use hash for actions; provide explicit job permissions (#922)
akashchi authored Jun 6, 2024
1 parent 87caec5 commit 659e519
Showing 12 changed files with 79 additions and 53 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/assign_issue.yml
@@ -6,6 +6,8 @@ on:
- created
- edited

permissions: read-all

jobs:
take-issue:
name: Take issue
@@ -15,7 +17,7 @@ jobs:
timeout-minutes: 10
steps:
- name: take an issue
uses: bdougie/take-action@v1.6.1
uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1
with:
message: Thank you for looking into this issue! Please let us know if you have any questions or require any help.
issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue.
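Review bot: `permissions: read-all` at the top of the workflow still grants read access on every token scope, which is more than a least-privilege default needs; `permissions: {}` or `contents: read` at workflow level, with each job declaring what it uses, would be tighter. The same line is added in the other workflows in this commit (code_style.yml, history_cuda.yml, labeler.yml, linux.yml, llama_cpp_plugin_build_and_test.yml, mac.yml, openvino_code.yml, sanitizer_cuda.yml, test_cuda.yml). In this file the `take-issue` job assigns issues and posts comments, so it presumably needs a job-level `permissions:` block with `issues: write`; the lines between the two hunks are not shown, so confirm it is there.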
6 changes: 4 additions & 2 deletions .github/workflows/code_style.yml
@@ -8,14 +8,16 @@ on:
- '.github/workflows/code_style.yml'
- 'modules/java_api/**'

permissions: read-all

jobs:
Java:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

- name: Fix code java style
uses: axel-op/googlejavaformat-action@v3
uses: axel-op/googlejavaformat-action@dbff853fb823671ec5781365233bf86543b13215 # v3
with:
args: "--set-exit-if-changed -a -i"
commit-message: "[github actions] Apply google-java-format code style fixes"
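Review bot: The `Fix code java style` step still passes `commit-message`, which suggests the action is expected to commit the formatting fixes, but with the new workflow-level `permissions: read-all` the job token cannot push. If the job is only meant to fail on unformatted code, as `--set-exit-if-changed` implies, add `skip-commit: true` and drop `commit-message`; if it is meant to push, give the `Java` job its own `permissions:` block with `contents: write`. The version comment `# v3` names a moving major tag, so recording the exact release the hash belongs to would make later bumps easier to audit.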
5 changes: 4 additions & 1 deletion .github/workflows/history_cuda.yml
@@ -7,12 +7,15 @@ on:
paths:
- 'modules/nvidia_plugin/**'
- '.github/workflows/history_cuda.yml'

permissions: read-all

jobs:
history:
runs-on: ubuntu-22.04
steps:
- name: checkout master branch
uses: actions/checkout@v3
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: master
fetch-depth: 0
4 changes: 3 additions & 1 deletion .github/workflows/labeler.yml
@@ -2,14 +2,16 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions: read-all

jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
- uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
configuration-path: '.github/labeler.yml'
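Review bot: The workflow-level `permissions: read-all` has no effect on `triage`, because the job's own `permissions:` block replaces it, so its only role is as the default for any job added later. This workflow runs on `pull_request_target`, where jobs run in the base repository's context, so a deny-by-default top level (`permissions: {}`) would be the safer fallback. A one-line comment above the job block, such as `# pull_request_target: never check out or run PR code in this workflow`, would record the constraint for future edits.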
38 changes: 20 additions & 18 deletions .github/workflows/linux.yml
@@ -15,6 +15,8 @@ concurrency:
env:
PYTHON_VERSION: '3.11'

permissions: read-all

jobs:
Build_and_test:
name: Build and Test
@@ -51,21 +53,21 @@ jobs:
apt-get install --assume-yes --no-install-recommends git git-lfs ca-certificates
- name: Clone OpenVINO
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: 'openvinotoolkit/openvino'
path: ${{ env.OPENVINO_REPO }}
submodules: 'true'
ref: 'master'

- name: Clone OpenVINO Contrib
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
path: ${{ env.OPENVINO_CONTRIB_REPO }}
submodules: 'true'

- name: Clone Testdata
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: 'openvinotoolkit/testdata'
path: ${{ env.TEST_DATA }}
@@ -81,22 +83,22 @@ jobs:
bash ${OPENVINO_REPO}/install_build_dependencies.sh
# default-jdk - Java API; unzip for gradle installation
apt install --assume-yes --no-install-recommends default-jdk libopencv-dev unzip
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
with:
gradle-version: ${{ env.GRADLE_VER }}

- name: Setup Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Install python dependencies
run: python3 -m pip install -r ${OPENVINO_REPO}/src/bindings/python/wheel/requirements-dev.txt

- name: Setup ccache
uses: actions/cache@v4
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
# Should save cache only if run in the master branch of the base repo
# github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push
@@ -179,7 +181,7 @@ jobs:
popd
- name: Upload Test Results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: test-results-java
@@ -188,15 +190,15 @@ jobs:

- name: Upload openvino package
if: ${{ always() }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: openvino_package
path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz
if-no-files-found: 'error'

- name: Upload openvino developer package
if: ${{ always() }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: openvino_developer_package
path: ${{ env.BUILD_DIR }}/openvino_developer_package.tar.gz
@@ -232,7 +234,7 @@ jobs:
run: echo 'Acquire::Retries "10";' > /etc/apt/apt.conf.d/80-retries

- name: Fetch install_build_dependencies.sh
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
sparse-checkout: |
install_build_dependencies.sh
@@ -245,13 +247,13 @@ jobs:
run: apt update && apt install -y git ca-certificates

- name: Download OpenVINO package
uses: actions/download-artifact@v4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: openvino_package
path: ${{ env.INSTALL_DIR }}

- name: Download OpenVINO Developer package
uses: actions/download-artifact@v4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: openvino_developer_package
path: ${{ env.INSTALL_DIR }}
@@ -267,7 +269,7 @@ jobs:
popd
- name: Clone OpenVINO Contrib
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
path: ${{ env.OPENVINO_CONTRIB_REPO }}

@@ -281,7 +283,7 @@ jobs:
apt -y --no-install-recommends install software-properties-common curl
- name: Setup ccache
uses: actions/cache@v4
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
# Should save cache only if run in the master branch of the base repo
# github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push
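Review bot: None of the `actions/checkout` steps re-pinned in this file set `persist-credentials: false` in the lines shown, so the job token stays in each clone's git config while later steps run `install_build_dependencies.sh`, the pip install and the build. The token is read-only after this commit, which limits the impact, but adding `persist-credentials: false` under each `with:` keeps it off disk entirely. The same applies to the checkouts in mac.yml and llama_cpp_plugin_build_and_test.yml. Several `with:` blocks continue outside the hunks, so check that it is not already set there.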
14 changes: 8 additions & 6 deletions .github/workflows/llama_cpp_plugin_build_and_test.yml
@@ -5,23 +5,25 @@ on:
paths:
- 'modules/llama_cpp_plugin/**'

permissions: read-all

jobs:
build_ubuntu20:
runs-on: ubuntu-20.04-8-cores
steps:
- name: Setup cmake
uses: jwlawson/actions-setup-cmake@v1.14
uses: jwlawson/actions-setup-cmake@d06b37b47cfd043ec794ffa3e40e0b6b5858a7ec # v1.14.2
with:
cmake-version: '3.24.x'

- name: Checkout openvino_contrib
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
submodules: recursive
path: openvino_contrib

- name: Checkout openvino
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
submodules: recursive
repository: openvinotoolkit/openvino
@@ -35,7 +37,7 @@ jobs:


- name: Upload build artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: build_artifacts
path: ${{ github.workspace }}/openvino/bin/intel64/Release/
@@ -45,13 +47,13 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Download build artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: build_artifacts
path: ${{ github.workspace }}/binaries

- name: Prepare test data - checkout llama.cpp repo
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: ggerganov/llama.cpp
path: llama.cpp
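Review bot: The `Prepare test data - checkout llama.cpp repo` step now pins the checkout action by hash, but the visible part of its `with:` block has no `ref:`, so the job would take whatever is at the head of ggerganov/llama.cpp's default branch unless a ref is set below the hunk (the step continues past the last shown line). This is a third-party repository whose contents feed the test job, so pinning it the same way, `ref: <llama.cpp commit SHA>`, would close the gap this commit closes for actions. The `Checkout openvino` step is in the same position if it tracks a branch.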
16 changes: 9 additions & 7 deletions .github/workflows/mac.yml
@@ -15,6 +15,8 @@ concurrency:
env:
PYTHON_VERSION: '3.11'

permissions: read-all

jobs:
Build_and_test:
name: Build and Test
@@ -41,20 +43,20 @@ jobs:
GRADLE_VER: '7.1.1'
steps:
- name: Clone OpenVINO
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: 'openvinotoolkit/openvino'
path: 'openvino'
submodules: 'true'
ref: 'master'

- name: Clone OpenVINO Contrib
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
path: 'openvino_contrib'

- name: Clone Testdata
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: 'openvinotoolkit/testdata'
path: 'testdata'
@@ -69,7 +71,7 @@ jobs:
run: brew install coreutils ninja scons automake gradle ccache

- name: Setup Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: ${{ env.PYTHON_VERSION }}

@@ -81,7 +83,7 @@ jobs:
#

- name: Setup ccache
uses: actions/cache@v4
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
# Should save cache only if run in the master branch of the base repo
# github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push
@@ -141,7 +143,7 @@ jobs:
popd
- name: Upload Test Results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ !cancelled() }}
with:
name: test-results-java
@@ -160,4 +162,4 @@ jobs:
contains(needs.*.result, 'failure') ||
contains(needs.*.result, 'cancelled')
}}
run: exit 1
run: exit 1
14 changes: 8 additions & 6 deletions .github/workflows/openvino_code.yml
@@ -15,15 +17,17 @@ defaults:
run:
working-directory: ./modules/openvino_code

permissions: read-all

jobs:
check_extension:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

- name: Use Node.js 16.x
uses: actions/setup-node@v3
uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
with:
node-version: '16.x'
cache: 'npm'
@@ -34,15 +36,15 @@ jobs:

- name: Run Lint
run: npm run lint:all

check_server:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

- name: Set up Python 3.8
uses: actions/setup-python@v4
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.8'
cache: 'pip'
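Review bot: `actions/setup-node` is pinned to a v3 release (`# v3.8.2`) and `actions/setup-python` to `# v4.7.1` here, while linux.yml and mac.yml in the same commit pin setup-python at `82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0`. Those older majors run on the Node 16 action runtime, which GitHub has deprecated, so these two pins will likely need another pass soon. Moving them to the current major and re-pinning by hash would keep one SHA per action across the workflows. `node-version: '16.x'` is itself an end-of-life Node line and worth a separate bump.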
2 changes: 2 additions & 0 deletions .github/workflows/sanitizer_cuda.yml
@@ -7,6 +7,8 @@ on:
- 'modules/nvidia_plugin/**'
workflow_dispatch:

permissions: read-all

jobs:
cuda-compute-sanitizer:
runs-on: lohika-ci
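Review bot: `runs-on: lohika-ci` looks like a self-hosted runner label, and the added `permissions: read-all` narrows the GITHUB_TOKEN but does not limit what a job can do on the runner host itself. test_cuda.yml in this commit uses the same label and is visibly triggered by `pull_request`, so code from a pull request runs on that machine. If the runner is not ephemeral, consider requiring approval for workflow runs from outside contributors in the repository settings and rebuilding the runner between jobs. A short comment above `runs-on:` recording that decision would help the next reviewer.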
3 changes: 3 additions & 0 deletions .github/workflows/test_cuda.yml
@@ -6,6 +6,9 @@ on:
pull_request:
paths:
- 'modules/nvidia_plugin/**'

permissions: read-all

jobs:
build:
runs-on: lohika-ci