open-edge-platform
diff --git a/‎.github/actions/pytest/action.yaml
Lines changed: 25 additions & 12 deletions b/‎.github/actions/pytest/action.yaml
Lines changed: 25 additions & 12 deletions
diff --git a/‎.github/actions/security/bandit/action.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/actions/security/bandit/action.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/actions/security/semgrep/action.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/actions/security/semgrep/action.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/actions/security/trivy/action.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/actions/security/trivy/action.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/actions/security/zizmor/action.yaml
Lines changed: 3 additions & 2 deletions b/‎.github/actions/security/zizmor/action.yaml
Lines changed: 3 additions & 2 deletions
diff --git a/‎.github/workflows/_reusable-artifact-builder.yaml
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/_reusable-artifact-builder.yaml
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/_reusable-code-quality.yaml
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/_reusable-code-quality.yaml
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/_reusable-production-release-process.yaml
Lines changed: 7 additions & 1 deletion b/‎.github/workflows/_reusable-production-release-process.yaml
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/workflows/_reusable-rc-release-process.yaml
Lines changed: 16 additions & 5 deletions b/‎.github/workflows/_reusable-rc-release-process.yaml
Lines changed: 16 additions & 5 deletions
diff --git a/‎.github/workflows/_reusable-release-publisher.yaml
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/_reusable-release-publisher.yaml
Lines changed: 4 additions & 0 deletions
@@ -117,8 +117,10 @@ runs:
     - name: Determine test scope
       id: test-scope
       shell: bash
+      env:
+        INPUTS_TEST_TYPE: ${{ inputs.test-type }}
       run: |
-        case "${{ inputs.test-type }}" in
+        case "$INPUTS_TEST_TYPE" in
           "unit")
             echo "path=tests/unit" >> $GITHUB_OUTPUT
             ;;
@@ -135,23 +137,27 @@ runs:
       id: test-execution
       shell: bash
       continue-on-error: true
+      env:
+        INPUTS_DEVICE: ${{ inputs.device }}
+        INPUTS_MAX_TEST_TIME: ${{ inputs.max-test-time }}
+        STEPS_TEST_SCOPE_OUTPUTS_PATH: ${{ steps.test-scope.outputs.path }}
       run: |
         source .venv/bin/activate
         start_time=$(date +%s)
 
         # Set device-specific pytest arguments
-        if [ "${{ inputs.device }}" = "cpu" ]; then
+        if [ "$INPUTS_DEVICE" = "cpu" ]; then
           marker="-m cpu"  # Only run CPU tests
         else
           marker=""  # Run all tests (both CPU and GPU marked tests)
         fi
 
         # Run pytest
-        PYTHONPATH=src pytest ${{ steps.test-scope.outputs.path }} \
+        PYTHONPATH=src pytest "$STEPS_TEST_SCOPE_OUTPUTS_PATH" \
           --numprocesses=0 \
           --durations=10 \
           --durations-min=1.0 \
-          --timeout=${{ inputs.max-test-time }} \
+          --timeout="$INPUTS_MAX_TEST_TIME" \
           --verbosity=1 \
           --cov=src \
           --cov-report=xml \
@@ -194,13 +200,15 @@ runs:
     - name: Check test duration
       if: always()
       shell: bash
+      env:
+        INPUTS_MAX_TEST_TIME: ${{ inputs.max-test-time }}
+        STEPS_TEST_EXECUTION_OUTPUTS_DURATION: ${{ steps.test-execution.outputs.duration }}
       run: |
-        duration="${{ steps.test-execution.outputs.duration }}"
-        if [ -n "$duration" ]; then
-          echo "Test Duration: $duration seconds"
+        if [ -n "$STEPS_TEST_EXECUTION_OUTPUTS_DURATION" ]; then
+          echo "Test Duration: $STEPS_TEST_EXECUTION_OUTPUTS_DURATION seconds"
 
