From 56c379ad92f50f8537aea3e4a3c9282068560d2a Mon Sep 17 00:00:00 2001 From: youben11 Date: Mon, 12 May 2025 12:07:10 +0100 Subject: [PATCH 1/2] chore(ci): don't persist creds during checkout --- .github/workflows/action_compliance.yaml | 4 ++++ .github/workflows/codeql.yml | 3 +++ .github/workflows/commit_compliance.yml | 2 ++ .github/workflows/concrete_compiler_benchmark.yml | 2 ++ .../workflows/concrete_compiler_publish_docker_images.yml | 3 +++ .github/workflows/concrete_compiler_test_cpu.yml | 3 +++ .../workflows/concrete_compiler_test_cpu_distributed.yml | 1 + .github/workflows/concrete_compiler_test_gpu.yml | 1 + .github/workflows/concrete_compiler_test_macos_cpu.yml | 1 + .github/workflows/concrete_cpu_test.yml | 2 ++ .github/workflows/concrete_ml_test.yml | 1 + .github/workflows/concrete_optimizer.yml | 4 ++++ .github/workflows/concrete_python_benchmark.yml | 2 ++ .github/workflows/concrete_python_finalize_release.yml | 2 ++ .github/workflows/concrete_python_release.yml | 8 ++++++++ .github/workflows/concrete_python_test_macos.yml | 1 + .github/workflows/concrete_python_tests_linux.yml | 6 ++++++ .github/workflows/docker_compliance.yml | 2 ++ .github/workflows/refresh_zama_pypi.yml | 2 ++ .github/workflows/trivy_scan.yml | 1 + 20 files changed, 51 insertions(+) diff --git a/.github/workflows/action_compliance.yaml b/.github/workflows/action_compliance.yaml index 3ee56dec45..b233f08ddc 100644 --- a/.github/workflows/action_compliance.yaml +++ b/.github/workflows/action_compliance.yaml @@ -15,6 +15,8 @@ jobs: steps: - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Ensure SHA pinned actions uses: zgosalvez/github-actions-ensure-sha-pinned-actions@64418826697dcd77c93a8e4a1f7601a1942e57b5 # v3.0.18 with: 
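Review bot: `persist-credentials: 'false'` is quoted here while every neighbouring checkout input in these files is a plain scalar (`submodules: recursive`, `fetch-depth: 0`); GitHub Actions passes inputs as strings regardless, so `persist-credentials: false` is equivalent and matches the files' existing style. The harder point is behavioural: with credentials no longer left in `.git/config` after the step, any later step in these jobs that runs `git push`, fetches a private submodule, or calls `gh` without an explicit token will start failing, which this series does not address. The jobs most worth exercising before merge are the release pipeline in concrete_python_release.yml and the `zama-ai/slab` checkouts in concrete_compiler_benchmark.yml and concrete_python_benchmark.yml, which pass `CONCRETE_ACTIONS_TOKEN` and are followed by a "Send data to Slab" step whose body is outside the hunk and presumably needs that token passed via `env`. The same observations apply to every other hunk in the series and are not repeated there.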
@@ -26,6 +28,8 @@ jobs: steps: - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: check-missing-teardown run: .github/workflows/scripts/teardown-check.sh - name: actionlint diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 46138d1ea7..4ad34348d5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -76,11 +76,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive + persist-credentials: 'false' fetch-depth: 0 - if: matrix.build-mode != 'manual' name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: diff --git a/.github/workflows/commit_compliance.yml b/.github/workflows/commit_compliance.yml index 46f28ea889..2c4393c260 100644 --- a/.github/workflows/commit_compliance.yml +++ b/.github/workflows/commit_compliance.yml @@ -20,6 +20,8 @@ jobs: accessToken: ${{ secrets.GITHUB_TOKEN }} # github access token is only required if checkAllCommitMessages is true - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: linelint uses: fernandrone/linelint@8136e0fa9997122d80f5f793e0bb9a45e678fbb1 # 0.0.4 id: linelint diff --git a/.github/workflows/concrete_compiler_benchmark.yml b/.github/workflows/concrete_compiler_benchmark.yml index e98f222556..49f456801a 100644 --- a/.github/workflows/concrete_compiler_benchmark.yml +++ b/.github/workflows/concrete_compiler_benchmark.yml @@ -54,6 +54,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Ouput benchmark details id: benchmark-details run: | 
@@ -126,6 +127,7 @@ jobs: repository: zama-ai/slab path: slab token: ${{ secrets.CONCRETE_ACTIONS_TOKEN }} + persist-credentials: 'false' - name: Send data to Slab shell: bash run: | diff --git a/.github/workflows/concrete_compiler_publish_docker_images.yml b/.github/workflows/concrete_compiler_publish_docker_images.yml index 897280851f..02ba054d77 100644 --- a/.github/workflows/concrete_compiler_publish_docker_images.yml +++ b/.github/workflows/concrete_compiler_publish_docker_images.yml @@ -58,6 +58,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: 'false' - name: Set up env run: | echo "HOME=/home/ubuntu" >> "${GITHUB_ENV}" @@ -110,6 +111,7 @@ jobs: with: fetch-depth: 0 submodules: recursive + persist-credentials: 'false' - name: Get changed files id: changed-files uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v44.5.24 @@ -176,6 +178,7 @@ jobs: with: fetch-depth: 0 submodules: recursive + persist-credentials: 'false' - name: Get changed files id: changed-files uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v44.5.24 diff --git a/.github/workflows/concrete_compiler_test_cpu.yml b/.github/workflows/concrete_compiler_test_cpu.yml index 5134bc5949..4f3cc2d6a8 100644 --- a/.github/workflows/concrete_compiler_test_cpu.yml +++ b/.github/workflows/concrete_compiler_test_cpu.yml @@ -45,6 +45,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Format with clang-format (Cpp) run: | sudo apt install moreutils @@ -97,6 +99,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Create build dir run: mkdir build - name: Build compiler 
diff --git a/.github/workflows/concrete_compiler_test_cpu_distributed.yml b/.github/workflows/concrete_compiler_test_cpu_distributed.yml index 487d822a4b..3113fabb67 100644 --- a/.github/workflows/concrete_compiler_test_cpu_distributed.yml +++ b/.github/workflows/concrete_compiler_test_cpu_distributed.yml @@ -53,6 +53,7 @@ jobs: with: fetch-depth: 0 submodules: recursive + persist-credentials: 'false' - name: Set up home # "Install rust" step require root user to have a HOME directory which is not set. diff --git a/.github/workflows/concrete_compiler_test_gpu.yml b/.github/workflows/concrete_compiler_test_gpu.yml index efe3c1fe80..8f3d599818 100644 --- a/.github/workflows/concrete_compiler_test_gpu.yml +++ b/.github/workflows/concrete_compiler_test_gpu.yml @@ -52,6 +52,7 @@ jobs: with: fetch-depth: 0 submodules: recursive + persist-credentials: 'false' - name: Create build dir run: mkdir build - name: Build and test compiler diff --git a/.github/workflows/concrete_compiler_test_macos_cpu.yml b/.github/workflows/concrete_compiler_test_macos_cpu.yml index 8a415471de..9215d899d7 100644 --- a/.github/workflows/concrete_compiler_test_macos_cpu.yml +++ b/.github/workflows/concrete_compiler_test_macos_cpu.yml @@ -45,6 +45,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Setup rust toolchain for concrete-cpu uses: ./.github/actions/setup_rust_toolchain_for_concrete_cpu - name: Set python variables diff --git a/.github/workflows/concrete_cpu_test.yml b/.github/workflows/concrete_cpu_test.yml index a463c42a79..ea08f5ea97 100644 --- a/.github/workflows/concrete_cpu_test.yml +++ b/.github/workflows/concrete_cpu_test.yml @@ -26,6 +26,8 @@ jobs: RUSTFLAGS: -D warnings steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Rust install uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 
diff --git a/.github/workflows/concrete_ml_test.yml b/.github/workflows/concrete_ml_test.yml index 10f3b4e026..d53cd34c48 100644 --- a/.github/workflows/concrete_ml_test.yml +++ b/.github/workflows/concrete_ml_test.yml @@ -50,6 +50,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive + persist-credentials: 'false' - name: Set release version run: echo "__version__ = \"$(date +"%Y.%m.%d")\"" >| frontends/concrete-python/version.txt - name: Expose release version from Python diff --git a/.github/workflows/concrete_optimizer.yml b/.github/workflows/concrete_optimizer.yml index 9aa1427a3e..620a5d4c5c 100644 --- a/.github/workflows/concrete_optimizer.yml +++ b/.github/workflows/concrete_optimizer.yml @@ -35,6 +35,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Setup uses: ./.github/actions/optimizer_setup - name: Formatting @@ -66,6 +68,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Setup uses: ./.github/actions/optimizer_setup - name: Run benchmark diff --git a/.github/workflows/concrete_python_benchmark.yml b/.github/workflows/concrete_python_benchmark.yml index 8db067430f..b72c940767 100644 --- a/.github/workflows/concrete_python_benchmark.yml +++ b/.github/workflows/concrete_python_benchmark.yml @@ -44,6 +44,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Benchmark uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3 @@ -86,6 +87,7 @@ jobs: repository: zama-ai/slab path: slab token: ${{ secrets.CONCRETE_ACTIONS_TOKEN }} + persist-credentials: 'false' - name: Send data to Slab shell: bash 
diff --git a/.github/workflows/concrete_python_finalize_release.yml b/.github/workflows/concrete_python_finalize_release.yml index b9f8686dbe..5f0b9d43e0 100644 --- a/.github/workflows/concrete_python_finalize_release.yml +++ b/.github/workflows/concrete_python_finalize_release.yml @@ -47,6 +47,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Get version from tag run: | # remove leading 'v' and '-' from tag diff --git a/.github/workflows/concrete_python_release.yml b/.github/workflows/concrete_python_release.yml index 3475c46832..8356f8db81 100644 --- a/.github/workflows/concrete_python_release.yml +++ b/.github/workflows/concrete_python_release.yml @@ -33,6 +33,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Avoid releasing nightly twice if: ${{ env.RELEASE_TYPE == 'nightly' }} run: | @@ -74,6 +75,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Set release version (nightly) if: ${{ env.RELEASE_TYPE == 'nightly' }} run: | @@ -215,6 +217,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Setup Python uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: @@ -258,6 +261,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Install OS Dependencies run: | brew install ninja ccache @@ -413,6 +417,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: 'false' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: path: wheels @@ -494,6 +499,7 @@ jobs: with: submodules: recursive path: repo + persist-credentials: 'false' - name: Test wheel run: | WHEEL_DIR=$(pwd)/${{ format('cpu-wheel-{0}-linux-x86', matrix.python-version) }}/ 
@@ -610,6 +616,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: repo + persist-credentials: 'false' - name: Test wheel run: | @@ -679,6 +686,7 @@ jobs: with: submodules: recursive path: repo + persist-credentials: 'false' - name: Test wheel run: | WHEEL_DIR=$(pwd)/${{ format('cpu-wheel-{0}-{1}', matrix.python-version, matrix.runs-on) }}/ diff --git a/.github/workflows/concrete_python_test_macos.yml b/.github/workflows/concrete_python_test_macos.yml index f85bfb8254..0a4c077416 100644 --- a/.github/workflows/concrete_python_test_macos.yml +++ b/.github/workflows/concrete_python_test_macos.yml @@ -40,6 +40,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Install build dependencies run: | brew install ninja ccache diff --git a/.github/workflows/concrete_python_tests_linux.yml b/.github/workflows/concrete_python_tests_linux.yml index 284f615875..cf83554a45 100644 --- a/.github/workflows/concrete_python_tests_linux.yml +++ b/.github/workflows/concrete_python_tests_linux.yml @@ -43,6 +43,8 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Install platform dependencies run: | sudo apt install -y graphviz libgraphviz-dev @@ -70,6 +72,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Create concrete build directory run: mkdir build @@ -150,6 +153,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Setup Python uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: @@ -193,6 +197,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Download concrete-compiler python-bindings uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: 
@@ -239,6 +244,7 @@ jobs: with: submodules: recursive fetch-depth: 0 + persist-credentials: 'false' - name: Download concrete-compiler python-bindings uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: diff --git a/.github/workflows/docker_compliance.yml b/.github/workflows/docker_compliance.yml index 0cf8618b9e..968b3ad3cf 100644 --- a/.github/workflows/docker_compliance.yml +++ b/.github/workflows/docker_compliance.yml @@ -17,6 +17,8 @@ jobs: image: hadolint/hadolint@sha256:27173fe25e062448490a32de410c08491c626a0bef360aa2ce5d5bdd9384b50d #2.12.0-debian steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: 'false' - name: Lint All Dockerfiles (except third_party) run: find . -name "*Dockerfile*" -not -path "./third_party/*" -exec hadolint -V {} \; diff --git a/.github/workflows/refresh_zama_pypi.yml b/.github/workflows/refresh_zama_pypi.yml index d0c78bec31..6f2e8cc29b 100644 --- a/.github/workflows/refresh_zama_pypi.yml +++ b/.github/workflows/refresh_zama_pypi.yml @@ -8,6 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3 + with: + persist-credentials: 'false' - name: Update index and invalidate cache env: diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index 91436a832e..47aa325818 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -25,6 +25,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true + persist-credentials: 'false' - name: Export DateTime run: | From c6e71bc0d80c8a8af165d52dea6abbd867a972a4 Mon Sep 17 00:00:00 2001 From: youben11 Date: Tue, 13 May 2025 08:54:43 +0100 Subject: [PATCH 2/2] fix(ci): permit action to comment on PR --- .github/workflows/concrete_optimizer.yml | 3 +++ 1 file changed, 3 insertions(+) 
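Review bot: The new `with:` block in refresh_zama_pypi.yml hangs off a checkout pinned as `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3`, but that same SHA is annotated `# v4.2.2` in every other workflow touched by this series, so the version comment on this context line is stale. Since the step is being edited anyway, correct it to `# v4.2.2` so the next pin upgrade is not misled about which major version is in use. The rest of the hunk is consistent with the other files.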
diff --git a/.github/workflows/concrete_optimizer.yml b/.github/workflows/concrete_optimizer.yml index 620a5d4c5c..79efcf5308 100644 --- a/.github/workflows/concrete_optimizer.yml +++ b/.github/workflows/concrete_optimizer.yml @@ -65,6 +65,9 @@ jobs: benchmarks: runs-on: ubuntu-latest + permissions: + # to comment the benchmark result in the PR + pull-requests: write steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
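Review bot: Declaring a job-level `permissions` block sets every scope not listed to none, so the benchmarks job now runs its checkout and every following step with no `contents` access; on a public repository checkout still succeeds, but the job should state what it relies on rather than depend on that, i.e. `permissions:` / `  contents: read` / `  pull-requests: write`. Note also that `GITHUB_TOKEN` is read-only on `pull_request` runs from forks regardless of this block, so the comment step will only work for same-repository PRs unless the workflow trigger (outside the hunk) is something else — and if it is `pull_request_target`, confirm that pairing `pull-requests: write` with a job that checks out and runs PR code is intended. The inline comment could be more precise as `# needed to post the benchmark result as a PR comment`.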