[CI] [GHA] Set actions references to specific commit hash; provide ex…

…plicit top level token permissions for jobs (openvinotoolkit#24839) ### Details: - Token permissions docs: https://github.com/ossf/scorecard/blob/98ec491a888a8a0db9d83a3c7d379ae1f46321de/docs/checks.md#token-permissions - Actions by hash docs: https://github.com/ossf/scorecard/blob/98ec491a888a8a0db9d83a3c7d379ae1f46321de/docs/checks.md#pinned-dependencies ### Tickets: - *142943* - *142944*
allnes · Jun 26, 2024 · aa00050 · aa00050
1 parent 6e6976a
commit aa00050
Show file tree

Hide file tree

Showing 41 changed files with 296 additions and 222 deletions.
diff --git a/.github/workflows/android_arm64.yml b/.github/workflows/android_arm64.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-android-arm64-vcpkg
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   Smart_CI:
     runs-on: ubuntu-latest
@@ -21,7 +23,7 @@ jobs:
       skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}"
     steps:
       - name: checkout action
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           sparse-checkout: .github/actions/smart-ci
 
@@ -75,7 +77,7 @@ jobs:
         run: apt-get update && apt-get install --assume-yes --no-install-recommends git ca-certificates
 
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: 'openvino'
 
@@ -90,7 +92,7 @@ jobs:
           popd
 
       - name: Clone vcpkg
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'microsoft/vcpkg'
           # Keep in sync with <root>/vcpkg.json <builtin-baseline>
@@ -130,7 +132,7 @@ jobs:
           echo "yes" | ./cmdline-tools/bin/sdkmanager --sdk_root=${ANDROID_TOOLS} --install "ndk-bundle" "platform-tools" "platforms;android-${{ env.ANDROID_SDK_VERSION }}"
 
       - name: Install sccache
-        uses: mozilla-actions/[email protected]
+        uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4
         with:
           version: "v0.7.5"
 
@@ -182,7 +184,7 @@ jobs:
       # Upload build logs
       #
       - name: Upload build logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: build_logs

diff --git a/.github/workflows/assign_issue.yml b/.github/workflows/assign_issue.yml
@@ -6,6 +6,8 @@ on:
       - created
       - edited
 
+permissions: read-all
+
 jobs:
   take-issue:
     name: Take issue
@@ -15,7 +17,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: take an issue
-        uses: bdougie/[email protected]
+        uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1
         with:
           message: Thank you for looking into this issue! Please let us know if you have any questions or require any help.
           issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue.

diff --git a/.github/workflows/build_doc.yml b/.github/workflows/build_doc.yml
@@ -10,23 +10,25 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref && github.ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   Build_Doc:
     runs-on: ubuntu-20.04
     steps:
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
           lfs: 'true'
 
       - name: Install apt-get dependencies
-        uses: awalsh128/[email protected]
+        uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
         with:
           packages: graphviz texlive liblua5.2-0 libclang1-9 libclang-cpp9
           version: 3.0
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         id: cp310
         with:
           python-version: '3.10'
@@ -56,7 +58,7 @@ jobs:
 
       - name: Cache documentation
         id: cache_sphinx_docs
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: build/docs/_build/.doctrees
           key: sphinx-docs-cache
@@ -70,13 +72,13 @@ jobs:
           echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
 
       - name: 'Upload sphinx.log'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: sphinx_build_log_${{ env.PR_NUMBER }}.log
           path: build/docs/sphinx.log
 
       - name: 'Upload docs html'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: openvino_docs_html_${{ env.PR_NUMBER }}.zip
           path: build/docs/openvino_docs_html.zip
@@ -93,7 +95,7 @@ jobs:
 
       - name: 'Upload test results'
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: openvino_docs_pytest
           path: build/docs/_artifacts/
diff --git a/.github/workflows/check_pr_commits.yml b/.github/workflows/check_pr_commits.yml
@@ -1,12 +1,14 @@
 name: PR Commits
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   Checks:
     runs-on: ubuntu-22.04
     steps:
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Install dependencies
         run: python3 -m pip install -r ./.github/github_org_control/requirements.txt

diff --git a/.github/workflows/cleanup_caches.yml b/.github/workflows/cleanup_caches.yml
@@ -5,6 +5,8 @@ on:
     # at 00:00 on the 1st day of every month
     - cron: '0 0 1 * *'
 
+permissions: read-all
+
 jobs:
   Cleanup_PIP:
     runs-on: aks-linux-2-cores-8gb
@@ -42,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout cach action
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           sparse-checkout: .github/actions/cache
 

diff --git a/.github/workflows/code_snippets.yml b/.github/workflows/code_snippets.yml
@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   Build:
     strategy:
@@ -25,12 +27,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
 
