From 78fbb5fad729d5c6749508b70285e0e4cd881d4f Mon Sep 17 00:00:00 2001 From: Thanh Ha Date: Fri, 25 Apr 2025 10:00:44 -0400 Subject: [PATCH] Pin to SHA for actions outside of PyTorch Pin actions from repos external to the PyTorch project to their shasums for security. This is a best practice as Git tags are not immutable. https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/ Signed-off-by: Thanh Ha --- .github/workflows/_binary_upload.yml | 10 +++---- .github/workflows/_upload_docs.yml | 4 +-- .github/workflows/backfill-workflow-job.yml | 4 +-- .github/workflows/build-windows-ami.yml | 6 ++--- .github/workflows/build_wheels_linux.yml | 4 +-- .github/workflows/build_wheels_macos.yml | 4 +-- .github/workflows/build_wheels_windows.yml | 4 +-- .github/workflows/check-alerts.yml | 4 +-- .github/workflows/clang-tidy-linux.yml | 2 +- .github/workflows/clang-tidy-macos.yml | 4 +-- .../clickhouse-replicator-dynamo-lambda.yml | 6 ++--- .../clickhouse-replicator-s3-lambda.yml | 6 ++--- ...ploy_lambda_whl_metadata_upload_pep658.yml | 10 +++---- .../generate_binary_build_matrix.yml | 4 +-- .../generate_docker_release_matrix.yml | 4 +-- .github/workflows/generate_release_matrix.yml | 4 +-- .github/workflows/gha-artifacts-lambda.yml | 10 +++---- .../workflows/github-status-test-lambda.yml | 8 +++--- .../workflows/lambda-do-release-runners.yml | 26 +++++++++---------- .../workflows/lambda-release-tag-runners.yml | 4 +-- .../lambda-runner-binaries-syncer.yml | 2 +- .github/workflows/lambda-runners.yml | 2 +- .github/workflows/lambda-webhook.yml | 2 +- .github/workflows/lint.yml | 6 ++--- .github/workflows/linux_job.yml | 14 +++++----- .github/workflows/linux_job_v2.yml | 16 ++++++------ .github/workflows/log-classifier-lambda.yml | 8 +++--- .github/workflows/macos_job.yml | 12 ++++----- .github/workflows/mobile_job.yml | 10 +++---- .../workflows/opensearch-gha-jobs-lambda.yml | 10 +++---- .github/workflows/pr-dependencies-check.yml | 2 +- .github/workflows/revert-tracker.yml | 4 +-- .github/workflows/scale_config_validation.yml | 4 +-- .../workflows/servicelab-ingestor-lambda.yml | 6 ++--- .../workflows/test-binary-size-validation.yml | 2 +- .github/workflows/test-setup-miniconda.yml | 2 +- .github/workflows/test-setup-nvidia.yml | 2 +- .github/workflows/test-setup-ssh.yml | 6 ++--- .../test_upload_benchmark_results.yml | 2 +- .github/workflows/tflint.yml | 6 ++--- .github/workflows/torchci.yml | 4 +-- .github/workflows/trigger_nightly.yml | 2 +- .github/workflows/trigger_nightly_core.yml | 2 +- .github/workflows/update-drci-comments.yml | 2 +- .github/workflows/update-queue-times.yml | 4 +-- .github/workflows/update-s3-html.yml | 4 +-- .github/workflows/update-test-times.yml | 4 +-- .github/workflows/update_disabled_tests.yml | 6 ++--- .../workflows/update_test_file_ratings.yml | 6 ++--- .github/workflows/upload-tutorials-stats.yml | 8 +++--- .../workflows/usage-log-aggregator-lambda.yml | 10 +++---- .../validate-pypi-wheel-binary-size.yml | 2 +- .github/workflows/windows-ami-validation.yml | 4 +-- .github/workflows/windows_job.yml | 12 ++++----- 54 files changed, 158 insertions(+), 158 deletions(-) diff --git a/.github/workflows/_binary_upload.yml b/.github/workflows/_binary_upload.yml index d24c518f2e..5842c49f21 100644 --- a/.github/workflows/_binary_upload.yml +++ b/.github/workflows/_binary_upload.yml @@ -51,7 +51,7 @@ jobs: timeout-minutes: 30 name: upload-${{ matrix.build_name }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.test-infra-repository }} ref: ${{ inputs.test-infra-ref }} @@ -70,21 +70,21 @@ jobs: upload-to-base-bucket: ${{ matrix.upload_to_base_bucket }} - name: Download the artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ env.ARTIFACT_NAME }} path: ${{ inputs.repository }}/dist/ - name: Configure aws credentials (pytorch account) if: ${{ inputs.trigger-event == 'schedule' || (inputs.trigger-event == 'push' && startsWith(github.event.ref, 'refs/heads/nightly')) }} - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::749337293305:role/gha_workflow_nightly_build_wheels aws-region: us-east-1 - name: Configure aws credentials (pytorch account) if: ${{ env.CHANNEL == 'test' && startsWith(github.event.ref, 'refs/tags/v') }} - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::749337293305:role/gha_workflow_test_build_wheels aws-region: us-east-1 @@ -120,7 +120,7 @@ jobs: - name: Upload package to pypi if: ${{ env.NIGHTLY_OR_TEST == '1' && contains(inputs.upload-to-pypi, matrix.desired_cuda) }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1 with: user: __token__ password: ${{ secrets.PYPI_API_TOKEN }} diff --git a/.github/workflows/_upload_docs.yml b/.github/workflows/_upload_docs.yml index 8fc98dbaed..f3594ebb92 100644 --- a/.github/workflows/_upload_docs.yml +++ b/.github/workflows/_upload_docs.yml @@ -26,12 +26,12 @@ jobs: if: ${{ github.repository == inputs.repository && github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.docs-branch }} persist-credentials: true - name: Download artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ inputs.docs-name }} path: docs diff --git a/.github/workflows/backfill-workflow-job.yml b/.github/workflows/backfill-workflow-job.yml index 702cd2e68f..981c835d9d 100644 --- a/.github/workflows/backfill-workflow-job.yml +++ b/.github/workflows/backfill-workflow-job.yml @@ -17,11 +17,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_backfill-workflow-job aws-region: us-east-1 - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: yarn install --frozen-lockfile - run: yarn node scripts/backfillJobs.mjs env: diff --git a/.github/workflows/build-windows-ami.yml b/.github/workflows/build-windows-ami.yml index 1e9c233eda..e9dedb3bca 100644 --- a/.github/workflows/build-windows-ami.yml +++ b/.github/workflows/build-windows-ami.yml @@ -24,19 +24,19 @@ jobs: runs-on: ubuntu-latest environment: packer-build-env steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/test-infra ref: ${{ inputs.branch }} - name: Configure AWS Credentials (PyTorch Account) - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: aws-region: us-east-1 role-to-assume: arn:aws:iam::391835788720:role/gha-packer-role - name: Setup Packer - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@76e3039aa951aa4e6efe7e6ee06bc9ceb072142d # main with: version: ${{ env.PACKER_VERSION }} diff --git a/.github/workflows/build_wheels_linux.yml b/.github/workflows/build_wheels_linux.yml index 3389b8e8a4..3c3f571fdd 100644 --- a/.github/workflows/build_wheels_linux.yml +++ b/.github/workflows/build_wheels_linux.yml @@ -149,7 +149,7 @@ jobs: fi echo "::endgroup::" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -307,7 +307,7 @@ jobs: - name: Upload wheel to GitHub continue-on-error: true - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ env.ARTIFACT_NAME }} path: ${{ inputs.repository }}/dist/ diff --git a/.github/workflows/build_wheels_macos.yml b/.github/workflows/build_wheels_macos.yml index 8f0efc03d9..30e150cfe5 100644 --- a/.github/workflows/build_wheels_macos.yml +++ b/.github/workflows/build_wheels_macos.yml @@ -117,7 +117,7 @@ jobs: rm -rfv "${GITHUB_WORKSPACE}" mkdir -p "${GITHUB_WORKSPACE}" echo "::endgroup::" - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -252,7 +252,7 @@ jobs: # NB: Only upload to GitHub after passing smoke tests - name: Upload wheel to GitHub continue-on-error: true - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ env.ARTIFACT_NAME }} path: ${{ inputs.repository }}/dist/ diff --git a/.github/workflows/build_wheels_windows.yml b/.github/workflows/build_wheels_windows.yml index 6cf0405a05..0ba3fdb685 100644 --- a/.github/workflows/build_wheels_windows.yml +++ b/.github/workflows/build_wheels_windows.yml @@ -94,7 +94,7 @@ jobs: # to have a conversation timeout-minutes: ${{ inputs.timeout }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -212,7 +212,7 @@ jobs: # NB: Only upload to GitHub after passing smoke tests - name: Upload wheel to GitHub continue-on-error: true - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ env.ARTIFACT_NAME }} path: ${{ inputs.repository }}/dist/ diff --git a/.github/workflows/check-alerts.yml b/.github/workflows/check-alerts.yml index 680eaaa013..d85a6629ad 100644 --- a/.github/workflows/check-alerts.yml +++ b/.github/workflows/check-alerts.yml @@ -41,7 +41,7 @@ jobs: issues: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Dependencies run: pip3 install requests setuptools==61.2.0 - name: Check for alerts and creates issue @@ -60,7 +60,7 @@ jobs: issues: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Dependencies run: pip3 install requests setuptools==61.2.0 - name: Check for alerts and creates issue diff --git a/.github/workflows/clang-tidy-linux.yml b/.github/workflows/clang-tidy-linux.yml index 75c8c74d2e..3745d21215 100644 --- a/.github/workflows/clang-tidy-linux.yml +++ b/.github/workflows/clang-tidy-linux.yml @@ -22,7 +22,7 @@ jobs: runs-on: linux.12xlarge steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build docker image and extract binary run: | diff --git a/.github/workflows/clang-tidy-macos.yml b/.github/workflows/clang-tidy-macos.yml index fb64b53efb..4ab8e25554 100644 --- a/.github/workflows/clang-tidy-macos.yml +++ b/.github/workflows/clang-tidy-macos.yml @@ -24,7 +24,7 @@ jobs: runs-on: macos-13 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install dependencies run: | brew install ninja @@ -57,7 +57,7 @@ jobs: runs-on: macos-m1-stable steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install dependencies run: | brew install ninja cmake diff --git a/.github/workflows/clickhouse-replicator-dynamo-lambda.yml b/.github/workflows/clickhouse-replicator-dynamo-lambda.yml index 674ae2472c..b80110a764 100644 --- a/.github/workflows/clickhouse-replicator-dynamo-lambda.yml +++ b/.github/workflows/clickhouse-replicator-dynamo-lambda.yml @@ -19,13 +19,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_deploy_clickhouse_replicator_lambdas aws-region: us-east-1 diff --git a/.github/workflows/clickhouse-replicator-s3-lambda.yml b/.github/workflows/clickhouse-replicator-s3-lambda.yml index 1c1bac6e02..cfc0370cde 100644 --- a/.github/workflows/clickhouse-replicator-s3-lambda.yml +++ b/.github/workflows/clickhouse-replicator-s3-lambda.yml @@ -19,13 +19,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_deploy_clickhouse_replicator_lambdas aws-region: us-east-1 diff --git a/.github/workflows/deploy_lambda_whl_metadata_upload_pep658.yml b/.github/workflows/deploy_lambda_whl_metadata_upload_pep658.yml index 758dab44c5..9caa96ca12 100644 --- a/.github/workflows/deploy_lambda_whl_metadata_upload_pep658.yml +++ b/.github/workflows/deploy_lambda_whl_metadata_upload_pep658.yml @@ -19,8 +19,8 @@ jobs: test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' cache: pip @@ -35,13 +35,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::749337293305:role/gha_workflow_whl_metadata_upload_pep658 aws-region: us-east-1 diff --git a/.github/workflows/generate_binary_build_matrix.yml b/.github/workflows/generate_binary_build_matrix.yml index 9d7c546918..883a66c348 100644 --- a/.github/workflows/generate_binary_build_matrix.yml +++ b/.github/workflows/generate_binary_build_matrix.yml @@ -71,11 +71,11 @@ jobs: matrix: ${{ steps.generate.outputs.matrix }} runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' - name: Checkout test-infra repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.test-infra-repository }} ref: ${{ inputs.test-infra-ref }} diff --git a/.github/workflows/generate_docker_release_matrix.yml b/.github/workflows/generate_docker_release_matrix.yml index cdc0b482e5..18d9ae05c9 100644 --- a/.github/workflows/generate_docker_release_matrix.yml +++ b/.github/workflows/generate_docker_release_matrix.yml @@ -31,11 +31,11 @@ jobs: matrix: ${{ steps.generate.outputs.matrix }} runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' - name: Checkout test-infra repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.test-infra-repository }} ref: ${{ inputs.test-infra-ref }} diff --git a/.github/workflows/generate_release_matrix.yml b/.github/workflows/generate_release_matrix.yml index b087785116..ba9a45361b 100644 --- a/.github/workflows/generate_release_matrix.yml +++ b/.github/workflows/generate_release_matrix.yml @@ -26,11 +26,11 @@ jobs: matrix: ${{ steps.generate.outputs.matrix }} runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' - name: Checkout test-infra repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.test-infra-repository }} ref: ${{ inputs.test-infra-ref }} diff --git a/.github/workflows/gha-artifacts-lambda.yml b/.github/workflows/gha-artifacts-lambda.yml index f8504cd055..f49530bd7b 100644 --- a/.github/workflows/gha-artifacts-lambda.yml +++ b/.github/workflows/gha-artifacts-lambda.yml @@ -24,8 +24,8 @@ jobs: test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip @@ -36,13 +36,13 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_gha-artifacts-lambda aws-region: us-east-1 diff --git a/.github/workflows/github-status-test-lambda.yml b/.github/workflows/github-status-test-lambda.yml index 6242d90dbb..e463c004ff 100644 --- a/.github/workflows/github-status-test-lambda.yml +++ b/.github/workflows/github-status-test-lambda.yml @@ -25,18 +25,18 @@ jobs: contents: read steps: - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_github-status-test-lambda aws-region: us-east-1 - name: Check out test infra - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - - uses: nick-fields/retry@3e91a01664abd3c5cd539100d10d33b9c5b68482 + - uses: nick-fields/retry@3e91a01664abd3c5cd539100d10d33b9c5b68482 # v2.8.2 name: Setup dependencies with: shell: bash diff --git a/.github/workflows/lambda-do-release-runners.yml b/.github/workflows/lambda-do-release-runners.yml index d4d8903c23..2f1d7de11b 100644 --- a/.github/workflows/lambda-do-release-runners.yml +++ b/.github/workflows/lambda-do-release-runners.yml @@ -19,7 +19,7 @@ jobs: REF: ${{ inputs.tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.tag }} @@ -35,7 +35,7 @@ jobs: - name: Copy js to root - Runner Binaries Syncer run: cp terraform-aws-github-runner/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/dist/index.js . - name: create lambda zip - Runner Binaries Syncer - uses: montudor/action-zip@v1 + uses: montudor/action-zip@0852c26906e00f8a315c704958823928d8018b28 # v1.0.0 with: args: zip runner-binaries-syncer.zip index.js @@ -51,7 +51,7 @@ jobs: - name: Copy js to root - Runners run: cp terraform-aws-github-runner/modules/runners/lambdas/runners/dist/index.js . - name: create lambda zip - Runners - uses: montudor/action-zip@v1 + uses: montudor/action-zip@0852c26906e00f8a315c704958823928d8018b28 # v1.0.0 with: args: zip runners.zip index.js @@ -67,11 +67,11 @@ jobs: - name: Copy js to root - Webhook run: cp terraform-aws-github-runner/modules/webhook/lambdas/webhook/dist/index.js . - name: create lambda zip- Webhook - uses: montudor/action-zip@v1 + uses: montudor/action-zip@0852c26906e00f8a315c704958823928d8018b28 # v1.0.0 with: args: zip webhook.zip index.js - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 with: artifacts: "runner-binaries-syncer.zip,runners.zip,webhook.zip" allowUpdates: true @@ -89,11 +89,11 @@ jobs: REF: ${{ inputs.tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.tag }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' @@ -104,7 +104,7 @@ jobs: - name: Copy deployment.zip to root run: cp aws/lambda/ci-queue-pct/deployment.zip ci-queue-pct.zip - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 with: artifacts: "ci-queue-pct.zip" allowUpdates: true @@ -122,11 +122,11 @@ jobs: REF: ${{ inputs.tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.tag }} - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' @@ -137,7 +137,7 @@ jobs: - name: Copy deployment.zip to root run: cp aws/lambda/oss_ci_job_queue_time/deployment.zip oss-ci-job-queue-time.zip - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 with: artifacts: "oss-ci-job-queue-time.zip" allowUpdates: true @@ -159,10 +159,10 @@ jobs: REF: ${{ inputs.tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.tag }} - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 with: allowUpdates: true draft: false diff --git a/.github/workflows/lambda-release-tag-runners.yml b/.github/workflows/lambda-release-tag-runners.yml index d34264aa47..c0ba640eed 100644 --- a/.github/workflows/lambda-release-tag-runners.yml +++ b/.github/workflows/lambda-release-tag-runners.yml @@ -17,7 +17,7 @@ jobs: date: ${{ steps.date.outputs.date }} steps: - name: Checkout branch - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Get current date id: date @@ -25,7 +25,7 @@ jobs: echo "date=$(date +'%Y%m%d-%H%M%S')" >> "${GITHUB_OUTPUT}" - name: Tag snapshot - uses: tvdias/github-tagger@v0.0.1 + uses: tvdias/github-tagger@a570476cc87352c1655c606b29590df6014535e0 # v0.0.1 env: GITHUB_TOKEN: ${{ secrets.TAG_RELEASE }} with: diff --git a/.github/workflows/lambda-runner-binaries-syncer.yml b/.github/workflows/lambda-runner-binaries-syncer.yml index 218e44a3d5..759303305f 100644 --- a/.github/workflows/lambda-runner-binaries-syncer.yml +++ b/.github/workflows/lambda-runner-binaries-syncer.yml @@ -18,6 +18,6 @@ jobs: working-directory: terraform-aws-github-runner/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build, Lint, and Test run: make build diff --git a/.github/workflows/lambda-runners.yml b/.github/workflows/lambda-runners.yml index 186c274a2f..22db0aae40 100644 --- a/.github/workflows/lambda-runners.yml +++ b/.github/workflows/lambda-runners.yml @@ -18,6 +18,6 @@ jobs: working-directory: terraform-aws-github-runner/modules/runners/lambdas/runners steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build, Lint, and Test run: make build diff --git a/.github/workflows/lambda-webhook.yml b/.github/workflows/lambda-webhook.yml index 45e6b0fa61..d418c8d1a1 100644 --- a/.github/workflows/lambda-webhook.yml +++ b/.github/workflows/lambda-webhook.yml @@ -18,6 +18,6 @@ jobs: working-directory: terraform-aws-github-runner/modules/webhook/lambdas/webhook steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build, Lint, and Test run: make build diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 54102d4981..d3cb180572 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -23,9 +23,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python_version }} @@ -49,7 +49,7 @@ jobs: - name: Upload SARIF file if: always() && matrix.os == 'ubuntu-latest' continue-on-error: true - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: # Path to SARIF file relative to the root of the repository sarif_file: lintrunner.sarif diff --git a/.github/workflows/linux_job.yml b/.github/workflows/linux_job.yml index 73b870e9aa..8f9057bc7a 100644 --- a/.github/workflows/linux_job.yml +++ b/.github/workflows/linux_job.yml @@ -143,7 +143,7 @@ jobs: echo "::endgroup::" - name: Checkout repository (${{ inputs.test-infra-repository }}@${{ inputs.test-infra-ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -167,7 +167,7 @@ jobs: docker exec -it $(docker container ps --format '{{.ID}}') bash - name: Checkout repository (${{ inputs.repository || github.repository }}@${{ inputs.ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.repository || github.repository }} @@ -201,7 +201,7 @@ jobs: if: ${{ steps.check_container_runner.outputs.IN_CONTAINER_RUNNER == 'true' }} - name: Download artifacts (if any) - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: ${{ inputs.download-artifact != '' }} with: name: ${{ inputs.download-artifact }} @@ -270,7 +270,7 @@ jobs: - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.3.0 + uses: pmeier/pytest-results-action@a2c1430e2bddadbad9f49a6f9b879f062c6b19b1 # v0.3.0 with: path: ${{ env.RUNNER_TEST_RESULTS_DIR }} fail-on-empty: false @@ -321,7 +321,7 @@ jobs: # NB: Keep this for compatibility with existing jobs and also keep in mind that only # our AWS runners have access to S3 - name: Upload artifacts to GitHub (if any) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ always() && inputs.upload-artifact != '' && !inputs.upload-artifact-to-s3 }} with: name: ${{ inputs.upload-artifact }} @@ -329,7 +329,7 @@ jobs: # NB: This only works with our AWS runners - name: Upload artifacts to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ always() && inputs.upload-artifact != '' && inputs.upload-artifact-to-s3 }} with: retention-days: 14 @@ -339,7 +339,7 @@ jobs: path: ${{ runner.temp }}/artifacts/ - name: Upload documentation to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ steps.check-artifacts.outputs.upload-docs == 1 && github.event.pull_request.number != '' }} with: retention-days: 14 diff --git a/.github/workflows/linux_job_v2.yml b/.github/workflows/linux_job_v2.yml index 30098c47be..b66260aac7 100644 --- a/.github/workflows/linux_job_v2.yml +++ b/.github/workflows/linux_job_v2.yml @@ -147,7 +147,7 @@ jobs: echo "::endgroup::" - name: Checkout repository (${{ inputs.test-infra-repository }}@${{ inputs.test-infra-ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -164,7 +164,7 @@ jobs: if: ${{ inputs.gpu-arch-type != 'rocm' }} - name: Setup ROCM - uses: pytorch/pytorch/.github/actions/setup-rocm@main + uses: pytorch/pytorch/.github/actions/setup-rocm@9c1bc9ce4684de96db025292610c0664d3d55345 # main if: ${{ inputs.gpu-arch-type == 'rocm' }} - name: Setup SSH @@ -176,7 +176,7 @@ jobs: docker exec -it $(docker container ps --format '{{.ID}}') bash - name: Checkout repository (${{ inputs.repository || github.repository }}@${{ inputs.ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.repository || github.repository }} @@ -210,7 +210,7 @@ jobs: if: ${{ steps.check_container_runner.outputs.IN_CONTAINER_RUNNER == 'true' }} - name: Download artifacts (if any) - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: ${{ inputs.download-artifact != '' }} with: name: ${{ inputs.download-artifact }} @@ -270,7 +270,7 @@ jobs: - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.3.0 + uses: pmeier/pytest-results-action@a2c1430e2bddadbad9f49a6f9b879f062c6b19b1 # v0.3.0 with: path: ${{ env.RUNNER_TEST_RESULTS_DIR }} fail-on-empty: false @@ -321,7 +321,7 @@ jobs: # NB: Keep this for compatibility with existing jobs and also keep in mind that only # our AWS runners have access to S3 - name: Upload artifacts to GitHub (if any) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ always() && inputs.upload-artifact != '' && !inputs.upload-artifact-to-s3 }} with: name: ${{ inputs.upload-artifact }} @@ -329,7 +329,7 @@ jobs: # NB: This only works with our AWS runners - name: Upload artifacts to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ always() && inputs.upload-artifact != '' && inputs.upload-artifact-to-s3 }} with: retention-days: 14 @@ -339,7 +339,7 @@ jobs: path: ${{ runner.temp }}/artifacts/ - name: Upload documentation to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ steps.check-artifacts.outputs.upload-docs == 1 && github.event.pull_request.number != '' }} with: retention-days: 14 diff --git a/.github/workflows/log-classifier-lambda.yml b/.github/workflows/log-classifier-lambda.yml index ea8aea1e1c..845d3f4a8d 100644 --- a/.github/workflows/log-classifier-lambda.yml +++ b/.github/workflows/log-classifier-lambda.yml @@ -19,7 +19,7 @@ jobs: test: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: cargo test deploy: @@ -30,10 +30,10 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_log-classifier-lambda aws-region: us-east-1 diff --git a/.github/workflows/macos_job.yml b/.github/workflows/macos_job.yml index 62261a882f..7c1bb10900 100644 --- a/.github/workflows/macos_job.yml +++ b/.github/workflows/macos_job.yml @@ -98,7 +98,7 @@ jobs: echo "::endgroup::" - name: Checkout repository (${{ inputs.test-infra-repository }}@${{ inputs.test-infra-ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -111,7 +111,7 @@ jobs: python-version: ${{ inputs.python-version }} - name: Checkout repository (${{ inputs.repository || github.repository }}@${{ inputs.ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.repository || github.repository }} @@ -132,7 +132,7 @@ jobs: echo "RUNNER_TEST_RESULTS_DIR=${RUNNER_TEST_RESULTS_DIR}" >> "${GITHUB_ENV}" - name: Download artifacts (if any) - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: ${{ inputs.download-artifact != '' }} with: name: ${{ inputs.download-artifact }} @@ -166,7 +166,7 @@ jobs: - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.3.0 + uses: pmeier/pytest-results-action@a2c1430e2bddadbad9f49a6f9b879f062c6b19b1 # v0.3.0 with: path: ${{ env.RUNNER_TEST_RESULTS_DIR }} fail-on-empty: false @@ -193,7 +193,7 @@ jobs: # NB: Keep this for compatibility with existing jobs and also keep in mind that only # our AWS runners have access to S3 - name: Upload artifacts to GitHub (if any) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ always() && inputs.upload-artifact != '' && !inputs.upload-artifact-to-s3 }} with: name: ${{ inputs.upload-artifact }} @@ -202,7 +202,7 @@ jobs: # NB: This only works with our AWS runners - name: Upload artifacts to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ always() && inputs.upload-artifact != '' && inputs.upload-artifact-to-s3 }} with: retention-days: 14 diff --git a/.github/workflows/mobile_job.yml b/.github/workflows/mobile_job.yml index 821fcea187..72ee3d6c3d 100644 --- a/.github/workflows/mobile_job.yml +++ b/.github/workflows/mobile_job.yml @@ -124,7 +124,7 @@ jobs: echo "::endgroup::" - name: Authenticate with AWS - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_mobile_job # The max duration enforced by the server side @@ -132,7 +132,7 @@ jobs: aws-region: us-east-1 - name: Checkout repository (${{ inputs.test-infra-repository }}@${{ inputs.test-infra-ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.test-infra-repository }} ref: ${{ inputs.test-infra-ref }} @@ -318,7 +318,7 @@ jobs: GIT_JOB_NAME: ${{ steps.get-job-id.outputs.job-name }} WORKING_DIRECTORY: test-infra/tools/device-farm-runner NEW_OUTPUT_FORMAT_FLAG: ${{ inputs.new-output-format-flag }} - uses: nick-fields/retry@v3.0.0 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: shell: bash timeout_minutes: ${{ inputs.timeout }} @@ -362,7 +362,7 @@ jobs: GIT_JOB_NAME: ${{ steps.get-job-id.outputs.job-name }} WORKING_DIRECTORY: test-infra/tools/device-farm-runner NEW_OUTPUT_FORMAT_FLAG: ${{ inputs.new-output-format-flag }} - uses: nick-fields/retry@v3.0.0 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: shell: bash timeout_minutes: ${{ inputs.timeout }} @@ -402,7 +402,7 @@ jobs: fi - name: Upload artifacts to S3 - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: always() with: retention-days: 14 diff --git a/.github/workflows/opensearch-gha-jobs-lambda.yml b/.github/workflows/opensearch-gha-jobs-lambda.yml index 5ce7f579f3..a619325b6b 100644 --- a/.github/workflows/opensearch-gha-jobs-lambda.yml +++ b/.github/workflows/opensearch-gha-jobs-lambda.yml @@ -19,8 +19,8 @@ jobs: test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: pip @@ -35,13 +35,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_opensearch-gha-jobs-lambda aws-region: us-east-1 diff --git a/.github/workflows/pr-dependencies-check.yml b/.github/workflows/pr-dependencies-check.yml index 2510c71f7e..8da4215b4a 100644 --- a/.github/workflows/pr-dependencies-check.yml +++ b/.github/workflows/pr-dependencies-check.yml @@ -46,7 +46,7 @@ jobs: echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT" - name: Checkout Pytorch repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/pytorch fetch-depth: -1 diff --git a/.github/workflows/revert-tracker.yml b/.github/workflows/revert-tracker.yml index 4603bf7b0c..04655a7f97 100644 --- a/.github/workflows/revert-tracker.yml +++ b/.github/workflows/revert-tracker.yml @@ -13,11 +13,11 @@ jobs: contents: write steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: test-infra - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/pytorch path: pytorch diff --git a/.github/workflows/scale_config_validation.yml b/.github/workflows/scale_config_validation.yml index 3410ea0e92..0c39fc26cc 100644 --- a/.github/workflows/scale_config_validation.yml +++ b/.github/workflows/scale_config_validation.yml @@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.11 diff --git a/.github/workflows/servicelab-ingestor-lambda.yml b/.github/workflows/servicelab-ingestor-lambda.yml index e7d5efc7dd..8e90036a58 100644 --- a/.github/workflows/servicelab-ingestor-lambda.yml +++ b/.github/workflows/servicelab-ingestor-lambda.yml @@ -19,13 +19,13 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_servicelab-ingestor-lambda aws-region: us-east-1 diff --git a/.github/workflows/test-binary-size-validation.yml b/.github/workflows/test-binary-size-validation.yml index 743ef826c8..b5f3cf4020 100644 --- a/.github/workflows/test-binary-size-validation.yml +++ b/.github/workflows/test-binary-size-validation.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install requirements run: | pip3 install -r tools/binary_size_validation/requirements.txt diff --git a/.github/workflows/test-setup-miniconda.yml b/.github/workflows/test-setup-miniconda.yml index fc0ca6f9c0..24492bb1b8 100644 --- a/.github/workflows/test-setup-miniconda.yml +++ b/.github/workflows/test-setup-miniconda.yml @@ -34,7 +34,7 @@ jobs: env: PYTHON_VERSION: ${{ matrix.python-version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Get disk space usage and throw an error for low disk space uses: ./.github/actions/check-disk-space diff --git a/.github/workflows/test-setup-nvidia.yml b/.github/workflows/test-setup-nvidia.yml index b11307feb8..a8731497f4 100644 --- a/.github/workflows/test-setup-nvidia.yml +++ b/.github/workflows/test-setup-nvidia.yml @@ -20,7 +20,7 @@ jobs: runs-on: ${{ matrix.runner-type }} timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Test that setup-nvidia works uses: ./.github/actions/setup-nvidia diff --git a/.github/workflows/test-setup-ssh.yml b/.github/workflows/test-setup-ssh.yml index 9345e2e0ef..96889aacd5 100644 --- a/.github/workflows/test-setup-ssh.yml +++ b/.github/workflows/test-setup-ssh.yml @@ -12,7 +12,7 @@ jobs: build: # make sure build/ci work properly runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | cd setup-ssh yarn install @@ -22,7 +22,7 @@ jobs: test-linux: # make sure the action works on a clean machine without building runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/setup-ssh name: Check if can write keys with: @@ -50,7 +50,7 @@ jobs: test-windows: runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/setup-ssh name: Check if can write keys with: diff --git a/.github/workflows/test_upload_benchmark_results.yml b/.github/workflows/test_upload_benchmark_results.yml index 15be9b16d7..ddd18a56d0 100644 --- a/.github/workflows/test_upload_benchmark_results.yml +++ b/.github/workflows/test_upload_benchmark_results.yml @@ -11,7 +11,7 @@ jobs: test: runs-on: linux.2xlarge steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Test upload the benchmark results (v2) uses: ./.github/actions/upload-benchmark-results diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index f41e5889ca..23d6d1ac06 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -15,17 +15,17 @@ jobs: container: node:20 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 name: Checkout source code - - uses: terraform-linters/setup-tflint@v4 + - uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1 name: Setup TFLint with: github_token: ${{ secrets.GITHUB_TOKEN }} tflint_version: v0.54.0 - name: Install Tofu - uses: opentofu/setup-opentofu@v1 + uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716 # v1.0.5 with: terraform_version: 1.5.7 terraform_wrapper: false diff --git a/.github/workflows/torchci.yml b/.github/workflows/torchci.yml index eb2ab757c1..a56e530fbf 100644 --- a/.github/workflows/torchci.yml +++ b/.github/workflows/torchci.yml @@ -16,7 +16,7 @@ jobs: run: working-directory: torchci steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: yarn install --frozen-lockfile - run: yarn lint - name: yarn prettier --check . @@ -31,7 +31,7 @@ jobs: run: working-directory: tools/torchci steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | pip3 install --upgrade pip pip3 install -r requirements.txt diff --git a/.github/workflows/trigger_nightly.yml b/.github/workflows/trigger_nightly.yml index ed038174ec..526bfc4c07 100644 --- a/.github/workflows/trigger_nightly.yml +++ b/.github/workflows/trigger_nightly.yml @@ -30,7 +30,7 @@ jobs: environment: trigger-nightly timeout-minutes: 60 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trigger nightly audio build if: ${{ github.event_name == 'schedule' || inputs.domain == 'audio' || inputs.domain == 'all' }} uses: ./.github/actions/trigger-nightly diff --git a/.github/workflows/trigger_nightly_core.yml b/.github/workflows/trigger_nightly_core.yml index d42b09dd45..3ad2c494bc 100644 --- a/.github/workflows/trigger_nightly_core.yml +++ b/.github/workflows/trigger_nightly_core.yml @@ -12,7 +12,7 @@ jobs: environment: trigger-nightly timeout-minutes: 60 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trigger nightly core build uses: ./.github/actions/trigger-nightly with: diff --git a/.github/workflows/update-drci-comments.yml b/.github/workflows/update-drci-comments.yml index 1c36cb4aa3..07203f0cc4 100644 --- a/.github/workflows/update-drci-comments.yml +++ b/.github/workflows/update-drci-comments.yml @@ -28,7 +28,7 @@ jobs: ] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Retrieve query results and update Dr. CI comments run: | diff --git a/.github/workflows/update-queue-times.yml b/.github/workflows/update-queue-times.yml index 26f74ea0c6..0ab6d8add9 100644 --- a/.github/workflows/update-queue-times.yml +++ b/.github/workflows/update-queue-times.yml @@ -15,11 +15,11 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: yarn install --frozen-lockfile - name: configure aws credentials id: aws_creds - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_update_queue_times aws-region: us-east-1 diff --git a/.github/workflows/update-s3-html.yml b/.github/workflows/update-s3-html.yml index d507e6fc0c..85ef57d5d7 100644 --- a/.github/workflows/update-s3-html.yml +++ b/.github/workflows/update-s3-html.yml @@ -23,12 +23,12 @@ jobs: steps: - name: configure aws credentials id: aws_creds - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::749337293305:role/gha_workflow_s3_update aws-region: us-east-1 - name: Checkout repository test-infra - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/test-infra ref: ${{ github.ref }} diff --git a/.github/workflows/update-test-times.yml b/.github/workflows/update-test-times.yml index 141ef0ec0f..750e16e2d1 100644 --- a/.github/workflows/update-test-times.yml +++ b/.github/workflows/update-test-times.yml @@ -21,10 +21,10 @@ jobs: update-test-time-stats: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up python 3.10 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.10' diff --git a/.github/workflows/update_disabled_tests.yml b/.github/workflows/update_disabled_tests.yml index 91b24146d2..906d5fb69e 100644 --- a/.github/workflows/update_disabled_tests.yml +++ b/.github/workflows/update_disabled_tests.yml @@ -20,7 +20,7 @@ jobs: environment: ${{ github.ref == 'refs/heads/main' && 'trigger-nightly' || '' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Generate new disabled tests and jobs jsons env: @@ -89,7 +89,7 @@ jobs: user_name: "Pytorch Test Infra" commit_message: "Updating unstable jobs" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: disabled-artifacts if-no-files-found: error @@ -105,7 +105,7 @@ jobs: needs: update-disabled-tests steps: - name: Download disabled artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: disabled-artifacts diff --git a/.github/workflows/update_test_file_ratings.yml b/.github/workflows/update_test_file_ratings.yml index 873f389f93..5b2e61020e 100644 --- a/.github/workflows/update_test_file_ratings.yml +++ b/.github/workflows/update_test_file_ratings.yml @@ -17,12 +17,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout pytorch/test-infra - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: test-infra - name: Checkout pytorch/pytorch - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/pytorch path: pytorch @@ -36,7 +36,7 @@ jobs: pip3 install -e . - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2 with: role-to-assume: arn:aws:iam::308535385114:role/upload_to_ossci_raw_job_status aws-region: us-east-1 diff --git a/.github/workflows/upload-tutorials-stats.yml b/.github/workflows/upload-tutorials-stats.yml index 8d3f470919..0c10e149db 100644 --- a/.github/workflows/upload-tutorials-stats.yml +++ b/.github/workflows/upload-tutorials-stats.yml @@ -16,27 +16,27 @@ jobs: steps: - name: Configure aws credentials id: aws_creds - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_upload-tutorials-stats aws-region: us-east-1 - name: Checkout the tutorials repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: 'pytorch/tutorials' path: './tutorials' fetch-depth: 0 - name: Checkout the pytorch repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: 'pytorch/pytorch' path: './pytorch' fetch-depth: 0 - name: Checkout the test-infra repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: test-infra diff --git a/.github/workflows/usage-log-aggregator-lambda.yml b/.github/workflows/usage-log-aggregator-lambda.yml index fc6c34fd1c..110bf18200 100644 --- a/.github/workflows/usage-log-aggregator-lambda.yml +++ b/.github/workflows/usage-log-aggregator-lambda.yml @@ -20,8 +20,8 @@ jobs: test: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip @@ -36,13 +36,13 @@ jobs: contents: read if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' cache: pip - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: arn:aws:iam::308535385114:role/gha_workflow_usage-log-aggregator-lambda aws-region: us-east-1 diff --git a/.github/workflows/validate-pypi-wheel-binary-size.yml b/.github/workflows/validate-pypi-wheel-binary-size.yml index 348982bd34..b5727472be 100644 --- a/.github/workflows/validate-pypi-wheel-binary-size.yml +++ b/.github/workflows/validate-pypi-wheel-binary-size.yml @@ -24,7 +24,7 @@ jobs: CHANNEL: ${{ inputs.channel || 'nightly' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: pytorch/test-infra - name: Install requirements diff --git a/.github/workflows/windows-ami-validation.yml b/.github/workflows/windows-ami-validation.yml index d30dcbc8b5..cd8a869d8f 100644 --- a/.github/workflows/windows-ami-validation.yml +++ b/.github/workflows/windows-ami-validation.yml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup `packer` - uses: hashicorp/setup-packer@main + uses: hashicorp/setup-packer@76e3039aa951aa4e6efe7e6ee06bc9ceb072142d # main id: packer-setup with: version: ${{ env.PACKER_VERSION }} diff --git a/.github/workflows/windows_job.yml b/.github/workflows/windows_job.yml index 0bf042c956..65f88d1b10 100644 --- a/.github/workflows/windows_job.yml +++ b/.github/workflows/windows_job.yml @@ -98,7 +98,7 @@ jobs: echo "::endgroup::" - name: Checkout repository (${{ inputs.test-infra-repository }}@${{ inputs.test-infra-ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.test-infra-repository }} @@ -114,7 +114,7 @@ jobs: github-secret: ${{ github.token }} - name: Checkout repository (${{ inputs.repository || github.repository }}@${{ inputs.ref }}) - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # Support the use case where we need to checkout someone's fork repository: ${{ inputs.repository || github.repository }} @@ -124,7 +124,7 @@ jobs: submodules: ${{ inputs.submodules }} - name: Download artifacts (if any) - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: ${{ inputs.download-artifact != '' }} with: name: ${{ inputs.download-artifact }} @@ -168,7 +168,7 @@ jobs: - name: Surface failing tests if: always() - uses: pmeier/pytest-results-action@v0.3.0 + uses: pmeier/pytest-results-action@a2c1430e2bddadbad9f49a6f9b879f062c6b19b1 # v0.3.0 with: path: ${{ env.RUNNER_TEST_RESULTS_DIR }} fail-on-empty: false @@ -195,7 +195,7 @@ jobs: # NB: Keep this for compatibility with existing jobs and also keep in mind that only # our AWS runners have access to S3 - name: Upload artifacts to GitHub (if any) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ always() && inputs.upload-artifact != '' && !inputs.upload-artifact-to-s3 }} with: name: ${{ inputs.upload-artifact }} @@ -204,7 +204,7 @@ jobs: # NB: This only works with our AWS runners - name: Upload artifacts to S3 (if any) - uses: seemethere/upload-artifact-s3@v5 + uses: seemethere/upload-artifact-s3@baba72d0712b404f646cebe0730933554ebce96a # v5.1.0 if: ${{ always() && inputs.upload-artifact != '' && inputs.upload-artifact-to-s3 }} with: retention-days: 14