diff --git a/.github/actions/build-and-test-feature/action.yml b/.github/actions/build-and-test-feature/action.yml index 6f3e73ce6..9dbc8f292 100644 --- a/.github/actions/build-and-test-feature/action.yml +++ b/.github/actions/build-and-test-feature/action.yml @@ -25,10 +25,11 @@ runs: - name: Test feature shell: bash run: | - devcontainer features test ${{ inputs.args }} ./features; + devcontainer features test $ARGS ./features; env: NODE_NO_WARNINGS: 1 VAULT_S3_TTL: "900" # 15 minutes + ARGS: ${{ inputs.args }} gh_token: "${{ inputs.gh_token }}" aws_role_arn: "${{ inputs.aws_role_arn }}" rw_sccache_bucket: "${{ inputs.rw_sccache_bucket }}" diff --git a/.github/actions/build-windows-image/action.yml b/.github/actions/build-windows-image/action.yml index a22088bf2..f6e7d9082 100644 --- a/.github/actions/build-windows-image/action.yml +++ b/.github/actions/build-windows-image/action.yml @@ -38,11 +38,18 @@ runs: steps: - name: Build ${{ inputs.repo }}:${{ inputs.tag }} shell: powershell + env: + REPO: ${{ inputs.repo }} + CL: ${{ inputs.cl }} + CUDA: ${{ inputs.cuda }} + VERSION: ${{ inputs.version }} + ISOLATION: ${{ inputs.isolation }} + EDITION: ${{ inputs.edition }} run: | .\windows\build-windows-image.ps1 ` - -repo ${{ inputs.repo }} ` - -clVersion ${{ inputs.cl }} ` - -cudaVersion ${{ inputs.cuda }} ` - -repoVersion ${{ inputs.version }} ` - -isolation ${{ inputs.isolation }} ` - -edition windows${{ inputs.edition }} + -repo $env:REPO ` + -clVersion $env:CL ` + -cudaVersion $env:CUDA ` + -repoVersion $env:VERSION ` + -isolation $env:ISOLATION ` + -edition windows$env:EDITION diff --git a/.github/actions/devcontainer-json/action.yml b/.github/actions/devcontainer-json/action.yml index 53ba45da2..c6876f558 100644 --- a/.github/actions/devcontainer-json/action.yml +++ b/.github/actions/devcontainer-json/action.yml 
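Review bot: `devcontainer features test $ARGS ./features;` leaves `$ARGS` unquoted, so bash word-splits and glob-expands the input; if that is intended because one input carries several CLI flags, say so on the line above, e.g. `# ARGS is intentionally unquoted: it may carry several flags`, otherwise `"$ARGS"` keeps it as one argument. Moving the expression out of the script body and into `env:` is the substantive gain of this hunk, since the value is no longer spliced into shell source.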
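Review bot: The new step env names `CL`, `CUDA` and `VERSION` are generic, and `CL` in particular is read by the MSVC compiler driver (cl.exe prepends the variable's contents to its own command line), so any host-side compile inside that step would receive a version string as compiler options; whether cl.exe actually runs on the host in build-windows-image.ps1 is not visible here. A namespaced prefix avoids the collision and matches the `INPUT_*` convention used in devcontainer-json/action.yml, e.g. `INPUT_CL: ${{ inputs.cl }}` with `-clVersion $env:INPUT_CL`. The same bare names are introduced in test-windows-image/action.yml.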
@@ -26,12 +26,16 @@ runs: - id: json name: Make image/.devcontainer/devcontainer.json shell: bash + env: + INPUT_OS: ${{ inputs.os }} + INPUT_FEATURES: ${{ inputs.features }} + INPUT_CONTAINER_ENV: ${{ inputs.container_env }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/devcontainer-json/action.sh \ - '${{ inputs.os }}' \ - '${{ inputs.features }}' \ - '${{ inputs.container_env }}' \ + "$INPUT_OS" \ + "$INPUT_FEATURES" \ + "$INPUT_CONTAINER_ENV" \ 3>> "$GITHUB_OUTPUT" \ 4> image/.devcontainer/devcontainer.json.out ; diff --git a/.github/actions/feature-matrix/action.yml b/.github/actions/feature-matrix/action.yml index 3ebc2b7a8..c69b2cd47 100644 --- a/.github/actions/feature-matrix/action.yml +++ b/.github/actions/feature-matrix/action.yml @@ -36,14 +36,17 @@ runs: - name: Report changes if: inputs.full_matrix != 'true' shell: bash - run: echo '${{ toJSON(steps.changes.outputs) }}' + run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection] - name: Determine the feature matrix id: matrix shell: bash + env: + FULL_MATRIX: ${{ inputs.full_matrix }} + CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/feature-matrix/action.sh \ - '${{ inputs.full_matrix }}' \ - '${{ steps.changes.outputs.all_changed_and_modified_files }}' \ + "$FULL_MATRIX" \ + "$CHANGED_FILES" \ | tee -a "$GITHUB_OUTPUT"; diff --git a/.github/actions/free-disk-space/action.yml b/.github/actions/free-disk-space/action.yml index d7ebb43da..d6f2b9d60 100644 --- a/.github/actions/free-disk-space/action.yml +++ b/.github/actions/free-disk-space/action.yml @@ -13,6 +13,8 @@ runs: steps: - name: Free up disk space shell: bash --noprofile --norc -x -eo pipefail {0} + env: + TOOL_CACHE: ${{ inputs.tool_cache }} run: | df -h; docker images; 
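Review bot: `run: echo '${{ toJSON(steps.changes.outputs) }}'` remains a shell injection with `zizmor: ignore[template-injection]` on it: the JSON carries changed file paths, and a path containing a single quote closes the literal and the remainder runs as shell, so the suppression hides the finding rather than resolving it. The same two-line move applied to the matrix step fixes it: `env: CHANGES: ${{ toJSON(steps.changes.outputs) }}` and `run: echo "$CHANGES"`. The identical suppressed line exists in image-matrix/action.yml.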
@@ -37,11 +39,11 @@ runs: sudo rm -rf /usr/local/share/chromium; sudo rm -rf /usr/local/share/powershell; sudo rm -rf /home/linuxbrew/.linuxbrew; - sudo rm -rf ${{ inputs.tool_cache }}/go; - sudo rm -rf ${{ inputs.tool_cache }}/Ruby; - sudo rm -rf ${{ inputs.tool_cache }}/PyPy; - sudo rm -rf ${{ inputs.tool_cache }}/CodeQL; - sudo rm -rf ${{ inputs.tool_cache }}/Python; + sudo rm -rf $TOOL_CACHE/go; + sudo rm -rf $TOOL_CACHE/Ruby; + sudo rm -rf $TOOL_CACHE/PyPy; + sudo rm -rf $TOOL_CACHE/CodeQL; + sudo rm -rf $TOOL_CACHE/Python; docker rmi $(docker image ls -aq) || true; docker images; df -h; diff --git a/.github/actions/get-pr-info/action.yml b/.github/actions/get-pr-info/action.yml index 737380bd2..57992d174 100644 --- a/.github/actions/get-pr-info/action.yml +++ b/.github/actions/get-pr-info/action.yml @@ -13,7 +13,7 @@ outputs: runs: using: "composite" steps: - - uses: actions/github-script@v7 + - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 id: get-pull-request with: retries: 3 @@ -23,12 +23,12 @@ runs: repo: context.repo.repo, owner: context.repo.owner, pull_number: (() => { - switch('${{ github.event_name }}') { + switch(context.eventName) { case 'pull_request': case 'pull_request_target': - return '${{ github.ref }}'.split('/')[2]; + return context.ref.split('/')[2]; case 'push': - const branch = '${{ github.ref_name }}'; + const branch = context.ref.replace(/^refs\/(heads|tags)\//, ''); if (!branch.match(new RegExp('^pull-request/[0-9]+$'))) { throw new Error(`${branch} does not match PR branch pattern.`); } diff --git a/.github/actions/image-matrix/action.yml b/.github/actions/image-matrix/action.yml index 9c3588556..c5e64a2ba 100644 --- a/.github/actions/image-matrix/action.yml +++ b/.github/actions/image-matrix/action.yml 
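Review bot: `sudo rm -rf $TOOL_CACHE/go;` and the four lines below it expand `$TOOL_CACHE` unquoted under a shell that has `-e` but not `-u`, so an empty `tool_cache` input silently becomes `sudo rm -rf /go` and so on, and a value containing spaces removes the wrong paths. Quote each use, `sudo rm -rf "$TOOL_CACHE/go";`, and guard once before the block with `: "${TOOL_CACHE:?tool_cache input is required}";`. The run block begins in the previous hunk.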
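Review bot: The rewritten switch reads `context.eventName` and `context.ref` instead of interpolating `${{ }}` values into the script source, but nothing records why, so a later edit could reintroduce the interpolation; a comment above `pull_number: (() => {` such as `// derive from context, never from ${{ }}, so event data is not spliced into script source` would document the intent. `const branch` inside `case 'push':` without braces is scoped to the whole switch; `case 'push': {` with a closing `}` after the return is the tidier form. The switch continues past the end of the hunk.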
@@ -44,16 +44,21 @@ runs: - name: Report changes if: inputs.full_matrix != 'true' shell: bash - run: echo '${{ toJSON(steps.changes.outputs) }}' + run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection] - name: Determine the image matrix id: matrix shell: bash + env: + FULL_MATRIX: ${{ inputs.full_matrix }} + FEATURES: ${{ inputs.features || '[]' }} + SCENARIOS: ${{ inputs.scenarios || '[]' }} + CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/image-matrix/action.sh \ - '${{ inputs.full_matrix }}' \ - '${{ inputs.features || '[]' }}' \ - '${{ inputs.scenarios || '[]' }}' \ - '${{ steps.changes.outputs.all_changed_and_modified_files }}' \ + "$FULL_MATRIX" \ + "$FEATURES" \ + "$SCENARIOS" \ + "$CHANGED_FILES" \ | tee -a $GITHUB_OUTPUT; diff --git a/.github/actions/install-devcontainers-cli/action.yml b/.github/actions/install-devcontainers-cli/action.yml index 2a14ffaf6..934c88ffc 100644 --- a/.github/actions/install-devcontainers-cli/action.yml +++ b/.github/actions/install-devcontainers-cli/action.yml @@ -6,7 +6,7 @@ runs: using: composite steps: - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' - name: Install devcontainers CLI diff --git a/.github/actions/setup-runner-env/action.yml b/.github/actions/setup-runner-env/action.yml index a6ede0d22..3d819c598 100644 --- a/.github/actions/setup-runner-env/action.yml +++ b/.github/actions/setup-runner-env/action.yml @@ -7,7 +7,7 @@ runs: steps: - name: Dump environment shell: bash -eo pipefail {0} - run: | + run: | # zizmor: ignore[template-injection] echo "env: ${{ toJSON(env) }}" echo "runner: '${{ toJSON(runner) }}'" 
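Review bot: `| tee -a $GITHUB_OUTPUT;` leaves `$GITHUB_OUTPUT` unquoted while the parallel line in feature-matrix/action.yml writes `tee -a "$GITHUB_OUTPUT"`; the runner temp path is not guaranteed to be free of spaces, so quote it for consistency: `| tee -a "$GITHUB_OUTPUT";`. Carrying the `|| '[]'` defaults into the `FEATURES` and `SCENARIOS` env entries is fine.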
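Review bot: `echo "env: ${{ toJSON(env) }}"` splices the serialized env map inside double quotes, so `$`, backticks or escaped quotes in any env value are interpreted by bash; the `zizmor: ignore[template-injection]` on the `run:` line suppresses the finding without removing the injection. Pass the JSON through the step env instead, `env: ENV_JSON: ${{ toJSON(env) }}` and `echo "env: $ENV_JSON"`, and do the same for the `toJSON(runner)` line. The run block continues past the end of the hunk.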
@@ -20,19 +20,19 @@ runs: - if: runner.environment == 'self-hosted' name: Setup self-hosted runner environment shell: bash -eo pipefail {0} - run: | - echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV; - echo "TMPDIR=${{ runner.temp }}" >> $GITHUB_ENV; + run: | # zizmor: ignore[github-env] + echo "HOME=$RUNNER_WORKSPACE" >> "$GITHUB_ENV"; + echo "TMPDIR=$RUNNER_TEMP" >> "$GITHUB_ENV"; - if: runner.environment == 'self-hosted' name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' - if: runner.environment != 'self-hosted' name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Create docker context shell: bash @@ -40,14 +40,14 @@ runs: - if: runner.environment != 'self-hosted' name: Setup docker buildx on github-hosted runners - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: buildkitd-flags: --debug endpoint: builder - if: runner.environment == 'self-hosted' name: Setup docker buildx on self-hosted runners - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: buildkitd-flags: --debug --config /etc/buildkit/buildkitd.toml endpoint: builder diff --git a/.github/actions/test-windows-image/action.yml b/.github/actions/test-windows-image/action.yml index 21c0b56fe..f59e9c5fb 100644 --- a/.github/actions/test-windows-image/action.yml +++ b/.github/actions/test-windows-image/action.yml 
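Review bot: The `zizmor: ignore[github-env]` on `run: |` carries no rationale, unlike the suppression added in trigger-breaking-change-alert.yaml; the reason it is acceptable is that `$RUNNER_WORKSPACE` and `$RUNNER_TEMP` are set by the runner rather than derived from event data. Record that above the step, e.g. `# HOME/TMPDIR are built only from runner-provided paths, hence the github-env suppression`, so the next reader does not have to re-derive it.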
@@ -38,11 +38,18 @@ runs: steps: - name: Test ${{ inputs.repo }}:${{ inputs.tag }} shell: powershell + env: + REPO: ${{ inputs.repo }} + CL: ${{ inputs.cl }} + CUDA: ${{ inputs.cuda }} + VERSION: ${{ inputs.version }} + ISOLATION: ${{ inputs.isolation }} + EDITION: ${{ inputs.edition }} run: | .github\actions\test-windows-image\action.ps1 ` - -repo ${{ inputs.repo }} ` - -clVersion ${{ inputs.cl }} ` - -cudaVersion ${{ inputs.cuda }} ` - -repoVersion ${{ inputs.version }} ` - -isolation ${{ inputs.isolation }} ` - -edition windows${{ inputs.edition }} + -repo $env:REPO ` + -clVersion $env:CL ` + -cudaVersion $env:CUDA ` + -repoVersion $env:VERSION ` + -isolation $env:ISOLATION ` + -edition windows$env:EDITION diff --git a/.github/workflows/build-all-rapids-repos.yml b/.github/workflows/build-all-rapids-repos.yml index 8279d0631..5bd11378f 100644 --- a/.github/workflows/build-all-rapids-repos.yml +++ b/.github/workflows/build-all-rapids-repos.yml @@ -5,9 +5,12 @@ on: - cron: '0 0 * * *' workflow_call: +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} @@ -27,8 +30,8 @@ jobs: name: ${{ matrix.libs }} if: needs.check-event.outputs.ok == 'true' needs: check-event - secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main + secrets: inherit # zizmor: ignore[secrets-inherit] + uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses] permissions: actions: read packages: read diff --git a/.github/workflows/build-and-test-feature.yml b/.github/workflows/build-and-test-feature.yml index 390637a86..1608e3f91 100644 --- a/.github/workflows/build-and-test-feature.yml +++ b/.github/workflows/build-and-test-feature.yml 
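Review bot: `secrets: inherit` next to `uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main` hands every repository secret to whatever the `main` branch of another repository contains at run time, and both zizmor findings are suppressed rather than resolved, which is at odds with the SHA pinning applied to every other action in this commit. Pin the reusable workflow to a commit, `uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@<pinned sha> # <tag>`, and prefer passing the secrets it declares explicitly over `inherit`. The same pair of suppressions appears in test-rapids-build-times.yml and trigger-breaking-change-alert.yaml.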
@@ -22,12 +22,12 @@ jobs: arch: [amd64, arm64] steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/build-test-and-push-linux-image.yml b/.github/workflows/build-test-and-push-linux-image.yml index 86246f87c..8085db288 100644 --- a/.github/workflows/build-test-and-push-linux-image.yml +++ b/.github/workflows/build-test-and-push-linux-image.yml @@ -41,7 +41,7 @@ jobs: version: ${{ steps.json.outputs.version }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -58,7 +58,7 @@ jobs: container_env: "${{ inputs.container_env }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} @@ -80,7 +80,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/build-test-and-push-windows-image.yml b/.github/workflows/build-test-and-push-windows-image.yml index 88ce0710d..78beabcce 100644 --- a/.github/workflows/build-test-and-push-windows-image.yml 
+++ b/.github/workflows/build-test-and-push-windows-image.yml @@ -37,7 +37,7 @@ jobs: - { edition: "2022", runner: "${{ github.repository != 'rapidsai/devcontainers' && 'windows-2022' || 'windows-amd64-cpu4' }}" } steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -45,10 +45,15 @@ jobs: - id: info name: Get container info shell: bash + env: + INPUT_REPO: ${{ inputs.repo }} + INPUT_OS: ${{ inputs.os }} + MATRIX_EDITION: ${{ matrix.edition }} + INPUT_FEATURES: ${{ inputs.features }} run: | - repo="${{ inputs.repo }}"; - cl="${{ fromJSON(inputs.features)[1].version }}"; - cuda="${{ fromJSON(inputs.features)[0].version }}"; + repo="$INPUT_REPO"; + cl="$(echo "$INPUT_FEATURES" | jq -r '.[1].version')"; + cuda="$(echo "$INPUT_FEATURES" | jq -r '.[0].version')"; version="$(git describe --abbrev=0 --tags | sed 's/[a-zA-Z]//g' | cut -d '.' -f -2)"; base_tag="cuda${cuda}-cl${cl}"; tag_without_os="${version}-${base_tag}"; @@ -59,11 +64,11 @@ jobs: version=${version} base_tag=${base_tag} tag_without_os=${tag_without_os} - tag=${tag_without_os}-${{ inputs.os }}${{ matrix.edition }} + tag=${tag_without_os}-${INPUT_OS}${MATRIX_EDITION} EOF - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} 
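Review bot: `cl="$(echo "$INPUT_FEATURES" | jq -r '.[1].version')"` and the `cuda` line below it print the string `null` when the features array is shorter than expected or an element lacks `version`, and the step then produces a tag such as `cudanull-clnull` instead of failing. `jq -er` exits non-zero on a null result, which `-e` and `pipefail` turn into a step failure: `cl="$(jq -er '.[1].version' <<<"$INPUT_FEATURES")";`. Indexing by position also assumes a fixed feature order; a comment naming that assumption would help. The run block continues past the end of the hunk.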
@@ -91,16 +96,26 @@ jobs: - if: inputs.push == 'true' name: Push ${{ steps.info.outputs.tag }} shell: powershell + env: + REPO: ${{ steps.info.outputs.repo }} + TAG: ${{ steps.info.outputs.tag }} + TAG_WITHOUT_OS: ${{ steps.info.outputs.tag_without_os }} run: | - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }} - docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }} - docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:${env:TAG_WITHOUT_OS} + docker push ${env:REPO}:${env:TAG_WITHOUT_OS} + docker push ${env:REPO}:${env:TAG} - if: inputs.push == 'true' && github.ref_name == 'main' name: Push latest-${{ steps.info.outputs.base_tag }} shell: powershell + env: + REPO: ${{ steps.info.outputs.repo }} + TAG: ${{ steps.info.outputs.tag }} + BASE_TAG: ${{ steps.info.outputs.base_tag }} + INPUT_OS: ${{ inputs.os }} + MATRIX_EDITION: ${{ matrix.edition }} run: | - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }} - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }} - docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }} - docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG} + docker push ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION} + docker push ${env:REPO}:latest-${env:BASE_TAG} 
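Review bot: Under `shell: powershell` only the exit code of the last native command is propagated (the step wrapper appends a single `exit $LASTEXITCODE` check at the end, as far as I recall), so if `docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:${env:TAG_WITHOUT_OS}` or the first `docker push` fails while the final push succeeds, the step is green with an image missing. Follow each docker call in both push steps with `if ($LASTEXITCODE) { exit $LASTEXITCODE }`. The switch to `${env:…}` references is otherwise correct.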
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d935a3eee..b833cdc66 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,9 @@ jobs: pull-requests: write steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Copy common scripts into features uses: ./.github/actions/copy-common-scripts @@ -29,7 +31,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Generate feature docs - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: generate-docs: true publish-features: false diff --git a/.github/workflows/release-features.yml b/.github/workflows/release-features.yml index 53b2e788a..f4bbd1c66 100644 --- a/.github/workflows/release-features.yml +++ b/.github/workflows/release-features.yml @@ -13,7 +13,9 @@ jobs: packages: write steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Copy common scripts into features uses: ./.github/actions/copy-common-scripts @@ -22,7 +24,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Release features - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: generate-docs: true publish-features: true diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index a8daee82e..e5dbd7166 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml 
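Review bot: `persist-credentials: false` on the docs.yml checkout (and on the release-features.yml one below) is the right hardening, but the following `devcontainers/action` step with `generate-docs: true` commits and pushes generated docs; if it pushes through the checkout's stored git credential rather than a token input, it will now fail with an authentication error. Confirm how that action authenticates, and if needed pass the token through the action's own input rather than re-enabling persisted credentials. The job's `pull-requests: write` grant suggests it works through the API, which would be unaffected.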
@@ -7,17 +7,21 @@ concurrency: on: workflow_dispatch: +permissions: {} + jobs: features-matrix: name: Determine features matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: features: "${{ steps.matrix.outputs.features }}" scenarios: "${{ steps.matrix.outputs.scenarios }}" steps: - name: "Checkout ${{ github.repository }}" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -34,12 +38,14 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -56,7 +62,9 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: fail-fast: false diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 3c29f7561..f42e5328f 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -7,16 +7,20 @@ concurrency: on: workflow_dispatch: +permissions: {} + jobs: image-matrix: name: Determine image matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false 
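Review bot: The `permissions: contents: read` added to the `uses: ./.github/workflows/build-test-and-push-linux-image.yml` caller caps what the called workflow can request; test.yml grants its build-all-rapids-repos caller `id-token: write` and `packages: read`, and the build-and-test-feature action takes an `aws_role_arn` input, so the image and feature workflows may rely on OIDC or registry access that `contents: read` alone will now deny. Verify each called workflow's actual needs before merging; the same minimal grant is applied in release-windows.yml, release.yml and test.yml. The top-level `permissions: {}` baseline in each file is the right default.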
@@ -31,7 +35,9 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5211d3bfc..2c43f1e71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,9 +13,12 @@ on: tags: - "v[0-9][0-9].[0-9][0-9].[0-9][0-9]" +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} @@ -35,13 +38,15 @@ jobs: name: Determine features matrix if: needs.check-event.outputs.ok == 'true' needs: check-event + permissions: + contents: read runs-on: ubuntu-latest outputs: features: "${{ steps.matrix.outputs.features }}" scenarios: "${{ steps.matrix.outputs.scenarios }}" steps: - name: "Checkout ${{ github.repository }}" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -58,13 +63,15 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -81,7 +88,9 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name || 'Linux' }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: fail-fast: false 
@@ -97,7 +106,9 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name || 'Windows' }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false @@ -113,5 +124,8 @@ jobs: if: needs.features-matrix.outputs.features != '[]' || needs.features-matrix.outputs.scenarios != '[]' name: Features needs: features-matrix - secrets: inherit + permissions: + contents: read + packages: write + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/release-features.yml diff --git a/.github/workflows/test-rapids-build-times.yml b/.github/workflows/test-rapids-build-times.yml index 020d4a045..813f010e7 100644 --- a/.github/workflows/test-rapids-build-times.yml +++ b/.github/workflows/test-rapids-build-times.yml @@ -12,9 +12,12 @@ on: required: false default: cpu32 +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} @@ -31,8 +34,8 @@ jobs: name: ${{ matrix.name }} if: needs.check-event.outputs.ok == 'true' needs: check-event - secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main + secrets: inherit # zizmor: ignore[secrets-inherit] + uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses] permissions: actions: read packages: read diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 99af3309f..9800a7b4b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,9 +10,12 @@ on: branches: - "pull-request/[0-9]+" +permissions: {} + jobs: check-event: name: Check PR Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_pr_event.outputs.ok }} 
@@ -26,21 +29,43 @@ jobs: && echo "ok=true" | tee -a "$GITHUB_OUTPUT" \ || echo "ok=false" | tee -a "$GITHUB_OUTPUT"; + pre-commit: + name: pre-commit + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout ${{ github.repository }} + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - name: Run pre-commit + run: pip install pre-commit && pre-commit run --all-files + build-all-rapids-repos: if: needs.check-event.outputs.ok == 'true' && github.repository_owner == 'rapidsai' name: Build needs: check-event - secrets: inherit + permissions: + contents: read + actions: read + packages: read + id-token: write + pull-requests: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-all-rapids-repos.yml validate-features-json: if: needs.check-event.outputs.ok == 'true' name: Validate Features needs: check-event + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false @@ -48,7 +73,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Validate devcontainer-feature.json files - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: validate-only: true base-path-to-features: "./features/src" @@ -56,13 +81,16 @@ jobs: features-matrix: name: Determine features matrix needs: validate-features-json + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest outputs: features: ${{ steps.matrix.outputs.features }} scenarios: ${{ steps.matrix.outputs.scenarios }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false 
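Review bot: `run: pip install pre-commit && pre-commit run --all-files` installs whatever pre-commit version PyPI serves that day, with no version pin and no `setup-python` step, in a commit that otherwise pins every dependency to a commit SHA. Pin it, `run: pip install pre-commit==<pinned version> && pre-commit run --all-files`, and consider a pinned `actions/setup-python` step so the interpreter is deterministic too. The job has no `needs: check-event`, so it runs on every pushed ref; if that is deliberate a short comment would save the next reader a question.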
@@ -91,7 +119,9 @@ jobs: if: needs.features-matrix.outputs.features != '[]' || needs.features-matrix.outputs.scenarios != '[]' name: Feature integration needs: features-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml with: name: "{0}" @@ -101,7 +131,9 @@ jobs: if: needs.features-matrix.outputs.scenarios != '[]' name: Test ${{ matrix.feature }} scenarios needs: features-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml strategy: fail-fast: false @@ -115,7 +147,9 @@ jobs: if: needs.features-matrix.outputs.features != '[]' name: Test ${{ matrix.feature }} feature needs: features-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml strategy: fail-fast: false @@ -128,13 +162,16 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -164,7 +201,9 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name || 'Linux' }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: fail-fast: false 
@@ -180,7 +219,9 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name || 'Windows' }} needs: image-matrix - secrets: inherit + permissions: + contents: read + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index c471e2a15..3bf87c9fc 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -1,7 +1,10 @@ name: Trigger Breaking Change Notifications on: - pull_request_target: + # needs to be pull_request_target so the webhook token is available. no code + # gets checked out, only metadata, so there is no risk to executing this from + # fork PRs + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - closed - reopened @@ -11,8 +14,9 @@ on: jobs: trigger-notifier: if: contains(github.event.pull_request.labels.*.name, 'breaking') - secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main + permissions: {} + secrets: inherit # zizmor: ignore[secrets-inherit] + uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses] with: sender_login: ${{ github.event.sender.login }} sender_avatar: ${{ github.event.sender.avatar_url }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..08d5d88a6 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,6 @@ +--- +repos: + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor
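Review bot: This workflow is the only one in the commit without a top-level `permissions: {}`; the job-level `permissions: {}` added below covers `trigger-notifier`, but the workflow default should match the other files so any job added later starts from nothing. Add `permissions: {}` as a top-level key after `on:`. The rationale comment above `pull_request_target:` is the pattern the other suppressions in this commit lack, and the note that "there is no risk" holds only for this file, not for what the called workflow does at its mutable ref.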
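Review bot: `rev: v1.24.1` pins the zizmor hook to a mutable tag, whereas every action in this commit is pinned to a commit SHA; pre-commit accepts a full commit SHA in `rev:`, so `rev: <pinned sha>  # v1.24.1` gives the tool that lints the workflows the same guarantee. A `---` document start and two-space indentation are already in place, so no other changes are needed.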