From 9f8144eeb84ba919a54667bd4e83ef2596b14872 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:20:01 +0300
Subject: [PATCH 01/11] feat: added k8s deployment hardening tests
---
.github/workflows/run_hardering_tests.yaml | 42 ++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 .github/workflows/run_hardering_tests.yaml
diff --git a/.github/workflows/run_hardering_tests.yaml b/.github/workflows/run_hardering_tests.yaml
new file mode 100644
index 00000000..9b5378a1
--- /dev/null
+++ b/.github/workflows/run_hardering_tests.yaml
@@ -0,0 +1,42 @@
+name: Run Hardening Tests
+
+permissions:
+ contents: read
+ packages: read
+ actions: read
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ branches: [main]
+
+jobs:
+ Wait-for-images:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ workflow_name:
+ - build.yaml
+ steps:
+ - name: Wait for ${{ matrix.workflow_name }}
+ uses: netcracker/qubership-workflow-hub/actions/wait-for-workflow@3e428f45132119ce49d90f3770a45d4fe1d1078d
+ with:
+ workflow: ${{ matrix.workflow_name }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ poll-interval: 20
+ Hardening-Tests:
+ if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.user.login != 'dependabot[bot]' }}
+ needs: Wait-for-images
+ uses: Netcracker/qubership-test-pipelines/.github/workflows/pgskipper.yaml@feature/apps-hardening-scan
+ with:
+ repository_name: ${{ github.repository }}
+ service_branch: '${{ github.head_ref || github.ref_name }}'
+ pipeline_branch: 'feature/apps-hardening-scan' #this value must match the value after '@' in 'uses'
+ skip_tests: false
+ scope: 'hardening'
+ secrets:
+ AWS_S3_ACCESS_KEY_ID: ${{secrets.AWS_S3_ACCESS_KEY_ID}}
+ AWS_S3_ACCESS_KEY_SECRET: ${{secrets.AWS_S3_ACCESS_KEY_SECRET}}
+
+
From 83590deda99e75c8a4734caf66ac40e15c5351a8 Mon Sep 17 00:00:00 2001
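Review bot: `Hardening-Tests` calls the reusable workflow `Netcracker/qubership-test-pipelines/.github/workflows/pgskipper.yaml@feature/apps-hardening-scan` pinned to a mutable feature branch while handing it the repository's `AWS_S3_ACCESS_KEY_ID`/`AWS_S3_ACCESS_KEY_SECRET`, so whoever can push to that branch in the other repository can run code with those credentials on every PR; the `wait-for-workflow` action in the same file is pinned to a full SHA, and the `uses:` line should be pinned the same way once the pipeline lands (`uses: Netcracker/qubership-test-pipelines/.github/workflows/pgskipper.yaml@<full-sha> # vX.Y`), with `pipeline_branch` moved to the same ref as the inline comment already requires. `service_branch` is built from `github.head_ref`, a contributor-chosen branch name; unless pgskipper.yaml only ever passes it on as an action input and never interpolates it into a `run:` script, it is a script-injection vector, which is worth confirming in that workflow before the trigger is widened. The Dependabot guard is applied only to `Hardening-Tests`, so `Wait-for-images` still polls `build.yaml` on Dependabot PRs; placing the `if:` on `Wait-for-images` instead would skip both jobs, since the second one `needs` the first.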
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:28:47 +0300
Subject: [PATCH 02/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 04dc497b..3783c3e9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,6 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
+ if: fromJson(needs.prepare.outputs.components)
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From 12c2b4d6f83251977c05ee115972574f107618d3 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:31:46 +0300
Subject: [PATCH 03/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3783c3e9..e8395bca 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: fromJson(needs.prepare.outputs.components)
+ if: ${{ fromJson(needs.check.outputs.my_list)[0] != null }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From e72c2aac082d35a657cf1b099dcf60d3bb3513c6 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:33:19 +0300
Subject: [PATCH 04/11] chore: set trigger for hardening tests workflow
---
.github/workflows/run_hardering_tests.yaml | 28 ++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/run_hardering_tests.yaml b/.github/workflows/run_hardering_tests.yaml
index 9b5378a1..bdb8d4ad 100644
--- a/.github/workflows/run_hardering_tests.yaml
+++ b/.github/workflows/run_hardering_tests.yaml
@@ -6,9 +6,33 @@ permissions:
 actions: read
 on:
+ push:
+ branches:
+ - "main"
+ paths-ignore:
+ - "docs/**"
+ - "CODE-OF-CONDUCT.md"
+ - "CONTRIBUTING.md"
+ - "LICENSE"
+ - "README.md"
+ - "SECURITY.md"
 pull_request:
- types: [opened, synchronize, reopened]
- branches: [main]
+ branches:
+ - "**"
+ paths-ignore:
+ - "docs/**"
+ - "CODE-OF-CONDUCT.md"
+ - "CONTRIBUTING.md"
+ - "LICENSE"
+ - "README.md"
+ - "SECURITY.md"
+ workflow_dispatch:
+ inputs:
+ publish_docker:
+ description: "Publish images to ghcr.io/netcracker"
+ type: boolean
+ default: false
+ required: false
 jobs:
 Wait-for-images:
From 3902e69661821115beb31ee0bea1ca869a06ab44 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:41:42 +0300
Subject: [PATCH 05/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e8395bca..9b71a90c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ fromJson(needs.check.outputs.my_list)[0] != null }}
+ if: ${{ fromJson(needs.check.outputs.components)[0] != null }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From 123bd5ea07793f28f856c845f0570c5d8db2b05e Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:45:38 +0300
Subject: [PATCH 06/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9b71a90c..d4a26d2e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
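Review bot: The new `workflow_dispatch` input `publish_docker` is declared here but nothing in this workflow reads `inputs.publish_docker` (the file as created in the first patch never references it), so it looks copied from the build workflow and should either be removed or actually wired into the `Hardening-Tests` call. Triggering on `push` to `main` and on `pull_request` for every branch means the S3 credentials handed to the branch-pinned reusable workflow are now exercised on every merge and every same-repo PR; on PRs from forks those secrets are not available to the job, so that run would receive empty credentials and is better skipped deliberately than left to fail, e.g. `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}` on `Hardening-Tests`, combined with the existing Dependabot condition. The `jobs:` block continues past the end of the hunk.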
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ fromJson(needs.check.outputs.components)[0] != null }}
+ if: ${{ needs.check.outputs.components != '[]' }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From 7859f00280a4499a7b7335f50578334548f9e29d Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:47:49 +0300
Subject: [PATCH 07/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d4a26d2e..f7e5ba33 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ needs.check.outputs.components != '[]' }}
+ if: ${{ fromJson(needs.check.outputs.components) != fromJson('[]') }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From fa859f5824d7416e31af8df662a20425527c2f6d Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:51:29 +0300
Subject: [PATCH 08/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f7e5ba33..d4a26d2e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ fromJson(needs.check.outputs.components) != fromJson('[]') }}
+ if: ${{ needs.check.outputs.components != '[]' }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From 18d0b8936e806a910aa96abea828f95b077d7fb2 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:54:04 +0300
Subject: [PATCH 09/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d4a26d2e..d54e483e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -81,6 +81,9 @@ jobs:
 echo "components=${components}"
 echo "components=${components}" >> "$GITHUB_OUTPUT"
 echo "platforms=$(jq -c '.platforms' .github/build-config.cfg)" >> "$GITHUB_OUTPUT"
+ - name: Debug
+ run: |
+ echo "Changed components: '${{ steps.load.outputs.components }}'"
 - name: Create tags for images
 uses: netcracker/qubership-workflow-hub/actions/metadata-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 #2.0.10
From 30623b2a722168f00149b3484fa933f898276a7c Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 16:55:41 +0300
Subject: [PATCH 10/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d54e483e..f29d6179 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -81,9 +81,6 @@ jobs:
 echo "components=${components}"
 echo "components=${components}" >> "$GITHUB_OUTPUT"
 echo "platforms=$(jq -c '.platforms' .github/build-config.cfg)" >> "$GITHUB_OUTPUT"
- - name: Debug
- run: |
- echo "Changed components: '${{ steps.load.outputs.components }}'"
 - name: Create tags for images
 uses: netcracker/qubership-workflow-hub/actions/metadata-action@8d542a426ce561c7dce745f6b9cee068d1d7e101 #2.0.10
@@ -94,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ needs.check.outputs.components != '[]' }}
+ if: ${{ needs.prepare.outputs.components != '[]' }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
From c6c5a55966bbafce25a6d2860767fab3b8276b83 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 17:00:12 +0300
Subject: [PATCH 11/11] fix: fixed build.yaml workflow in case when no components changed in a commit
---
.github/workflows/build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f29d6179..054630dc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -91,7 +91,7 @@ jobs:
 replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}}
 build:
- if: ${{ needs.prepare.outputs.components != '[]' }}
+ if: ${{ needs.prepare.outputs.components != '[]' || (github.event_name == 'workflow_dispatch' || github.event_name == 'release') }}
 name: ${{ matrix.component.name }} Image Build
 needs: [prepare]
 runs-on: ubuntu-22.04
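Review bot: The final `if:` lets `build` start on `workflow_dispatch` and `release` even when `needs.prepare.outputs.components` is `'[]'`, so if the job's matrix (defined outside the hunk) is expanded from that output, those events would fail at matrix expansion with an empty `component` vector instead of being skipped; confirm that `prepare` emits the full component list for those event types, or keep the emptiness check unconditional. The string compare `!= '[]'` also treats an unset output (empty string, e.g. when `prepare` is skipped) as non-empty, so a guard of the form `if: ${{ needs.prepare.outputs.components != '' && (needs.prepare.outputs.components != '[]' || contains(fromJson('["workflow_dispatch","release"]'), github.event_name)) }}` is safer. A comment above the line such as `# skip when no buildable component changed; manual and release runs always build` would record why the event-name clause exists, which the nine identically worded fix commits in this series do not. `jobs.build` continues past the end of the hunk.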