stacklok
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,6 +4,10 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      otel:
+        patterns:
+          - "presidio-*"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
       run: git lfs pull
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -36,7 +36,7 @@ jobs:
 
     - name: Load cached venv
       id: cached-poetry-dependencies
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: .venv
         key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}

diff --git a/.github/workflows/feature-launcher.yml b/.github/workflows/feature-launcher.yml
@@ -1,24 +1,67 @@
 name: Automate Engineering Feature Release Campaigns
-
 on:
   issues:
     types: [labeled]
-
 jobs:
   notify-discord:
-    if: github.event.label.name == 'feature-release'
+    if: github.event.label.name == 'feature-spotlight'
     runs-on: ubuntu-latest
     steps:
       - name: Send Feature Release Notification to Discord
         env:
           DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+          SLACK_COMMUNITY_RELEASE_WEBHOOK: ${{ secrets.SLACK_COMMUNITY_RELEASE_WEBHOOK }}
+          SLACK_COMMUNITY_ENGAGEMENT_WEBHOOK: ${{ secrets.SLACK_COMMUNITY_ENGAGEMENT_WEBHOOK }}
           ISSUE_TITLE: ${{ github.event.issue.title }}
           ISSUE_BODY: ${{ github.event.issue.body }}
           ISSUE_URL: ${{ github.event.issue.html_url }}
         run: |
-          curl -H "Content-Type: application/json" \
-          -X POST \
-          -d '{
-            "content": "**🚀 New Feature Launched!**\n\n🎉 *${{ env.ISSUE_TITLE }}* is now available to try!\n📖 Description: ${{ env.ISSUE_BODY }}\n🔗 [Check it out here](${{ env.ISSUE_URL }})"
-          }' \
-          $DISCORD_WEBHOOK
+          node -e "
+            const https = require('https');
+            const discordWebhook = new URL(process.env.DISCORD_WEBHOOK);
+            const slackCommunityReleaseWebhook = new URL(process.env.SLACK_COMMUNITY_RELEASE_WEBHOOK);
+            const slackCommunityEngagementWebhook = new URL(process.env.SLACK_COMMUNITY_ENGAGEMENT_WEBHOOK);
+            const issueTitle = process.env.ISSUE_TITLE;
+            const issueBody = process.env.ISSUE_BODY;
+            const issueUrl = process.env.ISSUE_URL;
+
+            const discordPayload = {
+              content: [
+                '**🚀 ' + issueTitle + ' has been released!**',
+                '',
+                '**🌟 Whats new in CodeGate:**',
+                issueBody,
+                '',
+                'We would 🤍 your feedback! 🔗 [Here\'s the GitHub issue](' + issueUrl + ')'
+              ].join('\n')
+            };
+
+            const slackCommunityReleasePayload = {
+              text: '🚀 ' + issueTitle + ' has been released!\\n\\n 🔗 <' + issueUrl + '|Here\'s the GitHub issue>'
+            };
+            
+            const slackCommunityEngagementPayload = {
+              text: '📢 Feature ' + issueTitle + ' has been released! 🔗 <' + issueUrl + '|Here\'s the GitHub issue> \\n\\n • Reddit Advocacy Group check it out and help us spread the word! \\n\\n • Feature anchors, please engage with folks in the <https://discord.com/channels/1184987096302239844/1342205741926318080|#feature-spotlight> post for our new feature, and follow-up with interested users in <https://discord.com/channels/1184987096302239844/1331415710278221846|#ideas-and-issues> and <https://discord.com/channels/1184987096302239844/1340110387453886515|#codegate-users>'
+            };
+
+            function sendNotification(webhookUrl, payload) {
+              const req = https.request(webhookUrl, {
+                method: 'POST',
+                headers: {
+                  'Content-Type': 'application/json'
+                }
+              });
+
+              req.on('error', (error) => {
+                console.error('Error:', error);
+                process.exit(1);
+              });
+
+              req.write(JSON.stringify(payload));
+              req.end();
+            }
+
+            sendNotification(discordWebhook, discordPayload);
+            sendNotification(slackCommunityReleaseWebhook, slackCommunityReleasePayload);
+            sendNotification(slackCommunityEngagementWebhook, slackCommunityEngagementPayload);
+          "
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -19,7 +19,7 @@ permissions:
 jobs:
   docker-image:
     name: Check docker image build
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.platform == 'linux/arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     env:
       IMAGE_NAME: stacklok/codegate
       IMAGE_TAG: dev
@@ -29,12 +29,12 @@ jobs:
       - name: Set up QEMU for cross-platform builds
         # Only set up QEMU if the platform is not linux/amd64
         if: ${{ inputs.platform != 'linux/amd64' }}
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
       - name: Download artifact
         id: download-artifact
-        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
         with:
           github_token: ${{ github.token }}
           workflow: ".github/workflows/import_packages.yml"
@@ -53,7 +53,7 @@ jobs:
           git lfs pull
       - name: Test build - ${{ inputs.platform }}
         id: docker_build
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v5
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v5
         with:
           context: .
           file: ./Dockerfile
@@ -76,7 +76,7 @@ jobs:
       - name: Upload Docker image artifact
         # Only upload the image if the build was for linux/amd64, as we only need it for the integration tests
         if: ${{ inputs.platform == 'linux/amd64' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ inputs.artifact-name }}
           path: image.tar
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
@@ -22,23 +22,23 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Set up QEMU for cross-platform builds
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
       - name: Compute version number
         id: version-string
         run: |
           DATE="$(date +%Y%m%d)"
           COMMIT="$(git rev-parse --short HEAD)"
           echo "tag=0.$DATE.$GITHUB_RUN_NUMBER-ref.$COMMIT" >> "$GITHUB_OUTPUT"
       - name: Login to GHCR
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set container metadata
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         id: docker-metadata
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -57,7 +57,7 @@ jobs:
             type=semver,pattern=v{{major}}.{{minor}}
       - name: Download artifact
         id: download-artifact
-        uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
         with:
           github_token: ${{ github.token }}
           workflow: ".github/workflows/import_packages.yml"
@@ -76,7 +76,7 @@ jobs:
           git lfs pull
       - name: Build and Push Image
         id: image-build
-        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -96,7 +96,7 @@ jobs:
           echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }})" >> "$GITHUB_OUTPUT"
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
       - name: Sign the images with GitHub OIDC Token
         env:
           DIGEST: ${{ steps.image-build.outputs.digest }}