-          if [ "$duration" -gt "${{ inputs.max-test-time }}" ]; then
-            echo "::warning::Test suite exceeded recommended duration of ${{ inputs.max-test-time }} seconds"
+          if [ "$STEPS_TEST_EXECUTION_OUTPUTS_DURATION" -gt "$INPUTS_MAX_TEST_TIME" ]; then
+            echo "::warning::Test suite exceeded recommended duration of $INPUTS_MAX_TEST_TIME seconds"
           fi
         else
           echo "Test Duration: Not available"
@@ -209,9 +217,14 @@ runs:
     - name: Upload coverage to Codecov
       if: success()
       shell: bash
+      env:
+        INPUTS_CODECOV_TOKEN: ${{ inputs.codecov-token }}
+        INPUTS_TEST_TYPE: ${{ inputs.test-type }}
+        INPUTS_PYTHON_VERSION: ${{ inputs.python-version }}
+
       run: |
         source .venv/bin/activate
-        codecov --token "${{ inputs.codecov-token }}" \
+        codecov --token "$INPUTS_CODECOV_TOKEN" \
                 --file coverage.xml \
-                --flags "${{ inputs.test-type }}_py${{ inputs.python-version }}" \
-                --name "${{ inputs.test-type }} tests (Python ${{ inputs.python-version }})"
+                --flags "$INPUTS_TEST_TYPE_py$INPUTS_PYTHON_VERSION" \
+                --name "$INPUTS_TEST_TYPE tests (Python $INPUTS_PYTHON_VERSION)"
@@ -119,7 +119,8 @@ runs:
         INPUTS_CONFIDENCE_LEVEL: ${{ inputs.confidence-level }}
         INPUTS_OUTPUT_FORMAT: ${{ inputs.output-format }}
         INPUTS_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
-      run: |
+      # zizmor ignore: all_changed_files is tj-actions/changed-files output
+      run: | # zizmor: ignore[template-injection]
         set +e
         REPORT_FILE="bandit-report.$INPUTS_OUTPUT_FORMAT"
 
 
@@ -108,7 +108,8 @@ runs:
         INPUTS_TIMEOUT: ${{ inputs.timeout }}
         INPUTS_OUTPUT_FORMAT: ${{ inputs.output-format }}
         INPUTS_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
-      run: |
+      # zizmor ignore: all_changed_files is tj-actions/changed-files output
+      run: | # zizmor: ignore[template-injection]
         set +e
         # Map standard severity levels to Semgrep's levels
         # Semgrep does not support hierarchy, levels must be set explicitly
 
@@ -144,7 +144,8 @@ runs:
         INPUTS_GENERATE_SBOM: ${{ inputs.generate_sbom }}
         INPUTS_SBOM_FORMAT: ${{ inputs.sbom_format }}
 
-      run: |
+      # zizmor ignore: all_changed_files is tj-actions/changed-files output
+      run: | # zizmor: ignore[template-injection]
         # Create output directory
         mkdir -p reports
         REPORT_FILE="reports/trivy-$INPUTS_SCAN_TYPE-$INPUTS_SCANNERS.sarif"
 
@@ -51,7 +51,7 @@ inputs:
   zizmor-version:
     description: "Zizmor version"
     required: false
-    default: "1.6.0"
+    default: "1.9.0"
 
 outputs:
   scan_result:
@@ -90,6 +90,7 @@ runs:
         INPUTS_OUTPUT_FORMAT: ${{ inputs.output-format }}
         INPUTS_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
         ZIZMOR_VERSION: ${{ inputs.zizmor-version }}
+        STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
 
       # For changed scope: if changes in .github/** are detected, we rescan all files because
       # providing individual non-workflow files (even yaml) to Zizmor causes errors ("invalid GitHub Actions workflow").
@@ -103,7 +104,7 @@ runs:
         SEVERITY=$(echo "$INPUTS_SEVERITY_LEVEL" | tr '[:upper:]' '[:lower:]')
         CONFIDENCE=$(echo "$INPUTS_CONFIDENCE_LEVEL" | tr '[:upper:]' '[:lower:]')
 
-        if [[ "$INPUTS_SCAN_SCOPE" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
+        if [[ "$INPUTS_SCAN_SCOPE" == "changed" && -n "$STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES" ]]; then
           echo "There are some changes detected in .github/, checking with Zizmor"
           uvx zizmor=="$ZIZMOR_VERSION" \
               --min-confidence ${CONFIDENCE} \
 
