docker' }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -94,7 +94,7 @@ jobs:
 
       - name: Checkout out Repo
         if: ${{ inputs.deploy_method == 'k8s' }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
 
@@ -153,7 +153,7 @@ jobs:
           LVM_model: ${{ env.LVM_model }}
         run: |
           cd ${{ github.workspace }}/one_click_deploy
-          python3 -m pip install -r requirements.txt
+          python3 -m pip install --require-hashes -r requirements.txt
 
           if [ "${{ inputs.deploy_method }}" = "k8s" ]; then
             export OPEA_K8S_VLLM_SKIP_WARMUP=TRUE
@@ -205,7 +205,7 @@ jobs:
 
       - name: Publish pipeline artifact
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
         with:
           name: ${{ inputs.deploy_method }}
           path: ${{ github.workspace }}/${{ inputs.deploy_method }}-tests/test-results.log

.github/workflows/_trivy-scan.yml

@@ -43,7 +43,7 @@ jobs:
           sudo rm -rf ${{github.workspace}}/* || true
           docker system prune -f
       - name: Checkout out Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       - name: Install Dependencies
         run: |
           sudo apt-get update
@@ -91,7 +91,7 @@ jobs:
         shell: bash
 
       - name: Security Scan Container
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         if: ${{ inputs.trivy_scan }}
         with:
           image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ inputs.image }}:${{ inputs.tag }}

.github/workflows/check-online-doc-build.yml

@@ -17,12 +17,12 @@ jobs:
     steps:
 
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         path: GenAIExamples
 
     - name: Checkout docs
-      uses: actions/checkout@v4
+      uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
       with:
         repository: opea-project/docs
         path: docs

.github/workflows/daily-update-vllm-version.yml.disabled

@@ -32,7 +32,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
         with:
           fetch-depth: 0
           ref: ${{ github.ref }}

.github/workflows/docker/code-scan.dockerfile

@@ -1,8 +1,8 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-ARG UBUNTU_VER=22.04
-FROM ubuntu:${UBUNTU_VER} as devel
+# ARG UBUNTU_VER=22.04
+FROM ubuntu@sha256:4e0171b9275e12d375863f2b3ae9ce00a4c53ddda176bd55868df97ac6f21a6e as devel
 
 ENV LANG=C.UTF-8