Chore minor improvements (#130)

* chore: use `persist-credentials: false` for checkout where's possible

* chore: remove spam from trivy log

* chore: Do not perform dependency review on private repos

* chore: add output to stdout and job summary for semver action

* chore: add concurrency to examples in README.md

* chore: update Slash Command Dispatch reference in README.md

* chore: update self-dependencies

.github/workflows/generic_docker_pr.yml

@@ -56,7 +56,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected]
+          persist-credentials: false
+      - uses: epam/ai-dial-ci/actions/[email protected]
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

.github/workflows/generic_docker_release.yml

@@ -65,7 +65,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         id: semantic_versioning
 
   release:
@@ -78,14 +78,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -102,7 +102,7 @@ jobs:
             ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

.github/workflows/generic_docker_test.yml

@@ -36,6 +36,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
+          persist-credentials: false
       - name: Test
         continue-on-error: ${{ inputs.bypass_checks || inputs.bypass_style_checks }}
         shell: bash
@@ -49,6 +50,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
+          persist-credentials: false
       - uses: oss-review-toolkit/ort-ci-github-action@9acdf1e56f1b42972b12274ae56c35bf70a5f65b # v1.0.1
         env:
           CONTINUE_ON_ERROR: ${{ inputs.bypass_checks || inputs.bypass_ort }} # Hack to use the input below as a boolean

.github/workflows/java_dependency_review.yml

@@ -1,5 +1,6 @@
 name: Dependency Review
 
+# Designed to be triggered by `pull_request_target` event
 on:
   workflow_call:
     inputs:
@@ -20,7 +21,9 @@ permissions:
   contents: read
 
 jobs:
-  dependency-submission:
+  dependency-review:
+    # Do not perform dependency review on private repos - GitHub Advanced Security is not enabled
+    if: ${{ !github.event.repository.private }}
     runs-on: ubuntu-latest
     permissions:
       contents: write # to submit dependency graph
@@ -43,7 +46,7 @@ jobs:
           lfs: true
           persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}

.github/workflows/java_pr.yml

@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
@@ -88,7 +88,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected]
+          persist-credentials: false
+      - uses: epam/ai-dial-ci/actions/[email protected]
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

.github/workflows/java_release.yml

@@ -77,7 +77,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         id: semantic_versioning
 
   release:
@@ -90,22 +90,22 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
       - name: Set version
         shell: bash
         run: |
           sed -i -E "s/^([ \t]*version[ \t]*=[ \t]*)[\"'].*[\"']/\1\"${{ needs.calculate_version.outputs.next_version }}\"/g" build.gradle
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -123,7 +123,7 @@ jobs:
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
       - uses: gradle/actions/dependency-submission@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

.github/workflows/java_test.yml

@@ -52,7 +52,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}

.github/workflows/node_pr.yml

@@ -81,7 +81,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected]
+          persist-credentials: false
+      - uses: epam/ai-dial-ci/actions/[email protected]
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

.github/workflows/node_release.yml

@@ -86,7 +86,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         id: semantic_versioning
 
   release:
@@ -99,14 +99,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: true
@@ -115,7 +115,7 @@ jobs:
         shell: bash
         run: |
           npm version ${{ needs.calculate_version.outputs.next_version }} --no-git-tag-version || true # upstream branch may already be updated
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -155,7 +155,7 @@ jobs:
           IS_LATEST: ${{ needs.calculate_version.outputs.is_latest == 'true' }}
           IS_DEVELOPMENT_BRANCH: ${{ github.ref == 'refs/heads/development' }}
           IS_RELEASE_BRANCH: ${{ startsWith(github.ref, 'refs/heads/release-') }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

.github/workflows/node_test.yml

@@ -56,7 +56,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"
@@ -73,7 +73,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"
@@ -90,7 +90,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"

.github/workflows/python_docker_pr.yml

@@ -76,7 +76,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected]
+          persist-credentials: false
+      - uses: epam/ai-dial-ci/actions/[email protected]
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

.github/workflows/python_docker_release.yml

@@ -78,7 +78,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         id: semantic_versioning
 
   release:
@@ -91,7 +91,7 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -102,7 +102,7 @@ jobs:
         shell: bash
         run: |
           sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.non_semver_next_version }}\"/g" pyproject.toml
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -119,7 +119,7 @@ jobs:
             ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

.github/workflows/python_docker_test.yml

@@ -52,7 +52,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ inputs.python_version }}
           poetry_version: ${{ inputs.poetry_version }}
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ inputs.python_version }}
           poetry_version: ${{ inputs.poetry_version }}

.github/workflows/python_package_pr.yml

@@ -82,7 +82,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ inputs.python_version }}
           poetry_version: ${{ inputs.poetry_version }}

.github/workflows/python_package_release.yml

@@ -79,7 +79,7 @@ jobs:
       non_semver_next_version: ${{ steps.semantic_versioning.outputs.non_semver_next_version }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         id: semantic_versioning
 
   release:
@@ -92,14 +92,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ inputs.python_version }}
           poetry_version: ${{ inputs.poetry_version }}
@@ -114,7 +114,7 @@ jobs:
           make publish
         env:
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           tag_version: ${{ needs.calculate_version.outputs.non_semver_next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

.github/workflows/python_package_test.yml

@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ inputs.python_version }}
           poetry_version: ${{ inputs.poetry_version }}
@@ -97,7 +97,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/[email protected].3
+      - uses: epam/ai-dial-ci/actions/[email protected].4
         with:
           python_version: ${{ matrix.python-version }}
           poetry_version: ${{ inputs.poetry_version }}
@@ -141,6 +141,8 @@ jobs:
           vuln-type: ${{ inputs.scan_vuln_type }}
           severity: ${{ inputs.scan_severity }}
         continue-on-error: ${{ inputs.bypass_trivy }}
+        env:
+          TRIVY_DISABLE_VEX_NOTICE: true
       - name: Run Trivy vulnerability scanner (SARIF, may fail)
         # Do not perform SARIF scan on private repos - GitHub Advanced Security is not enabled
         if: ${{ !github.event.repository.private }}
@@ -156,6 +158,8 @@ jobs:
           severity: ${{ inputs.scan_severity }}
           limit-severities-for-sarif: true
         continue-on-error: ${{ inputs.bypass_trivy }}
+        env:
+          TRIVY_DISABLE_VEX_NOTICE: true
       - name: Upload Trivy scan results to GitHub Security tab
         # Do not upload SARIF reports on private repos - GitHub Advanced Security is not enabled
         if: ${{ !cancelled() && inputs.enable_trivy && !github.event.repository.private }}