diff --git a/.github/workflows/android_arm64.yml b/.github/workflows/android_arm64.yml index b3dbd98ecbe842..a24987d3811fc6 100644 --- a/.github/workflows/android_arm64.yml +++ b/.github/workflows/android_arm64.yml @@ -13,6 +13,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-android-arm64-vcpkg cancel-in-progress: true +permissions: read-all + jobs: Smart_CI: runs-on: ubuntu-latest @@ -21,7 +23,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -75,7 +77,7 @@ jobs: run: apt-get update && apt-get install --assume-yes --no-install-recommends git ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' @@ -90,7 +92,7 @@ jobs: popd - name: Clone vcpkg - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'microsoft/vcpkg' # Keep in sync with /vcpkg.json @@ -130,7 +132,7 @@ jobs: echo "yes" | ./cmdline-tools/bin/sdkmanager --sdk_root=${ANDROID_TOOLS} --install "ndk-bundle" "platform-tools" "platforms;android-${{ env.ANDROID_SDK_VERSION }}" - name: Install sccache - uses: mozilla-actions/sccache-action@v0.0.4 + uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4 with: version: "v0.7.5" @@ -182,7 +184,7 @@ jobs: # Upload build logs # - name: Upload build logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: build_logs diff --git a/.github/workflows/assign_issue.yml b/.github/workflows/assign_issue.yml index 236705e070bf97..f466715f5cfcd3 100644 --- a/.github/workflows/assign_issue.yml +++ b/.github/workflows/assign_issue.yml @@ -6,6 +6,8 @@ on: - created - edited +permissions: read-all + jobs: take-issue: name: Take issue @@ -15,7 +17,7 @@ jobs: timeout-minutes: 10 steps: - name: take an issue - uses: bdougie/take-action@v1.6.1 + uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1 with: message: Thank you for looking into this issue! Please let us know if you have any questions or require any help. issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue. diff --git a/.github/workflows/build_doc.yml b/.github/workflows/build_doc.yml index 665d1afff1fc1d..320a0913440774 100644 --- a/.github/workflows/build_doc.yml +++ b/.github/workflows/build_doc.yml @@ -10,23 +10,25 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref && github.ref || github.run_id }} cancel-in-progress: true +permissions: read-all + jobs: Build_Doc: runs-on: ubuntu-20.04 steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' lfs: 'true' - name: Install apt-get dependencies - uses: awalsh128/cache-apt-pkgs-action@v1.4.2 + uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2 with: packages: graphviz texlive liblua5.2-0 libclang1-9 libclang-cpp9 version: 3.0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 id: cp310 with: python-version: '3.10' @@ -56,7 +58,7 @@ jobs: - name: Cache documentation id: cache_sphinx_docs - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: build/docs/_build/.doctrees key: sphinx-docs-cache @@ -70,13 +72,13 @@ jobs: echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV - name: 'Upload sphinx.log' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: sphinx_build_log_${{ env.PR_NUMBER }}.log path: build/docs/sphinx.log - name: 'Upload docs html' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_docs_html_${{ env.PR_NUMBER }}.zip path: build/docs/openvino_docs_html.zip @@ -93,7 +95,7 @@ jobs: - name: 'Upload test results' if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_docs_pytest path: build/docs/_artifacts/ diff --git a/.github/workflows/check_pr_commits.yml b/.github/workflows/check_pr_commits.yml index 27af2c56013a36..571cca477d0aeb 100644 --- a/.github/workflows/check_pr_commits.yml +++ b/.github/workflows/check_pr_commits.yml @@ -1,12 +1,14 @@ name: PR Commits on: [pull_request] +permissions: read-all + jobs: Checks: runs-on: ubuntu-22.04 steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Install dependencies run: python3 -m pip install -r ./.github/github_org_control/requirements.txt diff --git a/.github/workflows/cleanup_caches.yml b/.github/workflows/cleanup_caches.yml index e3022913b6741b..c5cb8145d70d3f 100644 --- a/.github/workflows/cleanup_caches.yml +++ b/.github/workflows/cleanup_caches.yml @@ -5,6 +5,8 @@ on: # at 00:00 on the 1st day of every month - cron: '0 0 1 * *' +permissions: read-all + jobs: Cleanup_PIP: runs-on: aks-linux-2-cores-8gb @@ -42,7 +44,7 @@ jobs: steps: - name: Checkout cach action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/cache diff --git a/.github/workflows/code_snippets.yml b/.github/workflows/code_snippets.yml index 4a5fe55c93bf53..36a5489144c44b 100644 --- a/.github/workflows/code_snippets.yml +++ b/.github/workflows/code_snippets.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Build: strategy: @@ -25,12 +27,12 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' - name: Install OpenCL - uses: awalsh128/cache-apt-pkgs-action@v1.4.2 + uses: awalsh128/cache-apt-pkgs-action@a6c3917cc929dd0345bfb2d3feaf9101823370ad # v1.4.2 if: runner.os == 'Linux' with: packages: ocl-icd-opencl-dev opencl-headers diff --git a/.github/workflows/code_style.yml b/.github/workflows/code_style.yml index 5da10ee12106a2..0eb4176764d3a9 100644 --- a/.github/workflows/code_style.yml +++ b/.github/workflows/code_style.yml @@ -5,13 +5,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: clang-format: runs-on: ubuntu-22.04 permissions: pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' @@ -29,7 +31,7 @@ jobs: - name: suggester / clang-format if: startsWith(github.event_name, 'pull_request') - uses: reviewdog/action-suggester@v1 + uses: reviewdog/action-suggester@185c9c06d0a28fbe43b50aca4b32777b649e7cbd # v1.12.