Merge pull request #1 from step-security-bot/stepsecurity_remediation…

…_1718306137

[StepSecurity] ci: Harden GitHub Actions

.github/workflows/e2eaiok_deltatuner_nightly_pypi.yml

@@ -9,6 +9,9 @@ on:
       - 'e2eAIOK/deltatuner/version'
 
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-dtuner-nightly-python-pypi:
     runs-on: ubuntu-latest

.github/workflows/e2eaiok_deltatuner_release_pypi.yml

@@ -3,6 +3,9 @@ name: Publish E2EAIOK Deltatuner Release to PyPI
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-dtuner-nightly-python-pypi:
     runs-on: ubuntu-latest

.github/workflows/integration_test_deltatuner.yml

@@ -10,6 +10,9 @@ on:
     - 'example/instruction_tuning_pipeline/finetune_clm.py'
     - 'tests/deltatuner/cicd/**'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Deltatuner

.github/workflows/integration_test_denas_asr.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_asr.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas ASR

.github/workflows/integration_test_denas_cnn.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_cnn.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas CNN

.github/workflows/integration_test_denas_hf.yml

@@ -14,6 +14,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_hf.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas HF

.github/workflows/integration_test_denas_nlp.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_bert.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas NLP

.github/workflows/integration_test_denas_vit.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_vit.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas ViT

.github/workflows/integration_test_denas_vit_imagenet.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_denas_vit_imagenet.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test DeNas ViT ImageNet

.github/workflows/integration_test_ma_adapter.yml

@@ -12,6 +12,9 @@ on:
     - 'tests/cicd/jenkins_ma_adapter_test.sh'
     - 'modelzoo/unet/**'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Model Adapter domain adapter

.github/workflows/integration_test_ma_baseline_ddp.yml

@@ -13,6 +13,9 @@ on:
     - 'tests/cicd/ModelAdapterJenkinsfile'
     - 'tests/cicd/jenkins_ma_baseline_ddp_test.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Model Adapter baseline DDP

.github/workflows/integration_test_ma_distiller.yml

@@ -13,6 +13,9 @@ on:
     - 'tests/cicd/ModelAdapterJenkinsfile'
     - 'tests/cicd/jenkins_ma_distiller_test.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Model Adapter distiller

.github/workflows/integration_test_ma_finetuner.yml

@@ -13,6 +13,9 @@ on:
     - 'tests/cicd/ModelAdapterJenkinsfile'
     - 'tests/cicd/jenkins_ma_finetuner_test.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Model Adapter finetuner

.github/workflows/integration_test_workflow_nlp.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/cicd/test_denas.bats'
     - 'tests/cicd/jenkins_workflow_bert.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workflow NLP

.github/workflows/integration_test_workload_bert.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_bert_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload BERT

.github/workflows/integration_test_workload_dien.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_dien_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload DIEN

.github/workflows/integration_test_workload_dlrm.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_dlrm_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload DLRM

.github/workflows/integration_test_workload_minigo.yml

@@ -19,6 +19,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_minigo_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload MiniGo

.github/workflows/integration_test_workload_pipeline.yml

@@ -21,6 +21,9 @@ on:
     - 'tests/cicd/docker_horovod_test.sh'
     - 'tests/cicd/docker_torchccl_test'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload Basic Pipeline

.github/workflows/integration_test_workload_resnet.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_resnet_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload ResNet

.github/workflows/integration_test_workload_rnnt.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_rnnt_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload RNNT

.github/workflows/integration_test_workload_wnd.yml

@@ -20,6 +20,9 @@ on:
     - 'tests/cicd/Jenkinsfile*'
     - 'tests/cicd/jenkins_wnd_test*.sh'
 
+permissions:
+  contents: read
+
 jobs:
   integration_test:
     name: Integration Test Workload WnD

.github/workflows/performance_test.yml

@@ -6,6 +6,9 @@ on:
     branches:
     - RecDP_v2.0
 
+permissions:
+  contents: read
+
 jobs:
   perf-test:
     name: Performance test AutoFE

.github/workflows/release_docker_e2eaiokv12.yml

@@ -13,6 +13,9 @@ on:
       - 'Dockerfile-ubuntu/Dockerfile-v1.2'
       - '.github/workflows/release_docker_e2eaiokv12.yml'
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-release-docker:
     runs-on: self-hosted

.github/workflows/release_docker_pytorch.yml

@@ -13,6 +13,9 @@ on:
       - 'Dockerfile-ubuntu/DockerfilePytorch'
       - '.github/workflows/release_docker_pytorch.yml'
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-release-docker:
     runs-on: self-hosted

.github/workflows/release_docker_pytorch112.yml

@@ -13,6 +13,9 @@ on:
       - 'Dockerfile-ubuntu/DockerfilePytorch112'
       - '.github/workflows/release_docker_pytorch112.yml'
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-release-docker:
     runs-on: self-hosted

.github/workflows/release_docker_tensorflow.yml

@@ -13,6 +13,9 @@ on:
       - 'Dockerfile-ubuntu/DockerfileTensorflow'
       - '.github/workflows/release_docker_tensorflow.yml'
 
+permissions:
+  contents: read
+
 jobs:
   e2eaiok-release-docker:
     runs-on: self-hosted

.github/workflows/unittest_autofe.yml

@@ -13,6 +13,9 @@ on:
     - 'RecDP/tests/cicd/bashrun_unittest_autofe.sh'
     - 'RecDP/tests/test_autofe.py'
 
+permissions:
+  contents: read
+
 jobs:
   unittest:
     name: Unittest AutoFE

.github/workflows/unittest_denas.yml

@@ -14,6 +14,9 @@ on:
     - 'tests/unittest/denas/**'
     - 'setup.py'
 
+permissions:
+  contents: read
+
 jobs:
   unit_tests:
     name: Unit Test DENAS

.github/workflows/unittest_llmutils.yml

@@ -8,6 +8,9 @@ on:
     - 'RecDP/tests/cicd/bashrun_unittest_llmutils.sh'
     - 'RecDP/tests/test_llmutils.py'
 
+permissions:
+  contents: read
+
 jobs:
   unittest:
     name: Unittest LLMUtils

.github/workflows/unittest_llmutils_operations.yml

@@ -9,6 +9,9 @@ on:
     - 'RecDP/tests/cicd/bashrun_unittest_llmutilspipeline.sh'
     - 'RecDP/tests/test_llmutils_operations.py'
 
+permissions:
+  contents: read
+
 jobs:
   unittest:
     name: Unittest LLM Operations

.github/workflows/unittest_llmutils_pipeline.yml

@@ -9,6 +9,9 @@ on:
     - 'RecDP/tests/cicd/bashrun_unittest_llmutilspipeline.sh'
     - 'RecDP/tests/test_llmutils_operations.py'
 
+permissions:
+  contents: read
+
 jobs:
   unittest:
     name: Unittest LLM Pipeline

.github/workflows/unittest_ma.yml

@@ -15,6 +15,9 @@ on:
     - 'tests/unittest/ma/**'
     - 'setup.py'
 
+permissions:
+  contents: read
+
 jobs:
   unit_tests:
     name: Unit Test MA

.github/workflows/unittest_util.yml

@@ -11,6 +11,9 @@ on:
     - 'tests/unittest/utils/**'
     - 'setup.py'
 
+permissions:
+  contents: read
+
 jobs:
   unit_tests:
     name: Unit Test Util