diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml index 9cabc490d1..5b93f80dcd 100644 --- a/.github/workflows/build_docker_images.yml +++ b/.github/workflows/build_docker_images.yml @@ -23,6 +23,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v2 with: @@ -54,6 +56,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v1 with: @@ -85,6 +89,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v1 with: @@ -116,6 +122,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v1 with: @@ -147,6 +155,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v1 with: diff --git a/.github/workflows/integrations_tests.yml b/.github/workflows/integrations_tests.yml index 4bcf8d70cf..38ab96246e 100644 --- a/.github/workflows/integrations_tests.yml +++ b/.github/workflows/integrations_tests.yml @@ -19,6 +19,7 @@ jobs: with: ref: ${{ github.event.inputs.branch }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 with: 
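Review bot: The first job here logs in with `docker/login-action@v2` while the four sibling jobs in the same file (the later hunks) still use `docker/login-action@v1`, so the `persist-credentials` hardening lands on jobs whose action versions already disagree; align them on one version, `uses: docker/login-action@v2`, or better on a commit SHA with a version comment in the style the diff already uses for `tj-actions/changed-files`. `actions/checkout@v3`, `docker/setup-buildx-action@v1` and the login action are all referenced by mutable tags, which the new zizmor workflow may report under `unpinned-uses` depending on the persona it runs with. The job definitions begin outside the hunk.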
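Review bot: `persist-credentials: false` stops the token being written into `.git/config`, but the step still checks out `${{ github.event.pull_request.head.repo.full_name }}` at `${{ github.event.inputs.branch }}`, i.e. a fork's code that the following steps `pip install`, and the workflow's triggers and permissions are outside the hunk. If the trigger is `pull_request_target`, or a `workflow_dispatch` that a maintainer points at a fork ref, that fork code executes with whatever secrets the job holds, which `persist-credentials` does not mitigate; confirm the trigger is plain `pull_request` or that the job has no secrets. The two expressions also come from different event types, so at most one is populated per run and the other presumably falls back to checkout's default; a comment such as `# ref is set only by workflow_dispatch, repository only by pull_request events` would save the next reader the same puzzle.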
@@ -27,8 +28,8 @@ jobs: cache-dependency-path: "setup.py" - name: print environment variables run: | - echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" - echo "env.CI_SHA = ${{ env.CI_SHA }}" + echo "env.CI_BRANCH = ${CI_BRANCH}" + echo "env.CI_SHA = ${CI_SHA}" - name: Install dependencies run: | python -m pip install --upgrade pip @@ -55,6 +56,7 @@ jobs: with: ref: ${{ github.event.inputs.branch }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 with: @@ -63,13 +65,13 @@ jobs: cache-dependency-path: "setup.py" - name: print environment variables run: | - echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}" - echo "env.CI_SHA = ${{ env.CI_SHA }}" + echo "env.CI_BRANCH = ${CI_BRANCH}" + echo "env.CI_SHA = ${CI_SHA}" - name: Install dependencies run: | python -m pip install --upgrade pip python -m pip install .[test] - + if [ "${{ matrix.diffusers-version }}" == "main" ]; then pip install -U git+https://github.com/huggingface/diffusers.git else diff --git a/.github/workflows/nightly-bnb.yml b/.github/workflows/nightly-bnb.yml index 797ac5a9b9..0fba12dfb9 100644 --- a/.github/workflows/nightly-bnb.yml +++ b/.github/workflows/nightly-bnb.yml @@ -33,6 +33,8 @@ jobs: shell: bash steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Pip install run: | source activate peft @@ -156,6 +158,8 @@ jobs: shell: bash steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Pip install run: | source activate peft diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index d6637bed6f..7e6635b392 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -30,6 +30,8 @@ jobs: shell: bash steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Pip install run: | source activate peft 
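Review bot: The hunk moves `CI_BRANCH`/`CI_SHA` to shell-side expansion but leaves `if [ "${{ matrix.diffusers-version }}" == "main" ]` interpolated into the same `run:` block, so the step is still not uniformly injection-safe; the matrix is outside the hunk and is presumably a workflow-defined literal list, harmless today, but this is exactly the pattern zizmor's `template-injection` audit targets once a matrix is derived from an output. Declare it on the step, `env:` / `DIFFUSERS_VERSION: ${{ matrix.diffusers-version }}`, and compare `if [ "${DIFFUSERS_VERSION}" == "main" ]; then`. Note also that the `main` branch installs `git+https://github.com/huggingface/diffusers.git` unpinned, which is intentional for an integration test but means the job's dependency set is not reproducible. The `run:` block continues past the end of the hunk.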
@@ -78,6 +80,8 @@ jobs: shell: bash steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Pip install run: | source activate peft diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 02ef41c7ac..fc65794663 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -16,6 +16,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@v4 diff --git a/.github/workflows/test-docker-build.yml b/.github/workflows/test-docker-build.yml index d47c059506..33a177bba2 100644 --- a/.github/workflows/test-docker-build.yml +++ b/.github/workflows/test-docker-build.yml @@ -14,6 +14,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Get changed files id: changed-files uses: tj-actions/changed-files@1c8e6069583811afb28f97afeaf8e7da80c6be5c #v42 @@ -26,7 +28,7 @@ jobs: env: ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} run: | - echo "matrix=${{ steps.changed-files.outputs.all_changed_files}}" >> $GITHUB_OUTPUT + echo "matrix=${ALL_CHANGED_FILES}" >> $GITHUB_OUTPUT build_modified_files: needs: get_changed_files name: Build Docker images on modified files @@ -51,6 +53,8 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Check out code uses: actions/checkout@v3 + with: + persist-credentials: false - name: Build Docker image uses: docker/build-push-action@v4 with: diff --git a/.github/workflows/tests-main.yml b/.github/workflows/tests-main.yml index 7fbc3670d3..1b06083e73 100644 --- a/.github/workflows/tests-main.yml +++ b/.github/workflows/tests-main.yml @@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Python 3.11 uses: actions/setup-python@v4 with: 
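Review bot: Using `ALL_CHANGED_FILES` removes the shell injection from the `get_changed_files` step, but the value is a space-separated list of file names chosen by whoever opens the PR and it is written verbatim to `$GITHUB_OUTPUT`; a path containing a newline would inject additional output keys, and a path containing spaces splits into two matrix entries downstream. Safer is to let the pinned `tj-actions/changed-files` emit JSON (`json: true`, or `matrix: true` if the pinned `#v42` supports it) and consume it with `fromJSON` in `build_modified_files`, and at minimum quote the file, `>> "$GITHUB_OUTPUT"`. How `build_modified_files` parses this output is outside the hunk, so verify the consumer agrees on the delimiter.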
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index dcd1997d21..d96f1f6f31 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 with: @@ -39,6 +41,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v4 with: diff --git a/.github/workflows/torch_compile_tests.yml b/.github/workflows/torch_compile_tests.yml index c12f8a0be8..f93d3760d6 100644 --- a/.github/workflows/torch_compile_tests.yml +++ b/.github/workflows/torch_compile_tests.yml @@ -25,6 +25,7 @@ jobs: PEFT_DEBUG_WITH_TORCH_COMPILE: 1 CUDA_VISIBLE_DEVICES: "0" TEST_TYPE: "single_gpu_huggingface/peft-gpu-bnb-latest:latest" + USE_PYTORCH_NIGHTLY: "${{ github.event.inputs.pytorch_nightly }}" container: image: "huggingface/peft-gpu-bnb-latest:latest" options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ @@ -36,13 +37,14 @@ jobs: with: ref: ${{ github.event.inputs.branch }} repository: ${{ github.event.pull_request.head.repo.full_name }} + persist-credentials: false - name: Pip install run: | source activate peft pip install -e . --no-deps pip install pytest-cov pytest-reportlog parameterized datasets scipy einops pip install "pytest>=7.2.0,<8.0.0" # see: https://github.com/huggingface/transformers/blob/ce4fff0be7f6464d713f7ac3e0bbaafbc6959ae5/setup.py#L148C6-L148C26 - if [ "${{ github.event.inputs.pytorch_nightly }}" = "true" ]; then + if [ "${USE_PYTORCH_NIGHTLY}" = "true" ]; then python -m pip install --upgrade --pre torch --index-url https://download.pytorch.org/whl/nightly/cpu fi - name: Test compile with pytest 
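Review bot: Reading `USE_PYTORCH_NIGHTLY` from the environment fixes the inline `${{ github.event.inputs.pytorch_nightly }}` injection, but the larger exposure in this job is that it checks out `${{ github.event.pull_request.head.repo.full_name }}` and immediately runs `pip install -e .` inside a container started with `--gpus all` and a host mount of `/mnt/cache/.cache/huggingface`, which looks like a self-hosted runner with a persistent shared cache. The workflow's `on:` block is outside the hunk; if it includes `pull_request_target`, a fork's `setup.py` executes with the job's secrets and can write into that shared cache, and `persist-credentials: false` helps with neither. If the fork checkout is only meant for maintainer-dispatched runs, say so and gate it, e.g. `if: github.event_name == 'workflow_dispatch'` on the job, or put the job behind an `environment:` with required reviewers. The `Test compile with pytest` step continues past the end of the hunk.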
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 9cbbf68037..9a613bb5b7 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -11,5 +11,6 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Secret Scanning uses: trufflesecurity/trufflehog@main diff --git a/.github/workflows/upload_pr_documentation.yml b/.github/workflows/upload_pr_documentation.yml index 9793b6bfbe..380f67550d 100644 --- a/.github/workflows/upload_pr_documentation.yml +++ b/.github/workflows/upload_pr_documentation.yml @@ -13,4 +13,4 @@ jobs: package_name: peft secrets: hf_token: ${{ secrets.HF_DOC_BUILD_PUSH }} - comment_bot_token: ${{ secrets.COMMENT_BOT_TOKEN }} \ No newline at end of file + comment_bot_token: ${{ secrets.COMMENT_BOT_TOKEN }} diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000000..c9ab11998c --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,28 @@ +name: CI security linting + +on: + push: + branches: ["main"] + paths: + - '.github/**' + pull_request: + branches: ["*"] + paths: + - '.github/**' + +jobs: + zizmor: + name: zizmor latest via Cargo + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Install zizmor + run: cargo install zizmor + - name: Run zizmor + run: zizmor .github/workflows diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000000..f83c7e2b12 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + dangerous-triggers: + ignore: + # this workflow is only triggered after maintainer approval + - upload_pr_documentation.yml:3:1
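Review bot: `uses: trufflesecurity/trufflehog@main` is a mutable branch reference, so the secret scanner that is handed the full history (`fetch-depth: 0`) runs whatever upstream `main` contains at run time; pin it to a commit SHA with a version comment, in the same style as the `tj-actions/changed-files@1c8e… #v42` pin elsewhere in this diff. `persist-credentials: false` is a good addition here since the scanner step has no reason to see the token. The new zizmor workflow will likely flag this reference under `unpinned-uses` as well.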
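Review bot: `run: cargo install zizmor` fetches and builds the latest crate on every run, so the security linter itself is an unpinned, network-resolved dependency whose behaviour can change without any diff in this repository; pin an explicit `--version` and pass `--locked`, or use the maintained zizmor action pinned to a commit SHA. The job also requests `security-events: write` but runs `zizmor .github/workflows` with its default text output and never uploads SARIF, so that permission is unused and should be dropped, or the step should emit `--format sarif` and feed `github/codeql-action/upload-sarif`. With `pull_request` on `branches: ["*"]` the job runs for fork PRs, which is acceptable given `contents: read`, but be aware a fork can edit this workflow and `.github/zizmor.yml` in the same PR, so the lint result on a PR is advisory rather than a gate.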
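Review bot: The `dangerous-triggers` suppression is keyed to `upload_pr_documentation.yml:3:1`, a line:column that silently stops matching as soon as anything above line 3 of that file changes, at which point the finding reappears or, if a different finding happens to land there, the wrong one is suppressed. zizmor accepts a file-only entry, `- upload_pr_documentation.yml`, for this rule, which is the more robust choice here. The justification comment states the workflow "is only triggered after maintainer approval", but that workflow's trigger is not in this diff; name the event and the approval gate in the comment so a reviewer can verify the suppression rather than take it on trust.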