
Add Snyk Security workflow to monitor multiple tags #750


Conversation

ChristianZaccaria
Collaborator

@ChristianZaccaria ChristianZaccaria commented Oct 31, 2024

Issue link

Jira: https://issues.redhat.com/browse/RHOAIENG-14391

What changes have been made

  1. As part of setting this up, I performed a once-off task to import and monitor the codeflare-sdk tags that we continue to support in RHOAI. Snyk is now monitoring them here: [Snyk Dashboard]. For reference, the workflow used to generate this initial import/monitoring was run here: [initial workflow run].
**RHOAI 2.8**
2023.2 py3.9 (Recommended) = vv0.14.1 # This is not a typo

**RHOAI 2.10**
2024.1 py3.9 (Recommended) = v0.16.4

**RHOAI 2.11**
2024.1 py3.9 (Recommended) = v0.16.4

**RHOAI 2.13**
2024.1 py3.9 (Recommended) = v0.19.1

**RHOAI 2.14**
2024.2 py3.11 (Recommended) = v0.21.1
2024.1 py3.9 = v0.21.1

**RHOAI 2.15**
2024.2 py3.11 (Recommended) = v0.22.0
2024.1 py3.9 = v0.22.0

The above list was created based off the list of RHOAI supported versions compared to the tags in the ImageStream annotations in the notebooks repository.

I've added the Snyk secrets for authentication.

  2. Created a "Snyk Security" workflow that will trigger on push events to the main branch.

     This workflow will authenticate with Snyk from our org. Then, it will monitor the codeflare-sdk dependencies from the main branch.

  3. The release workflow will take a snapshot of the new release tag and upload the snapshot to the Snyk UI for monitoring. This is to monitor all new/recent releases.

Verification steps

Workflow run in my fork: https://github.com/ChristianZaccaria/codeflare-sdk/actions/runs/11610603721/job/32330214880

Example result: [image: Snyk - CodeFlare-SDK]

Maintainability

In terms of new release tags the release workflow will add all subsequent new release tags to Snyk UI, this way monitoring all newest tags.

In terms of older tags, RHOAI releases and their support period are listed [here]. Sometimes, the support can be extended for some of the versions. It's best to manually remove unsupported tags from time to time. There's no harm in monitoring multiple tags.

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • Testing is not required for this change
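
A GitHub Actions workflow that implements the design outlined in the description above (authenticate with Snyk via repository secrets, monitor main on push, and monitor each new release tag as its own snapshot), added here as an illustrative example; it is not the workflow from this PR. It assumes a `SNYK_TOKEN` secret and a `SNYK_ORG` secret (names assumed), that the Snyk CLI auto-detects the project's Python manifest after checkout, and that release tags start with `v` as in the list above.

```yaml
name: Snyk Security

on:
  push:
    branches: [main]   # monitor the main branch on every push
    tags: ['v*']       # monitor each new release tag as a separate Snyk project
  workflow_dispatch:   # allow a manual run, e.g. to re-import an older tag

permissions:
  contents: read       # the job only needs to read the source tree

jobs:
  snyk-monitor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installs the Snyk CLI. In production, pin this action to a commit SHA
      # instead of a moving ref so a compromised upstream cannot alter the job.
      - name: Set up Snyk CLI
        uses: snyk/actions/setup@master

      # SNYK_TOKEN is read by the CLI from the environment; it is never
      # written to the log or passed on the command line.
      - name: Upload dependency snapshot for this ref to Snyk
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed secret name
          SNYK_ORG: ${{ secrets.SNYK_ORG }}       # assumed secret name
        run: |
          # GITHUB_REF_NAME is "main" for branch pushes and e.g. "v0.22.0"
          # for tag pushes, so each tag becomes its own named project in
          # the Snyk UI while main keeps a single, continuously updated one.
          snyk monitor \
            --org="${SNYK_ORG}" \
            --project-name="codeflare-sdk/${GITHUB_REF_NAME}" \
            --target-reference="${GITHUB_REF_NAME}"
```

Older tags that are still supported can be imported once with `workflow_dispatch` from a checkout of that tag, and retired projects removed in the Snyk UI when their RHOAI support window ends, as the Maintainability section describes.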

@ChristianZaccaria ChristianZaccaria requested review from varshaprasad96 and removed request for Maxusmusti October 31, 2024 15:54

codecov bot commented Oct 31, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.00%. Comparing base (eb5ce8d) to head (6c486b7).
Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #750   +/-   ##
=======================================
  Coverage   93.00%   93.00%           
=======================================
  Files          36       36           
  Lines        2403     2403           
=======================================
  Hits         2235     2235           
  Misses        168      168           


@KPostOffice
Collaborator

Looks good, just a couple of comments 👍🏻

Contributor

@varshaprasad96 varshaprasad96 left a comment


/lgtm
The PR looks good, just a couple of questions!

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 5, 2024
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 6, 2024
@ChristianZaccaria ChristianZaccaria changed the title Add Snyk Security workflow to scan multiple tags Add Snyk Security workflow to monitor multiple tags Nov 6, 2024
@ChristianZaccaria
Collaborator Author

Enhancements based off this comment have been added:
#750 (comment)

Collaborator

@KPostOffice KPostOffice left a comment


/lgtm

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 11, 2024
Contributor

openshift-ci bot commented Nov 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: KPostOffice, Ygnas


@openshift-merge-bot openshift-merge-bot bot merged commit 9af07a0 into project-codeflare:main Nov 11, 2024
11 checks passed