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: warning @@ -40,7 +42,7 @@ jobs: permissions: pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' @@ -58,7 +60,7 @@ jobs: # always provide suggestions even for skipped scripts in ov_shellcheck tagret - name: ShellCheck action if: always() - uses: reviewdog/action-shellcheck@v1 + uses: reviewdog/action-shellcheck@72365a51bf6476fe952a117c3ff703eb7775e40a # v1.20.0 with: level: style reporter: github-pr-review @@ -71,7 +73,7 @@ jobs: NamingConventionCheck: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index a484e0bc87312e..a00d49814e1f91 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -5,6 +5,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Coverage: runs-on: ${{ matrix.config.os }} @@ -16,19 +18,19 @@ jobs: steps: - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.10.10' architecture: 'x64' - name: Setup ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@c92f40bee50034e84c763e33b317c77adaa81c92 # v1.2.13 with: max-size: 50G - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: submodules: 'true' @@ -55,7 +57,7 @@ jobs: python3 -m pip install -r ${{ github.workspace }}/tools/mo/requirements_dev.txt - name: Build OpenVINO with CMake - uses: ashutoshvarma/action-cmake-build@master + uses: ashutoshvarma/action-cmake-build@ade188313bc7eaa6f14349569a64d8bc716342ff # master with: build-dir: ${{ github.workspace }}/build cc: ${{ matrix.config.cc }} @@ -112,7 +114,7 @@ jobs: run: ${{ github.workspace }}/bin/intel64/Release/ov_tensorflow_frontend_tests --gtest_filter=-*IE_GPU* - name: Build coverage with CMake - uses: ashutoshvarma/action-cmake-build@master + uses: ashutoshvarma/action-cmake-build@ade188313bc7eaa6f14349569a64d8bc716342ff # master with: build-dir: ${{ github.workspace }}/coverage cc: ${{ matrix.config.cc }} @@ -135,6 +137,6 @@ jobs: lcov --capture --directory ${{ github.workspace }}/. --output-file coverage.info genhtml coverage.info --output-directory coverage-report - name: Collect coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 with: verbose: true diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 7d7a2d9faecd13..2b9ea632345efa 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -14,6 +14,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-coverity cancel-in-progress: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -44,14 +46,14 @@ jobs: apt-get install --assume-yes --no-install-recommends git ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' ref: ${{ inputs.openvinoRef }} - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: ${{ env.OPENVINO_CONTRIB_REPO }} @@ -137,7 +139,7 @@ jobs: run: ${COVERITY_TOOL_DIR}/cov-analysis*/bin/cov-configure -c ${COVERITY_TOOL_DIR}/cov-analysis-linux64-2023.6.2/config/coverity_config.xml -lscc text - name: Upload Coverity build log - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: coverity_logs @@ -145,7 +147,7 @@ jobs: if-no-files-found: 'error' - name: Upload Coverity build archive - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: coverity_archive diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml index 99e949e1b775d0..30964cede47c2f 100644 --- a/.github/workflows/dependency_review.yml +++ b/.github/workflows/dependency_review.yml @@ -1,18 +1,17 @@ name: 'Dependency Review' on: [pull_request, merge_group] -permissions: - contents: read +permissions: read-all jobs: dependency-review: runs-on: ubuntu-latest steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dependency Review - uses: actions/dependency-review-action@v4.3.2 + uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 with: config-file: './.github/dependency_review.yml' base-ref: ${{ github.pull_request.base.sha || github.event.merge_group.base_ref }} diff --git a/.github/workflows/fedora.yml b/.github/workflows/fedora.yml index 303345e91e92ec..b9efd16b59151a 100644 --- a/.github/workflows/fedora.yml +++ b/.github/workflows/fedora.yml @@ -13,6 +13,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-fedora33 cancel-in-progress: true +permissions: read-all + jobs: Smart_CI: runs-on: ubuntu-latest @@ -21,7 +23,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -71,7 +73,7 @@ jobs: run: yum update -y && yum install -y git - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' @@ -91,7 +93,7 @@ jobs: run: bash ${OPENVINO_REPO}/install_build_dependencies.sh - name: Install sccache - uses: mozilla-actions/sccache-action@v0.0.4 + uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4 with: version: "v0.7.5" @@ -170,7 +172,7 @@ jobs: # Upload build artifacts and logs # - name: Upload build logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: build_logs @@ -179,7 +181,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -187,7 +189,7 @@ jobs: - name: Upload openvino RPM packages if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_rpm_packages path: ${{ env.BUILD_DIR }}/*.rpm @@ -195,7 +197,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -215,7 +217,7 @@ jobs: steps: - name: Download OpenVINO RPM packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_rpm_packages path: ${{ env.RPM_PACKAGES_DIR }} diff --git a/.github/workflows/files_size.yml b/.github/workflows/files_size.yml index 56485765b057b2..3828943d073a39 100644 --- a/.github/workflows/files_size.yml +++ b/.github/workflows/files_size.yml @@ -5,11 +5,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Check_Files_Size: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: git ls-tree run: git ls-tree -r -t -l --full-name HEAD | sort -n -r -k 4 diff --git a/.github/workflows/job_cpu_functional_tests.yml b/.github/workflows/job_cpu_functional_tests.yml index bfa0514950db83..0f94dd735bbb0f 100644 --- a/.github/workflows/job_cpu_functional_tests.yml +++ b/.github/workflows/job_cpu_functional_tests.yml @@ -13,6 +13,8 @@ on: required: false default: null +permissions: read-all + jobs: CPU_Functional_Tests: name: CPU functional tests @@ -31,13 +33,13 @@ jobs: PARALLEL_TEST_CACHE: ${{ github.workspace }}/install/tests/test_cache.lst steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -61,7 +63,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -79,7 +81,7 @@ jobs: run: python3 -m pip install -r ${INSTALL_TEST_DIR}/functional_test_utils/layer_tests_summary/requirements.txt - name: Restore tests execution time - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ${{ env.PARALLEL_TEST_CACHE }} key: ${{ runner.os }}-${{ runner.arch }}-tests-functional-cpu-stamp-${{ github.sha }} @@ -99,14 +101,14 @@ jobs: timeout-minutes: 25 - name: Save tests execution time - uses: actions/cache/save@v4 + uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 if: github.ref_name == 'master' with: path: ${{ env.PARALLEL_TEST_CACHE }} key: ${{ runner.os }}-${{ runner.arch }}-tests-functional-cpu-stamp-${{ github.sha }} - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: test-results-functional-cpu diff --git a/.github/workflows/job_cxx_unit_tests.yml b/.github/workflows/job_cxx_unit_tests.yml index 5ed1d17a27ca92..92c12dfcd71251 100644 --- a/.github/workflows/job_cxx_unit_tests.yml +++ b/.github/workflows/job_cxx_unit_tests.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + jobs: CXX_Unit_Tests: name: C++ unit tests @@ -33,13 +35,13 @@ jobs: INSTALL_TEST_DIR: ${{ github.workspace }}/install/tests steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -253,7 +255,7 @@ jobs: ${INSTALL_TEST_DIR}/ov_hetero_func_tests --gtest_print_time=1 --gtest_output=xml:${INSTALL_TEST_DIR}/TEST-OVHeteroFuncTests.xml --gtest_filter="*smoke*" - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-cpp diff --git a/.github/workflows/job_debian_packages.yml b/.github/workflows/job_debian_packages.yml index 77c03f3053e82e..d4734805a2cb4d 100644 --- a/.github/workflows/job_debian_packages.yml +++ b/.github/workflows/job_debian_packages.yml @@ -13,6 +13,8 @@ on: required: false default: null +permissions: read-all + jobs: Debian_Packages: name: Debian Packages @@ -31,7 +33,7 @@ jobs: run: echo 'Acquire::Retries "10";' > /etc/apt/apt.conf.d/80-retries - name: Download OpenVINO debian packages - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_debian_packages path: ${{ env.DEBIAN_PACKAGES_DIR }} diff --git a/.github/workflows/job_onnx_models_tests.yml b/.github/workflows/job_onnx_models_tests.yml index f919e2c0478662..30c226488fbb5f 100644 --- a/.github/workflows/job_onnx_models_tests.yml +++ b/.github/workflows/job_onnx_models_tests.yml @@ -13,6 +13,8 @@ on: required: false default: '{"image": null}' +permissions: read-all + jobs: ONNX_Models_tests: name: ONNX Models tests @@ -36,13 +38,13 @@ jobs: if: ${{ github.event_name != 'merge_group' }} steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -67,7 +69,7 @@ jobs: popd - name: Fetch model_zoo_preprocess script - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | src/frontends/onnx/tests/tests_python/model_zoo_preprocess.sh diff --git a/.github/workflows/job_onnx_runtime.yml b/.github/workflows/job_onnx_runtime.yml index b1d7060b6bce33..ae0f21bf58ab37 100644 --- a/.github/workflows/job_onnx_runtime.yml +++ b/.github/workflows/job_onnx_runtime.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + jobs: ONNX_Runtime: name: ONNX Runtime Integration @@ -41,7 +43,7 @@ jobs: ONNX_RUNTIME_BUILD_DIR: ${{ github.workspace }}/onnxruntime/build steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} diff --git a/.github/workflows/job_openvino_js.yml b/.github/workflows/job_openvino_js.yml index b91a3d8bc93139..a90bafd968d60b 100644 --- a/.github/workflows/job_openvino_js.yml +++ b/.github/workflows/job_openvino_js.yml @@ -13,6 +13,8 @@ on: required: false default: '{"image": null}' +permissions: read-all + jobs: JS_API: name: OpenVINO JS API @@ -29,7 +31,7 @@ jobs: NODE_VERSION: 20 steps: - name: Fetch OpenVINO JS sources - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | src/bindings/js @@ -42,13 +44,13 @@ jobs: echo "OPENVINO_JS_LIBS_DIR=$GITHUB_WORKSPACE/openvino/src/bindings/js/node/bin" >> "$GITHUB_ENV" - name: Download OpenVINO JS package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_js_package path: ${{ env.OPENVINO_JS_LIBS_DIR }} - name: Setup Node ${{ env.NODE_VERSION }} - uses: actions/setup-node@v4 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: ${{ env.NODE_VERSION }} diff --git a/.github/workflows/job_python_unit_tests.yml b/.github/workflows/job_python_unit_tests.yml index 1c73272550f3f8..2348e64a78a01e 100644 --- a/.github/workflows/job_python_unit_tests.yml +++ b/.github/workflows/job_python_unit_tests.