From 825ad803b36d68e31f5051e525f32cad7ea352ff Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Fri, 24 Apr 2026 12:35:02 -0400 Subject: [PATCH 1/9] fix(ci): pin all third-party actions --- .github/actions/get-pr-info/action.yml | 2 +- .github/actions/install-devcontainers-cli/action.yml | 2 +- .github/actions/setup-runner-env/action.yml | 8 ++++---- .github/workflows/build-all-rapids-repos.yml | 2 +- .github/workflows/build-and-test-feature.yml | 4 ++-- .github/workflows/build-test-and-push-linux-image.yml | 6 +++--- .github/workflows/build-test-and-push-windows-image.yml | 4 ++-- .github/workflows/docs.yml | 4 ++-- .github/workflows/release-features.yml | 4 ++-- .github/workflows/release-linux.yml | 4 ++-- .github/workflows/release-windows.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/test-rapids-build-times.yml | 2 +- .github/workflows/test.yml | 8 ++++---- .github/workflows/trigger-breaking-change-alert.yaml | 2 +- 15 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/actions/get-pr-info/action.yml b/.github/actions/get-pr-info/action.yml index 737380bd2..e29b89987 100644 --- a/.github/actions/get-pr-info/action.yml +++ b/.github/actions/get-pr-info/action.yml @@ -13,7 +13,7 @@ outputs: runs: using: "composite" steps: - - uses: actions/github-script@v7 + - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 id: get-pull-request with: retries: 3 diff --git a/.github/actions/install-devcontainers-cli/action.yml b/.github/actions/install-devcontainers-cli/action.yml index 2a14ffaf6..934c88ffc 100644 --- a/.github/actions/install-devcontainers-cli/action.yml +++ b/.github/actions/install-devcontainers-cli/action.yml @@ -6,7 +6,7 @@ runs: using: composite steps: - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' - name: Install devcontainers CLI 
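Review bot: The trailing comment on the pinned `uses:` lines records only the major tag (`# v7`, `# v4`), so a reader cannot verify that the SHA corresponds to a released tag, and pin-updating tools that parse that comment cannot tell which release is in use. Recording the exact tag the commit resolves to, e.g. `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.<minor>.<patch>` (placeholder: fill in the tag that commit actually carries), keeps the pin auditable and the comment accurate after the next update. The same applies to every pinned action in this patch.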
diff --git a/.github/actions/setup-runner-env/action.yml b/.github/actions/setup-runner-env/action.yml index a6ede0d22..fd3519209 100644 --- a/.github/actions/setup-runner-env/action.yml +++ b/.github/actions/setup-runner-env/action.yml @@ -26,13 +26,13 @@ runs: - if: runner.environment == 'self-hosted' name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' - if: runner.environment != 'self-hosted' name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Create docker context shell: bash @@ -40,14 +40,14 @@ runs: - if: runner.environment != 'self-hosted' name: Setup docker buildx on github-hosted runners - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: buildkitd-flags: --debug endpoint: builder - if: runner.environment == 'self-hosted' name: Setup docker buildx on self-hosted runners - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: buildkitd-flags: --debug --config /etc/buildkit/buildkitd.toml endpoint: builder diff --git a/.github/workflows/build-all-rapids-repos.yml b/.github/workflows/build-all-rapids-repos.yml index 8279d0631..18fb7a24b 100644 --- a/.github/workflows/build-all-rapids-repos.yml +++ b/.github/workflows/build-all-rapids-repos.yml @@ -28,7 +28,7 @@ jobs: if: needs.check-event.outputs.ok == 'true' needs: check-event secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main + uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses] permissions: actions: read packages: read diff --git a/.github/workflows/build-and-test-feature.yml b/.github/workflows/build-and-test-feature.yml index 390637a86..1608e3f91 100644 
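Review bot: The `# zizmor: ignore[unpinned-uses]` added to the `rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main` line silences the finding without recording why a mutable branch ref is acceptable, so a later reader cannot distinguish a deliberate trust decision from an oversight. A short rationale in the same comment, e.g. `# zizmor: ignore[unpinned-uses] -- same-org reusable workflow, intentionally tracked on main`, makes the decision reviewable; the same suppression is added in test-rapids-build-times.yml and trigger-breaking-change-alert.yaml later in this patch. The mutable ref matters more than usual here because this job also passes `secrets: inherit` to the callee.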
--- a/.github/workflows/build-and-test-feature.yml +++ b/.github/workflows/build-and-test-feature.yml @@ -22,12 +22,12 @@ jobs: arch: [amd64, arm64] steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/build-test-and-push-linux-image.yml b/.github/workflows/build-test-and-push-linux-image.yml index 86246f87c..8085db288 100644 --- a/.github/workflows/build-test-and-push-linux-image.yml +++ b/.github/workflows/build-test-and-push-linux-image.yml @@ -41,7 +41,7 @@ jobs: version: ${{ steps.json.outputs.version }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -58,7 +58,7 @@ jobs: container_env: "${{ inputs.container_env }}" - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} @@ -80,7 +80,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} 
diff --git a/.github/workflows/build-test-and-push-windows-image.yml b/.github/workflows/build-test-and-push-windows-image.yml index 88ce0710d..7e2542c9f 100644 --- a/.github/workflows/build-test-and-push-windows-image.yml +++ b/.github/workflows/build-test-and-push-windows-image.yml @@ -37,7 +37,7 @@ jobs: - { edition: "2022", runner: "${{ github.repository != 'rapidsai/devcontainers' && 'windows-2022' || 'windows-amd64-cpu4' }}" } steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -63,7 +63,7 @@ jobs: EOF - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER || vars.DOCKERHUB_USER }} password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN || secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d935a3eee..ace81e3f2 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,7 @@ jobs: pull-requests: write steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Copy common scripts into features uses: ./.github/actions/copy-common-scripts @@ -29,7 +29,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Generate feature docs - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: generate-docs: true publish-features: false diff --git a/.github/workflows/release-features.yml b/.github/workflows/release-features.yml index 53b2e788a..2b20091a6 100644 --- a/.github/workflows/release-features.yml +++ b/.github/workflows/release-features.yml 
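Review bot: The pinned `actions/checkout` step in docs.yml has no `persist-credentials: false`, unlike the other checkout steps touched in this patch, so the job token remains in `.git/config` for every later step; the release-features.yml checkout further in this patch has the same gap. Unless a later step in those jobs relies on the persisted token for a git push (not visible in the hunk), add `with:` / `persist-credentials: false` under the checkout as the other workflows already do. The `pull-requests: write` grant visible as context in the docs.yml hunk makes that token worth scoping tightly.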
@@ -13,7 +13,7 @@ jobs: packages: write steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Copy common scripts into features uses: ./.github/actions/copy-common-scripts @@ -22,7 +22,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Release features - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: generate-docs: true publish-features: true diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index a8daee82e..a45039d4c 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -17,7 +17,7 @@ jobs: scenarios: "${{ steps.matrix.outputs.scenarios }}" steps: - name: "Checkout ${{ github.repository }}" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -39,7 +39,7 @@ jobs: linux: ${{ steps.matrix.outputs.linux }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 3c29f7561..1a4cd3e31 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -16,7 +16,7 @@ jobs: windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5211d3bfc..e49d5c983 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -41,7 +41,7 @@ jobs: scenarios: "${{ steps.matrix.outputs.scenarios }}" steps: - name: "Checkout ${{ github.repository }}" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -64,7 +64,7 @@ jobs: windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/test-rapids-build-times.yml b/.github/workflows/test-rapids-build-times.yml index 020d4a045..ab9e4354f 100644 --- a/.github/workflows/test-rapids-build-times.yml +++ b/.github/workflows/test-rapids-build-times.yml @@ -32,7 +32,7 @@ jobs: if: needs.check-event.outputs.ok == 'true' needs: check-event secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main + uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses] permissions: actions: read packages: read diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 99af3309f..c247091a3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false @@ -48,7 +48,7 @@ jobs: uses: ./.github/actions/install-devcontainers-cli - name: Validate devcontainer-feature.json files - uses: devcontainers/action@v1 + uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1 with: validate-only: true base-path-to-features: "./features/src" 
@@ -62,7 +62,7 @@ jobs: scenarios: ${{ steps.matrix.outputs.scenarios }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false @@ -134,7 +134,7 @@ jobs: windows: ${{ steps.matrix.outputs.windows }} steps: - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index c471e2a15..960f65d95 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -12,7 +12,7 @@ jobs: trigger-notifier: if: contains(github.event.pull_request.labels.*.name, 'breaking') secrets: inherit - uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main + uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses] with: sender_login: ${{ github.event.sender.login }} sender_avatar: ${{ github.event.sender.avatar_url }} From 9a2e7d518afc05e788d8a9104181384cfdcbf254 Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Fri, 24 Apr 2026 12:46:56 -0400 Subject: [PATCH 2/9] fix: replace all template injection sites with env vars --- .../actions/build-and-test-feature/action.yml | 3 +- .../actions/build-windows-image/action.yml | 19 +++++++---- .github/actions/devcontainer-json/action.yml | 10 ++++-- .github/actions/feature-matrix/action.yml | 7 ++-- .github/actions/free-disk-space/action.yml | 12 ++++--- .github/actions/image-matrix/action.yml | 13 +++++--- .github/actions/test-windows-image/action.yml | 19 +++++++---- .../build-test-and-push-windows-image.yml | 32 +++++++++++++------ 8 files changed, 79 insertions(+), 36 deletions(-) 
diff --git a/.github/actions/build-and-test-feature/action.yml b/.github/actions/build-and-test-feature/action.yml index 6f3e73ce6..9dbc8f292 100644 --- a/.github/actions/build-and-test-feature/action.yml +++ b/.github/actions/build-and-test-feature/action.yml @@ -25,10 +25,11 @@ runs: - name: Test feature shell: bash run: | - devcontainer features test ${{ inputs.args }} ./features; + devcontainer features test $ARGS ./features; env: NODE_NO_WARNINGS: 1 VAULT_S3_TTL: "900" # 15 minutes + ARGS: ${{ inputs.args }} gh_token: "${{ inputs.gh_token }}" aws_role_arn: "${{ inputs.aws_role_arn }}" rw_sccache_bucket: "${{ inputs.rw_sccache_bucket }}" diff --git a/.github/actions/build-windows-image/action.yml b/.github/actions/build-windows-image/action.yml index a22088bf2..f6e7d9082 100644 --- a/.github/actions/build-windows-image/action.yml +++ b/.github/actions/build-windows-image/action.yml @@ -38,11 +38,18 @@ runs: steps: - name: Build ${{ inputs.repo }}:${{ inputs.tag }} shell: powershell + env: + REPO: ${{ inputs.repo }} + CL: ${{ inputs.cl }} + CUDA: ${{ inputs.cuda }} + VERSION: ${{ inputs.version }} + ISOLATION: ${{ inputs.isolation }} + EDITION: ${{ inputs.edition }} run: | .\windows\build-windows-image.ps1 ` - -repo ${{ inputs.repo }} ` - -clVersion ${{ inputs.cl }} ` - -cudaVersion ${{ inputs.cuda }} ` - -repoVersion ${{ inputs.version }} ` - -isolation ${{ inputs.isolation }} ` - -edition windows${{ inputs.edition }} + -repo $env:REPO ` + -clVersion $env:CL ` + -cudaVersion $env:CUDA ` + -repoVersion $env:VERSION ` + -isolation $env:ISOLATION ` + -edition windows$env:EDITION diff --git a/.github/actions/devcontainer-json/action.yml b/.github/actions/devcontainer-json/action.yml index 53ba45da2..c6876f558 100644 --- a/.github/actions/devcontainer-json/action.yml +++ b/.github/actions/devcontainer-json/action.yml 
@@ -26,12 +26,16 @@ runs: - id: json name: Make image/.devcontainer/devcontainer.json shell: bash + env: + INPUT_OS: ${{ inputs.os }} + INPUT_FEATURES: ${{ inputs.features }} + INPUT_CONTAINER_ENV: ${{ inputs.container_env }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/devcontainer-json/action.sh \ - '${{ inputs.os }}' \ - '${{ inputs.features }}' \ - '${{ inputs.container_env }}' \ + "$INPUT_OS" \ + "$INPUT_FEATURES" \ + "$INPUT_CONTAINER_ENV" \ 3>> "$GITHUB_OUTPUT" \ 4> image/.devcontainer/devcontainer.json.out ; diff --git a/.github/actions/feature-matrix/action.yml b/.github/actions/feature-matrix/action.yml index 3ebc2b7a8..29e4fb99b 100644 --- a/.github/actions/feature-matrix/action.yml +++ b/.github/actions/feature-matrix/action.yml @@ -41,9 +41,12 @@ runs: - name: Determine the feature matrix id: matrix shell: bash + env: + FULL_MATRIX: ${{ inputs.full_matrix }} + CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/feature-matrix/action.sh \ - '${{ inputs.full_matrix }}' \ - '${{ steps.changes.outputs.all_changed_and_modified_files }}' \ + "$FULL_MATRIX" \ + "$CHANGED_FILES" \ | tee -a "$GITHUB_OUTPUT"; diff --git a/.github/actions/free-disk-space/action.yml b/.github/actions/free-disk-space/action.yml index d7ebb43da..d6f2b9d60 100644 --- a/.github/actions/free-disk-space/action.yml +++ b/.github/actions/free-disk-space/action.yml @@ -13,6 +13,8 @@ runs: steps: - name: Free up disk space shell: bash --noprofile --norc -x -eo pipefail {0} + env: + TOOL_CACHE: ${{ inputs.tool_cache }} run: | df -h; docker images; 
@@ -37,11 +39,11 @@ runs: sudo rm -rf /usr/local/share/chromium; sudo rm -rf /usr/local/share/powershell; sudo rm -rf /home/linuxbrew/.linuxbrew; - sudo rm -rf ${{ inputs.tool_cache }}/go; - sudo rm -rf ${{ inputs.tool_cache }}/Ruby; - sudo rm -rf ${{ inputs.tool_cache }}/PyPy; - sudo rm -rf ${{ inputs.tool_cache }}/CodeQL; - sudo rm -rf ${{ inputs.tool_cache }}/Python; + sudo rm -rf $TOOL_CACHE/go; + sudo rm -rf $TOOL_CACHE/Ruby; + sudo rm -rf $TOOL_CACHE/PyPy; + sudo rm -rf $TOOL_CACHE/CodeQL; + sudo rm -rf $TOOL_CACHE/Python; docker rmi $(docker image ls -aq) || true; docker images; df -h; diff --git a/.github/actions/image-matrix/action.yml b/.github/actions/image-matrix/action.yml index 9c3588556..a87bb76a5 100644 --- a/.github/actions/image-matrix/action.yml +++ b/.github/actions/image-matrix/action.yml @@ -49,11 +49,16 @@ runs: - name: Determine the image matrix id: matrix shell: bash + env: + FULL_MATRIX: ${{ inputs.full_matrix }} + FEATURES: ${{ inputs.features || '[]' }} + SCENARIOS: ${{ inputs.scenarios || '[]' }} + CHANGED_FILES: ${{ steps.changes.outputs.all_changed_and_modified_files }} run: | bash --noprofile --norc -x -eo pipefail \ .github/actions/image-matrix/action.sh \ - '${{ inputs.full_matrix }}' \ - '${{ inputs.features || '[]' }}' \ - '${{ inputs.scenarios || '[]' }}' \ - '${{ steps.changes.outputs.all_changed_and_modified_files }}' \ + "$FULL_MATRIX" \ + "$FEATURES" \ + "$SCENARIOS" \ + "$CHANGED_FILES" \ | tee -a $GITHUB_OUTPUT; diff --git a/.github/actions/test-windows-image/action.yml b/.github/actions/test-windows-image/action.yml index 21c0b56fe..f59e9c5fb 100644 --- a/.github/actions/test-windows-image/action.yml +++ b/.github/actions/test-windows-image/action.yml 
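Review bot: `sudo rm -rf $TOOL_CACHE/go;` and the four lines after it expand the new `TOOL_CACHE` variable unquoted, so an empty `inputs.tool_cache` turns the command into `sudo rm -rf /go` (and `/Ruby`, `/PyPy`, …), and a value containing whitespace is split into several paths. Fail fast and quote instead: add `: "${TOOL_CACHE:?tool_cache input is required}";` before the removals and write each line as `sudo rm -rf "$TOOL_CACHE/go";`. Whether the action declares a non-empty default for `tool_cache` is not visible in this hunk.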
@@ -38,11 +38,18 @@ runs: steps: - name: Test ${{ inputs.repo }}:${{ inputs.tag }} shell: powershell + env: + REPO: ${{ inputs.repo }} + CL: ${{ inputs.cl }} + CUDA: ${{ inputs.cuda }} + VERSION: ${{ inputs.version }} + ISOLATION: ${{ inputs.isolation }} + EDITION: ${{ inputs.edition }} run: | .github\actions\test-windows-image\action.ps1 ` - -repo ${{ inputs.repo }} ` - -clVersion ${{ inputs.cl }} ` - -cudaVersion ${{ inputs.cuda }} ` - -repoVersion ${{ inputs.version }} ` - -isolation ${{ inputs.isolation }} ` - -edition windows${{ inputs.edition }} + -repo $env:REPO ` + -clVersion $env:CL ` + -cudaVersion $env:CUDA ` + -repoVersion $env:VERSION ` + -isolation $env:ISOLATION ` + -edition windows$env:EDITION diff --git a/.github/workflows/build-test-and-push-windows-image.yml b/.github/workflows/build-test-and-push-windows-image.yml index 7e2542c9f..2e74c4409 100644 --- a/.github/workflows/build-test-and-push-windows-image.yml +++ b/.github/workflows/build-test-and-push-windows-image.yml @@ -45,8 +45,12 @@ jobs: - id: info name: Get container info shell: bash + env: + INPUT_REPO: ${{ inputs.repo }} + INPUT_OS: ${{ inputs.os }} + MATRIX_EDITION: ${{ matrix.edition }} run: | - repo="${{ inputs.repo }}"; + repo="$INPUT_REPO"; cl="${{ fromJSON(inputs.features)[1].version }}"; cuda="${{ fromJSON(inputs.features)[0].version }}"; version="$(git describe --abbrev=0 --tags | sed 's/[a-zA-Z]//g' | cut -d '.' -f -2)"; @@ -59,7 +63,7 @@ jobs: version=${version} base_tag=${base_tag} tag_without_os=${tag_without_os} - tag=${tag_without_os}-${{ inputs.os }}${{ matrix.edition }} + tag=${tag_without_os}-${INPUT_OS}${MATRIX_EDITION} EOF - name: Login to Docker Hub 
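Review bot: The `cl=` and `cuda=` assignments directly after the changed `repo="$INPUT_REPO";` line in build-test-and-push-windows-image.yml still interpolate `${{ fromJSON(inputs.features)[1].version }}` and `${{ fromJSON(inputs.features)[0].version }}` into the bash script, so the template-injection sites this commit sets out to remove are only partly removed in this step. Move the two expressions into the new `env:` block as `CL_VERSION: ${{ fromJSON(inputs.features)[1].version }}` and `CUDA_VERSION: ${{ fromJSON(inputs.features)[0].version }}`, and assign `cl="$CL_VERSION"; cuda="$CUDA_VERSION";` in the script. The rest of the step body lies outside the hunk.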
@@ -91,16 +95,26 @@ jobs: - if: inputs.push == 'true' name: Push ${{ steps.info.outputs.tag }} shell: powershell + env: + REPO: ${{ steps.info.outputs.repo }} + TAG: ${{ steps.info.outputs.tag }} + TAG_WITHOUT_OS: ${{ steps.info.outputs.tag_without_os }} run: | - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }} - docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag_without_os }} - docker push ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:${env:TAG_WITHOUT_OS} + docker push ${env:REPO}:${env:TAG_WITHOUT_OS} + docker push ${env:REPO}:${env:TAG} - if: inputs.push == 'true' && github.ref_name == 'main' name: Push latest-${{ steps.info.outputs.base_tag }} shell: powershell + env: + REPO: ${{ steps.info.outputs.repo }} + TAG: ${{ steps.info.outputs.tag }} + BASE_TAG: ${{ steps.info.outputs.base_tag }} + INPUT_OS: ${{ inputs.os }} + MATRIX_EDITION: ${{ matrix.edition }} run: | - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }} - docker image tag ${{ steps.info.outputs.repo }}:${{ steps.info.outputs.tag }} ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }} - docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }}-${{ inputs.os }}${{ matrix.edition }} - docker push ${{ steps.info.outputs.repo }}:latest-${{ steps.info.outputs.base_tag }} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION} + docker image tag ${env:REPO}:${env:TAG} ${env:REPO}:latest-${env:BASE_TAG} + docker push ${env:REPO}:latest-${env:BASE_TAG}-${env:INPUT_OS}${env:MATRIX_EDITION} + docker push ${env:REPO}:latest-${env:BASE_TAG} 
From c10581665e1d8126a9124e0e63e702cc3d9afdd1 Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Fri, 24 Apr 2026 12:51:55 -0400 Subject: [PATCH 3/9] fix: suppress GITHUB_ENV warning (non-dangerous) --- .github/actions/setup-runner-env/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-runner-env/action.yml b/.github/actions/setup-runner-env/action.yml index fd3519209..ab2d112d8 100644 --- a/.github/actions/setup-runner-env/action.yml +++ b/.github/actions/setup-runner-env/action.yml @@ -20,7 +20,7 @@ runs: - if: runner.environment == 'self-hosted' name: Setup self-hosted runner environment shell: bash -eo pipefail {0} - run: | + run: | # zizmor: ignore[github-env] echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV; echo "TMPDIR=${{ runner.temp }}" >> $GITHUB_ENV; From 55b5c418c821298f2fc7a40d0383c746928d802c Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Fri, 24 Apr 2026 12:58:17 -0400 Subject: [PATCH 4/9] fix: ignore dangerous-trigger warning Do we actually need pull_request_target here? Or would `pull_request` be good enough? --- .github/workflows/trigger-breaking-change-alert.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index 960f65d95..c406c1eb5 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -1,7 +1,10 @@ name: Trigger Breaking Change Notifications on: - pull_request_target: + # needs to be pull_request_target so the webhook token is available. no code + # gets checked out, only metadata, so there is no risk to executing this from + # fork PRs + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - closed - reopened From a4e146bc0c135f9f54e7c479621b6123edfc8de8 Mon Sep 17 00:00:00 2001 
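Review bot: `run: | # zizmor: ignore[github-env]` in setup-runner-env/action.yml suppresses the finding but records no rationale, and the "(non-dangerous)" in the commit subject is not visible to anyone reading the action file. State the reason inline, e.g. `run: | # zizmor: ignore[github-env] -- only runner.workspace and runner.temp are written, no user-controlled input`, so the next person who touches these `echo ... >> $GITHUB_ENV` lines knows which property the suppression depends on.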
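Review bot: The new comment above `pull_request_target:` in trigger-breaking-change-alert.yaml justifies the trigger with "no code gets checked out", but the job below it (outside this hunk) forwards PR metadata such as `github.event.sender.login` to a reusable workflow called with `secrets: inherit`, so the safety argument also depends on how the callee handles those fields. Extend the comment to name that assumption, e.g. `# the called workflow must treat the sender_*/PR-metadata inputs as data (env vars) and never interpolate them into a shell`. With that stated, the `# zizmor: ignore[dangerous-triggers]` reads as a reviewed decision rather than a blanket suppression.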
From: Gil Forsyth Date: Fri, 24 Apr 2026 14:06:05 -0400 Subject: [PATCH 5/9] fix: grant permissions explicitly per-job --- .github/workflows/build-all-rapids-repos.yml | 3 +++ .github/workflows/release-linux.yml | 8 ++++++ .github/workflows/release-windows.yml | 6 +++++ .github/workflows/release.yml | 14 ++++++++++ .github/workflows/test-rapids-build-times.yml | 3 +++ .github/workflows/test.yml | 27 +++++++++++++++++++ .../trigger-breaking-change-alert.yaml | 1 + 7 files changed, 62 insertions(+) diff --git a/.github/workflows/build-all-rapids-repos.yml b/.github/workflows/build-all-rapids-repos.yml index 18fb7a24b..7c87d1c60 100644 --- a/.github/workflows/build-all-rapids-repos.yml +++ b/.github/workflows/build-all-rapids-repos.yml @@ -5,9 +5,12 @@ on: - cron: '0 0 * * *' workflow_call: +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index a45039d4c..66b332352 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -7,10 +7,14 @@ concurrency: on: workflow_dispatch: +permissions: {} + jobs: features-matrix: name: Determine features matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: features: "${{ steps.matrix.outputs.features }}" @@ -34,6 +38,8 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} @@ -56,6 +62,8 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 1a4cd3e31..19731de08 100644 
--- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -7,10 +7,14 @@ concurrency: on: workflow_dispatch: +permissions: {} + jobs: image-matrix: name: Determine image matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: windows: ${{ steps.matrix.outputs.windows }} @@ -31,6 +35,8 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e49d5c983..b1b87620d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,9 +13,12 @@ on: tags: - "v[0-9][0-9].[0-9][0-9].[0-9][0-9]" +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} @@ -35,6 +38,8 @@ jobs: name: Determine features matrix if: needs.check-event.outputs.ok == 'true' needs: check-event + permissions: + contents: read runs-on: ubuntu-latest outputs: features: "${{ steps.matrix.outputs.features }}" @@ -58,6 +63,8 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} @@ -81,6 +88,8 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name || 'Linux' }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: @@ -97,6 +106,8 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name || 'Windows' }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: 
@@ -113,5 +124,8 @@ jobs: if: needs.features-matrix.outputs.features != '[]' || needs.features-matrix.outputs.scenarios != '[]' name: Features needs: features-matrix + permissions: + contents: read + packages: write secrets: inherit uses: ./.github/workflows/release-features.yml diff --git a/.github/workflows/test-rapids-build-times.yml b/.github/workflows/test-rapids-build-times.yml index ab9e4354f..8442c5de1 100644 --- a/.github/workflows/test-rapids-build-times.yml +++ b/.github/workflows/test-rapids-build-times.yml @@ -12,9 +12,12 @@ on: required: false default: cpu32 +permissions: {} + jobs: check-event: name: Check GH Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_gh_event.outputs.ok }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c247091a3..389d7518a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,9 +10,12 @@ on: branches: - "pull-request/[0-9]+" +permissions: {} + jobs: check-event: name: Check PR Event + permissions: {} runs-on: ubuntu-latest outputs: ok: ${{ steps.check_pr_event.outputs.ok }} @@ -30,6 +33,12 @@ jobs: if: needs.check-event.outputs.ok == 'true' && github.repository_owner == 'rapidsai' name: Build needs: check-event + permissions: + contents: read + actions: read + packages: read + id-token: write + pull-requests: read secrets: inherit uses: ./.github/workflows/build-all-rapids-repos.yml @@ -37,6 +46,8 @@ jobs: if: needs.check-event.outputs.ok == 'true' name: Validate Features needs: check-event + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Checkout ${{ github.repository }} @@ -56,6 +67,9 @@ jobs: features-matrix: name: Determine features matrix needs: validate-features-json + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest outputs: features: ${{ steps.matrix.outputs.features }} 
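Review bot: The `build` job in test.yml receives `id-token: write` alongside `secrets: inherit`, with no comment on why the OIDC grant is needed, while every other grant in this patch is `contents: read` plus at most `pull-requests: read` or `packages: write`. Add a one-line rationale above the new `permissions:` block, e.g. `# id-token: write -- the called build-all-rapids-repos workflow exchanges the OIDC token for cloud credentials (<confirm which step>)`, so the widest grant in the file is visibly deliberate. Whether the `check-event` gate on this job excludes fork pull requests is not visible here, and it is the only thing limiting who can start this token-bearing job.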
@@ -91,6 +105,8 @@ jobs: if: needs.features-matrix.outputs.features != '[]' || needs.features-matrix.outputs.scenarios != '[]' name: Feature integration needs: features-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-and-test-feature.yml with: @@ -101,6 +117,8 @@ jobs: if: needs.features-matrix.outputs.scenarios != '[]' name: Test ${{ matrix.feature }} scenarios needs: features-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-and-test-feature.yml strategy: @@ -115,6 +133,8 @@ jobs: if: needs.features-matrix.outputs.features != '[]' name: Test ${{ matrix.feature }} feature needs: features-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-and-test-feature.yml strategy: @@ -128,6 +148,9 @@ jobs: image-matrix: name: Determine image matrix needs: features-matrix + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest outputs: linux: ${{ steps.matrix.outputs.linux }} @@ -164,6 +187,8 @@ jobs: if: needs.image-matrix.outputs.linux != '{"include":[]}' name: ${{ matrix.name || 'Linux' }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: @@ -180,6 +205,8 @@ jobs: if: needs.image-matrix.outputs.windows != '{"include":[]}' name: ${{ matrix.name || 'Windows' }} needs: image-matrix + permissions: + contents: read secrets: inherit uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index c406c1eb5..f6ea73efd 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml 
@@ -14,6 +14,7 @@ on:
 jobs:
 trigger-notifier:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
+ permissions: {}
 secrets: inherit
 uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses]
 with:
From 306b7ec04c5a276a5bed3cc1abb6b3bc51c36584 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:10:12 -0400
Subject: [PATCH 6/9] fix: suppress secrets-inherit warnings
---
 .github/workflows/build-all-rapids-repos.yml | 2 +-
 .github/workflows/release-linux.yml | 2 +-
 .github/workflows/release-windows.yml | 2 +-
 .github/workflows/release.yml | 6 +++---
 .github/workflows/test-rapids-build-times.yml | 2 +-
 .github/workflows/test.yml | 12 ++++++------
 .github/workflows/trigger-breaking-change-alert.yaml | 2 +-
 7 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build-all-rapids-repos.yml b/.github/workflows/build-all-rapids-repos.yml
index 7c87d1c60..5bd11378f 100644
--- a/.github/workflows/build-all-rapids-repos.yml
+++ b/.github/workflows/build-all-rapids-repos.yml
@@ -30,7 +30,7 @@ jobs:
 name: ${{ matrix.libs }}
 if: needs.check-event.outputs.ok == 'true'
 needs: check-event
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses]
 permissions:
 actions: read
diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml
index 66b332352..e5dbd7166 100644
--- a/.github/workflows/release-linux.yml
+++ b/.github/workflows/release-linux.yml
@@ -64,7 +64,7 @@ jobs:
 needs: image-matrix
 permissions:
 contents: read
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: ./.github/workflows/build-test-and-push-linux-image.yml
 strategy:
 fail-fast: false
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
index 19731de08..f42e5328f 100644
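Review bot: The `# zizmor: ignore[secrets-inherit]` added in build-all-rapids-repos.yml silences the finding without narrowing what the callee receives, and this job calls `rapidsai/shared-workflows/...@main`, which the same line already marks `unpinned-uses`; a mutable remote workflow therefore keeps receiving every repository secret. For the remote callers (this hunk, plus the test-rapids-build-times.yml and trigger-breaking-change-alert.yaml hunks later in this patch) pass only what the callee's `on.workflow_call.secrets` declares, e.g. `secrets:` followed by `  EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}` (constructed name, substitute the callee's declared inputs). The suppression is defensible for the repo-local `./.github/workflows/...` callees, which run from the same ref as the caller.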
--- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -37,7 +37,7 @@ jobs: needs: image-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b1b87620d..2c43f1e71 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -90,7 +90,7 @@ jobs: needs: image-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: fail-fast: false @@ -108,7 +108,7 @@ jobs: needs: image-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false @@ -127,5 +127,5 @@ jobs: permissions: contents: read packages: write - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/release-features.yml diff --git a/.github/workflows/test-rapids-build-times.yml b/.github/workflows/test-rapids-build-times.yml index 8442c5de1..813f010e7 100644 --- a/.github/workflows/test-rapids-build-times.yml +++ b/.github/workflows/test-rapids-build-times.yml @@ -34,7 +34,7 @@ jobs: name: ${{ matrix.name }} if: needs.check-event.outputs.ok == 'true' needs: check-event - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/build-in-devcontainer.yaml@main # zizmor: ignore[unpinned-uses] permissions: actions: read diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 389d7518a..9e4a9760b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -39,7 +39,7 @@ jobs: packages: read id-token: write pull-requests: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-all-rapids-repos.yml validate-features-json: @@ -107,7 +107,7 @@ jobs: needs: features-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml with: name: "{0}" @@ -119,7 +119,7 @@ jobs: needs: features-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml strategy: fail-fast: false @@ -135,7 +135,7 @@ jobs: needs: features-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-and-test-feature.yml strategy: fail-fast: false @@ -189,7 +189,7 @@ jobs: needs: image-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-linux-image.yml strategy: fail-fast: false @@ -207,7 +207,7 @@ jobs: needs: image-matrix permissions: contents: read - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/build-test-and-push-windows-image.yml strategy: fail-fast: false diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index f6ea73efd..3bf87c9fc 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml 
@@ -15,7 +15,7 @@ jobs:
 trigger-notifier:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
 permissions: {}
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses]
 with:
 sender_login: ${{ github.event.sender.login }}
From 0e82ebff32b3f6d94b3467f6fa38978282599171 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:12:24 -0400
Subject: [PATCH 7/9] fix: disable `persist-credentials` to prevent credential leakage
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/release-features.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index ace81e3f2..b833cdc66 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Checkout ${{ github.repository }}
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 
 - name: Copy common scripts into features
 uses: ./.github/actions/copy-common-scripts
diff --git a/.github/workflows/release-features.yml b/.github/workflows/release-features.yml
index 2b20091a6..f4bbd1c66 100644
--- a/.github/workflows/release-features.yml
+++ b/.github/workflows/release-features.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Checkout ${{ github.repository }}
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 
 - name: Copy common scripts into features
 uses: ./.github/actions/copy-common-scripts
From 740b5309723fdfcc813b0a600c26a0d777e9e046 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:26:31 -0400
Subject: [PATCH 8/9] fix: remediate or ignore all template-injection warnings
---
 .github/actions/feature-matrix/action.yml | 2 +-
 .github/actions/get-pr-info/action.yml | 6 +++---
 .github/actions/image-matrix/action.yml | 2 +-
 .github/actions/setup-runner-env/action.yml | 6 +++---
 .github/workflows/build-test-and-push-windows-image.yml | 5 +++--
 5 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/actions/feature-matrix/action.yml b/.github/actions/feature-matrix/action.yml
index 29e4fb99b..c69b2cd47 100644
--- a/.github/actions/feature-matrix/action.yml
+++ b/.github/actions/feature-matrix/action.yml
@@ -36,7 +36,7 @@ runs:
 - name: Report changes
 if: inputs.full_matrix != 'true'
 shell: bash
- run: echo '${{ toJSON(steps.changes.outputs) }}'
+ run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection]
 
 - name: Determine the feature matrix
 id: matrix
diff --git a/.github/actions/get-pr-info/action.yml b/.github/actions/get-pr-info/action.yml
index e29b89987..57992d174 100644
--- a/.github/actions/get-pr-info/action.yml
+++ b/.github/actions/get-pr-info/action.yml
@@ -23,12 +23,12 @@ runs:
 repo: context.repo.repo,
 owner: context.repo.owner,
 pull_number: (() => {
- switch('${{ github.event_name }}') {
+ switch(context.eventName) {
 case 'pull_request':
 case 'pull_request_target':
- return '${{ github.ref }}'.split('/')[2];
+ return context.ref.split('/')[2];
 case 'push':
- const branch = '${{ github.ref_name }}';
+ const branch = context.ref.replace(/^refs\/(heads|tags)\//, '');
 if (!branch.match(new RegExp('^pull-request/[0-9]+$'))) {
 throw new Error(`${branch} does not match PR branch pattern.`);
 }
diff --git a/.github/actions/image-matrix/action.yml b/.github/actions/image-matrix/action.yml
index a87bb76a5..c5e64a2ba 100644
--- a/.github/actions/image-matrix/action.yml
+++ b/.github/actions/image-matrix/action.yml
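Review bot: The `# zizmor: ignore[template-injection]` on `run: echo '${{ toJSON(steps.changes.outputs) }}'` in feature-matrix/action.yml leaves the expression expanded inside the shell script, so the suppression is load-bearing: a single quote in any `changes` output (the step that produces those outputs is outside the hunk) would break out of the quoting. Routing the value through the step's `env:` removes the finding instead of hiding it: `env:` / `  CHANGES_JSON: ${{ toJSON(steps.changes.outputs) }}` / `run: echo "$CHANGES_JSON"`. The same applies to the identical hunk in image-matrix/action.yml and to the `toJSON(env)` / `toJSON(runner)` echoes in setup-runner-env/action.yml, whereas the windows-image hunk in this patch already takes the right approach with `INPUT_FEATURES`.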
@@ -44,7 +44,7 @@ runs:
 - name: Report changes
 if: inputs.full_matrix != 'true'
 shell: bash
- run: echo '${{ toJSON(steps.changes.outputs) }}'
+ run: echo '${{ toJSON(steps.changes.outputs) }}' # zizmor: ignore[template-injection]
 
 - name: Determine the image matrix
 id: matrix
diff --git a/.github/actions/setup-runner-env/action.yml b/.github/actions/setup-runner-env/action.yml
index ab2d112d8..3d819c598 100644
--- a/.github/actions/setup-runner-env/action.yml
+++ b/.github/actions/setup-runner-env/action.yml
@@ -7,7 +7,7 @@ runs:
 steps:
 - name: Dump environment
 shell: bash -eo pipefail {0}
- run: |
+ run: | # zizmor: ignore[template-injection]
 echo "env: ${{ toJSON(env) }}"
 echo "runner: '${{ toJSON(runner) }}'"
 
@@ -21,8 +21,8 @@ runs:
 name: Setup self-hosted runner environment
 shell: bash -eo pipefail {0}
 run: | # zizmor: ignore[github-env]
- echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV;
- echo "TMPDIR=${{ runner.temp }}" >> $GITHUB_ENV;
+ echo "HOME=$RUNNER_WORKSPACE" >> "$GITHUB_ENV";
+ echo "TMPDIR=$RUNNER_TEMP" >> "$GITHUB_ENV";
 
 - if: runner.environment == 'self-hosted'
 name: Setup Node.js
diff --git a/.github/workflows/build-test-and-push-windows-image.yml b/.github/workflows/build-test-and-push-windows-image.yml
index 2e74c4409..78beabcce 100644
--- a/.github/workflows/build-test-and-push-windows-image.yml
+++ b/.github/workflows/build-test-and-push-windows-image.yml
@@ -49,10 +49,11 @@ jobs:
 INPUT_REPO: ${{ inputs.repo }}
 INPUT_OS: ${{ inputs.os }}
 MATRIX_EDITION: ${{ matrix.edition }}
+ INPUT_FEATURES: ${{ inputs.features }}
 run: |
 repo="$INPUT_REPO";
- cl="${{ fromJSON(inputs.features)[1].version }}";
- cuda="${{ fromJSON(inputs.features)[0].version }}";
+ cl="$(echo "$INPUT_FEATURES" | jq -r '.[1].version')";
+ cuda="$(echo "$INPUT_FEATURES" | jq -r '.[0].version')";
 version="$(git describe --abbrev=0 --tags | sed 's/[a-zA-Z]//g' | cut -d '.' -f -2)";
 base_tag="cuda${cuda}-cl${cl}";
 tag_without_os="${version}-${base_tag}";
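Review bot: `cl="$(echo "$INPUT_FEATURES" | jq -r '.[1].version')"` and the `cuda=` line below it print the literal string `null` when the array is shorter than expected or an element lacks `version`, so a malformed `features` input now yields a tag like `cudanull-clnull` instead of failing, whereas the replaced `fromJSON(...)` expression would have errored at expansion time. Use `jq -er` on both lines so a null result returns non-zero, and confirm the script runs under `-e` (the step's `shell:` is outside the hunk), otherwise the non-zero status is still ignored.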
From 2cd929c1afac106336fb7175c64abeb34d80b2fd Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Mon, 27 Apr 2026 09:46:15 -0400
Subject: [PATCH 9/9] feat: add pre-commit run to `test.yml`
---
 .github/workflows/test.yml | 14 ++++++++++++++
 .pre-commit-config.yaml | 6 ++++++
 2 files changed, 20 insertions(+)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9e4a9760b..9800a7b4b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,6 +29,20 @@ jobs:
 && echo "ok=true" | tee -a "$GITHUB_OUTPUT" \
 || echo "ok=false" | tee -a "$GITHUB_OUTPUT";
 
+ pre-commit:
+ name: pre-commit
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout ${{ github.repository }}
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+
+ - name: Run pre-commit
+ run: pip install pre-commit && pre-commit run --all-files
+
 build-all-rapids-repos:
 if: needs.check-event.outputs.ok == 'true' && github.repository_owner == 'rapidsai'
 name: Build
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..08d5d88a6
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+---
+repos:
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
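Review bot: `run: pip install pre-commit && pre-commit run --all-files` in the new test.yml job installs whatever pre-commit version PyPI serves at run time, which is out of step with the rest of this series pinning every action to a commit SHA; the job that enforces pinning is itself unpinned. Pin it, e.g. `run: pip install "pre-commit==<PINNED_VERSION>" && pre-commit run --all-files` (placeholder, substitute the version you validated), and consider adding `--show-diff-on-failure` so a failing hook reports what it would have changed. The job also uses the runner's default Python since no `setup-python` step is present; that is acceptable for pre-commit but worth a one-line comment so the omission reads as deliberate.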
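Review bot: `rev: v1.24.1` in the new .pre-commit-config.yaml pins the zizmor hook to a tag, which the hook repository's owner can move, whereas every action in this series is pinned to a commit SHA with the tag kept in a trailing comment. pre-commit accepts a full commit SHA in `rev:`, so the same convention applies here: `rev: <COMMIT_SHA>  # v1.24.1` (placeholder, resolve the tag to its commit yourself).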