From 2d2a07a975eeaea1bfda2472f815b1982a84e1af Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 12:33:49 -0400
Subject: [PATCH 1/8] fix(ci): pin all third-party actions and workflows
---
 .github/workflows/build-cuvs-image.yml | 10 +++++-----
 .github/workflows/build-rapids-image.yml | 10 +++++-----
 .github/workflows/build-test-publish-images.yml | 16 ++++++++--------
 .github/workflows/pr.yml | 6 +++---
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/release-to-nvstaging.yml | 8 ++++----
 .github/workflows/test-notebooks.yml | 6 +++---
 .../workflows/trigger-breaking-change-alert.yaml | 2 +-
 .github/workflows/validate.yml | 6 +++---
 9 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/build-cuvs-image.yml b/.github/workflows/build-cuvs-image.yml
index b38e86f9..32e63278 100644
--- a/.github/workflows/build-cuvs-image.yml
+++ b/.github/workflows/build-cuvs-image.yml
@@ -55,7 +55,7 @@ jobs:
 runs-on: "linux-${{ matrix.ARCH }}-cpu4"
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Clean up condarc for release builds
@@ -69,7 +69,7 @@ jobs:
 echo "Most recent tag is an alpha. Build will use nightly channels."
 fi
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
@@ -78,7 +78,7 @@ jobs:
 run: |
 docker context create builders
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
 # Using the built-in config from NVIDIA's self-hosted runners means that 'docker build'
 # will use NVIDIA's self-hosted DockerHub pull-through cache, which should mean faster builds,
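Review bot: The `# v6` / `# v3` comments after the new SHAs name the floating major tag rather than the release the SHA was taken from, so the pin cannot be audited against a tag without resolving each SHA by hand, and tools that bump SHA pins (Dependabot, Renovate) key off that trailing comment. Record the exact release tag each commit corresponds to (the full `vX.Y.Z` tag, not the mutable `vX` alias) and confirm before merge that each SHA is the commit that tag points to upstream, since a wrong SHA pins silently to the wrong code. The same applies to every pinned `uses:` line in this series.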
@@ -95,7 +95,7 @@ jobs:
 PYTHON_VER: ${{ inputs.PYTHON_VER }}
 RAPIDS_VER: ${{ inputs.RAPIDS_VER }}
 - name: Build cuVS Benchmarks GPU image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: context
 file: cuvs-bench/gpu/Dockerfile
@@ -109,7 +109,7 @@ jobs:
 outputs: type=registry,oci-mediatypes=true
 - name: Build cuVS Benchmarks CPU image
 if: inputs.BUILD_CUVS_BENCH_CPU_IMAGE
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: context
 file: cuvs-bench/cpu/Dockerfile
diff --git a/.github/workflows/build-rapids-image.yml b/.github/workflows/build-rapids-image.yml
index c78a093f..6b551d58 100644
--- a/.github/workflows/build-rapids-image.yml
+++ b/.github/workflows/build-rapids-image.yml
@@ -56,7 +56,7 @@ jobs:
 runs-on: "linux-${{ matrix.ARCH }}-cpu4"
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Clean up condarc for release builds
@@ -70,7 +70,7 @@ jobs:
 echo "Most recent tag is an alpha. Build will use nightly channels."
 fi
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
@@ -79,7 +79,7 @@ jobs:
 run: |
 docker context create builders
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
 # Using the built-in config from NVIDIA's self-hosted runners means that 'docker build'
 # will use NVIDIA's self-hosted DockerHub pull-through cache, which should mean faster builds,
@@ -100,7 +100,7 @@ jobs:
 PYTHON_VER: ${{ inputs.PYTHON_VER }}
 RAPIDS_VER: ${{ inputs.RAPIDS_VER }}
 - name: Build base image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: context
 file: Dockerfile
@@ -113,7 +113,7 @@ jobs:
 # ensure only OCI mediatypes are used: https://docs.docker.com/build/exporters/#oci-media-types
 outputs: type=registry,oci-mediatypes=true
 - name: Build notebooks image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: context
 file: Dockerfile
diff --git a/.github/workflows/build-test-publish-images.yml b/.github/workflows/build-test-publish-images.yml
index 29833df8..ff1653e2 100644
--- a/.github/workflows/build-test-publish-images.yml
+++ b/.github/workflows/build-test-publish-images.yml
@@ -43,13 +43,13 @@ jobs:
 - build-cuvs-multiarch-manifest
 - test
 secrets: inherit
- uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main
+ uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main # zizmor: ignore[unpinned-uses]
 checks:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Run pre-commit
- uses: pre-commit/action@v3.0.1
+ uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 - name: Run hadolint
 run: |
 ci/lint-dockerfiles.sh
@@ -70,7 +70,7 @@ jobs:
 ALPHA_TAG: ${{ steps.compute-rapids-ver.outputs.ALPHA_TAG }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Compute matrix
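Review bot: The `# zizmor: ignore[unpinned-uses]` on the `pr-builder.yaml@main` call records that the finding is suppressed but not why, while the commit title says all third-party actions and workflows are pinned and this reusable workflow still floats on `main`. If the intent is that the same-org `rapidsai/shared-workflows` repository is trusted at branch level, say so where the next reader will look, e.g. `# zizmor: ignore[unpinned-uses] -- same-org shared workflow, intentionally tracks main`. Given the `secrets: inherit` on the context line just above, anyone who can push to that branch can run with this repository's secrets, so the suppression is a trust decision rather than a lint nuisance and should read as one.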
@@ -206,11 +206,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
@@ -238,11 +238,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index df9eda93..61d16a37 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -16,7 +16,7 @@ jobs:
 needs:
 - check-nightly-ci
 - docker
- uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main
+ uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main # zizmor: ignore[unpinned-uses]
 if: always()
 with:
 needs: ${{ toJSON(needs) }}
@@ -30,9 +30,9 @@ jobs:
 steps:
 - name: Get PR Info
 id: get-pr-info
- uses: nv-gha-runners/get-pr-info@main
+ uses: nv-gha-runners/get-pr-info@main # zizmor: ignore[unpinned-uses]
 - name: Check if nightly CI is passing
- uses: rapidsai/shared-actions/check_nightly_success/dispatch@main
+ uses: rapidsai/shared-actions/check_nightly_success/dispatch@main # zizmor: ignore[unpinned-uses]
 with:
 # default is 7 days, but this repo is downstream of all of RAPIDS so allow a bit longer window
 max-days-without-success: 14
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cb436bb4..836c844b 100644
--- a/.github/workflows/publish.yml
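Review bot: `nv-gha-runners/get-pr-info@main` lives outside the `rapidsai` org, runs on every pull request, and stays unpinned behind a `zizmor: ignore`, so a push to that repository's `main` executes in this repository's CI with whatever token this job holds. Either pin it to a commit SHA like the other actions in this patch, or put the reason it must track `main` in the ignore comment, e.g. `# zizmor: ignore[unpinned-uses] -- <reason>`. The adjacent `rapidsai/shared-actions/...@main` reference is a same-org dependency and a weaker concern, but it deserves the same one-line justification so the suppressions do not read as blanket exemptions.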
+++ b/.github/workflows/publish.yml
@@ -37,10 +37,10 @@ jobs:
 - rapidsai/notebooks
 steps:
 - name: checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Update DockerHub README for ${{ matrix.repo_name }}
- uses: peter-evans/dockerhub-description@v5
+ uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/.github/workflows/release-to-nvstaging.yml b/.github/workflows/release-to-nvstaging.yml
index 863096d6..dae55b0e 100644
--- a/.github/workflows/release-to-nvstaging.yml
+++ b/.github/workflows/release-to-nvstaging.yml
@@ -16,7 +16,7 @@ jobs:
 matrix: ${{ steps.generate-matrix.outputs.matrix }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Compute matrix
 id: generate-matrix
@@ -33,16 +33,16 @@ jobs:
 matrix: ${{fromJson(needs.compute-matrix.outputs.matrix)}}
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
 - name: Login to NGC
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: nvcr.io
 username: ${{ secrets.NGC_DOCKER_USER }}
diff --git a/.github/workflows/test-notebooks.yml b/.github/workflows/test-notebooks.yml
index a6746ca8..a8259258 100644
--- a/.github/workflows/test-notebooks.yml
+++ b/.github/workflows/test-notebooks.yml
@@ -75,7 +75,7 @@ jobs:
 curl \
 git
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Install gha-tools
@@ -83,7 +83,7 @@ jobs:
 context/scripts/install-gha-tools
 - name: Get RAPIDS GitHub Info
 id: get-rapids-github-info
- uses: rapidsai/shared-actions/rapids-github-info@main
+ uses: rapidsai/shared-actions/rapids-github-info@main # zizmor: ignore[unpinned-uses]
 - name: Print environment
 run: |
 rapids-print-env
@@ -95,7 +95,7 @@ jobs:
 if: '!cancelled()'
 run: |
 rapids-conda-retry install -n base awscli
- - uses: aws-actions/configure-aws-credentials@v6
+ - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
 if: '!cancelled()'
 with:
 role-to-assume: ${{ vars.AWS_ROLE_ARN }}
diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml
index 51b22a9c..5e0831f2 100644
--- a/.github/workflows/trigger-breaking-change-alert.yaml
+++ b/.github/workflows/trigger-breaking-change-alert.yaml
@@ -13,7 +13,7 @@ jobs:
 trigger-notifier:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
 secrets: inherit
- uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main
+ uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses]
 with:
 sender_login: ${{ github.event.sender.login }}
 sender_avatar: ${{ github.event.sender.avatar_url }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index ab1c2404..55239996 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -64,16 +64,16 @@ jobs:
 runs-on: "linux-${{ inputs.ARCH }}-cpu4"
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
 - name: Login to DockerHub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}
 password: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}
 - name: Install Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: '1.25.x'
 - name: Install container-canary
From 71ffffddd7f8aae2a1d3bbc49ca147e9d31c542e Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 12:40:02 -0400
Subject: [PATCH 2/8] fix: artipacked credential fixes
---
 .github/workflows/build-cuvs-image.yml | 1 +
 .github/workflows/build-rapids-image.yml | 1 +
 .github/workflows/build-test-publish-images.yml | 5 +++++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/release-to-nvstaging.yml | 4 ++++
 .github/workflows/test-notebooks.yml | 1 +
 .github/workflows/validate.yml | 1 +
 7 files changed, 15 insertions(+)
diff --git a/.github/workflows/build-cuvs-image.yml b/.github/workflows/build-cuvs-image.yml
index 32e63278..0c3861c3 100644
--- a/.github/workflows/build-cuvs-image.yml
+++ b/.github/workflows/build-cuvs-image.yml
@@ -58,6 +58,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Clean up condarc for release builds
 run: |
 GIT_DESCRIBE_TAG="$(git describe --tags --first-parent --abbrev=0)"
diff --git a/.github/workflows/build-rapids-image.yml b/.github/workflows/build-rapids-image.yml
index 6b551d58..e347e09c 100644
--- a/.github/workflows/build-rapids-image.yml
+++ b/.github/workflows/build-rapids-image.yml
@@ -59,6 +59,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Clean up condarc for release builds
 run: |
 GIT_DESCRIBE_TAG="$(git describe --tags --first-parent --abbrev=0)"
diff --git a/.github/workflows/build-test-publish-images.yml b/.github/workflows/build-test-publish-images.yml
index ff1653e2..6ef320a4 100644
--- a/.github/workflows/build-test-publish-images.yml
+++ b/.github/workflows/build-test-publish-images.yml
@@ -48,6 +48,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Run pre-commit
 uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 - name: Run hadolint
@@ -73,6 +75,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Compute matrix
 id: compute-matrix
 run: |
@@ -209,6 +212,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Login to DockerHub
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
@@ -241,6 +245,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Login to DockerHub
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 836c844b..ce5fd48a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,6 +38,8 @@ jobs:
 steps:
 - name: checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Update DockerHub README for ${{ matrix.repo_name }}
 uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5
diff --git a/.github/workflows/release-to-nvstaging.yml b/.github/workflows/release-to-nvstaging.yml
index dae55b0e..874e3042 100644
--- a/.github/workflows/release-to-nvstaging.yml
+++ b/.github/workflows/release-to-nvstaging.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Compute matrix
 id: generate-matrix
@@ -34,6 +36,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Login to DockerHub
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
diff --git a/.github/workflows/test-notebooks.yml b/.github/workflows/test-notebooks.yml
index a8259258..fcb1062c 100644
--- a/.github/workflows/test-notebooks.yml
+++ b/.github/workflows/test-notebooks.yml
@@ -78,6 +78,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install gha-tools
 run: |
 context/scripts/install-gha-tools
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 55239996..3dc49657 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -67,6 +67,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 1
+ persist-credentials: false
 - name: Login to DockerHub
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
From 6b8e1f6c61822c7d1490b87ed1126852b779cb18 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 12:48:11 -0400
Subject: [PATCH 3/8] fix: remove template injection sites
---
 .github/workflows/build-test-publish-images.yml | 12 +++++++++---
 .github/workflows/release-to-nvstaging.yml | 10 ++++++----
 .github/workflows/test-notebooks.yml | 8 +++++++-
 .github/workflows/validate.yml | 12 +++++++++---
 4 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build-test-publish-images.yml b/.github/workflows/build-test-publish-images.yml
index 6ef320a4..22cc53d3 100644
--- a/.github/workflows/build-test-publish-images.yml
+++ b/.github/workflows/build-test-publish-images.yml
@@ -83,9 +83,11 @@ jobs:
 echo "MATRIX=${MATRIX}" | tee -a ${GITHUB_OUTPUT}
 - name: Compute tag prefix
 id: compute-tag-prefix
+ env:
+ BUILD_TYPE: ${{ inputs.build_type }}
 run: |
 TAG_PREFIX=""
- if [ "${{ inputs.build_type }}" = "pull-request" ]; then
+ if [ "$BUILD_TYPE" = "pull-request" ]; then
 pr_num="${GITHUB_REF_NAME##*/}"
 BASE_TAG_PREFIX="docker-${pr_num}-"
 NOTEBOOKS_TAG_PREFIX="docker-notebooks-${pr_num}-"
@@ -98,12 +100,14 @@ jobs:
 echo "CUVS_BENCH_CPU_TAG_PREFIX=${CUVS_BENCH_CPU_TAG_PREFIX}" | tee -a ${GITHUB_OUTPUT}
 - name: Compute image repo
 id: compute-image-repo
+ env:
+ BUILD_TYPE: ${{ inputs.build_type }}
 run: |
 base_repo="base"
 notebooks_repo="notebooks"
 cuvs_bench_repo="cuvs-bench"
 cuvs_bench_cpu_repo="cuvs-bench-cpu"
- if [ "${{ inputs.build_type }}" = "pull-request" ]; then
+ if [ "$BUILD_TYPE" = "pull-request" ]; then
 base_repo="staging"
 notebooks_repo="staging"
 cuvs_bench_repo="staging"
@@ -129,8 +133,10 @@ jobs:
 echo "ALPHA_TAG=${ALPHA_TAG}" | tee -a ${GITHUB_OUTPUT}
 - name: Compute test matrix
 id: compute-test-matrix
+ env:
+ BUILD_TYPE: ${{ inputs.build_type }}
 run: |
- TEST_MATRIX=$(yq '.${{ inputs.build_type }}' matrix-test.yaml)
+ TEST_MATRIX=$(yq ".$BUILD_TYPE" matrix-test.yaml)
 export TEST_MATRIX
 echo "TEST_MATRIX=$(yq -n -o json 'env(TEST_MATRIX)' | jq -c '{include: .}')" | tee --append "${GITHUB_OUTPUT}"
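Review bot: Moving `inputs.build_type` into `env` removes the GitHub-expression injection, but `yq ".$BUILD_TYPE" matrix-test.yaml` still splices the value into a yq expression, so an unexpected value runs an arbitrary yq path (or fails obscurely), and the two `if [ "$BUILD_TYPE" = "pull-request" ]` checks silently treat anything that is not `pull-request` as a branch build. Since `build_type` is a `workflow_call` input set by in-repo callers, the exposure is misconfiguration rather than an attacker, but an allowlist makes the contract explicit: add `case "$BUILD_TYPE" in pull-request|branch) ;; *) echo "unexpected build_type: $BUILD_TYPE" >&2; exit 1;; esac` at the top of the compute-test-matrix script. While here, the earlier `tee -a ${GITHUB_OUTPUT}` calls should quote `"${GITHUB_OUTPUT}"` as the last line of this hunk already does.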
diff --git a/.github/workflows/release-to-nvstaging.yml b/.github/workflows/release-to-nvstaging.yml
index 874e3042..00a2b818 100644
--- a/.github/workflows/release-to-nvstaging.yml
+++ b/.github/workflows/release-to-nvstaging.yml
@@ -53,17 +53,19 @@ jobs:
 password: ${{ secrets.NGC_DOCKER_PASSWORD }}
 - name: Release to NGC
+ env:
+ CUDA_VER: ${{ matrix.CUDA_VER }}
+ PYTHON_VER: ${{ matrix.PYTHON_VER }}
+ RAPIDS_VER: ${{ inputs.RAPIDS_VER }}
 run: |
 #!/bin/bash
 set -e
- CUDA_VER=${{ matrix.CUDA_VER }}
 CUDA_MAJOR=${CUDA_VER%%.*}
- PYTHON_VER=${{ matrix.PYTHON_VER }}
 for type in base notebooks; do
- source="rapidsai/$type:${{ inputs.RAPIDS_VER }}-cuda$CUDA_MAJOR-py$PYTHON_VER"
- target="nvcr.io/nvstaging/rapids/$type:${{ inputs.RAPIDS_VER }}-cuda$CUDA_MAJOR-py$PYTHON_VER"
+ source="rapidsai/$type:${RAPIDS_VER}-cuda$CUDA_MAJOR-py$PYTHON_VER"
+ target="nvcr.io/nvstaging/rapids/$type:${RAPIDS_VER}-cuda$CUDA_MAJOR-py$PYTHON_VER"
 echo "$source => $target"
 docker run -v ~/.docker/config.json:/config.json quay.io/skopeo/stable:v1.20.0 copy --multi-arch all --dest-authfile=/config.json docker://$source docker://$target
 done
diff --git a/.github/workflows/test-notebooks.yml b/.github/workflows/test-notebooks.yml
index fcb1062c..b390d424 100644
--- a/.github/workflows/test-notebooks.yml
+++ b/.github/workflows/test-notebooks.yml
@@ -104,5 +104,11 @@ jobs:
 role-duration-seconds: 1800 # 30m
 - name: Upload notebook test outputs
 if: '!cancelled()'
+ env:
+ ARCH: ${{ inputs.ARCH }}
+ CUDA_VER: ${{ inputs.CUDA_VER }}
+ PYTHON_VER: ${{ inputs.PYTHON_VER }}
+ GPU: ${{ inputs.GPU }}
+ DRIVER: ${{ inputs.DRIVER }}
 run: |
- rapids-upload-to-s3 test_notebooks_output_${{ inputs.ARCH }}_cuda${{ inputs.CUDA_VER }}_py${{ inputs.PYTHON_VER }}_${{ inputs.GPU }}-${{ inputs.DRIVER }}.tar.gz /home/rapids/notebooks_output
+ rapids-upload-to-s3 test_notebooks_output_${ARCH}_cuda${CUDA_VER}_py${PYTHON_VER}_${GPU}-${DRIVER}.tar.gz /home/rapids/notebooks_output
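Review bot: The `docker run ... quay.io/skopeo/stable:v1.20.0` line mounts `~/.docker/config.json`, which after the two login steps above holds both the DockerHub and the NGC credentials, into a container pulled by mutable tag; this series pins GitHub Actions to commit SHAs but leaves the image that receives the registry credentials pinned only to a tag. Pin it by digest, `quay.io/skopeo/stable:v1.20.0@sha256:<digest of that manifest>`, so a retagged image cannot read the credentials. Also quote the expansions on that line, `docker://"$source" docker://"$target"`, to match the quoting of the new `source=`/`target=` assignments; the values come from matrix and input values rather than untrusted data, so this is consistency rather than a live injection.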
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 3dc49657..ecb7d5b8 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -78,19 +78,25 @@ jobs:
 with:
 go-version: '1.25.x'
 - name: Install container-canary
+ env:
+ CONTAINER_CANARY_VERSION: ${{ inputs.CONTAINER_CANARY_VERSION }}
 run: |
- GOBIN=/tmp/canary-bin go install github.com/nvidia/container-canary@${{ inputs.CONTAINER_CANARY_VERSION }}
+ GOBIN=/tmp/canary-bin go install github.com/nvidia/container-canary@${CONTAINER_CANARY_VERSION}
 /tmp/canary-bin/container-canary version
 - name: (base) container-canary checks
+ env:
+ BASE_TAG: ${{ inputs.BASE_TAG }}
 run: |
 export PATH="/tmp/canary-bin:${PATH}"
 ./ci/run-validation-checks.sh \
 --dask-scheduler \
- ${{ inputs.BASE_TAG }}
+ "${BASE_TAG}"
 - name: (notebooks) container-canary checks
+ env:
+ NOTEBOOKS_TAG: ${{ inputs.NOTEBOOKS_TAG }}
 run: |
 export PATH="/tmp/canary-bin:${PATH}"
 ./ci/run-validation-checks.sh \
 --dask-scheduler \
 --notebooks \
- ${{ inputs.NOTEBOOKS_TAG }}
+ "${NOTEBOOKS_TAG}"
From dcb1561db4716f5e99c2ef6506adaa83b965f806 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 12:51:23 -0400
Subject: [PATCH 4/8] fix: explicitly request all needed permissions
---
 .github/workflows/pr.yml | 9 +++++++++
 .github/workflows/publish.yml | 8 ++++++++
 .github/workflows/release-to-nvstaging.yml | 4 ++++
 .github/workflows/trigger-breaking-change-alert.yaml | 2 ++
 4 files changed, 23 insertions(+)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 61d16a37..2c738ff2 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -16,6 +16,9 @@ jobs:
 needs:
 - check-nightly-ci
 - docker
+ permissions:
+ checks: write
+ pull-requests: write
 uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main # zizmor: ignore[unpinned-uses]
 if: always()
 with:
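Review bot: The rewritten `go install github.com/nvidia/container-canary@${CONTAINER_CANARY_VERSION}` leaves the version expansion unquoted while the two steps below now quote `"${BASE_TAG}"` and `"${NOTEBOOKS_TAG}"`; use `@"${CONTAINER_CANARY_VERSION}"` for consistency. Separately, `go install` accepts a branch name as well as a tag here, so if a caller ever passes a branch the binary that validates the images is whatever that branch is at run time; a comment on the input, or a tag-shape check such as `[[ "$CONTAINER_CANARY_VERSION" == v* ]]`, would make the pin intent explicit. The inputs' declarations are outside this hunk, so whether they are already constrained cannot be seen from here.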
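Review bot: The new job-level `permissions` on `pr-builder` grant `checks: write` and `pull-requests: write` to a reusable workflow that floats on `main`, but nothing in this hunk or the rest of the file as shown sets a workflow-level `permissions:` block, so the `check-nightly-ci` job, which this commit does not touch, keeps whatever default token the repository settings grant. Add a top-level `permissions: {}` (or `contents: read`) so every job without an explicit block gets the minimal token and the job-level blocks are the only escalations. Whether `pull-requests: write` is actually required by `pr-builder.yaml` cannot be verified from this repository; confirm it against the shared workflow's declared needs before merging.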
@@ -40,6 +43,12 @@ jobs:
 target-branch: ${{ fromJSON(steps.get-pr-info.outputs.pr-info).base.ref }}
 workflow-id: 'publish.yml'
 docker:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ packages: read
+ pull-requests: read
 uses: ./.github/workflows/build-test-publish-images.yml
 with:
 build_type: pull-request
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ce5fd48a..df9da8de 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -21,6 +21,12 @@ concurrency:
 jobs:
 docker:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ packages: read
+ pull-requests: read
 uses: ./.github/workflows/build-test-publish-images.yml
 with:
 build_type: branch
@@ -30,6 +36,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: docker
 if: startsWith(github.ref, 'refs/tags/v')
+ permissions:
+ contents: read
 strategy:
 matrix:
 repo_name:
diff --git a/.github/workflows/release-to-nvstaging.yml b/.github/workflows/release-to-nvstaging.yml
index 00a2b818..4651f86e 100644
--- a/.github/workflows/release-to-nvstaging.yml
+++ b/.github/workflows/release-to-nvstaging.yml
@@ -12,6 +12,8 @@ on:
 jobs:
 compute-matrix:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
 matrix: ${{ steps.generate-matrix.outputs.matrix }}
 steps:
@@ -31,6 +33,8 @@ jobs:
 name: copy (${{ matrix.CUDA_VER }}, ${{ matrix.PYTHON_VER }})
 needs: compute-matrix
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix: ${{fromJson(needs.compute-matrix.outputs.matrix)}}
 steps:
diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml
index 5e0831f2..2755ed7e 100644
--- a/.github/workflows/trigger-breaking-change-alert.yaml
+++ b/.github/workflows/trigger-breaking-change-alert.yaml
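Review bot: `id-token: write` on the `docker` job in `pr.yml` lets any step in the called `build-test-publish-images.yml`, and the workflows it calls in turn (the `configure-aws-credentials` step in `test-notebooks.yml` earlier in this series is the visible consumer), mint an OIDC token on `pull_request` events, where the token's `sub` claim carries the PR ref. Secrets are withheld from fork PRs but OIDC tokens are not, so the AWS role's trust policy must restrict the `sub`/`repository` claims to exactly the refs intended; that policy is not visible here and should be confirmed. A short comment on each `permissions:` block naming the downstream step that needs each scope (`id-token: write` for the OIDC upload; the consumer of `packages: read` is not evident from the visible steps) would let a later reviewer drop scopes safely.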
@@ -12,6 +12,8 @@ on:
 jobs:
 trigger-notifier:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
+ permissions:
+ pull-requests: read
 secrets: inherit
 uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses]
 with:
From eb16aa5429ada5f3080efd6aa72066863da410aa Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 12:57:41 -0400
Subject: [PATCH 5/8] fix: ignore `secrets-inherit` where we want inherited secrets
---
 .github/workflows/build-test-publish-images.yml | 10 +++++-----
 .github/workflows/pr.yml | 2 +-
 .github/workflows/publish.yml | 2 +-
 .github/workflows/test-notebooks.yml | 2 +-
 .github/workflows/trigger-breaking-change-alert.yaml | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-test-publish-images.yml b/.github/workflows/build-test-publish-images.yml
index 22cc53d3..5d8811ed 100644
--- a/.github/workflows/build-test-publish-images.yml
+++ b/.github/workflows/build-test-publish-images.yml
@@ -42,7 +42,7 @@ jobs:
 - build-cuvs
 - build-cuvs-multiarch-manifest
 - test
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main # zizmor: ignore[unpinned-uses]
 checks:
 runs-on: ubuntu-latest
@@ -145,7 +145,7 @@ jobs:
 strategy:
 matrix: ${{ fromJSON(needs.compute-matrix.outputs.MATRIX) }}
 fail-fast: false
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: ./.github/workflows/build-rapids-image.yml
 # Referencing something from the 'matrix' context prevents GitHub auto-generating
 # a hard-to-read name with all the matrix input values.
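Review bot: Suppressing `secrets-inherit` keeps forwarding the entire secret store to `pr-builder.yaml@main` and to the local reusable workflows, whereas the secrets those workflows actually read are few and all named in this series (`GPUCIBOT_DOCKERHUB_USER`/`_TOKEN`, `NGC_DOCKER_USER`/`_PASSWORD`, `DOCKERHUB_USERNAME`/`_PASSWORD`). Passing them by name, e.g. `secrets:` with `GPUCIBOT_DOCKERHUB_USER: ${{ secrets.GPUCIBOT_DOCKERHUB_USER }}` and `GPUCIBOT_DOCKERHUB_TOKEN: ${{ secrets.GPUCIBOT_DOCKERHUB_TOKEN }}`, bounds what an unpinned shared workflow can reach; it requires the called workflows to declare `secrets:` under `workflow_call`, which is outside this diff. If `inherit` is kept, the ignore comment should state the reason rather than only the rule name, since the `@main` target on the same job is exactly the case the rule exists for.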
@@ -179,7 +179,7 @@ jobs:
 strategy:
 matrix: ${{ fromJSON(needs.compute-matrix.outputs.MATRIX) }}
 fail-fast: false
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: ./.github/workflows/build-cuvs-image.yml
 # Referencing something from the 'matrix' context prevents GitHub auto-generating
 # a hard-to-read name with all the matrix input values.
@@ -278,7 +278,7 @@ jobs:
 strategy:
 matrix: ${{ fromJSON(needs.compute-matrix.outputs.TEST_MATRIX) }}
 fail-fast: false
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: ./.github/workflows/validate.yml
 # Referencing something from the 'matrix' context prevents GitHub auto-generating
 # a hard-to-read name with all the matrix input values.
@@ -315,7 +315,7 @@ jobs:
 strategy:
 matrix: ${{ fromJSON(needs.compute-matrix.outputs.TEST_MATRIX) }}
 fail-fast: false
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: ./.github/workflows/test-notebooks.yml
 # Referencing something from the 'matrix' context prevents GitHub auto-generating
 # a hard-to-read name with all the matrix input values.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 2c738ff2..10cc1fb6 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -53,4 +53,4 @@ jobs:
 with:
 build_type: pull-request
 run_tests: true
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index df9da8de..0a211e7e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,7 +31,7 @@ jobs:
 with:
 build_type: branch
 run_tests: ${{ inputs.run_tests || false }}
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 readme:
 runs-on: ubuntu-latest
 needs: docker
diff --git a/.github/workflows/test-notebooks.yml b/.github/workflows/test-notebooks.yml
index b390d424..6e3dd490 100644
--- a/.github/workflows/test-notebooks.yml
+++ b/.github/workflows/test-notebooks.yml
@@ -63,7 +63,7 @@ jobs:
 name: test (${{ matrix.CUDA_VER }}, py${{ matrix.PYTHON_VER }}, ${{ matrix.ARCH }}, ${{ matrix.GPU}}, ${{ matrix.DRIVER }})
 runs-on: "linux-${{ inputs.ARCH }}-gpu-${{ inputs.GPU }}-${{ inputs.DRIVER }}-1"
 container:
- image: ${{ inputs.NOTEBOOKS_TAG }}
+ image: ${{ inputs.NOTEBOOKS_TAG }} # zizmor: ignore[unpinned-images]
 env:
 NVIDIA_VISIBLE_DEVICES: ${{ env.NVIDIA_VISIBLE_DEVICES }}
 RAPIDS_BUILD_TYPE: ${{ inputs.BUILD_TYPE }}
diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml
index 2755ed7e..ae7a2eda 100644
--- a/.github/workflows/trigger-breaking-change-alert.yaml
+++ b/.github/workflows/trigger-breaking-change-alert.yaml
@@ -14,7 +14,7 @@ jobs:
 if: contains(github.event.pull_request.labels.*.name, 'breaking')
 permissions:
 pull-requests: read
- secrets: inherit
+ secrets: inherit # zizmor: ignore[secrets-inherit]
 uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main # zizmor: ignore[unpinned-uses]
 with:
 sender_login: ${{ github.event.sender.login }}
From 346f64d28f0614347663f24acf00fe8b9adfa066 Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:05:08 -0400
Subject: [PATCH 6/8] fix: ignore `dangerous-triggers` for breaking change alert
---
 .github/workflows/trigger-breaking-change-alert.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml
index ae7a2eda..4d61a36d 100644
--- a/.github/workflows/trigger-breaking-change-alert.yaml
+++ b/.github/workflows/trigger-breaking-change-alert.yaml
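Review bot: `image: ${{ inputs.NOTEBOOKS_TAG }}` pulls the test container by mutable tag, and for pull-request builds that tag is `docker-notebooks-<pr_num>-...` in a shared `staging` repository (see the compute-tag-prefix and compute-image-repo steps earlier in this series), so a second run for the same PR can overwrite the tag between the build job's push and this job's pull, and the tests would then exercise a different image than the one this run built. Rather than ignoring `unpinned-images`, have the build workflow expose the `digest` output of `docker/build-push-action` and pass a tag-plus-digest reference (`<tag>@sha256:<digest>`) through a new input so this job pins what it tests; that is a cross-workflow change, so at minimum the ignore comment should name that follow-up and the race it accepts. The `env:` block beneath the image is unchanged context and not part of this concern.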
@@ -2,7 +2,10 @@ name: Trigger Breaking Change Notifications
 on:
- pull_request_target:
+ # needs to be pull_request_target so the webhook token is available. no code
+ # gets checked out, only metadata, so there is no risk to executing this from
+ # fork PRs
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - closed
 - reopened
From f8b139cee9a579b5309db1d5f3796f5a1ad5fd1a Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:08:36 -0400
Subject: [PATCH 7/8] fix: mark cache-poisoning warning as a non-issue
---
 .github/workflows/build-rapids-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-rapids-image.yml b/.github/workflows/build-rapids-image.yml
index e347e09c..02947e37 100644
--- a/.github/workflows/build-rapids-image.yml
+++ b/.github/workflows/build-rapids-image.yml
@@ -80,7 +80,7 @@ jobs:
 run: |
 docker context create builders
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 # zizmor: ignore[cache-poisoning]
 with:
 # Using the built-in config from NVIDIA's self-hosted runners means that 'docker build'
 # will use NVIDIA's self-hosted DockerHub pull-through cache, which should mean faster builds,
From 728414b3324643d2ba7bc58f29a4b497078bd7fd Mon Sep 17 00:00:00 2001
From: Gil Forsyth
Date: Fri, 24 Apr 2026 14:11:34 -0400
Subject: [PATCH 8/8] feat: add zizmor pre-commit hook
---
 .pre-commit-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7a1ad120..52a19cc1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
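Review bot: The new comment's claim that there is "no risk to executing this from fork PRs" rests on what `breaking-change-alert.yaml@main` does with the inherited secrets and the `sender_login`/`sender_avatar` inputs it receives (both visible in the job definition earlier in this series), none of which lives in this repository; `pull_request_target` is safe only as long as nothing downstream checks out the PR head or interpolates those inputs into a `run:` step. Reword the comment so it states the invariant rather than the conclusion, e.g. `# pull_request_target so the repo token and secrets are available. Safe only because this job` / `# checks out nothing; the called workflow must not run PR code or shell-interpolate the inputs.` It is also worth noting that the `closed`/`reopened` types plus the maintainer-applied `breaking` label gate mean the job is not reachable by a fork author alone.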
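Review bot: `# v3 # zizmor: ignore[cache-poisoning]` suppresses the finding without recording why it is a non-issue, and the identical `docker/setup-buildx-action` step in `build-cuvs-image.yml` (patch 1 of this series) carries no ignore, so the two build workflows now disagree for no stated reason. Put the rationale in the comment, e.g. `# zizmor: ignore[cache-poisoning] -- builder uses NVIDIA's pull-through registry cache, not actions/cache`, which is what the existing comments under `with:` already describe; whether that cache is isolated from pull-request builds is not verifiable from here and should be confirmed. Also check that zizmor honours an ignore marker that follows a second `#` comment on the same line, otherwise the suppression is silently ineffective and the finding will resurface in the pre-commit run added in patch 8.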
@@ -18,6 +18,10 @@ repos:
 hooks:
 - id: shellcheck
 args: ["--severity=warning", "--external-sources"]
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
 - repo: https://github.com/rapidsai/pre-commit-hooks
 rev: v1.4.3
 hooks:
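Review bot: `rev: v1.24.1` pins the new zizmor hook to a mutable tag, which is the same weakness patch 1 of this series removes for GitHub Actions; pre-commit resolves `rev` from the remote, and the `pre-commit/action` step in `build-test-publish-images.yml` runs these hooks in CI, so the hook's code executes on every pull request. pre-commit accepts a full commit SHA in `rev`, so pin to the commit the tag resolves to and keep the tag as a comment: `rev: <commit sha that v1.24.1 points to>  # v1.24.1`. The existing `rapidsai/pre-commit-hooks` entry below has the same exposure but is outside this change.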