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -39,13 +41,13 @@ jobs: steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -68,7 +70,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -268,7 +270,7 @@ jobs: - name: Clone API snippets if: runner.os != 'macOS' - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: docs/snippets path: ${{ env.OPENVINO_REPO }} @@ -284,7 +286,7 @@ jobs: python3 ${OPENVINO_REPO}/docs/snippets/main.py - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-python diff --git a/.github/workflows/job_pytorch_models_tests.yml b/.github/workflows/job_pytorch_models_tests.yml index 5d339c8af0acec..6ebaaf183fef41 100644 --- a/.github/workflows/job_pytorch_models_tests.yml +++ b/.github/workflows/job_pytorch_models_tests.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + jobs: PyTorch_Models_Tests: name: PyTorch Models tests @@ -47,19 +49,19 @@ jobs: fi - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tokenizers extension - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tokenizers_wheel path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -83,7 +85,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -162,7 +164,7 @@ jobs: df -h - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-torch-models diff --git a/.github/workflows/job_samples_tests.yml b/.github/workflows/job_samples_tests.yml index 3ca9719e75ebfe..ac2274d84156ac 100644 --- a/.github/workflows/job_samples_tests.yml +++ b/.github/workflows/job_samples_tests.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + jobs: Samples: runs-on: ${{ inputs.runner }} @@ -32,13 +34,13 @@ jobs: BUILD_DIR: ${{ github.workspace }}/build steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -64,7 +66,7 @@ jobs: run: brew install coreutils - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml diff --git a/.github/workflows/job_tensorflow_layer_tests.yml b/.github/workflows/job_tensorflow_layer_tests.yml index 01ed55d91d570f..e19e64d8aa058e 100644 --- a/.github/workflows/job_tensorflow_layer_tests.yml +++ b/.github/workflows/job_tensorflow_layer_tests.yml @@ -21,6 +21,8 @@ on: type: string required: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -42,19 +44,19 @@ jobs: LAYER_TESTS_INSTALL_DIR: ${{ github.workspace }}/install/tests/layer_tests steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} - name: Download OpenVINO tokenizers extension - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tokenizers_wheel path: ${{ env.INSTALL_DIR }} @@ -89,7 +91,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -156,7 +158,7 @@ jobs: TEST_PRECISION: FP16 - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-python-tf-layers diff --git a/.github/workflows/job_tensorflow_models_tests.yml b/.github/workflows/job_tensorflow_models_tests.yml index 4635fabefbd13c..cf69d0c4f1daf7 100644 --- a/.github/workflows/job_tensorflow_models_tests.yml +++ b/.github/workflows/job_tensorflow_models_tests.yml @@ -17,6 +17,8 @@ on: type: string required: true +permissions: read-all + jobs: TensorFlow_Models_Tests: name: TensorFlow Models tests @@ -35,19 +37,19 @@ jobs: NUMBER_OF_REPLICAS: 2 steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tokenizers extension - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tokenizers_wheel path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -75,7 +77,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -112,7 +114,7 @@ jobs: TEST_DEVICE: CPU - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-tensorflow-models-${{ inputs.model_scope }} diff --git a/.github/workflows/job_tokenizers.yml b/.github/workflows/job_tokenizers.yml index 721e4772b039ba..bf3d650873f4ae 100644 --- a/.github/workflows/job_tokenizers.yml +++ b/.github/workflows/job_tokenizers.yml @@ -21,6 +21,8 @@ on: type: string required: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -48,7 +50,7 @@ jobs: echo "EXTENSION_BUILD_DIR=$GITHUB_WORKSPACE/build" >> "$GITHUB_ENV" - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python @@ -64,14 +66,14 @@ jobs: self-hosted-runner: ${{ runner.os == 'Linux' }} - name: Clone OpenVINO Tokenizers - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_tokenizers' path: ${{ env.OPENVINO_TOKENIZERS_REPO }} ref: 'master' - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} @@ -128,7 +130,7 @@ jobs: - name: Upload openvino tokenizers wheel if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tokenizers_wheel path: ${{ env.EXTENSION_BUILD_DIR }}/*.whl diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 3089268cdfd0e6..c07df7494f7faa 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,6 +2,8 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: read-all + jobs: triage: permissions: @@ -9,20 +11,20 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: akladiev/labeler@v4.3.1 + - uses: akladiev/labeler@eeac5941e7fb6f980d47e038ac0665168851c874 # v4.3.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: '.github/labeler.yml' sync-labels: 'true' dot: 'true' non-matching-label: 'no-match-files' - + external_pr_labeller: name: Label External PR runs-on: ubuntu-latest steps: - name: Checkout Labeller Script - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: '.github' diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 0a7a1b0375dd28..462e30e44103b8 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux cancel-in-progress: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -29,7 +31,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -62,7 +64,7 @@ jobs: images: "${{ steps.handle_docker.outputs.images }}" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: ./.github/actions/handle_docker id: handle_docker @@ -111,7 +113,7 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' @@ -126,7 +128,7 @@ jobs: git rev-parse HEAD - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: ${{ env.OPENVINO_CONTRIB_REPO }} @@ -254,7 +256,7 @@ jobs: # Upload build artifacts and logs # - name: Upload build logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: build_logs @@ -263,7 +265,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -271,7 +273,7 @@ jobs: - name: Upload openvino js package if: fromJSON(needs.smart_ci.outputs.affected_components).JS_API - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_js_package path: ${{ env.INSTALL_DIR_JS }} @@ -279,7 +281,7 @@ jobs: - name: Upload openvino developer package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_developer_package path: ${{ env.BUILD_DIR }}/openvino_developer_package.tar.gz @@ -287,7 +289,7 @@ jobs: - name: Upload openvino debian packages if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_debian_packages path: ${{ env.BUILD_DIR }}/*.deb @@ -295,7 +297,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -360,13 +362,13 @@ jobs: # - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -381,7 +383,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -425,7 +427,7 @@ jobs: - name: Upload Conformance Artifacts if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: conformance_artifacts_${{ matrix.TEST_TYPE }}-${{ env.TEST_DEVICE }} path: ${{ env.CONFORMANCE_ARTIFACTS_DIR }}/conformance_artifacts.tar.gz @@ -451,7 +453,7 @@ jobs: - name: Upload Conformance Artifacts if: ${{ matrix.TEST_TYPE == 'API' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: conformance_artifacts_${{ matrix.TEST_TYPE }}-TEMPLATE path: ${{ env.CONFORMANCE_ARTIFACTS_DIR }}/conformance_artifacts.tar.gz @@ -594,13 +596,13 @@ jobs: steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO Developer package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_developer_package path: ${{ env.INSTALL_DIR }} @@ -616,7 +618,7 @@ jobs: popd - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: ${{ env.OPENVINO_CONTRIB_REPO }} @@ -676,13 +678,13 @@ jobs: GTEST_PARALLEL_SCRIPT: ${{ github.workspace }}/gtest_parallel.py steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: 'openvino_package' path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: 'openvino_tests' path: ${{ env.INSTALL_TEST_DIR }} @@ -713,7 +715,7 @@ jobs: TZ: "Europe/London" # to prevent tzdata from waiting user input - name: Setup Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ env.PYTHON_VERSION }} @@ -752,7 +754,7 @@ jobs: - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: test-results-${{ matrix.TEST_TYPE }}-gpu diff --git a/.github/workflows/linux_arm64.yml b/.github/workflows/linux_arm64.yml index 2d50900d157e3e..95dab44352d159 100644 --- a/.github/workflows/linux_arm64.yml +++ b/.github/workflows/linux_arm64.yml @@ -13,6 +13,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-arm cancel-in-progress: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -26,7 +28,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -59,7 +61,7 @@ jobs: images: "${{ steps.handle_docker.outputs.images }}" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: ./.github/actions/handle_docker id: handle_docker @@ -106,13 +108,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: ${{ env.OPENVINO_CONTRIB_REPO }} @@ -245,7 +247,7 @@ jobs: # Upload build artifacts and logs # - name: Upload build logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: build_logs @@ -254,7 +256,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -262,7 +264,7 @@ jobs: - name: Upload openvino developer package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_developer_package path: ${{ env.BUILD_DIR }}/openvino_developer_package.tar.gz @@ -270,7 +272,7 @@ jobs: - name: Upload openvino js package if: fromJSON(needs.smart_ci.outputs.affected_components).JS_API - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_js_package path: ${{ env.INSTALL_DIR_JS }} @@ -278,7 +280,7 @@ jobs: - name: Upload openvino debian packages if: ${{ 'false' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_debian_packages path: ${{ env.BUILD_DIR }}/*.deb @@ -286,7 +288,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz diff --git a/.github/workflows/linux_conditional_compilation.yml b/.github/workflows/linux_conditional_compilation.yml index 97e8c533b43ca5..8cee38b67e0d33 100644 --- a/.github/workflows/linux_conditional_compilation.yml +++ b/.github/workflows/linux_conditional_compilation.yml @@ -13,6 +13,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-cc cancel-in-progress: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -26,7 +28,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -59,7 +61,7 @@ jobs: images: "${{ steps.handle_docker.outputs.images }}" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: ./.github/actions/handle_docker id: handle_docker @@ -105,13 +107,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' - name: Clone test models - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: ${{ env.MODELS_PATH }} @@ -218,7 +220,7 @@ jobs: # Upload build artifacts and logs # - name: Upload build logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: build_logs @@ -227,7 +229,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -235,7 +237,7 @@ jobs: - name: Upload selective build statistics package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_selective_build_stat path: ${{ env.BUILD_DIR }}/openvino_selective_build_stat.tar.gz @@ -243,7 +245,7 @@ jobs: - name: Upload OpenVINO tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -277,13 +279,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' - name: Clone test models - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: ${{ env.MODELS_PATH }} @@ -291,7 +293,7 @@ jobs: ref: 'master' - name: Download selective build statistics package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_selective_build_stat path: ${{ env.SELECTIVE_BUILD_STAT_DIR }} diff --git a/.github/workflows/linux_riscv.yml b/.github/workflows/linux_riscv.yml index 6e63f2c44faee2..bb5116df054578 100644 --- a/.github/workflows/linux_riscv.yml +++ b/.github/workflows/linux_riscv.