Add GSA

.github/actions/python_prepare/action.yaml

@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps:
     - name: Set up Python 3.10
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e
       with:
         python-version: 3.10.14
     - name: Install Poetry

.github/workflows/python_cd.yaml

@@ -17,18 +17,18 @@ jobs:
       packages: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. 
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages.
       # Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. 
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image.
       # The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta

.github/workflows/python_ci.yaml

@@ -10,7 +10,7 @@ jobs:
   mypy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
         with:
           submodules: true
       - uses: ./.github/actions/python_prepare
@@ -20,7 +20,7 @@ jobs:
   pytest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
         with:
           submodules: true
       - uses: ./.github/actions/python_prepare
@@ -30,11 +30,11 @@ jobs:
   pytest-docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - name: Extract environment variables for Docker container
         # No variables required right now, add them here if needed.
         run: |
-          echo "" >> .env 
+          echo "" >> .env
       - name: Build Dockerimage
         run: make build
       - name: Run pytest in Docker
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - name: Build and push Docker image
         uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
         with:
@@ -53,15 +53,15 @@ jobs:
   black:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: ./.github/actions/python_prepare
       - name: Check with black
         run: poetry run black --check .
 
   autoflake:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: ./.github/actions/python_prepare
       - name: Check with autoflake
         run: |
@@ -71,7 +71,7 @@ jobs:
   isort:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - uses: ./.github/actions/python_prepare
       - name: Check with isort
         run: |
@@ -85,7 +85,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
       - name: Cleanup old GHCR images
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security.yaml

@@ -0,0 +1,42 @@
+name: Security Gate
+
+on:
+    pull_request:
+
+jobs:
+    pip-audit:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+        steps:
+            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+            - uses: ./.github/actions/python_prepare
+            - name: Extract requirements from Poetry
+              run: poetry run pip freeze > requirements.txt
+            - uses: pypa/gh-action-pip-audit@1d2d6f2a660b0c6aa7f74ddc7fa05e1e07ea172f
+              with:
+                  inputs: requirements.txt
+                  ignore-vulns: |
+                      CVE-2026-25580
+
+    security:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+            - name: Checkout private action
+              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+              with:
+                  repository: gnosis/github-security-action
+                  token: ${{ secrets.GSA_GH_TOKEN }}
+                  path: .github/actions/github-security-action
+                  sparse-checkout-cone-mode: false
+                  sparse-checkout: |
+                      /*
+                      !/test*
+
+            - name: Run security action
+              uses: ./.github/actions/github-security-action
+              with:
+                  ai_api_key: ${{ secrets.GSA_AI_API_KEY }}
+                  gh_token: ${{ secrets.GSA_GH_TOKEN }}

CODEOWNERS

@@ -0,0 +1,4 @@
+# Default code owners for all files
+
+* @kongzii
+* @TS9001

labs_api/insights/insights.py

@@ -60,9 +60,9 @@ def tavily_response_to_summary(question: str, tavily_response: TavilyResponse) -
     contents = [result.content for result in tavily_response.results]
 
     llm = ChatOpenAI(
-        model="gpt-4o-2024-08-06",
+        model_name="gpt-4o-2024-08-06",
         temperature=LLM_SUPER_LOW_TEMPERATURE,
-        api_key=APIKeys().openai_api_key_secretstr_v1,
+        openai_api_key=APIKeys().openai_api_key,
     )
 
     prompt = ChatPromptTemplate.from_template(