diff --git a/.github/actions/build-and-publish-image/action.yml b/.github/actions/build-and-publish-image/action.yml
index 332337197..ae6444a16 100644
--- a/.github/actions/build-and-publish-image/action.yml
+++ b/.github/actions/build-and-publish-image/action.yml
@@ -115,10 +115,11 @@ runs:
 env:
 arch: ${{ inputs.arch }}
 push: ${{ inputs.push }}
+ STEPS_BUILD_OUTPUTS_DIGEST: ${{ steps.build.outputs.digest }}
 shell: bash --noprofile --norc -eo pipefail {0}
 run: |
 if test "${push}" = true; then
- echo "${arch}=${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT";
+ echo "${arch}=${STEPS_BUILD_OUTPUTS_DIGEST}" >> "$GITHUB_OUTPUT";
 else
 echo "${arch}=" >> "$GITHUB_OUTPUT";
 fi
diff --git a/.github/actions/free-disk-space/action.yml b/.github/actions/free-disk-space/action.yml
index 74aa2e38e..d44a61075 100644
--- a/.github/actions/free-disk-space/action.yml
+++ b/.github/actions/free-disk-space/action.yml
@@ -11,6 +11,8 @@ runs:
 using: composite
 steps:
 - name: Free up disk space
+ env:
+ INPUTS_TOOL_CACHE: ${{ inputs.tool_cache }}
 shell: bash --noprofile --norc -eo pipefail {0}
 run: |
 df -h
@@ -25,7 +27,7 @@ runs:
 /usr/share/dotnet \
 /usr/local/lib/android \
 /home/linuxbrew/.linuxbrew \
- ${{ inputs.tool_cache }}/CodeQL
+ ${INPUTS_TOOL_CACHE}/CodeQL
 docker rmi $(docker image ls -aq) || true
 df -h
 docker images
diff --git a/.github/actions/get-pr-info/action.yml b/.github/actions/get-pr-info/action.yml
index e29b89987..c6f239616 100644
--- a/.github/actions/get-pr-info/action.yml
+++ b/.github/actions/get-pr-info/action.yml
@@ -17,7 +17,7 @@ runs:
 id: get-pull-request
 with:
 retries: 3
- script: |
+ script: | # zizmor: ignore[template-injection]
 return (
 await github.rest.pulls.get({
 repo: context.repo.repo,
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
index 6dba645ed..903f9fe3b 100644
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -54,6 +54,9 @@ on:
 type: boolean
 required: false
 description: "Generate sccache and sccache-dist credentials"
+ secrets:
+ SCCACHE_GH_PAT:
+ required: false
 permissions:
 actions: none
@@ -61,7 +64,7 @@ permissions:
 contents: none
 deployments: none
 discussions: none
- id-token: write
+ id-token: none
 issues: none
 packages: write
 pages: none
@@ -91,7 +94,7 @@ jobs:
 shell: bash --noprofile --norc -eo pipefail {0}
 env:
 CUDA: "${{ inputs.cuda }}"
- run: |
+ run: | # zizmor: ignore[template-injection]
 echo "${{ toJSON(runner) }}";
 echo "CUDA_VERSION_MAJOR=$(cut -d'.' -f1 <<< "${CUDA}")" >> "$GITHUB_ENV"
 echo "CUDA_VERSION_MINOR=$(cut -d'.' -f2 <<< "${CUDA}")" >> "$GITHUB_ENV"
@@ -110,7 +113,9 @@ jobs:
 shell: bash --noprofile --norc -eo pipefail {0}
 run: |
 sudo apt update && sudo apt install -y --no-install-recommends jq git-lfs
- # sudo sed -ri "s@$HOME@${{ runner.workspace }}@g" /etc/passwd
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
+ # sudo sed -ri "s@$HOME@${RUNNER_WORKSPACE}@g" /etc/passwd
 # sudo chown -R $(id -u):$(id -g) "${{ runner.workspace }}"
 # echo "HOME=${{ runner.workspace }}" >> "$GITHUB_ENV"
@@ -119,6 +124,7 @@ jobs:
 with:
 lfs: true
 fetch-depth: 0
+ persist-credentials: false
 - name: Checkout LFS
 shell: bash --noprofile --norc -eo pipefail {0}
@@ -264,11 +270,13 @@ jobs:
 shell: bash --noprofile --norc -eo pipefail {0}
 env:
 ARCH: ${{ matrix.ARCH }}
+ STEPS_BUILD_OUTPUTS_DIGEST_AMD64: ${{ steps.build.outputs.digest_amd64 }}
+ STEPS_BUILD_OUTPUTS_DIGEST_ARM64: ${{ steps.build.outputs.digest_arm64 }}
 run: |
 if [[ "${ARCH}" == amd64 ]]; then
- DIGEST="${{ steps.build.outputs.digest_amd64 }}"
+ DIGEST="${STEPS_BUILD_OUTPUTS_DIGEST_AMD64}"
 else
- DIGEST="${{ steps.build.outputs.digest_arm64 }}"
+ DIGEST="${STEPS_BUILD_OUTPUTS_DIGEST_ARM64}"
 fi
 cat <> "$GITHUB_OUTPUT"
 ${ARCH}={"digest":"${DIGEST}","name":"${IMAGE_NAME}","repo":"${REPOSITORY}","tag":"${IMAGE_TAG}"}
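Review bot: The secret declared here is `SCCACHE_GH_PAT`, but every caller in merge.pr.yml (hunks -30 through -233) passes `SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}`, which this reusable workflow does not declare. GitHub validates explicitly passed secrets against the callee's declaration, so the mismatched name is likely to fail the workflow call outright, and even where it is accepted `SCCACHE_GH_PAT` is never supplied, which `required: false` turns into a silent run without sccache credentials. Align the two names, either `SC_CACHE_GHPAT:` here or `SCCACHE_GH_PAT: ${{ secrets.SCCACHE_GH_PAT }}` in the callers, and consider `required: true` so a missing secret fails fast rather than quietly disabling the cache.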
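Review bot: The `# zizmor: ignore[template-injection]` added to the `run:` line suppresses the finding for `echo "${{ toJSON(runner) }}";` instead of removing the inline expansion, while the rest of this commit moves expressions into `env:`. The same pattern fits here: `RUNNER_CONTEXT: ${{ toJSON(runner) }}` under the step's `env:` and `echo "${RUNNER_CONTEXT}";` in the script, after which the ignore comment is unnecessary. The runner context is not attacker-controlled, so this is about keeping the suppression list short and the rule meaningful, not a live injection. The identical step in main.pr.yml (hunk -26) has the same shape.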
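Review bot: The new `env:` mapping is inserted after the first line of the `run: |` block scalar, between `sudo apt ...` and the commented `# sudo sed ...` lines, rather than above `run:`. Whether that parses depends on indentation the diff does not show: at step-key indentation it ends the block scalar after the apt line and turns the remaining `#` lines into YAML comments; at script indentation `env:` becomes a shell command and the `-e` shell fails the step. main.pr.yml (hunk -47) places the same `env:`/`RUNNER_WORKSPACE:` pair before `run:`; do the same here. The two trailing comment lines also still read `${{ runner.workspace }}` where main.pr.yml switched them to `${RUNNER_WORKSPACE}`, which is inconsistent though harmless in a comment.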
@@ -297,7 +305,7 @@ jobs:
 ARM64: ${{ needs.build.outputs.arm64 }}
 REPO: ${{ fromJSON(needs.build.outputs.amd64).repo }}
 REPO_PREFIX: "${{ env.REGISTRY }}/${{ github.actor }}"
- run: |
+ run: | # zizmor: ignore[template-injection]
 # Create the multiarch manifest
 docker buildx imagetools create --tag \
 "${{ fromJSON(env.AMD64).name }}" \
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index cec8d7d80..61d5bfa0a 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -19,6 +19,8 @@ jobs:
 name: Update Docs
 runs-on: ubuntu-24.04
 container: node:24.14.1-trixie
+ permissions:
+ contents: write
 steps:
 - name: Checkout main
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/main.pr.yml b/.github/workflows/main.pr.yml
index 48b7102d2..512f2d9b7 100644
--- a/.github/workflows/main.pr.yml
+++ b/.github/workflows/main.pr.yml
@@ -5,11 +5,18 @@ on:
 branches:
 - 'pull-request/**'
-permissions:
- contents: write
- id-token: write
+permissions: {}
 jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+
 build-pull-request:
 name: Build pull request
 runs-on: ${{ fromJSON(github.repository != 'rapidsai/node' && '"ubuntu-latest"' || format('"linux-{0}-cpu16"', matrix.ARCH)) }}
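Review bot: The suppression on `run:` covers `"${{ fromJSON(env.AMD64).name }}"`, which expands a value derived from a job output straight into the script body, while the same hunk already shows the safer shape for that data in `REPO: ${{ fromJSON(needs.build.outputs.amd64).repo }}`. Add `AMD64_NAME: ${{ fromJSON(needs.build.outputs.amd64).name }}` (and an ARM64 counterpart if the step uses one) under `env:` and write `"${AMD64_NAME}"` in the `docker buildx imagetools create` command, after which the ignore comment can be dropped. The step body continues outside the hunk, so other inline expressions there may need the same treatment.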
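Review bot: The new `pre-commit` job pins `actions/checkout` at `f43a0e5f… # v3.6.0` and `actions/setup-python` at `# v3.1.4`, while the `build-pull-request` job in this same file (hunk -47) uses `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. Using the one v6 SHA already in the file leaves a single checkout pin to maintain, and the setup-python pin should likewise be a current release rather than a three-year-old one. `persist-credentials: false` is the right choice for a lint-only job; with `permissions: {}` at the top level and no job-level grant its token carries no write scope, which is all a linter needs.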
@@ -26,12 +33,14 @@ jobs:
 DOCKER_BUILDKIT: "1"
 DOCKER_CLI_HINTS: "false"
 DOCKER_SCAN_SUGGEST: "false"
+ permissions:
+ contents: write
 steps:
 - name: Dump runner context
 shell: bash --noprofile --norc -eo pipefail {0}
 env:
 CUDA: "${{ matrix.CUDA }}"
- run: |
+ run: | # zizmor: ignore[template-injection]
 echo "${{ toJSON(runner) }}"
 echo "CUDA_VERSION_MAJOR=$(cut -d'.' -f1 <<< "${CUDA}")" >> "$GITHUB_ENV"
 echo "CUDA_VERSION_MINOR=$(cut -d'.' -f2 <<< "${CUDA}")" >> "$GITHUB_ENV"
@@ -47,17 +56,20 @@ jobs:
 - name: Set up self-hosted runner
 if: runner.environment == 'self-hosted'
 shell: bash --noprofile --norc -eo pipefail {0}
+ env:
+ RUNNER_WORKSPACE: ${{ runner.workspace }}
 run: |
 sudo apt update && sudo apt install -y --no-install-recommends jq git-lfs
- # sudo sed -ri "s@$HOME@${{ runner.workspace }}@g" /etc/passwd
- # sudo chown -R $(id -u):$(id -g) "${{ runner.workspace }}"
- # echo "HOME=${{ runner.workspace }}" >> $GITHUB_ENV
+ # sudo sed -ri "s@$HOME@${RUNNER_WORKSPACE}@g" /etc/passwd
+ # sudo chown -R $(id -u):$(id -g) "${RUNNER_WORKSPACE}"
+ # echo "HOME=${RUNNER_WORKSPACE}" >> $GITHUB_ENV
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 lfs: true
 fetch-depth: 0
+ persist-credentials: false
 - name: Checkout LFS
 shell: bash --noprofile --norc -eo pipefail {0}
diff --git a/.github/workflows/merge.pr.yml b/.github/workflows/merge.pr.yml
index b3fc71a6b..4353e14aa 100644
--- a/.github/workflows/merge.pr.yml
+++ b/.github/workflows/merge.pr.yml
@@ -16,9 +16,9 @@ permissions:
 contents: none
 deployments: none
 discussions: none
- id-token: write
+ id-token: none
 issues: none
- packages: write
+ packages: write # zizmor: ignore[excessive-permissions]
 pages: none
 pull-requests: none
 repository-projects: none
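Review bot: `contents: write` is granted to the whole `build-pull-request` job, after the top-level grant of the same scope was replaced with `permissions: {}`. The steps visible in this hunk and the next (context dump, apt install, checkout with `persist-credentials: false`) only read the repository; if no later step pushes to it, `contents: read` is sufficient, and if one does, a comment next to the grant naming that step keeps the write scope reviewable, e.g. `contents: write  # needed by <step name> to push <what>` (placeholders). The job body continues outside the hunk, so this is a question to confirm rather than a demonstrated over-grant.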
@@ -30,7 +30,8 @@ jobs:
 build-and-publish-devel-main-image:
 name: Build devel main image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -50,7 +51,8 @@ jobs:
 needs:
 - build-and-publish-devel-main-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -73,7 +75,8 @@ jobs:
 needs:
 - build-and-publish-devel-main-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -93,7 +96,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -116,7 +120,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -139,7 +144,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -162,7 +168,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -185,7 +192,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -208,7 +216,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
@@ -233,7 +242,8 @@ jobs:
 - build-and-publish-devel-packages-image
 - build-and-publish-runtime-cuda-base-image
 uses: ./.github/workflows/build-and-push-image.yml
- secrets: inherit
+ secrets:
+ SC_CACHE_GHPAT: ${{ secrets.SC_CACHE_GHPAT }}
 strategy:
 fail-fast: true
 matrix:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 85e841d37..c0a2b7dee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,9 +27,7 @@ concurrency:
 group: release-${{ inputs.rapids-version }}
 cancel-in-progress: true
-permissions:
- contents: write
- id-token: write
+permissions: {}
 jobs:
@@ -43,6 +41,8 @@ jobs:
 ARCH: ["amd64", "arm64"]
 NODE: ["24.14.1"]
 LINUX: ["ubuntu24.04"]
+ permissions:
+ contents: write
 steps:
 - name: Extract node native addons
 shell: bash --noprofile --norc -eo pipefail {0}
@@ -78,14 +78,18 @@ jobs:
 name: rapidsai-native-addons
 - name: Create GitHub release
- uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
 if: ${{ inputs.make-release == true }}
- with:
- body: ""
- files: build/*.node
- tag_name: "v${{ env.RAPIDS }}"
- repository: ${{ github.repository }}
- draft: ${{ inputs.draft-release == true }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+ DRAFT_RELEASE: ${{ inputs.draft-release }}
+ RAPIDS_VERSION: ${{ env.RAPIDS }}
+ run: |
+ EXTRA_RELEASE_ARGS=()
+ if [[ "${DRAFT_RELEASE}" == "true" ]]; then
+ EXTRA_RELEASE_ARGS+=("--draft")
+ fi
+
+ gh release create v$RAPIDS_VERSION build/*.node "${EXTRA_RELEASE_ARGS[@]}"
 publish-npm-packages:
 if: ${{ inputs.make-release == true && inputs.npm-publish == true }}
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..1b6ea1e53
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ # We require SHA-pinning for all workflows and actions _except_ for those from
+ # rapidsai/shared-workflows and rapidsai/shared-actions
+ "rapidsai/shared-workflows/*": any
+ "rapidsai/shared-actions/*": any
+ "*": hash-pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..3a577370d
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION.
+# SPDX-License-Identifier: Apache-2.0
+
+repos:
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
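Review bot: The replacement `run:` step has no `shell:` key, unlike the other `run:` steps in this file, which use `bash --noprofile --norc -eo pipefail {0}`; the runner's default shell still applies `-e`, but `pipefail` is lost and the bash array syntax relies on that default being bash. `v$RAPIDS_VERSION` is also unquoted, and `RAPIDS_VERSION: ${{ env.RAPIDS }}` is set outside the hunk, so an empty value would create a release tagged `v`. Suggested lines: `shell: bash --noprofile --norc -eo pipefail {0}` under the step, and `gh release create "v${RAPIDS_VERSION:?RAPIDS is not set}" build/*.node "${EXTRA_RELEASE_ARGS[@]}"`. The removed step set `repository: ${{ github.repository }}` explicitly; if this job does not check out the repository (not visible here), `gh` cannot infer the target and needs `--repo "${GITHUB_REPOSITORY}"` or `GH_REPO` in `env:`.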
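Review bot: The `any` policy for `rapidsai/shared-workflows/*` and `rapidsai/shared-actions/*` exempts those references from every pinning check, so a floating branch ref there is accepted by the linter; the comment above states that they are exempt but not why. Since this file is the place a reviewer will look when a finding is suppressed, record the trust decision, e.g. `# org-owned repositories maintained alongside this one; exempt from hash-pinning because <reason>` (placeholder), so the exemption can be revisited deliberately rather than inherited.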