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-riscv cancel-in-progress: true +permissions: read-all + jobs: Smart_CI: runs-on: ubuntu-latest @@ -24,7 +26,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -75,7 +77,7 @@ jobs: run: apt-get update && apt-get install --assume-yes --no-install-recommends git ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' diff --git a/.github/workflows/linux_sanitizers.yml b/.github/workflows/linux_sanitizers.yml index d4a517de57eef2..1daecd00a484e1 100644 --- a/.github/workflows/linux_sanitizers.yml +++ b/.github/workflows/linux_sanitizers.yml @@ -11,6 +11,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-sanitizers cancel-in-progress: true +permissions: read-all + env: PIP_CACHE_PATH: /mount/caches/pip/linux PYTHON_VERSION: '3.11' @@ -62,13 +64,13 @@ jobs: apt-get install --assume-yes --no-install-recommends git ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: ${{ env.OPENVINO_REPO }} submodules: 'true' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: ${{ env.OPENVINO_CONTRIB_REPO }} @@ -184,7 +186,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package_${{ matrix.SANITIZER }} path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -192,7 +194,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests_${{ matrix.SANITIZER }} path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -228,13 +230,13 @@ jobs: run: echo 'Acquire::Retries "10";' > /etc/apt/apt.conf.d/80-retries - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ format('openvino_package_{0}', matrix.SANITIZER) }} path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: ${{ format('openvino_tests_{0}', matrix.SANITIZER) }} path: ${{ env.INSTALL_TEST_DIR }} @@ -264,7 +266,7 @@ jobs: apt update && apt --assume-yes install clang lld - name: Fetch Sanitizer Suppression Lists - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | tests/lsan/suppressions.txt @@ -460,7 +462,7 @@ jobs: ${INSTALL_TEST_DIR}/ov_hetero_func_tests --gtest_print_time=1 --gtest_output=xml:${INSTALL_TEST_DIR}/TEST-OVHeteroFuncTests.xml --gtest_filter="*smoke*" - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-cpp diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml index 28e03288dabe69..2c2f445fc5cc47 100644 --- a/.github/workflows/mac.yml +++ b/.github/workflows/mac.yml @@ -29,11 +29,12 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-mac-main cancel-in-progress: true +permissions: read-all + env: PYTHON_VERSION: '3.11' jobs: - Smart_CI: runs-on: ubuntu-latest outputs: @@ -41,7 +42,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -79,13 +80,13 @@ jobs: BUILD_DIR: ${{ github.workspace }}/build steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: 'openvino_contrib' @@ -130,7 +131,7 @@ jobs: # - name: Setup ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@c92f40bee50034e84c763e33b317c77adaa81c92 # v1.2.13 with: max-size: "2000M" # Should save cache only if run in the master branch of the base repo @@ -203,7 +204,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -211,7 +212,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -219,7 +220,7 @@ jobs: - name: Upload openvino js package if: fromJSON(needs.smart_ci.outputs.affected_components).JS_API - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_js_package path: ${{ env.INSTALL_DIR_JS }} diff --git a/.github/workflows/mac_arm64.yml b/.github/workflows/mac_arm64.yml index 37dc330eafde7a..8d51e8ae34be8b 100644 --- a/.github/workflows/mac_arm64.yml +++ b/.github/workflows/mac_arm64.yml @@ -29,6 +29,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-mac-arm64 cancel-in-progress: true +permissions: read-all + env: PYTHON_VERSION: '3.11' @@ -40,7 +42,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -78,13 +80,13 @@ jobs: BUILD_DIR: ${{ github.workspace }}/build steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: 'openvino_contrib' @@ -129,7 +131,7 @@ jobs: # - name: Setup ccache - uses: hendrikmuhs/ccache-action@v1.2 + uses: hendrikmuhs/ccache-action@c92f40bee50034e84c763e33b317c77adaa81c92 # v1.2.13 with: max-size: "2000M" # Should save cache only if run in the master branch of the base repo @@ -202,7 +204,7 @@ jobs: - name: Upload openvino package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.tar.gz @@ -210,7 +212,7 @@ jobs: - name: Upload openvino tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.tar.gz @@ -218,7 +220,7 @@ jobs: - name: Upload openvino js package if: fromJSON(needs.smart_ci.outputs.affected_components).JS_API - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_js_package path: ${{ env.INSTALL_DIR_JS }} diff --git a/.github/workflows/mo.yml b/.github/workflows/mo.yml index b59df07a21bafd..f8318f1a69190a 100644 --- a/.github/workflows/mo.yml +++ b/.github/workflows/mo.yml @@ -16,20 +16,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Pylint-UT: runs-on: ubuntu-22.04 steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.10' - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('tools/mo/requirements*.txt') }} @@ -53,4 +55,4 @@ jobs: - name: Pylint-MO run: pylint -d C,R,W openvino/tools/mo - working-directory: tools/mo \ No newline at end of file + working-directory: tools/mo diff --git a/.github/workflows/ovc.yml b/.github/workflows/ovc.yml index 886ed96f948c81..25c1f4c738bb93 100644 --- a/.github/workflows/ovc.yml +++ b/.github/workflows/ovc.yml @@ -11,20 +11,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Pylint-UT: runs-on: ubuntu-22.04 steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.10' - name: Cache pip - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('src/bindings/python/requirements*.txt') }} diff --git a/.github/workflows/py_checks.yml b/.github/workflows/py_checks.yml index b4a361c0e55496..5766105f1649de 100644 --- a/.github/workflows/py_checks.yml +++ b/.github/workflows/py_checks.yml @@ -20,15 +20,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: linters: runs-on: ubuntu-20.04 steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.8' @@ -47,7 +49,7 @@ jobs: git diff > samples_diff.diff working-directory: samples/python - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: failure() with: name: samples_diff @@ -65,7 +67,7 @@ jobs: git diff > pyopenvino_diff.diff working-directory: src/bindings/python/src/openvino - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: failure() with: name: pyopenvino_diff @@ -83,7 +85,7 @@ jobs: git diff > wheel_diff.diff working-directory: src/bindings/python/wheel - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: failure() with: name: wheel_diff @@ -111,4 +113,3 @@ jobs: fi fi done - diff --git a/.github/workflows/send_workflows_to_opentelemetry.yml b/.github/workflows/send_workflows_to_opentelemetry.yml index df77a74ce0d7d6..c52b20bdcfd628 100644 --- a/.github/workflows/send_workflows_to_opentelemetry.yml +++ b/.github/workflows/send_workflows_to_opentelemetry.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: '.github' diff --git a/.github/workflows/stale_prs_and_issues.yml b/.github/workflows/stale_prs_and_issues.yml index deaf62781842e4..395fc6a350e2ba 100644 --- a/.github/workflows/stale_prs_and_issues.yml +++ b/.github/workflows/stale_prs_and_issues.yml @@ -4,15 +4,16 @@ on: schedule: - cron: '0 0 * * *' -permissions: - issues: write - pull-requests: write +permissions: read-all jobs: stale: + permissions: + issues: write + pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: stale-issue-message: 'This issue will be closed in a week because of 9 months of no activity.' stale-pr-message: 'This PR will be closed in a week because of 2 weeks of no activity.' diff --git a/.github/workflows/webassembly.yml b/.github/workflows/webassembly.yml index 250b9f549a6ec2..f14b7de568c336 100644 --- a/.github/workflows/webassembly.yml +++ b/.github/workflows/webassembly.yml @@ -13,6 +13,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-webassembly cancel-in-progress: true +permissions: read-all + jobs: Smart_CI: runs-on: ubuntu-latest @@ -21,7 +23,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -64,13 +66,13 @@ jobs: run: apt-get update && apt-get install --assume-yes --no-install-recommends git ca-certificates - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Install sccache - uses: mozilla-actions/sccache-action@v0.0.4 + uses: mozilla-actions/sccache-action@2e7f9ec7921547d4b46598398ca573513895d0bd # v0.0.4 with: version: "v0.7.5" diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 7b0f4ad976e162..e87db422b25f0a 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -16,6 +16,8 @@ env: PIP_CACHE_PATH: /mount/caches/pip/win PYTHON_VERSION: '3.11' +permissions: read-all + jobs: Smart_CI: runs-on: ubuntu-latest @@ -24,7 +26,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -67,13 +69,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Clone OpenVINO Contrib - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/openvino_contrib' path: 'openvino_contrib' @@ -150,7 +152,7 @@ jobs: ${{ runner.os }}-${{ runner.arch }}-ccache - name: Configure Developer Command Prompt for Microsoft Visual C++ - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Set SSL_CERT_FILE for model downloading for unit tests run: echo SSL_CERT_FILE=$(python3 -m certifi) >> $env:GITHUB_ENV @@ -215,14 +217,14 @@ jobs: # - name: Upload openvino package - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_package path: ${{ env.BUILD_DIR }}/openvino_package.zip if-no-files-found: 'error' - name: Upload openvino tests package - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.zip @@ -230,7 +232,7 @@ jobs: - name: Upload openvino js package if: fromJSON(needs.smart_ci.outputs.affected_components).JS_API - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_js_package path: ${{ env.INSTALL_DIR_JS }} @@ -253,13 +255,13 @@ jobs: steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -274,7 +276,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -339,20 +341,20 @@ jobs: steps: - name: Fetch OpenVINO JS sources - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | src/bindings/js path: 'openvino' - name: Download OpenVINO js package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_js_package path: ${{ env.OPENVINO_JS_LIBS_DIR }} - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 20 @@ -405,13 +407,13 @@ jobs: steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -426,7 +428,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -563,7 +565,7 @@ jobs: run: python3 -m pytest -s ${{ env.INSTALL_TEST_DIR }}/ovc/unit_tests --junitxml=${{ env.INSTALL_TEST_DIR }}/TEST-OpenVinoConversion.xml - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-python @@ -593,13 +595,13 @@ jobs: steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -769,7 +771,7 @@ jobs: ${{ env.INSTALL_TEST_DIR }}/ov_hetero_func_tests --gtest_print_time=1 --gtest_output=xml:${{ env.INSTALL_TEST_DIR }}/TEST-OVHeteroFuncTests.xml --gtest_filter="*smoke*" - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-cpp @@ -793,13 +795,13 @@ jobs: if: fromJSON(needs.smart_ci.outputs.affected_components).CPU.test steps: - name: Download OpenVINO package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_package path: ${{ env.INSTALL_DIR }} - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -814,7 +816,7 @@ jobs: popd - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -832,7 +834,7 @@ jobs: run: python3 -m pip install -r ${{ github.workspace }}\install\tests\functional_test_utils\layer_tests_summary\requirements.txt - name: Restore tests execution time - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ${{ env.PARALLEL_TEST_CACHE }} key: ${{ runner.os }}-tests-functional-cpu-stamp-${{ github.sha }} @@ -846,14 +848,14 @@ jobs: timeout-minutes: 60 - name: Save tests execution time - uses: actions/cache/save@v4 + uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 if: github.ref_name == 'master' with: path: ${{ env.PARALLEL_TEST_CACHE }} key: ${{ runner.os }}-tests-functional-cpu-stamp-${{ github.sha }} - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-functional-cpu diff --git a/.github/workflows/windows_conditional_compilation.yml b/.github/workflows/windows_conditional_compilation.yml index 087f3308f78f1a..81fa38fb5e68d3 100644 --- a/.github/workflows/windows_conditional_compilation.yml +++ b/.github/workflows/windows_conditional_compilation.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-windows-cc cancel-in-progress: true +permissions: read-all + env: PYTHON_VERSION: '3.11' @@ -27,7 +29,7 @@ jobs: skip_workflow: "${{ steps.smart_ci.outputs.skip_workflow }}" steps: - name: checkout action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: .github/actions/smart-ci @@ -70,13 +72,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Clone test models - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: 'testdata' @@ -149,7 +151,7 @@ jobs: ${{ runner.os }}-${{ runner.arch }}-ccache - name: Configure Developer Command Prompt for Microsoft Visual C++ - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: Set SSL_CERT_FILE for model downloading for unit tests run: echo SSL_CERT_FILE=$(python3 -m certifi) >> $env:GITHUB_ENV @@ -242,7 +244,7 @@ jobs: - name: Upload selective build statistics package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_selective_build_stat path: ${{ env.BUILD_DIR }}/openvino_selective_build_stat.zip @@ -250,7 +252,7 @@ jobs: - name: Upload OpenVINO tests package if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: openvino_tests path: ${{ env.BUILD_DIR }}/openvino_tests.zip @@ -273,13 +275,13 @@ jobs: steps: - name: Clone OpenVINO - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: path: 'openvino' submodules: 'true' - name: Clone test models - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: 'openvinotoolkit/testdata' path: 'testdata' @@ -287,7 +289,7 @@ jobs: ref: 'master' - name: Download selective build statistics package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_selective_build_stat path: ${{ env.SELECTIVE_BUILD_STAT_DIR }} @@ -349,7 +351,7 @@ jobs: steps: - name: Download OpenVINO tests package - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: openvino_tests path: ${{ env.INSTALL_TEST_DIR }} @@ -358,7 +360,7 @@ jobs: run: Expand-Archive ${{ env.INSTALL_TEST_DIR }}/openvino_tests.zip -DestinationPath "${{ env.INSTALL_TEST_DIR }}" - name: Fetch setup_python action - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | .github/actions/setup_python/action.yml @@ -376,7 +378,7 @@ jobs: run: python3 -m pip install -r ${{ env.INSTALL_TEST_DIR }}/layer_tests_summary/requirements.txt - name: Restore tests execution time - uses: actions/cache/restore@v4 + uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ${{ env.PARALLEL_TEST_CACHE }} key: ${{ runner.os }}-tests-functional-cpu-stamp-${{ github.sha }} @@ -391,7 +393,7 @@ jobs: timeout-minutes: 60 - name: Upload Test Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ !cancelled() }} with: name: test-results-functional-cpu diff --git a/.github/workflows/workflow_rerunner.yml b/.github/workflows/workflow_rerunner.yml index 08215bea2544bc..bb8ddfd6e64c0d 100644 --- a/.github/workflows/workflow_rerunner.yml +++ b/.github/workflows/workflow_rerunner.yml @@ -16,6 +16,8 @@ on: - '.github/workflows/workflow_rerunner.yml' - '.github/scripts/workflow_rerun/**' +permissions: read-all + jobs: rerun: name: Rerun Workflow @@ -28,7 +30,7 @@ jobs: checks: read steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: '.github/scripts/workflow_rerun' @@ -59,7 +61,7 @@ jobs: runs-on: aks-linux-2-cores-8gb steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: '.github/scripts/workflow_rerun' lfs: true