From 659e51903eb22a74d72decb41a280d0e12211bf5 Mon Sep 17 00:00:00 2001 From: Andrei Kashchikhin Date: Thu, 6 Jun 2024 14:48:42 +0100 Subject: [PATCH] use hash for actions; provide explicit job permissions (#922) --- .github/workflows/assign_issue.yml | 4 +- .github/workflows/code_style.yml | 6 ++- .github/workflows/history_cuda.yml | 5 ++- .github/workflows/labeler.yml | 4 +- .github/workflows/linux.yml | 38 ++++++++++--------- .../llama_cpp_plugin_build_and_test.yml | 14 ++++--- .github/workflows/mac.yml | 16 ++++---- .github/workflows/openvino_code.yml | 14 ++++--- .github/workflows/sanitizer_cuda.yml | 2 + .github/workflows/test_cuda.yml | 3 ++ .github/workflows/token_merging.yml | 8 ++-- .github/workflows/windows.yml | 18 +++++---- 12 files changed, 79 insertions(+), 53 deletions(-) diff --git a/.github/workflows/assign_issue.yml b/.github/workflows/assign_issue.yml index 236705e07..f466715f5 100644 --- a/.github/workflows/assign_issue.yml +++ b/.github/workflows/assign_issue.yml @@ -6,6 +6,8 @@ on: - created - edited +permissions: read-all + jobs: take-issue: name: Take issue @@ -15,7 +17,7 @@ jobs: timeout-minutes: 10 steps: - name: take an issue - uses: bdougie/take-action@v1.6.1 + uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1 with: message: Thank you for looking into this issue! Please let us know if you have any questions or require any help. issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue. diff --git a/.github/workflows/code_style.yml b/.github/workflows/code_style.yml index 382b816ea..3062416cb 100644 --- a/.github/workflows/code_style.yml +++ b/.github/workflows/code_style.yml 
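Review bot: The new `permissions: read-all` at the top of assign_issue.yml gives the take-issue job a read-only GITHUB_TOKEN, yet the bdougie/take-action step in the second hunk appears to assign the commenter to the issue (its messages talk about the ticket being "already assigned"), which presumably needs `issues: write`; unless the job declares its own `permissions:` block in the lines between the two hunks, which are not visible here, that assignment will now fail. A job-level `permissions:` replaces the workflow-level grant entirely, so the tighter shape is to keep the workflow read-only and give only this job `permissions:` / `  issues: write`. The same top-level `read-all` is added to every workflow in this patch, and it also grants read on scopes none of these jobs use (packages, deployments, security-events), so `permissions:` / `  contents: read` is the narrower default where a job only checks out code. Pinning to commit SHAs also needs a refresh path — a Dependabot `github-actions` ecosystem entry keeps the hash and the `# vX.Y.Z` comment moving together instead of rotting.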
@@ -8,14 +8,16 @@ on: - '.github/workflows/code_style.yml' - 'modules/java_api/**' +permissions: read-all + jobs: Java: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Fix code java style - uses: axel-op/googlejavaformat-action@v3 + uses: axel-op/googlejavaformat-action@dbff853fb823671ec5781365233bf86543b13215 # v3 with: args: "--set-exit-if-changed -a -i" commit-message: "[github actions] Apply google-java-format code style fixes" diff --git a/.github/workflows/history_cuda.yml b/.github/workflows/history_cuda.yml index fff641bdc..84121ce61 100644 --- a/.github/workflows/history_cuda.yml +++ b/.github/workflows/history_cuda.yml @@ -7,12 +7,15 @@ on: paths: - 'modules/nvidia_plugin/**' - '.github/workflows/history_cuda.yml' + +permissions: read-all + jobs: history: runs-on: ubuntu-22.04 steps: - name: checkout master branch - uses: actions/checkout@v3 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: master fetch-depth: 0 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index ce50c74b1..5d9f4d4df 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,6 +2,8 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: read-all + jobs: triage: permissions: @@ -9,7 +11,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: '.github/labeler.yml' diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index b08b7275f..2fff2f20d 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -15,6 +15,8 @@ concurrency: env: PYTHON_VERSION: '3.11' +permissions: read-all + jobs: Build_and_test: name: Build and Test 
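Review bot: The axel-op/googlejavaformat-action step in code_style.yml keeps its `commit-message:` input, which suggests the action pushes formatting fixes back to the branch, while the new workflow-level `permissions: read-all` hands the Java job a token that cannot push; if that commit behaviour is relied on, the job needs its own `permissions:` with `contents: write`, and if it is not, the `commit-message` key is now dead configuration and should be dropped. The pin comment `# v3` on the same line names a floating major tag rather than a release, so a reader cannot check the hash against a tag the way `# v4.1.6` allows for checkout; replace it with the exact tag that resolves to `dbff853fb823671ec5781365233bf86543b13215`, or say that the hash was taken from the v3 branch head. Note also that checkout moves from `v3` to `v4.1.6` here and in history_cuda.yml, a major-version bump folded into what the subject line describes as a pinning change; a mention in the commit message would help a later bisector.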
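Review bot: In labeler.yml the new top-level `permissions: read-all` does not tighten the triage job, because the job already carries its own `permissions:` block (ending in `pull-requests: write`) and a job-level block replaces the workflow-level one rather than intersecting with it. That is the right shape for a `pull_request_target` workflow — the write scope stays confined to the one job that labels PRs — but the relationship is easy to misread, so a comment above the job's block would help: `# Job-level permissions replace the workflow default; labelling needs PR write access.` The first scope line of that block precedes the hunk, so what else the job is granted is not visible here.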
@@ -51,7 +53,7 @@ jobs: apt-get install --assume-yes --no-install-recommends git git-lfs ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino' path: ${{ env.OPENVINO_REPO }} @@ -59,13 +61,13 @@ jobs: ref: 'master' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_CONTRIB_REPO }} submodules: 'true' - + - name: Clone Testdata - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: ${{ env.TEST_DATA }} @@ -81,22 +83,22 @@ jobs: bash ${OPENVINO_REPO}/install_build_dependencies.sh # default-jdk - Java API; unzip for gradle installation apt install --assume-yes --no-install-recommends default-jdk libopencv-dev unzip - + - name: Setup Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 with: gradle-version: ${{ env.GRADLE_VER }} - + - name: Setup Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install python dependencies run: python3 -m pip install -r ${OPENVINO_REPO}/src/bindings/python/wheel/requirements-dev.txt - + - name: Setup ccache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: # Should save cache only if run in the master branch of the base repo # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push 
@@ -179,7 +181,7 @@ jobs: popd - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-java @@ -188,7 +190,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -196,7 +198,7 @@ jobs: - name: Upload openvino developer package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_developer_package path: ${{ env.BUILD_DIR }}/openvino_developer_package.tar.gz @@ -232,7 +234,7 @@ jobs: run: echo 'Acquire::Retries "10";' > /etc/apt/apt.conf.d/80-retries - name: Fetch install_build_dependencies.sh - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | install_build_dependencies.sh @@ -245,13 +247,13 @@ jobs: run: apt update && apt install -y git ca-certificates - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO Developer package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_developer_package path: ${{ env.INSTALL_DIR }} @@ -267,7 +269,7 @@ jobs: popd - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_CONTRIB_REPO }} 
@@ -281,7 +283,7 @@ jobs: apt -y --no-install-recommends install software-properties-common curl - name: Setup ccache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: # Should save cache only if run in the master branch of the base repo # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push diff --git a/.github/workflows/llama_cpp_plugin_build_and_test.yml b/.github/workflows/llama_cpp_plugin_build_and_test.yml index 5c1a49669..ae239085d 100644 --- a/.github/workflows/llama_cpp_plugin_build_and_test.yml +++ b/.github/workflows/llama_cpp_plugin_build_and_test.yml @@ -5,23 +5,25 @@ on: paths: - 'modules/llama_cpp_plugin/**' +permissions: read-all + jobs: build_ubuntu20: runs-on: ubuntu-20.04-8-cores steps: - name: Setup cmake - uses: jwlawson/actions-setup-cmake@v1.14 + uses: jwlawson/actions-setup-cmake@d06b37b47cfd043ec794ffa3e40e0b6b5858a7ec # v1.14.2 with: cmake-version: '3.24.x' - name: Checkout openvino_contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: recursive path: openvino_contrib - name: Checkout openvino - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: recursive repository: openvinotoolkit/openvino @@ -35,7 +37,7 @@ jobs: - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: build_artifacts path: ${{ github.workspace }}/openvino/bin/intel64/Release/ 
@@ -45,13 +47,13 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: build_artifacts path: ${{ github.workspace }}/binaries - name: Prepare test data - checkout llama.cpp repo - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: ggerganov/llama.cpp path: llama.cpp diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml index 131f5b1e0..efcf159b7 100644 --- a/.github/workflows/mac.yml +++ b/.github/workflows/mac.yml @@ -15,6 +15,8 @@ concurrency: env: PYTHON_VERSION: '3.11' +permissions: read-all + jobs: Build_and_test: name: Build and Test @@ -41,7 +43,7 @@ jobs: GRADLE_VER: '7.1.1' steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino' path: 'openvino' @@ -49,12 +51,12 @@ jobs: ref: 'master' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino_contrib' - name: Clone Testdata - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: 'testdata' @@ -69,7 +71,7 @@ jobs: run: brew install coreutils ninja scons automake gradle ccache - name: Setup Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ env.PYTHON_VERSION }} 
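Review bot: The `Prepare test data - checkout llama.cpp repo` step now pins actions/checkout to a SHA but checks out `ggerganov/llama.cpp` without a visible `ref:`, so the test data still comes from wherever that repository's default branch currently points; if no `ref:` follows `path: llama.cpp` outside the hunk, the job remains one unpinned third-party input away from the reproducibility this commit is establishing. Adding `ref: <llama.cpp commit SHA>` (placeholder — use the revision the tests were validated against) under `with:` closes that gap, and the same question applies to the `Checkout openvino` step in the first hunk of this file, whose `with:` block runs past the hunk end. Because that step uses `submodules: recursive`, the chosen ref also fixes every transitive submodule revision, which is the point of pinning.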
@@ -81,7 +83,7 @@ jobs: # - name: Setup ccache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: # Should save cache only if run in the master branch of the base repo # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push @@ -141,7 +143,7 @@ jobs: popd - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-java @@ -160,4 +162,4 @@ jobs: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} - run: exit 1 \ No newline at end of file + run: exit 1 diff --git a/.github/workflows/openvino_code.yml b/.github/workflows/openvino_code.yml index 9b6772fa4..f68758fe4 100644 --- a/.github/workflows/openvino_code.yml +++ b/.github/workflows/openvino_code.yml @@ -15,15 +15,17 @@ defaults: run: working-directory: ./modules/openvino_code +permissions: read-all + jobs: check_extension: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Use Node.js 16.x - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: '16.x' cache: 'npm' @@ -34,15 +36,15 @@ jobs: - name: Run Lint run: npm run lint:all - + check_server: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 - + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Set up Python 3.8 - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.8' cache: 'pip' diff --git a/.github/workflows/sanitizer_cuda.yml b/.github/workflows/sanitizer_cuda.yml index b1463e88a..890425ee6 100644 --- a/.github/workflows/sanitizer_cuda.yml +++ b/.github/workflows/sanitizer_cuda.yml 
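Review bot: openvino_code.yml pins actions/setup-python to `65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1` while linux.yml, mac.yml, windows.yml and token_merging.yml in the same patch pin `82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0`; carrying two majors of the same action means two hashes to track and two upgrade paths. Unless the `check_server` job depends on v4-only behaviour, use `uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0` here as well. The `Use Node.js 16.x` step likewise stays on setup-node `v3.8.2` with `node-version: '16.x'`; Node 16 is past end-of-life, so this pin freezes an unsupported runtime for the lint job and deserves a `# TODO: move to a supported Node line` comment until the extension's toolchain allows the upgrade.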
@@ -7,6 +7,8 @@ on: - 'modules/nvidia_plugin/**' workflow_dispatch: +permissions: read-all + jobs: cuda-compute-sanitizer: runs-on: lohika-ci diff --git a/.github/workflows/test_cuda.yml b/.github/workflows/test_cuda.yml index d2c7b38c3..da96f1bcf 100644 --- a/.github/workflows/test_cuda.yml +++ b/.github/workflows/test_cuda.yml @@ -6,6 +6,9 @@ on: pull_request: paths: - 'modules/nvidia_plugin/**' + +permissions: read-all + jobs: build: runs-on: lohika-ci diff --git a/.github/workflows/token_merging.yml b/.github/workflows/token_merging.yml index 158763b04..c24cdde1e 100644 --- a/.github/workflows/token_merging.yml +++ b/.github/workflows/token_merging.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: read-all + jobs: Precommit: strategy: @@ -25,9 +27,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python-version }} - name: Create and start a virtual environment @@ -42,4 +44,4 @@ jobs: - name: Run test run: | source venv/bin/activate - python -m pytest modules/token_merging/tests/ \ No newline at end of file + python -m pytest modules/token_merging/tests/ diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 9ab97d732..464a608f3 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -16,6 +16,8 @@ concurrency: env: PYTHON_VERSION: '3.11' +permissions: read-all + jobs: Build_and_test: name: Build and Test 
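Review bot: test_cuda.yml and sanitizer_cuda.yml now carry `permissions: read-all`, but both jobs run on the self-hosted `lohika-ci` runner and test_cuda is triggered by `pull_request` on `modules/nvidia_plugin/**`, so the token scope is not the main exposure: pull-request code executes on infrastructure the project owns, and a read-only token does not stop a hostile PR from reading whatever the runner can reach or from persisting on it. It would be worth recording next to `runs-on: lohika-ci` what protects the runner — e.g. `# self-hosted; fork PRs need maintainer approval and the runner is ephemeral (confirm)` — and confirming in repository settings that workflows from forks require approval before they run. sanitizer_cuda.yml's trigger block starts before its hunk, so whether it also runs on `pull_request` is not visible here.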
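Review bot: token_merging.yml moves actions/checkout from `v2` to `v4.1.6` and actions/setup-python from `v2` to `v5.1.0` in the same lines that pin them, two major-version upgrades under a subject line that only speaks of hashes. They are very likely fine, since the other workflows already used v4/v5, but nothing in the diff tells a later bisector that behaviour changed here; a remark in the commit message or a `# upgraded from v2 while pinning` note on these two lines would make it visible. The `python-version: ${{ matrix.python-version }}` input is only as safe as the matrix values themselves, which are defined before the hunk — if any of them is an unquoted `3.10`-style number, YAML reads it as `3.1` before setup-python ever sees it, so check that the matrix quotes its versions.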
@@ -43,7 +45,7 @@ jobs: run: git config --system core.longpaths true - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino' path: ${{ env.OPENVINO_REPO }} @@ -51,13 +53,13 @@ jobs: ref: 'master' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_CONTRIB_REPO }} submodules: 'true' - name: Clone Testdata - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: ${{ env.TEST_DATA }} @@ -69,12 +71,12 @@ jobs: # - name: Setup Gradle - uses: gradle/actions/setup-gradle@v3 + uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 with: gradle-version: ${{ env.GRADLE_VER }} - name: Setup Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ env.PYTHON_VERSION }} cache: 'pip' @@ -97,7 +99,7 @@ jobs: # - name: Configure Developer Command Prompt for Microsoft Visual C++ - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Download and install ccache run: | @@ -107,7 +109,7 @@ jobs: Add-Content -Path $env:GITHUB_PATH -Value "C:\ccache" - name: Setup ccache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: # Should save cache only if run in the master branch of the base repo # github.ref_name is 'ref/PR_#' in case of the PR, and 'branch_name' when executed on push 
@@ -184,7 +186,7 @@ jobs: CUSTOM_OP_LIB: ${{ env.OPENVINO_REPO }}/bin/intel64/${{ env.CMAKE_BUILD_TYPE }}/user_ov_extensions.dll - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-java