       - name: Install OpenCL
-        uses: awalsh128/[email protected]
+        uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2
         if: runner.os == 'Linux'
         with:
           packages: ocl-icd-opencl-dev opencl-headers

diff --git a/.github/workflows/code_style.yml b/.github/workflows/code_style.yml
@@ -5,13 +5,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   clang-format:
     runs-on: ubuntu-22.04
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
 
@@ -29,7 +31,7 @@ jobs:
 
       - name: suggester / clang-format
         if: startsWith(github.event_name, 'pull_request')
-        uses: reviewdog/action-suggester@v1
+        uses: reviewdog/action-suggester@185c9c06d0a28fbe43b50aca4b32777b649e7cbd # v1.12.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           level: warning
@@ -40,7 +42,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
 
@@ -58,7 +60,7 @@ jobs:
       # always provide suggestions even for skipped scripts in ov_shellcheck tagret
       - name: ShellCheck action
         if: always()
-        uses: reviewdog/action-shellcheck@v1
+        uses: reviewdog/action-shellcheck@72365a51bf6476fe952a117c3ff703eb7775e40a # v1.20.0
         with:
           level: style
           reporter: github-pr-review
@@ -71,7 +73,7 @@ jobs:
   NamingConventionCheck:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
 

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -5,6 +5,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   Coverage:
     runs-on: ${{ matrix.config.os }}
@@ -16,19 +18,19 @@ jobs:
 
     steps:
       - name: Setup python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.10.10'
           architecture: 'x64'
 
 
       - name: Setup ccache
-        uses: hendrikmuhs/[email protected]
+        uses: hendrikmuhs/ccache-action@c92f40bee50034e84c763e33b317c77adaa81c92 # v1.2.13
         with:
           max-size: 50G
 
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: 'true'
 
@@ -55,7 +57,7 @@ jobs:
           python3 -m pip install -r ${{ github.workspace }}/tools/mo/requirements_dev.txt
 
       - name: Build OpenVINO with CMake
-        uses: ashutoshvarma/action-cmake-build@master
+        uses: ashutoshvarma/action-cmake-build@ade188313bc7eaa6f14349569a64d8bc716342ff # master
         with:
           build-dir: ${{ github.workspace }}/build
           cc: ${{ matrix.config.cc }}
@@ -112,7 +114,7 @@ jobs:
         run: ${{ github.workspace }}/bin/intel64/Release/ov_tensorflow_frontend_tests --gtest_filter=-*IE_GPU*
 
       - name: Build coverage with CMake
-        uses: ashutoshvarma/action-cmake-build@master
+        uses: ashutoshvarma/action-cmake-build@ade188313bc7eaa6f14349569a64d8bc716342ff # master
         with:
           build-dir: ${{ github.workspace }}/coverage
           cc: ${{ matrix.config.cc }}
@@ -135,6 +137,6 @@ jobs:
           lcov --capture --directory ${{ github.workspace }}/. --output-file coverage.info
           genhtml coverage.info --output-directory coverage-report
       - name: Collect coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1
         with:
           verbose: true
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-coverity
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   PIP_CACHE_PATH: /mount/caches/pip/linux
   PYTHON_VERSION: '3.11'
@@ -44,14 +46,14 @@ jobs:
           apt-get install --assume-yes --no-install-recommends git ca-certificates
 
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           path: ${{ env.OPENVINO_REPO }}
           submodules: 'true'
           ref: ${{ inputs.openvinoRef }}
 
       - name: Clone OpenVINO Contrib
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: 'openvinotoolkit/openvino_contrib'
           path: ${{ env.OPENVINO_CONTRIB_REPO }}
@@ -137,15 +139,15 @@ jobs:
         run: ${COVERITY_TOOL_DIR}/cov-analysis*/bin/cov-configure -c ${COVERITY_TOOL_DIR}/cov-analysis-linux64-2023.6.2/config/coverity_config.xml -lscc text
 
       - name: Upload Coverity build log
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: coverity_logs
           path: ${{ env.BUILD_DIR }}/cov-int/build-log.txt
           if-no-files-found: 'error'
 
       - name: Upload Coverity build archive
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: coverity_archive

diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
@@ -1,18 +1,17 @@
 name: 'Dependency Review'
 on: [pull_request, merge_group]
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
       - name: Clone OpenVINO
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Dependency Review
-        uses: actions/[email protected]
+        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
         with:
           config-file: './.github/dependency_review.yml'
           base-ref: ${{ github.pull_request.base.sha || github.event.merge_group.base_ref }}