[CI] Set actions references to specific commit hash, provide explicit…

… top level token permissions for jobs (openvinotoolkit#2720) ### Changes Token permissions docs: https://github.com/ossf/scorecard/blob/98ec491a888a8a0db9d83a3c7d379ae1f46321de/docs/checks.md#token-permissions Actions by hash docs: https://github.com/ossf/scorecard/blob/98ec491a888a8a0db9d83a3c7d379ae1f46321de/docs/checks.md#pinned-dependencies ### Related tickets 143130
dupeljan · Jun 10, 2024 · da18bf3 · da18bf3
1 parent 65c9515
commit da18bf3
Show file tree

Hide file tree

Showing 14 changed files with 95 additions and 63 deletions.
diff --git a/.github/workflows/api_changes_check.yml b/.github/workflows/api_changes_check.yml
@@ -1,4 +1,6 @@
 name: API changes check
+permissions: read-all
+
 on:
   pull_request_target:
     branches:
@@ -23,11 +25,11 @@ jobs:
       issues: write
     steps:
       - name: Download built HTML doc as artifact from previous step
-        uses: alehechka/download-tartifact@v2
+        uses: alehechka/download-tartifact@a055d3a102b9ed9cfff1263bc713295047d0197e # v2
         with:
           name: html_doc_artifact
       - name: Checkout latest doc_pages branch tip
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: doc_pages
           path: previous_doc_state
@@ -39,7 +41,7 @@ jobs:
           echo ${CHANGED_FILES}
           CHANGED_FILES=$(echo $CHANGED_FILES | tr '\n' ' ')
           echo "changed_files=${CHANGED_FILES}" >> $GITHUB_OUTPUT
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ !(contains(steps.diff.outputs.changed_files, 'differ'))  && contains(github.event.pull_request.labels.*.name, 'API') }}
         with:
           github-token: ${{ secrets.ADD_LABELS_WITH_REST_API }}
@@ -50,7 +52,7 @@ jobs:
               repo: context.repo.repo,
               name: "API"
             })
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ contains(steps.diff.outputs.changed_files, 'differ') }}
         with:
           github-token: ${{ secrets.ADD_LABELS_WITH_REST_API }}
@@ -62,7 +64,7 @@ jobs:
               labels: ["API"]
             })
       - name: Add release label
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: ${{ contains(github.event.pull_request.base.ref, 'release_v') }}
         with:
           github-token: ${{ secrets.ADD_LABELS_WITH_REST_API }}

diff --git a/.github/workflows/assign_issue.yml b/.github/workflows/assign_issue.yml
@@ -1,4 +1,5 @@
 name: Take Issue
+permissions: read-all
 
 on:
   issue_comment:
@@ -15,7 +16,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: take an issue
-        uses: bdougie/take-action@v1.6.1
+        uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # v1.6.1
         with:
           message: Thank you for looking into this issue! Please let us know if you have any questions or require any help.
           issueCurrentlyAssignedMessage: Thanks for being interested in this issue. It looks like this ticket is already assigned to a contributor. Please communicate with the assigned contributor to confirm the status of the issue.

diff --git a/.github/workflows/build_and_publish_doc.yml b/.github/workflows/build_and_publish_doc.yml
@@ -1,4 +1,6 @@
 name: Build complete docs and publish to GH Pages
+permissions: read-all
+
 on:
   push:
     branches:
@@ -11,8 +13,6 @@ concurrency:
   group: ci-${{ github.head_ref }}-${{ github.workflow }}
   cancel-in-progress: true
 
-permissions:
-  contents: write
 jobs:
   call-build-html-doc:
     uses: ./.github/workflows/build_html_doc.yml
@@ -23,20 +23,22 @@ jobs:
   publish:
     needs: [call-build-html-doc, call-build-schema-page]
     runs-on: ubuntu-20.04
+    permissions:
+      attestations: write
     steps:
       - name: Checkout main repo  # the github-pages-deploy-action seems to require this step
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Download HTML doc build artifact
-        uses: alehechka/download-tartifact@v2
+        uses: alehechka/download-tartifact@a055d3a102b9ed9cfff1263bc713295047d0197e # v2
         with:
           name: html_doc_artifact
       - name: Download schema doc build artifact
-        uses: alehechka/download-tartifact@v2
+        uses: alehechka/download-tartifact@a055d3a102b9ed9cfff1263bc713295047d0197e # v2
         with:
           name: schema_doc_artifact
           path: html_build/html
       - name: Publish built docs on Github Pages branch ${{ env.GH_PAGES_BRANCH }}
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@5c6e9e9f3672ce8fd37b9856193d2a537941e66c # v4.6.1
         with:
           folder: html_build/html
           token: ${{ secrets.PUSH_TO_GH_PAGES_BRANCH }}