diff --git a/.github/workflows/import_packages.yml b/.github/workflows/import_packages.yml
@@ -17,7 +17,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4    
-    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+    - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
       with:
         python-version: '3.12'    
     - name: Install dependencies
@@ -47,6 +47,7 @@ jobs:
         MALICIOUS_KEY=$(jq -r '.latest.malicious_packages' manifest.json)
         DEPRECATED_KEY=$(jq -r '.latest.deprecated_packages' manifest.json)
         ARCHIVED_KEY=$(jq -r '.latest.archived_packages' manifest.json)
+        VULNERABLE_KEY=$(jq -r '.latest.vulnerable_packages' manifest.json)
         
         echo "Malicious key: $MALICIOUS_KEY"
         echo "Deprecated key: $DEPRECATED_KEY"
@@ -58,6 +59,7 @@ jobs:
         aws s3 cp s3://codegate-data-prod/$MALICIOUS_KEY /tmp/jsonl-files/malicious.jsonl --region $AWS_REGION
         aws s3 cp s3://codegate-data-prod/$DEPRECATED_KEY /tmp/jsonl-files/deprecated.jsonl --region $AWS_REGION
         aws s3 cp s3://codegate-data-prod/$ARCHIVED_KEY /tmp/jsonl-files/archived.jsonl --region $AWS_REGION
+        aws s3 cp s3://codegate-data-prod/$VULNERABLE_KEY /tmp/jsonl-files/vulnerable.jsonl --region $AWS_REGION
 
     - name: Install Poetry
       run: |
@@ -76,7 +78,7 @@ jobs:
         poetry run python scripts/import_packages.py --jsonl-dir /tmp/jsonl-files --vec-db-path /tmp/sqlite_data/vectordb.db
 
     - name: 'Upload SQLite Vector DB File'
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: sqlite_data
         path: /tmp/sqlite_data/vectordb.db

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -53,7 +53,7 @@ jobs:
           chmod -R 777 ./codegate_volume
 
       - name: Download the CodeGate container image
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
         with:
           name: ${{ inputs.artifact-name }}
 
@@ -80,6 +80,7 @@ jobs:
             -e CODEGATE_APP_LOG_LEVEL=$CODEGATE_LOG_LEVEL \
             -e CODEGATE_OLLAMA_URL=$LOCAL_OLLAMA_URL \
             -e CODEGATE_VLLM_URL=$LOCAL_VLLM_URL \
+            -e CODEGATE_DEV_ENV=true \
             --restart unless-stopped $DOCKER_IMAGE
 
           # Confirm the container started
@@ -135,7 +136,7 @@ jobs:
           sudo update-ca-certificates
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -148,7 +149,7 @@ jobs:
 
       - name: Load cached venv
         id: cached-poetry-dependencies
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: .venv
           key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}

diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
@@ -16,7 +16,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
     - name: Set up Python 3.12
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5
       with:
         python-version: "3.12" 
 

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Code Security Scan
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
         with:
           scan-type: 'fs'
           scanners: vuln,secret

diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ wheels/
 
 # Virtual Environment
 venv/
+.venv/
 env/
 ENV/
 

diff --git a/Dockerfile b/Dockerfile
@@ -27,7 +27,7 @@ COPY . /app
 RUN sed -i "s/_VERSION =.*/_VERSION = \"${CODEGATE_VERSION}\"/g" /app/src/codegate/__init__.py
 
 # Build the webapp
-FROM docker.io/library/node:23-slim@sha256:f498ea1bec900d539ddba9ae881bf5f69d9052fdefc28e50479b85e284fac54c AS webbuilder
+FROM docker.io/library/node:23-slim@sha256:b89d748ea010f4d276c9d45c750fa5f371cef3fcc7486f739f07e5aad1b998a8 AS webbuilder
 
 
 
@@ -72,6 +72,7 @@ FROM python:3.12-slim AS runtime
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libgomp1 \
     nginx \
+    gettext-base \  
     && rm -rf /var/lib/apt/lists/*
 
 # Create a non-root user
@@ -81,6 +82,7 @@ RUN useradd -m -u 1000 -r codegate
 # Set permissions for user codegate to run nginx
 RUN chown -R codegate /var/lib/nginx && \
     chown -R codegate /var/log/nginx && \
+    chown -R codegate /etc/nginx && \
     chown -R codegate /run
 
 COPY nginx.conf /etc/nginx/nginx.conf
@@ -100,6 +102,10 @@ COPY --from=builder /app /app
 
 # Copy necessary artifacts from the webbuilder stage
 COPY --from=webbuilder /usr/src/webapp/dist /var/www/html
+USER root
+RUN chown -R codegate /var/www/html
+USER codegate
+
 # Expose nginx
 EXPOSE 9090
-Original file line number
+Diff line change
@@ @@ -22,6 +22,7 @@ wheels/ @@
     # Virtual Environment
     venv/
+    .venv/
     env/
     ENV/