diff --git a/.github/workflows/auto_update_doc.yml b/.github/workflows/auto_update_doc.yml
index 9357f2ace61..a70114786fa 100644
--- a/.github/workflows/auto_update_doc.yml
+++ b/.github/workflows/auto_update_doc.yml
@@ -3,6 +3,9 @@ on:
 pull_request_target:
 workflow_dispatch:
+permissions: # set top-level default permissions as security best practice
+ contents: read # Check https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
diff --git a/.github/workflows/check_urls.yml b/.github/workflows/check_urls.yml
index 4ccc0bac30a..985f36d7c4b 100644
--- a/.github/workflows/check_urls.yml
+++ b/.github/workflows/check_urls.yml
@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: Check URLs
 on:
@@ -8,6 +12,9 @@ on:
 - cron: '0 0 1 * *'
 workflow_dispatch:
+permissions: # set top-level default permissions as security best practice
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -22,7 +29,7 @@ jobs:
 file_types: .md,.py,.rst,.ipynb,.cc,.h,.cpp
 print_all: false
 timeout: 2
- retry_count# : 2
+ retry_count : 2
 exclude_urls: https://devblogs.nvidia.com/optimizing-recurrent-neural-networks-cudnn-5/,https://media.githubusercontent.com/media/,https://download.onnxruntime.ai/onnx/models
 # exclude_patterns: https://...
 force_pass: false
@@ -34,7 +41,7 @@ jobs:
 file_types: .md,.py,.rst,.ipynb,.cc,.h,.cpp
 print_all: false
 timeout: 10
- retry_count# : 2
+ retry_count : 2
 exclude_urls: https://github.com/onnx/onnx/blob/main/docs/Operators,https://github.com/onnx/onnx/pull/436
 force_pass: false
@@ -45,5 +52,5 @@ jobs:
 file_types: .md,.py,.rst
 print_all: false
 timeout: 2
- retry_count# : 2
+ retry_count : 2
 force_pass: false
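Review bot: The read-only default added at the top of auto_update_doc.yml narrows the GITHUB_TOKEN only; the workflow still triggers on `pull_request_target`, so it runs in the base repository's context, and any secret or personal access token referenced by the jobs is not restricted by this block. The jobs are outside the hunk, so two things are worth confirming before merge: that no step checks out and executes the pull request head while such a secret is in scope, and that a step which pushes regenerated docs with the GITHUB_TOKEN declares `permissions:` with `contents: write` at job level, since it would otherwise lose write access under the new default. I would also move the Scorecard link to its own comment line above `contents: read`, because the line is far over the usual 120-character limit.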
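Review bot: `retry_count : 2` keeps a space before the colon in all three hunks of check_urls.yml (new lines 32, 44 and 55); it parses, but yamllint's `colons` rule flags it and every neighbouring key is written without the space, so `retry_count: 2` would be consistent. The old key `retry_count#` was presumably never recognised by the action, so this change likely enables retries for the first time, which together with `timeout: 10` in the second step can lengthen the scheduled run; that is worth stating in the commit message. The `with:` blocks these lines belong to start outside each hunk.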
diff --git a/.github/workflows/dco_merge_group.yml b/.github/workflows/dco_merge_group.yml
index 10d5b8cbd78..9719eca4361 100644
--- a/.github/workflows/dco_merge_group.yml
+++ b/.github/workflows/dco_merge_group.yml
@@ -6,6 +6,9 @@ name: DCO
 on:
 merge_group:
+permissions: # set top-level default permissions as security best practice
+ contents: read # Check https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions
+
 jobs:
 DCO:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index ce5a8a88489..c748f182884 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: Generate and publish ONNX docs
 on:
diff --git a/.github/workflows/release_linux_aarch64.yml b/.github/workflows/release_linux_aarch64.yml
index 8d8f59c6bab..7d26303f861 100644
--- a/.github/workflows/release_linux_aarch64.yml
+++ b/.github/workflows/release_linux_aarch64.yml
@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: LinuxRelease_aarch64
 on:
diff --git a/.github/workflows/release_linux_x86_64.yml b/.github/workflows/release_linux_x86_64.yml
index 20423cac961..2544ba0266b 100644
--- a/.github/workflows/release_linux_x86_64.yml
+++ b/.github/workflows/release_linux_x86_64.yml
@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: LinuxRelease_x86_64
 on:
diff --git a/.github/workflows/release_mac.yml b/.github/workflows/release_mac.yml
index 1f650306130..c420cf3865b 100644
--- a/.github/workflows/release_mac.yml
+++ b/.github/workflows/release_mac.yml
@@ -1,3 +1,7 @@
+# Copyright (c) ONNX Project Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 name: MacRelease
 on:
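Review bot: `contents: read` becomes the default for every job in dco_merge_group.yml, but the DCO job's steps are outside the hunk, so it is not visible whether the job needs repository contents at all. If the check only reads commit metadata and never checks out the tree, a top-level `permissions: {}` with the required scope granted on the `DCO` job would be the tighter default; if it does use a checkout, the block is right as written. A short comment on the job stating which scope it relies on would make later tightening easier to review.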