diff --git a/.github/workflows/build_html_doc.yml b/.github/workflows/build_html_doc.yml
@@ -1,4 +1,6 @@
 name: HTML documentation build
+permissions: read-all
+
 on:
   workflow_call:
     inputs:
@@ -10,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ inputs.ref }}
       - name: Install NNCF and doc requirements
@@ -21,7 +23,7 @@ jobs:
         run: |
           sphinx-build -M html docs/api/source html_build
       - name: Upload built HTMLs as job artifact
-        uses: alehechka/upload-tartifact@v2
+        uses: alehechka/upload-tartifact@a055d3a102b9ed9cfff1263bc713295047d0197e # v2
         with:
           name: html_doc_artifact
           path: html_build/html
diff --git a/.github/workflows/build_schema_page.yml b/.github/workflows/build_schema_page.yml
@@ -1,12 +1,15 @@
 name: Config schema HTML build
+permissions: read-all
+
 on:
   workflow_call:
+
 jobs:
   build-config-schema-html:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Install and Build
         run: |
@@ -20,7 +23,7 @@ jobs:
           generate-schema-doc --deprecated-from-description schema.json schema/index.html
 
       - name: Upload result as artifact
-        uses: alehechka/upload-tartifact@v2
+        uses: alehechka/upload-tartifact@a055d3a102b9ed9cfff1263bc713295047d0197e # v2
         with:
           name: schema_doc_artifact
           path: schema
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,4 +1,6 @@
 name: "Pull Request Labeler"
+permissions: read-all
+
 on: [pull_request_target]
 
 jobs:
@@ -8,7 +10,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: '.github/action_configs/labeler.yml'

diff --git a/.github/workflows/model_hub.yml b/.github/workflows/model_hub.yml
@@ -1,4 +1,5 @@
 name: Model Hub
+permissions: read-all
 
 on:
   workflow_dispatch:
@@ -10,8 +11,8 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: 3.8.18
       - name: Install NNCF and test requirements

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
@@ -1,4 +1,5 @@
 name: mypy
+permissions: read-all
 
 on:
   pull_request:
@@ -11,13 +12,13 @@ jobs:
   mypy:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: 3.8.18
-    - name: Install NNCF
-      run: pip install -e .
-    - name: Install mypy
-      run: pip install mypy==1.8.0
-    - name: Run mypy
-      run: mypy --install-types --config-file=.mypy.ini --non-interactive
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: 3.8.18
+      - name: Install NNCF
+        run: pip install -e .
+      - name: Install mypy
+        run: pip install mypy==1.8.0
+      - name: Run mypy
+        run: mypy --install-types --config-file=.mypy.ini --non-interactive
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -1,4 +1,5 @@
 name: nightly
+permissions: read-all
 
 on:
   workflow_dispatch:
@@ -9,5 +10,5 @@ jobs:
   md-dead-link-check:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: AlexanderDokuchaev/md-dead-link-check@v0.8
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: AlexanderDokuchaev/md-dead-link-check@76ecefc7f64753bba30a36179f46d903e9f77669 # v0.8
diff --git a/.github/workflows/post_pr_merge.yml b/.github/workflows/post_pr_merge.yml
@@ -8,6 +8,7 @@
 # PR commit is generated.
 
 name: Post-PR merge actions
+permissions: read-all
 
 on:
   pull_request_target:
@@ -18,6 +19,8 @@ on:
 
 jobs:
   upload-coverage-common:
+    permissions:
+      attestations: write
     if: github.event.pull_request.merged == true
     uses: ./.github/workflows/upload_coverage_for_develop.yml
     with:
@@ -28,6 +31,8 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   upload-coverage-onnx:
+    permissions:
+      attestations: write
     if: github.event.pull_request.merged == true
     uses: ./.github/workflows/upload_coverage_for_develop.yml
     with:
@@ -38,6 +43,8 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   upload-coverage-openvino:
+    permissions:
+      attestations: write
     if: github.event.pull_request.merged == true
     uses: ./.github/workflows/upload_coverage_for_develop.yml
     with:

diff --git a/.github/workflows/pre-commit-linters.yml b/.github/workflows/pre-commit-linters.yml
@@ -1,4 +1,5 @@
 name: pre-commit-linters
+permissions: read-all
 
 on:
   pull_request:
@@ -11,16 +12,16 @@ jobs:
   pre-commit:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-      with:
-        python-version: 3.8.18
-    - name: Install pre-commit package
-      run: make install-pre-commit
-    - name: Run pre-commit linter suite
-      run: make pre-commit
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: 3.8.18
+      - name: Install pre-commit package
+        run: make install-pre-commit
+      - name: Run pre-commit linter suite
+        run: make pre-commit
   md-dead-link-check:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: AlexanderDokuchaev/md-dead-link-check@v0.8
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: AlexanderDokuchaev/md-dead-link-check@76ecefc7f64753bba30a36179f46d903e9f77669 # v0.8