@@ -69,13 +69,18 @@ on:
         description: "Name of the uploaded artifact"
         value: ${{ jobs.build.outputs.artifact-name }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     outputs:
       artifact-name: ${{ steps.set-artifact-name.outputs.name }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ inputs.python-version }}
 
@@ -54,6 +54,9 @@ on:
         type: string
         default: "3.10"
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
@@ -63,6 +66,7 @@ jobs:
         with:
           fetch-depth: 0
           lfs: true
+          persist-credentials: false
       - uses: ./.github/actions/code-quality/pre-commit
         with:
           python-version: ${{ inputs.python-version }}
@@ -61,13 +61,17 @@ on:
       pypi-token:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   validate-release-readiness:
     runs-on: ubuntu-latest
     steps:
       - name: Check for approved RC
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          VERSION="${{ inputs.version }}"
           ARTIFACTS_JSON=$(curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
             "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/actions/artifacts")
 
@@ -101,6 +105,8 @@ jobs:
   publish:
     needs: [prepare-release]
     uses: ./.github/workflows/_reusable-release-publisher.yaml
+    permissions:
+      contents: write # is required by action-gh-release (nested)
     with:
       version: ${{ inputs.version }}
       artifact-name: production-release-artifacts
 
@@ -66,6 +66,9 @@ on:
       test-pypi-token:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   technical-review:
     environment:
@@ -139,14 +142,17 @@ jobs:
           fi
         env:
           VERSION: ${{ inputs.version }}
+          STEPS_VALIDATE_DEPLOYMENT_OUTPUTS_STATUS: ${{ steps.validate-deployment.outputs.status }}
 
       - name: Generate technical review report
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
           cat << EOF > technical-review-report.md
           # Technical Review Report
 
           ## Version Information
-          - Version: ${{ inputs.version }}
+          - Version: "$VERSION"
           - Package Name: $(ls dist/*.whl | head -n 1 | xargs basename)
 
           ## Test Results
@@ -165,7 +171,7 @@ jobs:
           \`\`\`
 
           ## Test PyPI Deployment
-          - Status: ${{ steps.validate-deployment.outputs.status }}
+          - Status: "$STEPS_VALIDATE_DEPLOYMENT_OUTPUTS_STATUS"
           - URL: https://test.pypi.org/project/${PACKAGE_NAME}/${VERSION#v}/
 
           EOF
@@ -195,11 +201,13 @@ jobs:
           path: qa-review
 
       - name: Generate QA dashboard
+        env:
+          NEEDS_TECHNICAL_REVIEW_OUTPUTS_DEPLOYMENT_STATUS: ${{ needs.technical-review.outputs.deployment-status }}
         run: |
           echo "QA Review Dashboard"
           echo "==================="
           echo
-          echo "Technical Review Status: ${{ needs.technical-review.outputs.deployment-status }}"
+          echo "Technical Review Status: $NEEDS_TECHNICAL_REVIEW_OUTPUTS_DEPLOYMENT_STATUS"
           echo
           echo "Review the full technical report at: qa-review/technical-review-report.md"
           echo
@@ -222,8 +230,10 @@ jobs:
           name: technical-review-report
 
       - name: Display release information
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          echo "Release Information for ${{ inputs.version }}"
+          echo "Release Information for $VERSION"
           echo "----------------------------------------"
           cat technical-review-report.md
 
@@ -236,8 +246,9 @@ jobs:
       - name: Record approval
         env:
           APPROVER: ${{ github.actor }}
+          VERSION: ${{ inputs.version }}
         run: |
           echo "RC Approval Record:"
-          echo "- Version: ${{ inputs.version }}"
+          echo "- Version: $VERSION"
           echo "- Timestamp: $(date -u +"%Y-%m-%dT%H:%M:%SZ")"
           echo "- Approver: $APPROVER"
@@ -74,10 +74,14 @@ on:
         required: false
         description: "Test PyPI token for pre-releases"
 
+permissions: {} # default permissions only on workflow level
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     environment: ${{ inputs.is-prerelease && 'staging' || 'production' }}
+    permissions:
+      contents: write # is required by action-gh-release
     steps:
       - uses: actions/download-artifact@v4
         with: