From 391bbccc5a8ce0b445987236c95afd9d9210276f Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Mon, 4 May 2026 14:43:49 -0400 Subject: [PATCH 1/9] feat: add zizmor config and pre-commit --- .github/zizmor.yml | 9 +++++++++ .pre-commit-config.yaml | 4 ++++ 2 files changed, 13 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..1b6ea1e53 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,9 @@ +rules: + unpinned-uses: + config: + policies: + # We require SHA-pinning for all workflows and actions _except_ for those from + # rapidsai/shared-workflows and rapidsai/shared-actions + "rapidsai/shared-workflows/*": any + "rapidsai/shared-actions/*": any + "*": hash-pin diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 24ea8782d..4b5c57d69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -99,6 +99,10 @@ repos: ^[.]cursor-plugin/plugin[.]json$| ^[.]claude-plugin/marketplace[.]json$| ^gemini-extension[.]json$ + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor - repo: local hooks: - id: update-versions From 30254306bc6fdea161664aad3a5edc67057e723a Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Mon, 4 May 2026 14:48:54 -0400 Subject: [PATCH 2/9] fix: allow inheriting secrets for shared-workflows --- .github/workflows/build.yaml | 30 +++++++++---------- .../workflows/build_test_publish_images.yaml | 4 +-- .github/workflows/pr.yaml | 24 +++++++-------- .github/workflows/test.yaml | 2 +- .../trigger-breaking-change-alert.yaml | 2 +- 5 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7a9807941..09d21224c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
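Review bot: The two `any` entries in `.github/zizmor.yml` exempt exactly the references that receive the most privilege elsewhere in this series, since every `rapidsai/shared-workflows/...@main` caller also passes `secrets: inherit`. `any` switches the pinning audit off for those patterns altogether. As far as I know `ref-pin` would still accept `@main` while keeping the rule active, e.g. `"rapidsai/shared-workflows/*": ref-pin`. The comment states the exception but not the reason for it; a further line such as `# org-owned and tracked at a branch on purpose so CI changes roll out centrally` (if that is the reason) would record what trust the exemption rests on.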
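Review bot: The hook that enforces hash-pinning is itself pinned by a tag, `rev: v1.24.1`, which the upstream repository can move. pre-commit accepts a full commit SHA in `rev`, so this could read `rev: <full-commit-sha>  # frozen: v1.24.1`, the form that `pre-commit autoupdate --freeze` writes. Whether the other hooks in this file follow the same convention is not visible in the hunk.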
@@ -44,7 +44,7 @@ concurrency: jobs: cpp-build: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -54,7 +54,7 @@ jobs: script: ci/build_cpp.sh python-build: needs: [cpp-build] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-python-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -64,7 +64,7 @@ jobs: script: ci/build_python.sh upload-conda: needs: [cpp-build, python-build] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-upload-packages.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -72,7 +72,7 @@ jobs: date: ${{ inputs.date }} sha: ${{ inputs.sha }} wheel-build-cuopt-mps-parser: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -87,7 +87,7 @@ jobs: matrix_filter: 'group_by([.ARCH, (.PY_VER |split(".") | map(tonumber))])|map(max_by([(.CUDA_VER|split(".")|map(tonumber))]))' wheel-publish-cuopt-mps-parser: needs: wheel-build-cuopt-mps-parser - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -98,7 +98,7 @@ jobs: package-type: python wheel-build-libcuopt: needs: wheel-build-cuopt-mps-parser - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} 
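Review bot: The `# zizmor: ignore[secrets-inherit]` suppression added to each `secrets: inherit` line carries no rationale, and every one of these jobs hands the caller's full secret set to a reusable workflow referenced at the mutable ref `@main`. The same pattern repeats in the remaining build.yaml hunks and in the pr.yaml, test.yaml and trigger-breaking-change-alert.yaml hunks of this patch. Where the callee's required secrets are known, an explicit `secrets:` mapping would make the suppression unnecessary. Where inheritance is deliberate, say so once above `jobs:`, for example `# secrets: inherit is intentional for rapidsai/shared-workflows callers; the callee defines which secrets it reads`. Jobs that look unlikely to need any secret (`changed-files` and `checks` in pr.yaml) are worth checking against the callee before keeping `inherit`; the job bodies continue outside these hunks.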
@@ -111,7 +111,7 @@ jobs: matrix_filter: group_by([.ARCH, (.CUDA_VER|split(".")|map(tonumber)|.[0])]) | map(max_by(.PY_VER|split(".")|map(tonumber))) wheel-publish-libcuopt: needs: wheel-build-libcuopt - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -122,7 +122,7 @@ jobs: package-type: cpp wheel-build-cuopt: needs: [wheel-build-cuopt-mps-parser, wheel-build-libcuopt] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -134,7 +134,7 @@ jobs: package-type: python wheel-publish-cuopt: needs: wheel-build-cuopt - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -144,7 +144,7 @@ jobs: package-name: cuopt package-type: python wheel-build-cuopt-server: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -159,7 +159,7 @@ jobs: matrix_filter: map(select(.ARCH == "amd64")) | group_by(.CUDA_VER|split(".")|map(tonumber)|.[0]) | map(max_by([(.PY_VER|split(".")|map(tonumber)), (.CUDA_VER|split(".")|map(tonumber))])) wheel-publish-cuopt-server: needs: wheel-build-cuopt-server - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} 
@@ -170,7 +170,7 @@ jobs: package-type: python docs-build: needs: [python-build] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -184,7 +184,7 @@ jobs: container_image: "rapidsai/ci-conda:26.06-latest" script: "ci/build_docs.sh" wheel-build-cuopt-sh-client: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -200,7 +200,7 @@ jobs: matrix_filter: '[map(select(.ARCH == "amd64")) | min_by((.PY_VER | split(".") | map(tonumber)), (.CUDA_VER | split(".") | map(-tonumber)))]' wheel-publish-cuopt-sh-client: needs: wheel-build-cuopt-sh-client - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: build_type: ${{ inputs.build_type || 'branch' }} @@ -274,7 +274,7 @@ jobs: - wheel-publish-cuopt-server - wheel-publish-cuopt-sh-client uses: ./.github/workflows/build_test_publish_images.yaml - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] with: branch: ${{ inputs.branch }} sha: ${{ inputs.sha }} diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index 85bea2547..0d574563c 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml @@ -106,7 +106,7 @@ jobs: build-images: name: Build images needs: compute-matrix - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] strategy: matrix: ${{ fromJson(needs.compute-matrix.outputs.MATRIX) }} uses: ./.github/workflows/build_images.yaml 
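Review bot: The callers of in-repo reusable workflows also keep `secrets: inherit` behind a suppression, although the callee's `on.workflow_call.secrets` block lives in this repository and can be enumerated. This applies to `build-images` calling `./.github/workflows/build_images.yaml` here, the `build_test_publish_images.yaml` call in build.yaml, `test-images`, and `test-self-hosted-server` in pr.yaml. Passing only the named secrets, in the form `secrets:` followed by `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}`, would remove the need for the ignore comment on these jobs and limit what a change to the callee can read. The actual secret names are not visible in these hunks, so the placeholders need filling in from the called workflows.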
@@ -162,7 +162,7 @@ jobs: test-images: name: Test images needs: [build-cuopt-multiarch-manifest, compute-matrix] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] strategy: matrix: CUDA_VER: ${{ fromJson(needs.compute-matrix.outputs.MATRIX).cuda_ver }} diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 4a1f29319..bf31275ea 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -33,7 +33,7 @@ jobs: - wheel-build-cuopt-mps-parser - wheel-build-cuopt-sh-client - test-self-hosted-server - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main if: always() with: @@ -110,7 +110,7 @@ jobs: fi changed-files: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main with: files_yaml: | @@ -355,7 +355,7 @@ jobs: - '!ucf/**' - '!utilities/**' checks: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/checks.yaml@main with: enable_check_generated_files: false @@ -366,7 +366,7 @@ jobs: fromJSON(needs.changed-files.outputs.changed_file_groups).test_cpp || fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_conda || fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-build.yaml@main with: build_type: pull-request @@ -393,7 +393,7 @@ jobs: if: >- fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_conda || fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-python-build.yaml@main with: build_type: pull-request 
@@ -417,7 +417,7 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} docs-build: needs: [conda-python-build, changed-files] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs with: @@ -432,7 +432,7 @@ jobs: needs: [compute-matrix-filters, changed-files] # All wheel-build-* jobs feed the wheel test jobs, so they gate on the same group. if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: pull-request @@ -445,7 +445,7 @@ jobs: wheel-build-libcuopt: needs: [wheel-build-cuopt-mps-parser, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: # build for every combination of arch and CUDA version, but only for the latest Python @@ -457,7 +457,7 @@ jobs: wheel-build-cuopt: needs: [wheel-build-cuopt-mps-parser, wheel-build-libcuopt, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: pull-request @@ -483,7 +483,7 @@ jobs: wheel-build-cuopt-server: needs: [checks, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: pull-request 
@@ -496,7 +496,7 @@ jobs: wheel-build-cuopt-sh-client: needs: [compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: build_type: pull-request @@ -524,7 +524,7 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} test-self-hosted-server: needs: [wheel-build-cuopt, wheel-build-cuopt-server, changed-files] - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/self_hosted_service_test.yaml if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels with: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 467d4b7f1..427e7b483 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -92,7 +92,7 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} conda-notebook-tests: - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main with: build_type: ${{ inputs.build_type }} diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index 57b178740..2fee7d0de 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -14,7 +14,7 @@ on: jobs: trigger-notifier: if: contains(github.event.pull_request.labels.*.name, 'breaking') - secrets: inherit + secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main with: sender_login: ${{ github.event.sender.login }} From abab5150a86f60bf6154deb752564a63816e4b77 Mon Sep 17 00:00:00 2001 
From: Gil Forsyth Date: Mon, 4 May 2026 14:57:44 -0400 Subject: [PATCH 3/9] fix(ci): grant explicit permissions per job --- .github/workflows/build.yaml | 97 ++++++++++++++++ .github/workflows/cloud_ci.yaml | 7 +- .github/workflows/inactivity_reminder.yaml | 7 +- .github/workflows/issue_automation.yaml | 8 +- .github/workflows/nightly-summary.yaml | 4 + .github/workflows/nightly.yaml | 5 + .github/workflows/pr.yaml | 105 ++++++++++++++++++ .github/workflows/test.yaml | 34 ++++++ .../trigger-breaking-change-alert.yaml | 8 ++ 9 files changed, 272 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 09d21224c..108ed272b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -42,8 +42,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: cpp-build: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-build.yaml@main with: @@ -54,6 +62,12 @@ jobs: script: ci/build_cpp.sh python-build: needs: [cpp-build] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-python-build.yaml@main with: @@ -64,6 +78,12 @@ jobs: script: ci/build_python.sh upload-conda: needs: [cpp-build, python-build] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-upload-packages.yaml@main with: 
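Review bot: The same five-scope block, including `id-token: write`, is pasted onto every job that calls a reusable workflow, so the "explicit permissions per job" end up as one blanket grant rather than a per-job minimum. `id-token: write` lets a job request an OIDC token for the repository's identity. In pr.yaml it is also given to PR-path jobs such as `changed-files`, `checks` and `pr-builder`, whose callees are referenced only at `@main`. A caller has to grant at least what the callee's jobs declare, so part of this may be forced. If it is, a comment next to the top-level `permissions: {}` such as `# callers of rapidsai/shared-workflows grant the superset those workflows declare; trim per job when upstream narrows` would record that. Otherwise `id-token: write`, `packages: read` and `pull-requests: read` should be dropped from the jobs whose callee does not declare them; the callee definitions are outside this diff.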
@@ -72,6 +92,12 @@ jobs: date: ${{ inputs.date }} sha: ${{ inputs.sha }} wheel-build-cuopt-mps-parser: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -87,6 +113,12 @@ jobs: matrix_filter: 'group_by([.ARCH, (.PY_VER |split(".") | map(tonumber))])|map(max_by([(.CUDA_VER|split(".")|map(tonumber))]))' wheel-publish-cuopt-mps-parser: needs: wheel-build-cuopt-mps-parser + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: @@ -98,6 +130,12 @@ jobs: package-type: python wheel-build-libcuopt: needs: wheel-build-cuopt-mps-parser + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -111,6 +149,12 @@ jobs: matrix_filter: group_by([.ARCH, (.CUDA_VER|split(".")|map(tonumber)|.[0])]) | map(max_by(.PY_VER|split(".")|map(tonumber))) wheel-publish-libcuopt: needs: wheel-build-libcuopt + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: @@ -122,6 +166,12 @@ jobs: package-type: cpp wheel-build-cuopt: needs: [wheel-build-cuopt-mps-parser, wheel-build-libcuopt] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: 
@@ -134,6 +184,12 @@ jobs: package-type: python wheel-publish-cuopt: needs: wheel-build-cuopt + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: @@ -144,6 +200,12 @@ jobs: package-name: cuopt package-type: python wheel-build-cuopt-server: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -159,6 +221,12 @@ jobs: matrix_filter: map(select(.ARCH == "amd64")) | group_by(.CUDA_VER|split(".")|map(tonumber)|.[0]) | map(max_by([(.PY_VER|split(".")|map(tonumber)), (.CUDA_VER|split(".")|map(tonumber))])) wheel-publish-cuopt-server: needs: wheel-build-cuopt-server + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: @@ -170,6 +238,12 @@ jobs: package-type: python docs-build: needs: [python-build] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main with: @@ -184,6 +258,12 @@ jobs: container_image: "rapidsai/ci-conda:26.06-latest" script: "ci/build_docs.sh" wheel-build-cuopt-sh-client: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: 
@@ -200,6 +280,12 @@ jobs: matrix_filter: '[map(select(.ARCH == "amd64")) | min_by((.PY_VER | split(".") | map(tonumber)), (.CUDA_VER | split(".") | map(-tonumber)))]' wheel-publish-cuopt-sh-client: needs: wheel-build-cuopt-sh-client + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main with: @@ -220,6 +306,9 @@ jobs: - wheel-publish-cuopt-sh-client - wheel-publish-libcuopt if: inputs.trigger-tests + permissions: + actions: write + contents: read runs-on: ubuntu-latest # ref: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable env: @@ -248,6 +337,8 @@ jobs: - tests - build-images - docs-build + permissions: + contents: read runs-on: linux-amd64-cpu4 container: image: python:3.14-slim @@ -273,6 +364,12 @@ jobs: - wheel-publish-cuopt - wheel-publish-cuopt-server - wheel-publish-cuopt-sh-client + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: ./.github/workflows/build_test_publish_images.yaml secrets: inherit # zizmor: ignore[secrets-inherit] with: diff --git a/.github/workflows/cloud_ci.yaml b/.github/workflows/cloud_ci.yaml index ff73fb1f8..0a571b486 100644 --- a/.github/workflows/cloud_ci.yaml +++ b/.github/workflows/cloud_ci.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2025-2026, NVIDIA CORPORATION. All rights reserved. # SPDX-License-Identifier: Apache-2.0 name: cloud_ci_checker @@ -8,8 +8,13 @@ on: - ${GITHUB_REF##*/} paths: - 'cloud-scripts' + +permissions: {} + jobs: conditional_step: + permissions: + contents: read runs-on: 'ubuntu-22.04' steps: - run: echo "Starting GitHub Actions Job for Cloud CI test notification" 
diff --git a/.github/workflows/inactivity_reminder.yaml b/.github/workflows/inactivity_reminder.yaml index 8b65b7806..3cc9bf15a 100644 --- a/.github/workflows/inactivity_reminder.yaml +++ b/.github/workflows/inactivity_reminder.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2025-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 name: Inactivity Reminder with Different Times @@ -7,8 +7,13 @@ on: schedule: - cron: '0 9 * * *' # Runs daily at 09:00 UTC +permissions: {} + jobs: remind: + permissions: + issues: write + pull-requests: write runs-on: ubuntu-latest steps: - name: Remind inactive issues and PRs diff --git a/.github/workflows/issue_automation.yaml b/.github/workflows/issue_automation.yaml index 00e75ba8d..f8083a703 100644 --- a/.github/workflows/issue_automation.yaml +++ b/.github/workflows/issue_automation.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2025-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 name: Auto-label and Round-Robin Assign Issues @@ -7,8 +7,12 @@ on: issues: types: [opened] +permissions: {} + jobs: auto-label: + permissions: + issues: write runs-on: ubuntu-latest steps: - name: Add awaiting response label to new issues @@ -35,6 +39,8 @@ jobs: } round-robin-assign: + permissions: + issues: write runs-on: ubuntu-latest steps: - name: Assign issue round-robin only if unassigned diff --git a/.github/workflows/nightly-summary.yaml b/.github/workflows/nightly-summary.yaml index 857e6f1f4..3736eb967 100644 --- a/.github/workflows/nightly-summary.yaml +++ b/.github/workflows/nightly-summary.yaml 
@@ -50,8 +50,12 @@ on: CUOPT_SLACK_CHANNEL_ID: required: false +permissions: {} + jobs: nightly-summary: + permissions: + contents: read runs-on: linux-amd64-cpu4 container: image: python:3.14-slim diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index b64016851..4005188b8 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -9,8 +9,13 @@ on: - cron: "0 5 * * *" # 5am UTC / 1am EST +permissions: {} + jobs: trigger-nightly-builds-and-tests: + permissions: + actions: write + contents: read runs-on: ubuntu-latest timeout-minutes: 30 strategy: diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index bf31275ea..c15ec6b4d 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -12,6 +12,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: pr-builder: needs: @@ -33,12 +35,21 @@ jobs: - wheel-build-cuopt-mps-parser - wheel-build-cuopt-sh-client - test-self-hosted-server + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main if: always() with: needs: ${{ toJSON(needs) }} check-lean-ci: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest outputs: lean_ci_enabled: ${{ steps.check-label.outputs.lean_ci_enabled }} @@ -62,6 +73,8 @@ jobs: fi prevent-merge-with-lean-ci: + permissions: + contents: read runs-on: ubuntu-latest needs: check-lean-ci steps: @@ -78,6 +91,8 @@ jobs: fi compute-matrix-filters: needs: check-lean-ci + permissions: + contents: read runs-on: ubuntu-latest outputs: conda_lean_filter: ${{ steps.set-filters.outputs.conda_lean_filter }} 
@@ -110,6 +125,12 @@ jobs: fi changed-files: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main with: @@ -355,6 +376,12 @@ jobs: - '!ucf/**' - '!utilities/**' checks: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/checks.yaml@main with: @@ -366,6 +393,12 @@ jobs: fromJSON(needs.changed-files.outputs.changed_file_groups).test_cpp || fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_conda || fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-build.yaml@main with: @@ -374,6 +407,12 @@ jobs: matrix_filter: ${{ needs.compute-matrix-filters.outputs.conda_lean_filter }} conda-cpp-tests: needs: [conda-cpp-build, changed-files, compute-matrix-filters] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-tests.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_cpp with: @@ -393,6 +432,12 @@ jobs: if: >- fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_conda || fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-python-build.yaml@main with: 
@@ -401,6 +446,12 @@ jobs: matrix_filter: ${{ needs.compute-matrix-filters.outputs.conda_test_filter }} conda-python-tests: needs: [conda-python-build, changed-files, compute-matrix-filters] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_conda with: @@ -417,6 +468,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} docs-build: needs: [conda-python-build, changed-files] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).build_docs @@ -432,6 +489,12 @@ jobs: needs: [compute-matrix-filters, changed-files] # All wheel-build-* jobs feed the wheel test jobs, so they gate on the same group. if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -445,6 +508,12 @@ jobs: wheel-build-libcuopt: needs: [wheel-build-cuopt-mps-parser, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: 
@@ -457,6 +526,12 @@ jobs: wheel-build-cuopt: needs: [wheel-build-cuopt-mps-parser, wheel-build-libcuopt, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -467,6 +542,12 @@ jobs: matrix_filter: ${{ needs.compute-matrix-filters.outputs.wheel_lean_filter }} wheel-tests-cuopt: needs: [wheel-build-cuopt, wheel-build-cuopt-mps-parser, wheel-build-cuopt-sh-client, changed-files, compute-matrix-filters] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels with: @@ -483,6 +564,12 @@ jobs: wheel-build-cuopt-server: needs: [checks, compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: @@ -496,6 +583,12 @@ jobs: wheel-build-cuopt-sh-client: needs: [compute-matrix-filters, changed-files] if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main with: 
@@ -509,6 +602,12 @@ jobs: matrix_filter: ${{ needs.compute-matrix-filters.outputs.cuopt_sh_client_filter }} wheel-tests-cuopt-server: needs: [wheel-build-cuopt, wheel-build-cuopt-server, changed-files, compute-matrix-filters] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels with: @@ -524,6 +623,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} test-self-hosted-server: needs: [wheel-build-cuopt, wheel-build-cuopt-server, changed-files] + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: ./.github/workflows/self_hosted_service_test.yaml if: fromJSON(needs.changed-files.outputs.changed_file_groups).test_python_wheels diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 427e7b483..fecb84784 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -25,8 +25,16 @@ on: type: string default: nightly +permissions: {} + jobs: conda-cpp-tests: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-tests.yaml@main with: build_type: ${{ inputs.build_type }} @@ -43,6 +51,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} conda-python-tests: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml@main with: run_codecov: false 
@@ -60,6 +74,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} wheel-tests-cuopt: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main with: build_type: ${{ inputs.build_type }} @@ -76,6 +96,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} wheel-tests-cuopt-server: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main with: build_type: ${{ inputs.build_type }} @@ -92,6 +118,12 @@ jobs: script-env-secret-3-value: ${{ secrets.CUOPT_AWS_SECRET_ACCESS_KEY }} conda-notebook-tests: + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main with: @@ -104,6 +136,8 @@ jobs: container_image: "rapidsai/ci-conda:26.06-latest" script: ci/test_notebooks.sh nightly-summary: + permissions: + contents: read if: ${{ always() && inputs.build_type == 'nightly' }} needs: - conda-cpp-tests diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index 2fee7d0de..f2dd2e09c 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -11,9 +11,17 @@ on: - labeled - unlabeled +permissions: {} + jobs: trigger-notifier: if: contains(github.event.pull_request.labels.*.name, 'breaking') + permissions: + actions: read + contents: read + id-token: write + packages: read + pull-requests: read secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main with: 
From 3083ca4629e14cc5de9805ce3396203cb79c053b Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Mon, 4 May 2026 15:00:05 -0400 Subject: [PATCH 4/9] fix(ci): suppress dangerous-triggers warning --- .github/workflows/trigger-breaking-change-alert.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index f2dd2e09c..74f4f5afe 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -3,7 +3,10 @@ name: Trigger Breaking Change Notifications -on: +# `zizmor` always flags these triggers because they are easy to use +# incorrectly. These usages are ok and don't execute any PR-specific +# code (and so aren't susceptible to exploits from forked PRs) +on: # zizmor: ignore[dangerous-triggers] pull_request_target: types: - closed From ba95d5808cd0528eca5aa74e25031ad3e91d3b19 Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Mon, 4 May 2026 15:47:13 -0400 Subject: [PATCH 5/9] fix: pin all third-party actions --- .github/workflows/build.yaml | 2 +- .github/workflows/build_images.yaml | 10 +++++----- .github/workflows/build_test_publish_images.yaml | 8 ++++---- .github/workflows/cloud_ci.yaml | 2 +- .github/workflows/inactivity_reminder.yaml | 2 +- .github/workflows/issue_automation.yaml | 4 ++-- .github/workflows/nightly-summary.yaml | 2 +- .github/workflows/nightly.yaml | 2 +- .github/workflows/self_hosted_service_test.yaml | 6 +++--- .github/workflows/test_images.yaml | 4 ++-- 10 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 108ed272b..20f687812 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -343,7 +343,7 @@ jobs: container: image: python:3.14-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.sha }} - name: Install dependencies diff --git a/.github/workflows/build_images.yaml b/.github/workflows/build_images.yaml index 78a965efd..81b1261b7 100644 --- a/.github/workflows/build_images.yaml +++ b/.github/workflows/build_images.yaml @@ -41,12 +41,12 @@ jobs: runs-on: "linux-${{ matrix.ARCH }}-cpu4" steps: - name: Checkout code repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 ref: ${{ inputs.sha }} - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.CUOPT_DOCKERHUB_USERNAME }} password: ${{ secrets.CUOPT_DOCKERHUB_TOKEN }} @@ -61,7 +61,7 @@ jobs: git rev-parse HEAD > ./ci/docker/context/COMMIT_SHA git log -n1 --pretty='%ct' > ./ci/docker/context/COMMIT_TIME - name: Login to NGC - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: "nvcr.io" username: "$oauthtoken" @@ -71,7 +71,7 @@ jobs: run: | docker context create builders - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: driver: docker endpoint: ./ci/docker/context @@ -81,7 +81,7 @@ jobs: echo "CUDA_SHORT=$(echo '${{ inputs.CUDA_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT echo "PYTHON_SHORT=$(echo '${{ inputs.PYTHON_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT - name: Build image and push to DockerHub and NGC - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: ./ci/docker/context file: ./ci/docker/Dockerfile 
diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index 0d574563c..7461508f6 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml @@ -63,7 +63,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # unshallow fetch for setuptools-scm persist-credentials: false @@ -129,17 +129,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.sha }} fetch-depth: 0 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.CUOPT_DOCKERHUB_USERNAME }} password: ${{ secrets.CUOPT_DOCKERHUB_TOKEN }} - name: Login to NGC - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: "nvcr.io" username: "$oauthtoken" diff --git a/.github/workflows/cloud_ci.yaml b/.github/workflows/cloud_ci.yaml index 0a571b486..26d04e17a 100644 --- a/.github/workflows/cloud_ci.yaml +++ b/.github/workflows/cloud_ci.yaml @@ -18,7 +18,7 @@ jobs: runs-on: 'ubuntu-22.04' steps: - run: echo "Starting GitHub Actions Job for Cloud CI test notification" - - uses: cinotify/github-action@main + - uses: cinotify/github-action@89d5abbbfb50cdba9d4b462d47d9378d7d204d75 # main with: to: 'cuopt-eng@nvidia.com' subject: 'Cloud scripts change notification' diff --git a/.github/workflows/inactivity_reminder.yaml b/.github/workflows/inactivity_reminder.yaml index 3cc9bf15a..a52cdccbe 100644 --- a/.github/workflows/inactivity_reminder.yaml +++ b/.github/workflows/inactivity_reminder.yaml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Remind inactive issues and PRs - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: script: | const MS_IN_DAY = 24 * 60 * 60 * 1000; diff --git a/.github/workflows/issue_automation.yaml b/.github/workflows/issue_automation.yaml index f8083a703..7253629f0 100644 --- a/.github/workflows/issue_automation.yaml +++ b/.github/workflows/issue_automation.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Add awaiting response label to new issues - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: script: | // Only process issues (not PRs) @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Assign issue round-robin only if unassigned - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: script: | // Only process issues (not PRs) diff --git a/.github/workflows/nightly-summary.yaml b/.github/workflows/nightly-summary.yaml index 3736eb967..9e2c4c0e2 100644 --- a/.github/workflows/nightly-summary.yaml +++ b/.github/workflows/nightly-summary.yaml @@ -60,7 +60,7 @@ jobs: container: image: python:3.14-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.sha }} - name: Install dependencies diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 4005188b8..a93fa30cf 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -24,7 +24,7 @@ jobs: - "main" - "release/26.06" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Trigger Pipeline env: GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/self_hosted_service_test.yaml b/.github/workflows/self_hosted_service_test.yaml index 0761a653f..8a436ce77 100644 
--- a/.github/workflows/self_hosted_service_test.yaml +++ b/.github/workflows/self_hosted_service_test.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Copyright (c) 2023-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2023-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 name: Test self-hosted service on local-setup @@ -66,7 +66,7 @@ jobs: - /tmp/asset_dir/:/tmp/asset_dir/ - /tmp/response_dir/:/tmp/response_dir/ steps: - - uses: aws-actions/configure-aws-credentials@v1-node16 + - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16 with: role-to-assume: ${{ vars.AWS_ROLE_ARN }} aws-region: ${{ vars.AWS_REGION }} @@ -78,7 +78,7 @@ jobs: run: printf 'machine pypi.k8s.rapids.ai\n\tlogin cibuildwheel\n\tpassword ${{ secrets.RAPIDSAI_PYPI_CI_PASSWORD }}\n' > ~/.netrc - name: checkout code repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: ${{ inputs.repo }} ref: ${{ inputs.sha }} diff --git a/.github/workflows/test_images.yaml b/.github/workflows/test_images.yaml index 66cbce036..ef85bd110 100644 --- a/.github/workflows/test_images.yaml +++ b/.github/workflows/test_images.yaml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-FileCopyrightText: Copyright (c) 2025-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -58,7 +58,7 @@ jobs: image: "nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ needs.prepare.outputs.CUDA_SHORT }}-py${{ needs.prepare.outputs.PYTHON_SHORT }}" steps: - name: Checkout code repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 ref: ${{ inputs.sha }} 
From a86b4990ff3ecaddea348e131db7cbea845019b4 Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Mon, 4 May 2026 16:17:39 -0400 Subject: [PATCH 6/9] fix: resolve template injection risks --- .github/workflows/build.yaml | 2 +- .github/workflows/build_images.yaml | 16 +++++++++++---- .../workflows/build_test_publish_images.yaml | 20 +++++++++++++------ .github/workflows/pr.yaml | 10 +++++++--- .../workflows/self_hosted_service_test.yaml | 4 +++- .github/workflows/test_images.yaml | 7 +++++-- 6 files changed, 42 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 20f687812..789300d0c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -324,7 +324,7 @@ jobs: # to pull the actual cuOpt source code from gh workflow run \ --repo NVIDIA/cuopt \ - --ref "${{ github.ref }}" \ + --ref "$GITHUB_REF" \ 'test.yaml' \ -f branch="${INPUT_BRANCH}" \ -f build_type="${INPUT_BUILD_TYPE}" \ diff --git a/.github/workflows/build_images.yaml b/.github/workflows/build_images.yaml index 81b1261b7..8466bfce2 100644 --- a/.github/workflows/build_images.yaml +++ b/.github/workflows/build_images.yaml @@ -77,9 +77,12 @@ jobs: endpoint: ./ci/docker/context - name: Trim CUDA and Python versions id: trim + env: + CUDA_VER: ${{ inputs.CUDA_VER }} + PYTHON_VER: ${{ inputs.PYTHON_VER }} run: | - echo "CUDA_SHORT=$(echo '${{ inputs.CUDA_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT - echo "PYTHON_SHORT=$(echo '${{ inputs.PYTHON_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT + echo "CUDA_SHORT=$(echo "$CUDA_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT + echo "PYTHON_SHORT=$(echo "$PYTHON_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT - name: Build image and push to DockerHub and NGC uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: 
@@ -99,6 +102,11 @@ jobs: tags: nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }} - name: Push image to NGC + env: + IMAGE_TAG_PREFIX: ${{ inputs.IMAGE_TAG_PREFIX }} + ARCH: ${{ matrix.ARCH }} + CUDA_SHORT: ${{ steps.trim.outputs.CUDA_SHORT }} + PYTHON_SHORT: ${{ steps.trim.outputs.PYTHON_SHORT }} run: | - docker tag nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }} nvcr.io/nvstaging/nvaie/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }} - docker push nvcr.io/nvstaging/nvaie/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }} + docker tag "nvidia/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}" "nvcr.io/nvstaging/nvaie/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}" + docker push "nvcr.io/nvstaging/nvaie/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}" diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index 7461508f6..8817f66ac 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml 
@@ -71,13 +71,18 @@ jobs: - name: Compute matrix id: compute-matrix + env: + ARCH: ${{ inputs.arch }} + CUDA_VER: ${{ inputs.cuda_ver }} + PYTHON_VER: ${{ inputs.python_ver }} + LINUX_VER: ${{ inputs.linux_ver }} run: | MATRIX=$(jq -c '.' <> $GITHUB_OUTPUT - echo "PYTHON_SHORT=$(echo '${{ matrix.PYTHON_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT + echo "CUDA_SHORT=$(echo "$CUDA_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT + echo "PYTHON_SHORT=$(echo "$PYTHON_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT - name: Create multiarch manifest shell: bash env: diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index c15ec6b4d..1a2679ab9 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -60,7 +60,7 @@ jobs: GH_TOKEN: ${{ github.token }} run: | # Extract PR number from branch name (pull-request/123 -> 123) - PR_NUMBER=$(echo "${{ github.ref }}" | sed 's|refs/heads/pull-request/||') + PR_NUMBER=$(echo "$GITHUB_REF" | sed 's|refs/heads/pull-request/||') echo "Checking PR #$PR_NUMBER for lean-ci label..." # Check if the PR has the 'lean-ci' label @@ -79,8 +79,10 @@ jobs: needs: check-lean-ci steps: - name: Check lean-ci status + env: + LEAN_CI: ${{ steps.check-lean-ci.outputs.lean_ci_enabled }} run: | - if [ "${{ needs.check-lean-ci.outputs.lean_ci_enabled }}" == "true" ]; then + if [ "$LEAN_CI" == "true" ]; then echo "❌ ERROR: This PR has the 'lean-ci' label enabled." echo "Lean CI is only for testing purposes and should not be merged." echo "Please remove the 'lean-ci' label and run full CI before merging." 
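Review bot: In the pr.yaml hunk `@@ -79,8 +79,10 @@`, `LEAN_CI` is read from `steps.check-lean-ci.outputs.lean_ci_enabled`, but the removed line read `needs.check-lean-ci.outputs.lean_ci_enabled`, and the job only declares `needs: check-lean-ci`. No step with that id is visible in this job, so the expression most likely expands to an empty string. `[ "$LEAN_CI" == "true" ]` would then never be true, and a PR carrying the `lean-ci` label would pass the merge guard. Keep the move to `env:` but restore the original context: `LEAN_CI: ${{ needs.check-lean-ci.outputs.lean_ci_enabled }}`. The `Set matrix filters` step in the next pr.yaml hunk (`@@ -105,8 +107,10 @@`) has the same substitution and would never take its lean branch.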
@@ -105,8 +107,10 @@ jobs: steps: - name: Set matrix filters id: set-filters + env: + LEAN_CI: ${{ steps.check-lean-ci.outputs.lean_ci_enabled }} run: | - if [ "${{ needs.check-lean-ci.outputs.lean_ci_enabled }}" == "true" ]; then + if [ "$LEAN_CI" == "true" ]; then echo "conda_lean_filter=[map(select(.ARCH == \"amd64\" and .PY_VER == \"3.11\")) | max_by(.CUDA_VER | split(\".\") | map(tonumber))]" >> $GITHUB_OUTPUT echo "conda_test_filter=[map(select(.ARCH == \"amd64\" and .PY_VER == \"3.13\")) | max_by(.CUDA_VER | split(\".\") | map(tonumber))]" >> $GITHUB_OUTPUT echo "wheel_lean_filter=[map(select(.ARCH == \"amd64\" and .PY_VER == \"3.12\")) | max_by(.CUDA_VER | split(\".\") | map(tonumber))]" >> $GITHUB_OUTPUT diff --git a/.github/workflows/self_hosted_service_test.yaml b/.github/workflows/self_hosted_service_test.yaml index 8a436ce77..4843cb3ab 100644 --- a/.github/workflows/self_hosted_service_test.yaml +++ b/.github/workflows/self_hosted_service_test.yaml @@ -94,4 +94,6 @@ jobs: sha: ${{ inputs.sha }} - name: Run tests - run: ${{ inputs.script }} + env: + SCRIPT: ${{ inputs.script }} + run: bash "$SCRIPT" diff --git a/.github/workflows/test_images.yaml b/.github/workflows/test_images.yaml index ef85bd110..a4bcb946f 100644 --- a/.github/workflows/test_images.yaml +++ b/.github/workflows/test_images.yaml @@ -43,9 +43,12 @@ jobs: steps: - name: Trim versions id: trim + env: + CUDA_VER: ${{ inputs.CUDA_VER }} + PYTHON_VER: ${{ inputs.PYTHON_VER }} run: | - CUDA_SHORT=$(echo "${{ inputs.CUDA_VER }}" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/') - PYTHON_SHORT=$(echo "${{ inputs.PYTHON_VER }}" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/') + CUDA_SHORT=$(echo "$CUDA_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/') + PYTHON_SHORT=$(echo "$PYTHON_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/') echo "CUDA_SHORT=$CUDA_SHORT" >> $GITHUB_OUTPUT echo "PYTHON_SHORT=$PYTHON_SHORT" >> $GITHUB_OUTPUT From d30b11e61d82397ee7bfe9960a66c094a4d6fd2d Mon Sep 17 00:00:00 2001 
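Review bot: `run: bash "$SCRIPT"` in the self_hosted_service_test.yaml hunk changes what `inputs.script` means. The old `run: ${{ inputs.script }}` accepted any command line, while the new form accepts exactly one script path. A caller that passes arguments or an inline command would now fail with a file-not-found error; the callers are not visible in this hunk, so that needs checking. If a single path is the intended contract, state it in the input's `description` and use `run: bash -- "$SCRIPT"` so that a value starting with `-` is not parsed as a bash option.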
From: Gil Forsyth Date: Mon, 4 May 2026 16:49:23 -0400 Subject: [PATCH 7/9] fix: don't persist credentials unless needed --- .github/workflows/build.yaml | 1 + .github/workflows/build_images.yaml | 1 + .github/workflows/build_test_publish_images.yaml | 1 + .github/workflows/nightly-summary.yaml | 1 + .github/workflows/nightly.yaml | 2 ++ .github/workflows/test_images.yaml | 1 + 6 files changed, 7 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 789300d0c..5563039e0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -346,6 +346,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.sha }} + persist-credentials: false - name: Install dependencies run: apt-get update && apt-get install -y --no-install-recommends curl - name: Send build summary diff --git a/.github/workflows/build_images.yaml b/.github/workflows/build_images.yaml index 8466bfce2..650da5c5f 100644 --- a/.github/workflows/build_images.yaml +++ b/.github/workflows/build_images.yaml @@ -45,6 +45,7 @@ jobs: with: fetch-depth: 0 ref: ${{ inputs.sha }} + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index 8817f66ac..ec82ac40f 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml @@ -138,6 +138,7 @@ jobs: with: ref: ${{ inputs.sha }} fetch-depth: 0 + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: diff --git a/.github/workflows/nightly-summary.yaml b/.github/workflows/nightly-summary.yaml index 9e2c4c0e2..813861184 100644 --- a/.github/workflows/nightly-summary.yaml +++ b/.github/workflows/nightly-summary.yaml 
@@ -63,6 +63,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.sha }} + persist-credentials: false - name: Install dependencies run: | apt-get update && apt-get install -y --no-install-recommends curl diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index a93fa30cf..92699aafa 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -25,6 +25,8 @@ jobs: - "release/26.06" steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - name: Trigger Pipeline env: GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/test_images.yaml b/.github/workflows/test_images.yaml index a4bcb946f..d1d513704 100644 --- a/.github/workflows/test_images.yaml +++ b/.github/workflows/test_images.yaml @@ -65,6 +65,7 @@ jobs: with: fetch-depth: 0 ref: ${{ inputs.sha }} + persist-credentials: false - name: Test cuopt run: | bash ./ci/docker/test_image.sh From e050a9384b43877cbbc12ff7eafad2b76e96e5f9 Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Tue, 5 May 2026 13:00:20 -0400 Subject: [PATCH 8/9] fix: pin all third-party actions to patch version This reverts commit 160e868355d55ddbd428c7e175bce53eaa84117f. --- .github/workflows/build.yaml | 2 +- .github/workflows/build_images.yaml | 10 +++++----- .github/workflows/build_test_publish_images.yaml | 8 ++++---- .github/workflows/cloud_ci.yaml | 2 +- .github/workflows/inactivity_reminder.yaml | 2 +- .github/workflows/issue_automation.yaml | 4 ++-- .github/workflows/nightly-summary.yaml | 2 +- .github/workflows/nightly.yaml | 2 +- .github/workflows/self_hosted_service_test.yaml | 4 ++-- .github/workflows/test_images.yaml | 2 +- 10 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5563039e0..6519c04c3 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -343,7 +343,7 @@ jobs: container: image: python:3.14-slim steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.sha }} persist-credentials: false diff --git a/.github/workflows/build_images.yaml b/.github/workflows/build_images.yaml index 650da5c5f..63adc882e 100644 --- a/.github/workflows/build_images.yaml +++ b/.github/workflows/build_images.yaml @@ -41,13 +41,13 @@ jobs: runs-on: "linux-${{ matrix.ARCH }}-cpu4" steps: - name: Checkout code repo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 ref: ${{ inputs.sha }} persist-credentials: false - name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.CUOPT_DOCKERHUB_USERNAME }} password: ${{ secrets.CUOPT_DOCKERHUB_TOKEN }} @@ -62,7 +62,7 @@ jobs: git rev-parse HEAD > ./ci/docker/context/COMMIT_SHA git log -n1 --pretty='%ct' > ./ci/docker/context/COMMIT_TIME - name: Login to NGC - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: "nvcr.io" username: "$oauthtoken" @@ -72,7 +72,7 @@ jobs: run: | docker context create builders - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: driver: docker endpoint: ./ci/docker/context 
@@ -85,7 +85,7 @@ jobs: echo "CUDA_SHORT=$(echo "$CUDA_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT echo "PYTHON_SHORT=$(echo "$PYTHON_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT - name: Build image and push to DockerHub and NGC - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ./ci/docker/context file: ./ci/docker/Dockerfile diff --git a/.github/workflows/build_test_publish_images.yaml b/.github/workflows/build_test_publish_images.yaml index ec82ac40f..de56634cd 100644 --- a/.github/workflows/build_test_publish_images.yaml +++ b/.github/workflows/build_test_publish_images.yaml @@ -63,7 +63,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # unshallow fetch for setuptools-scm persist-credentials: false @@ -134,18 +134,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code repo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ inputs.sha }} fetch-depth: 0 persist-credentials: false - name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.CUOPT_DOCKERHUB_USERNAME }} password: ${{ secrets.CUOPT_DOCKERHUB_TOKEN }} - name: Login to NGC - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: "nvcr.io" username: "$oauthtoken" diff --git a/.github/workflows/cloud_ci.yaml b/.github/workflows/cloud_ci.yaml index 26d04e17a..e1c5eb0ea 100644 --- a/.github/workflows/cloud_ci.yaml 
+++ b/.github/workflows/cloud_ci.yaml @@ -18,7 +18,7 @@ jobs: runs-on: 'ubuntu-22.04' steps: - run: echo "Starting GitHub Actions Job for Cloud CI test notification" - - uses: cinotify/github-action@89d5abbbfb50cdba9d4b462d47d9378d7d204d75 # main + - uses: cinotify/github-action@92a15ed24b17cce1bb185b985c0d463859c5b800 # v1.6.0 with: to: 'cuopt-eng@nvidia.com' subject: 'Cloud scripts change notification' diff --git a/.github/workflows/inactivity_reminder.yaml b/.github/workflows/inactivity_reminder.yaml index a52cdccbe..665c90cd0 100644 --- a/.github/workflows/inactivity_reminder.yaml +++ b/.github/workflows/inactivity_reminder.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Remind inactive issues and PRs - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | const MS_IN_DAY = 24 * 60 * 60 * 1000; diff --git a/.github/workflows/issue_automation.yaml b/.github/workflows/issue_automation.yaml index 7253629f0..22585a684 100644 --- a/.github/workflows/issue_automation.yaml +++ b/.github/workflows/issue_automation.yaml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Add awaiting response label to new issues - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | // Only process issues (not PRs) @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Assign issue round-robin only if unassigned - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | // Only process issues (not PRs) diff --git a/.github/workflows/nightly-summary.yaml b/.github/workflows/nightly-summary.yaml index 813861184..83ef35793 100644 --- a/.github/workflows/nightly-summary.yaml 
+++ b/.github/workflows/nightly-summary.yaml @@ -60,7 +60,7 @@ jobs: container: image: python:3.14-slim steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ inputs.sha }} persist-credentials: false diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 92699aafa..3e80a2130 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -24,7 +24,7 @@ jobs: - "main" - "release/26.06" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - name: Trigger Pipeline diff --git a/.github/workflows/self_hosted_service_test.yaml b/.github/workflows/self_hosted_service_test.yaml index 4843cb3ab..edb42cf2e 100644 --- a/.github/workflows/self_hosted_service_test.yaml +++ b/.github/workflows/self_hosted_service_test.yaml @@ -66,7 +66,7 @@ jobs: - /tmp/asset_dir/:/tmp/asset_dir/ - /tmp/response_dir/:/tmp/response_dir/ steps: - - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v1-node16 + - uses: aws-actions/configure-aws-credentials@023daa7fe5f7f817faa31fc0fc4a8d0fb6224ed0 # v1-node16 with: role-to-assume: ${{ vars.AWS_ROLE_ARN }} aws-region: ${{ vars.AWS_REGION }} @@ -78,7 +78,7 @@ jobs: run: printf 'machine pypi.k8s.rapids.ai\n\tlogin cibuildwheel\n\tpassword ${{ secrets.RAPIDSAI_PYPI_CI_PASSWORD }}\n' > ~/.netrc - name: checkout code repo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: ${{ inputs.repo }} ref: ${{ inputs.sha }} diff --git a/.github/workflows/test_images.yaml b/.github/workflows/test_images.yaml index d1d513704..501768009 100644 --- a/.github/workflows/test_images.yaml +++ b/.github/workflows/test_images.yaml 
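Review bot: The `aws-actions/configure-aws-credentials` pin in self_hosted_service_test.yaml changes hash, from `e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef` to `023daa7fe5f7f817faa31fc0fc4a8d0fb6224ed0`, while its trailing comment stays `# v1-node16`. It is the only pin in this commit whose comment does not name a patch release, so neither a reader nor an update bot can tell which upstream ref the new hash is meant to match. Record the ref the hash was resolved from in the comment, for example `# <ref the hash was resolved from>`, or move to a release line that has patch tags so the comment matches the other pins.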
@@ -61,7 +61,7 @@ jobs: image: "nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ needs.prepare.outputs.CUDA_SHORT }}-py${{ needs.prepare.outputs.PYTHON_SHORT }}" steps: - name: Checkout code repo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 ref: ${{ inputs.sha }} From 8914029aea17c95bf867bc563315bc0b7e81d30e Mon Sep 17 00:00:00 2001 From: Gil Forsyth Date: Tue, 5 May 2026 15:29:58 -0400 Subject: [PATCH 9/9] refactor: make secrets explicit where possible, pare back permissions --- .github/workflows/build.yaml | 24 ++++++++++++++----- .github/workflows/pr.yaml | 12 ---------- .../trigger-breaking-change-alert.yaml | 9 +++---- 3 files changed, 21 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6519c04c3..870244bbc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -84,8 +84,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/conda-upload-packages.yaml@main + secrets: + CONDA_RAPIDSAI_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_NIGHTLY_TOKEN }} + CONDA_RAPIDSAI_TOKEN: ${{ secrets.CONDA_RAPIDSAI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} @@ -119,8 +121,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main + secrets: + CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }} + RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} 
@@ -155,8 +159,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main + secrets: + CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }} + RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} @@ -190,8 +196,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main + secrets: + CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }} + RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} @@ -227,8 +235,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main + secrets: + CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }} + RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} @@ -286,8 +296,10 @@ jobs: id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main + secrets: + CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }} + RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }} with: build_type: ${{ inputs.build_type || 'branch' }} branch: ${{ inputs.branch }} diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 1a2679ab9..b0e13243a 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml 
@@ -36,12 +36,7 @@ jobs: - wheel-build-cuopt-sh-client - test-self-hosted-server permissions: - actions: read contents: read - id-token: write - packages: read - pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main if: always() with: @@ -132,10 +127,8 @@ jobs: permissions: actions: read contents: read - id-token: write packages: read pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main with: files_yaml: | @@ -381,12 +374,7 @@ jobs: - '!utilities/**' checks: permissions: - actions: read contents: read - id-token: write - packages: read - pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] uses: rapidsai/shared-workflows/.github/workflows/checks.yaml@main with: enable_check_generated_files: false diff --git a/.github/workflows/trigger-breaking-change-alert.yaml b/.github/workflows/trigger-breaking-change-alert.yaml index 74f4f5afe..0347178e3 100644 --- a/.github/workflows/trigger-breaking-change-alert.yaml +++ b/.github/workflows/trigger-breaking-change-alert.yaml @@ -19,14 +19,11 @@ permissions: {} jobs: trigger-notifier: if: contains(github.event.pull_request.labels.*.name, 'breaking') + uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main + secrets: + NV_SLACK_BREAKING_CHANGE_ALERT: ${{ secrets.NV_SLACK_BREAKING_CHANGE_ALERT }} permissions: - actions: read contents: read - id-token: write - packages: read - pull-requests: read - secrets: inherit # zizmor: ignore[secrets-inherit] - uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main with: sender_login: ${{ github.event.sender.login }} sender_avatar: ${{ github.event.sender.avatar_url }}
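Review bot: Reducing the `pr-builder` caller to `contents: read` only works if no job inside `pr-builder.yaml` declares `actions`, `id-token`, `packages` or `pull-requests` scopes, because a called workflow cannot hold more permissions than its caller grants and GitHub is expected to reject the run at validation time otherwise. The callee is referenced at the mutable ref `@main` and is not visible here, so this should be confirmed for `pr-builder.yaml` and likewise for the `changed-files`, `checks` and `breaking-change-alert` hunks that follow; removing `secrets: inherit` similarly leaves any secret the callee reads empty. A short comment beside each pared block, for example `# callee requests contents: read only (checked against shared-workflows@main)`, would record that the reduction was verified. The job definitions in `pr.yaml` start outside these hunks.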