From b7bed9534096e65ff619153ddac5e091a6bc12bd Mon Sep 17 00:00:00 2001 From: Jake Hemstad Date: Wed, 29 Nov 2023 17:13:35 +0000 Subject: [PATCH 1/5] Set workflow read permissions and per-job write permissions. --- .github/workflows/build-and-test-linux.yml | 7 +++++++ .github/workflows/dispatch-build-and-test.yml | 7 +++++++ .github/workflows/pr.yml | 19 ++++++++++++++++++- .github/workflows/run-as-coder.yml | 7 +++++-- 4 files changed, 37 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-test-linux.yml b/.github/workflows/build-and-test-linux.yml index b328e97884a..335a2442214 100644 --- a/.github/workflows/build-and-test-linux.yml +++ b/.github/workflows/build-and-test-linux.yml @@ -14,9 +14,14 @@ on: container_image: {type: string, required: false} run_tests: {type: boolean, required: false, default: true} +permissions: + contents: read + jobs: build: name: Build ${{inputs.test_name}} + permissions: + id-token: write uses: ./.github/workflows/run-as-coder.yml with: name: Build ${{inputs.test_name}} @@ -27,6 +32,8 @@ jobs: test: needs: build + permissions: + id-token: write if: ${{ !cancelled() && ( needs.build.result == 'success' || needs.build.result == 'skipped' ) && inputs.run_tests}} name: Test ${{inputs.test_name}} uses: ./.github/workflows/run-as-coder.yml diff --git a/.github/workflows/dispatch-build-and-test.yml b/.github/workflows/dispatch-build-and-test.yml index 553ae40db25..7fbec14cc54 100644 --- a/.github/workflows/dispatch-build-and-test.yml +++ b/.github/workflows/dispatch-build-and-test.yml @@ -8,12 +8,17 @@ on: devcontainer_version: {type: string, required: true} is_windows: {type: boolean, required: true} +permissions: + contents: read + jobs: # Using a matrix to dispatch to the build-and-test reusable workflow for each build configuration # ensures that the build/test steps can overlap across different configurations. For example, # the build step for CUDA 12.1 + gcc 9.3 can run at the same time as the test step for CUDA 11.0 + clang 11. build_and_test_linux: name: build and test linux + permissions: + id-token: write if: ${{ !inputs.is_windows }} uses: ./.github/workflows/build-and-test-linux.yml strategy: @@ -30,6 +35,8 @@ jobs: build_and_test_windows: name: build and test windows + permissions: + id-token: write if: ${{ inputs.is_windows }} uses: ./.github/workflows/build-and-test-windows.yml strategy: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index c56e2e1f6f3..165e5b6aa44 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -30,6 +30,9 @@ concurrency: group: ${{ github.workflow }}-on-${{ github.event_name }}-from-${{ github.ref_name }} cancel-in-progress: true +permissions: + contents: read + jobs: compute-matrix: name: Compute matrix @@ -53,6 +56,8 @@ jobs: nvrtc: name: NVRTC CUDA${{matrix.cuda}} C++${{matrix.std}} + permissions: + id-token: write needs: compute-matrix if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }} uses: ./.github/workflows/run-as-coder.yml @@ -69,6 +74,8 @@ jobs: thrust: name: Thrust CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} + permissions: + id-token: write needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -84,6 +91,8 @@ jobs: cub: name: CUB CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} + permissions: + id-token: write needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -99,6 +108,8 @@ jobs: libcudacxx: name: libcudacxx CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} + permissions: + id-token: write needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -114,6 +125,8 @@ jobs: clang-cuda: name: ${{matrix.lib}} ${{matrix.cpu}}/CTK${{matrix.cuda}}/clang-cuda + permissions: + id-token: write needs: compute-matrix strategy: fail-fast: false @@ -129,6 +142,8 @@ jobs: cccl-infra: name: CCCL Infrastructure + permissions: + id-token: write needs: compute-matrix if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }} strategy: @@ -146,6 +161,8 @@ jobs: verify-devcontainers: name: Verify Dev Containers + permissions: + id-token: write uses: ./.github/workflows/verify-devcontainers.yml # This job is the final job that runs after all other jobs and is used for branch protection status checks. @@ -154,7 +171,7 @@ jobs: ci: runs-on: ubuntu-latest name: CI - if: ${{ always() }} # need to use always() instead of !cancelled() because skipped jobs count as