Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/actions_autoupdate.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
- cron: "0 0 * * 0"
workflow_dispatch:

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
update-github-actions:
runs-on: ubuntu-latest
Expand All @@ -15,7 +18,7 @@
token: ${{ secrets.WORKFLOW_SECRET }}

- name: Run GitHub Actions Version Updater
uses: saadmk11/github-actions-version-updater@v0.9.0

Check failure on line 21 in .github/workflows/actions_autoupdate.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
with:
token: ${{ secrets.WORKFLOW_SECRET }}
update_version_with: "release-commit-sha"
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/bom-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,16 +27,17 @@
type: string

env:
LUXONIS_TELEMETRY_ENABLED: "false"
DISTINCT_ID: ${{ github.event.inputs.distinct_id }}
DEPTHAI_VERSION: ${{ github.event.inputs.depthai_version }}
OS_VERSION: ${{ github.event.inputs.os_version }}
HIL_FRAMEWORK_TOKEN: ${{ secrets.HIL_FRAMEWORK_TOKEN }}

Check failure on line 34 in .github/workflows/bom-test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.
HUBAI_API_KEY: ${{ secrets.HUBAI_API_KEY }}

Check failure on line 35 in .github/workflows/bom-test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.
RESERVATION_NAME: ${{ github.event.inputs.reservation_name }}
HOLD_RESERVATION: ${{ github.event.inputs.hold_reservation }}
ADDITIONAL_OPTIONS: ${{ github.event.inputs.additional_options }}
INFLUX_BUCKET: fps_metrics
INFLUX_TOKEN: ${{ secrets.INFLUX_TOKEN }}

Check failure on line 40 in .github/workflows/bom-test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.

jobs:
id:
Expand Down Expand Up @@ -77,8 +78,11 @@
OS_VERSION_OPTION="--os-version $OS_VERSION"
fi

if [[ "$DEPTHAI_VERSION" =~ ^3\.[0-9]{1,2}\.[0-9]{1,2}$ ]]; then
if [[ "$DEPTHAI_VERSION" =~ ^3\.(8|9|[1-9][0-9])\.[0-9]{1,2}$ ]]; then
DEPTHAI_VERSION_CHECKED="$DEPTHAI_VERSION"
else
echo "DEPTHAI_VERSION must be within >=3.8.0,<4.0.0; got: $DEPTHAI_VERSION" >&2
exit 1
fi
: "${INFLUX_TOKEN:?INFLUX_TOKEN is required on the runner}"
: "${INFLUX_BUCKET:?INFLUX_BUCKET must be set by the workflow}"
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/hailo_publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@
branches:
- main

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
hailo-publish:
strategy:
Expand All @@ -16,7 +19,7 @@
version: ["2024.10", "2025.01", "2025.04"]

uses: ./.github/workflows/publish.yaml
secrets: inherit

Check failure on line 22 in .github/workflows/hailo_publish.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

This workflow uses `secrets: inherit` to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.
with:
package: hailo
version: ${{ matrix.version }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/hailo_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
hailo-test:
strategy:
Expand All @@ -28,7 +31,7 @@
version: ["2024.10", "2025.01", "2025.04"]

uses: ./.github/workflows/modelconverter_test.yaml
secrets: inherit

Check failure on line 34 in .github/workflows/hailo_test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

This workflow uses `secrets: inherit` to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.
with:
package: hailo
version: ${{ matrix.version }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/modelconverter_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,10 @@
packages: read

env:
LUXONIS_TELEMETRY_ENABLED: "false"
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

Check failure on line 30 in .github/workflows/modelconverter_test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Check failure on line 31 in .github/workflows/modelconverter_test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.
AWS_S3_ENDPOINT_URL: ${{ secrets.AWS_S3_ENDPOINT_URL }}

Check failure on line 32 in .github/workflows/modelconverter_test.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

A secret is exposed in the workflow-level `env:` block, making it available to every job and step in this workflow — including any untrusted code run in pull-request workflows. Scope secrets as narrowly as possible: prefer step-level `env:` so the secret is only available where it is actually needed.
PACKAGE: ${{ inputs.package }}
VERSION: ${{ inputs.version }}

Expand Down
1 change: 1 addition & 0 deletions .github/workflows/publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ permissions:
packages: write

env:
LUXONIS_TELEMETRY_ENABLED: "false"
GAR_LOCATION: us-central1
PACKAGE: ${{ inputs.package }}
NAME: luxonis/modelconverter-${{ inputs.package }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/python-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
permissions:
contents: read

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
deploy:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc2_publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@
branches:
- main

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc2-publish:
strategy:
Expand All @@ -16,7 +19,7 @@
version: ["2021.4.0", "2022.3.0"]

uses: ./.github/workflows/publish.yaml
secrets: inherit

Check failure on line 22 in .github/workflows/rvc2_publish.yaml

View workflow job for this annotation

GitHub Actions / semgrep/ci

Semgrep Issue

This workflow uses `secrets: inherit` to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.
with:
package: rvc2
version: ${{ matrix.version }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc2_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc2-test:
strategy:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc3_publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
branches:
- main

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc3-publish:
uses: ./.github/workflows/publish.yaml
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc3_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc3-test:
uses: ./.github/workflows/modelconverter_test.yaml
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc4_publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
branches:
- main

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc4-publish:
strategy:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rvc4_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
rvc4-test:
strategy:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/semgrep.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: Semgrep SAST Scan
on:
pull_request:

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
semgrep:
# User definable name of this GitHub Actions job.
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/unittests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
LUXONIS_TELEMETRY_ENABLED: "false"

jobs:
utils-test:
runs-on: ubuntu-latest
Expand Down
10 changes: 10 additions & 0 deletions docker/rvc2/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,16 @@ ENV IN_DOCKER=
ENV VERSION=${VERSION}
ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/python3.8/site-packages/openvino/libs/

RUN <<EOF

set -e

apt-get update
apt-get install -y --no-install-recommends git
rm -rf /var/lib/apt/lists/*

EOF


COPY --link --from=base \
/usr/lib/x86_64-linux-gnu/libcurl.so.4 \
Expand Down
10 changes: 10 additions & 0 deletions docker/rvc3/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,16 @@ WORKDIR /app
ENV IN_DOCKER=
ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/python3.8/site-packages/openvino/libs/

RUN <<EOF

set -e

apt-get update
apt-get install -y --no-install-recommends git
rm -rf /var/lib/apt/lists/*

EOF

COPY --link --from=base \
/usr/lib/x86_64-linux-gnu/libcurl.so.4 \
/usr/lib/x86_64-linux-gnu/libnghttp2.so.14 \
Expand Down
Loading