success + if: ${{ always() }} # need to use always() instead of !cancelled() because skipped jobs count as success needs: - clang-cuda - cub diff --git a/.github/workflows/run-as-coder.yml b/.github/workflows/run-as-coder.yml index 8d0cce9fba6..9b97f141ec9 100644 --- a/.github/workflows/run-as-coder.yml +++ b/.github/workflows/run-as-coder.yml @@ -14,17 +14,20 @@ on: command: {type: string, required: true} env: { type: string, required: false, default: "" } +permissions: + contents: read + jobs: run-as-coder: name: ${{inputs.name}} + permissions: + id-token: write runs-on: ${{inputs.runner}} container: options: -u root image: ${{inputs.image}} env: NVIDIA_VISIBLE_DEVICES: ${{ env.NVIDIA_VISIBLE_DEVICES }} - permissions: - id-token: write steps: - name: Checkout repo uses: actions/checkout@v3 From 2c99d7d787384562babbfcd0cbc8f65b5bffd8b0 Mon Sep 17 00:00:00 2001 From: Jake Hemstad Date: Wed, 29 Nov 2023 17:21:22 +0000 Subject: [PATCH 2/5] set pull-requests read at workflow level. --- .github/workflows/build-and-test-linux.yml | 1 + .github/workflows/dispatch-build-and-test.yml | 1 + .github/workflows/pr.yml | 3 +-- .github/workflows/run-as-coder.yml | 1 + 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-test-linux.yml b/.github/workflows/build-and-test-linux.yml index 335a2442214..da34d50df24 100644 --- a/.github/workflows/build-and-test-linux.yml +++ b/.github/workflows/build-and-test-linux.yml @@ -16,6 +16,7 @@ on: permissions: contents: read + pull-requests: read jobs: build: diff --git a/.github/workflows/dispatch-build-and-test.yml b/.github/workflows/dispatch-build-and-test.yml index 7fbec14cc54..755f9dd00db 100644 --- a/.github/workflows/dispatch-build-and-test.yml +++ b/.github/workflows/dispatch-build-and-test.yml @@ -10,6 +10,7 @@ on: permissions: contents: read + pull-requests: read jobs: # Using a matrix to dispatch to the build-and-test reusable workflow for each build configuration diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 165e5b6aa44..5d7ad0b6b0a 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -32,6 +32,7 @@ concurrency: permissions: contents: read + pull-requests: read jobs: compute-matrix: @@ -161,8 +162,6 @@ jobs: verify-devcontainers: name: Verify Dev Containers - permissions: - id-token: write uses: ./.github/workflows/verify-devcontainers.yml # This job is the final job that runs after all other jobs and is used for branch protection status checks. diff --git a/.github/workflows/run-as-coder.yml b/.github/workflows/run-as-coder.yml index 9b97f141ec9..292ff151626 100644 --- a/.github/workflows/run-as-coder.yml +++ b/.github/workflows/run-as-coder.yml @@ -16,6 +16,7 @@ on: permissions: contents: read + pull-requests: read jobs: run-as-coder: From a53cdc888dcfb61a4a2baafc60f1dd0f2f35db08 Mon Sep 17 00:00:00 2001 From: Jake Hemstad Date: Wed, 29 Nov 2023 17:24:33 +0000 Subject: [PATCH 3/5] Set contents read at job level. --- .github/workflows/build-and-test-linux.yml | 1 - .github/workflows/dispatch-build-and-test.yml | 1 - .github/workflows/pr.yml | 6 ++++++ .github/workflows/run-as-coder.yml | 1 - 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-test-linux.yml b/.github/workflows/build-and-test-linux.yml index da34d50df24..335a2442214 100644 --- a/.github/workflows/build-and-test-linux.yml +++ b/.github/workflows/build-and-test-linux.yml @@ -16,7 +16,6 @@ on: permissions: contents: read - pull-requests: read jobs: build: diff --git a/.github/workflows/dispatch-build-and-test.yml b/.github/workflows/dispatch-build-and-test.yml index 755f9dd00db..7fbec14cc54 100644 --- a/.github/workflows/dispatch-build-and-test.yml +++ b/.github/workflows/dispatch-build-and-test.yml @@ -10,7 +10,6 @@ on: permissions: contents: read - pull-requests: read jobs: # Using a matrix to dispatch to the build-and-test reusable workflow for each build configuration diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 5d7ad0b6b0a..02464dd6331 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -59,6 +59,7 @@ jobs: name: NVRTC CUDA${{matrix.cuda}} C++${{matrix.std}} permissions: id-token: write + contents: read needs: compute-matrix if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }} uses: ./.github/workflows/run-as-coder.yml @@ -77,6 +78,7 @@ jobs: name: Thrust CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} permissions: id-token: write + contents: read needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -94,6 +96,7 @@ jobs: name: CUB CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} permissions: id-token: write + contents: read needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -111,6 +114,7 @@ jobs: name: libcudacxx CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }} permissions: id-token: write + contents: read needs: compute-matrix uses: ./.github/workflows/dispatch-build-and-test.yml strategy: @@ -128,6 +132,7 @@ jobs: name: ${{matrix.lib}} ${{matrix.cpu}}/CTK${{matrix.cuda}}/clang-cuda permissions: id-token: write + contents: read needs: compute-matrix strategy: fail-fast: false @@ -145,6 +150,7 @@ jobs: name: CCCL Infrastructure permissions: id-token: write + contents: read needs: compute-matrix if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }} strategy: diff --git a/.github/workflows/run-as-coder.yml b/.github/workflows/run-as-coder.yml index 292ff151626..9b97f141ec9 100644 --- a/.github/workflows/run-as-coder.yml +++ b/.github/workflows/run-as-coder.yml @@ -16,7 +16,6 @@ on: permissions: contents: read - pull-requests: read jobs: run-as-coder: From 9896b41f080a8b8e0889b86629d411c16b20c8d6 Mon Sep 17 00:00:00 2001 From: Jake Hemstad Date: Wed, 29 Nov 2023 17:28:13 +0000 Subject: [PATCH 4/5] Explicitly set job-level read permissions. --- .github/workflows/build-and-test-linux.yml | 2 ++ .github/workflows/dispatch-build-and-test.yml | 2 ++ .github/workflows/run-as-coder.yml | 1 + 3 files changed, 5 insertions(+) diff --git a/.github/workflows/build-and-test-linux.yml b/.github/workflows/build-and-test-linux.yml index 335a2442214..32cfc259514 100644 --- a/.github/workflows/build-and-test-linux.yml +++ b/.github/workflows/build-and-test-linux.yml @@ -22,6 +22,7 @@ jobs: name: Build ${{inputs.test_name}} permissions: id-token: write + contents: read uses: ./.github/workflows/run-as-coder.yml with: name: Build ${{inputs.test_name}} @@ -34,6 +35,7 @@ jobs: needs: build permissions: id-token: write + contents: read if: ${{ !cancelled() && ( needs.build.result == 'success' || needs.build.result == 'skipped' ) && inputs.run_tests}} name: Test ${{inputs.test_name}} uses: ./.github/workflows/run-as-coder.yml diff --git a/.github/workflows/dispatch-build-and-test.yml b/.github/workflows/dispatch-build-and-test.yml index 7fbec14cc54..b3052d38e9d 100644 --- a/.github/workflows/dispatch-build-and-test.yml +++ b/.github/workflows/dispatch-build-and-test.yml @@ -19,6 +19,7 @@ jobs: name: build and test linux permissions: id-token: write + contents: read if: ${{ !inputs.is_windows }} uses: ./.github/workflows/build-and-test-linux.yml strategy: @@ -37,6 +38,7 @@ jobs: name: build and test windows permissions: id-token: write + contents: read if: ${{ inputs.is_windows }} uses: ./.github/workflows/build-and-test-windows.yml strategy: diff --git a/.github/workflows/run-as-coder.yml b/.github/workflows/run-as-coder.yml index 9b97f141ec9..6d09fd220ff 100644 --- a/.github/workflows/run-as-coder.yml +++ b/.github/workflows/run-as-coder.yml @@ -22,6 +22,7 @@ jobs: name: ${{inputs.name}} permissions: id-token: write + contents: read runs-on: ${{inputs.runner}} container: options: -u root From 391fb52f1da93f537bbaa4835b092edbd01aebe6 Mon Sep 17 00:00:00 2001 From: Jake Hemstad Date: Wed, 29 Nov 2023 17:29:47 +0000 Subject: [PATCH 5/5] Add permissions to verify-devcontainers. --- .github/workflows/pr.yml | 3 +++ .github/workflows/verify-devcontainers.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 02464dd6331..28da0d5df4f 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -168,6 +168,9 @@ jobs: verify-devcontainers: name: Verify Dev Containers + permissions: + id-token: write + contents: read uses: ./.github/workflows/verify-devcontainers.yml # This job is the final job that runs after all other jobs and is used for branch protection status checks. diff --git a/.github/workflows/verify-devcontainers.yml b/.github/workflows/verify-devcontainers.yml index baa6c2e2739..ef9780f820f 100644 --- a/.github/workflows/verify-devcontainers.yml +++ b/.github/workflows/verify-devcontainers.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash -euo pipefail {0} +permissions: + contents: read + jobs: verify-make-devcontainers: name: Verify devcontainer files are up-to-date