Fix code scanning issues (#10129)

* Fix code scanning issues * update oneccl_bind_pt link * update * update --------- Co-authored-by: Your Name <Your Email>
intel-analytics · Feb 8, 2024 · 428e100 · 428e100
1 parent c67d363
commit 428e100
Show file tree

Hide file tree

Showing 25 changed files with 93 additions and 10 deletions.
diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml
@@ -11,6 +11,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   GIST_ID: 966d4c0bf23c67662120d1bf4b1c88dc
 

diff --git a/.github/workflows/llm-binary-build.yml b/.github/workflows/llm-binary-build.yml
@@ -5,6 +5,9 @@ name: LLM Binary Build
 #   group: ${{ github.workflow }}-llm-binary-build-${{ github.event.pull_request.number || github.run_id }}
 #   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/llm-nightly-test.yml b/.github/workflows/llm-nightly-test.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-nightly-test-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   schedule:

diff --git a/.github/workflows/llm-ppl-evaluation.yml b/.github/workflows/llm-ppl-evaluation.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-nightly-test-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   schedule:

diff --git a/.github/workflows/llm_example_tests.yml b/.github/workflows/llm_example_tests.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-example-tests-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run. 
 on:
   # schedule:

diff --git a/.github/workflows/llm_performance_tests.yml b/.github/workflows/llm_performance_tests.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-performance-tests-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   schedule:

diff --git a/.github/workflows/llm_tests_for_stable_version_on_arc.yml b/.github/workflows/llm_tests_for_stable_version_on_arc.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-performance-tests-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # pull_request:

diff --git a/.github/workflows/llm_tests_for_stable_version_on_spr.yml b/.github/workflows/llm_tests_for_stable_version_on_spr.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-performance-tests-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # pull_request:

diff --git a/.github/workflows/llm_unit_tests.yml b/.github/workflows/llm_unit_tests.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-llm-unittest-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/nano-nightly-test.yml b/.github/workflows/nano-nightly-test.yml
@@ -17,6 +17,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   GIST_ID: bc8a699b455bced4a1aef138ad5df07e
 

diff --git a/.github/workflows/nano_howto_guides_tests.yml b/.github/workflows/nano_howto_guides_tests.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/nano_notebooks_tests.yml b/.github/workflows/nano_notebooks_tests.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/nano_unit_tests_basic.yml b/.github/workflows/nano_unit_tests_basic.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run. 
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/nano_unit_tests_pytorch.yml b/.github/workflows/nano_unit_tests_pytorch.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # Triggers the workflow on push or pull request events but only for the main branch
@@ -29,11 +32,11 @@ jobs:
         os: ["ubuntu-20.04"]
         python-version: ["3.8"]
         pytorch-version: [
-          "pytorch_110 neural-compressor==1.13.1 oneccl_bind_pt==1.10",
-          "pytorch_111 neural-compressor==1.13.1 oneccl_bind_pt==1.11",
-          "pytorch_112 neural-compressor==1.13.1 oneccl_bind_pt==1.12.100",
-          "pytorch_113 neural-compressor==2.0 oneccl_bind_pt==1.13",
-          "pytorch_20 neural-compressor==2.1 oneccl_bind_pt==2.0",
+          "pytorch_110 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.10.0-cp38-cp38-linux_x86_64.whl",
+          "pytorch_111 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.11.0-cp38-cp38-linux_x86_64.whl",
+          "pytorch_112 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.12.100%2Bcpu-cp38-cp38-linux_x86_64.whl",
+          "pytorch_113 neural-compressor==2.0 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.13.0%2Bcpu-cp38-cp38-linux_x86_64.whl",
+          "pytorch_20 neural-compressor==2.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-2.0.0%2Bcpu-cp38-cp38-linux_x86_64.whl",
           ]
     steps:
       - uses: actions/checkout@v2
@@ -108,11 +111,11 @@ jobs:
         os: ["ubuntu-20.04"]
         python-version: ["3.8"]
         pytorch-version: [
-          "pytorch_110 neural-compressor==1.13.1 oneccl_bind_pt==1.10",
-          "pytorch_111 neural-compressor==1.13.1 oneccl_bind_pt==1.11",
-          "pytorch_112 neural-compressor==1.13.1 oneccl_bind_pt==1.12.100",
-          "pytorch_113 neural-compressor==2.0 oneccl_bind_pt==1.13",
-          "pytorch_20 neural-compressor==2.1 oneccl_bind_pt==2.0",
+          "pytorch_110 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.10.0-cp38-cp38-linux_x86_64.whl",
+          "pytorch_111 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.11.0-cp38-cp38-linux_x86_64.whl",
+          "pytorch_112 neural-compressor==1.13.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.12.100%2Bcpu-cp38-cp38-linux_x86_64.whl",
+          "pytorch_113 neural-compressor==2.0 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-1.13.0%2Bcpu-cp38-cp38-linux_x86_64.whl",
+          "pytorch_20 neural-compressor==2.1 https://intel-extension-for-pytorch.s3.amazonaws.com/ipex_stable/cpu/oneccl_bind_pt-2.0.0%2Bcpu-cp38-cp38-linux_x86_64.whl",
           ]
     steps:
       - uses: actions/checkout@v3

diff --git a/.github/workflows/nano_unit_tests_tensorflow.yml b/.github/workflows/nano_unit_tests_tensorflow.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

diff --git a/.github/workflows/performance-regression-test.yml b/.github/workflows/performance-regression-test.yml
@@ -1,5 +1,8 @@
 name: Performance Regression Test
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 16 * * *'

diff --git a/.github/workflows/python-style-check.yml b/.github/workflows/python-style-check.yml
@@ -5,6 +5,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # Controls when the action will run.
 on:
   push:

diff --git a/.github/workflows/sdl_hadolint.yml b/.github/workflows/sdl_hadolint.yml
@@ -1,4 +1,5 @@
 name: Scanner-hadolint
+
 on:
 #  schedule:
 #    - cron: '0 3 * * 0' # GMT time, 3:00 GMT == 3:00 China Every Sunday
@@ -7,6 +8,10 @@ on:
 #  pull_request:
 #    branchs: [ main ]
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   scan-dockerfile:
     runs-on: [self-hosted, SDL-TEST]

diff --git a/.github/workflows/sdl_snyk_docker.yml b/.github/workflows/sdl_snyk_docker.yml
@@ -1,4 +1,8 @@
 name: Scanner-snyk-docker
+
+permissions:
+  contents: read
+
 on:
 #  pull_request:
 #    branchs: [ main ]

diff --git a/.github/workflows/sdl_snyk_python.yml b/.github/workflows/sdl_snyk_python.yml
@@ -1,4 +1,8 @@
 name: Scanner-snyk-python
+
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 3 * * 0' # GMT time, 3:00 GMT == 11:00 China Every Sunday

diff --git a/.github/workflows/sdl_snyk_scala.yml b/.github/workflows/sdl_snyk_scala.yml
@@ -1,4 +1,8 @@
 name: Scanner-snyk-scala
+
+permissions:
+  contents: read
+
 on:
 #  pull_request:
 #    branchs: [ main ]

diff --git a/.github/workflows/sdl_virus-malware.yml b/.github/workflows/sdl_virus-malware.yml
@@ -1,4 +1,8 @@
 name: Scanner-virus
+
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 3 * * 0' # GMT time, 3:00 GMT == 3:00 China Every Sunday

diff --git a/.github/workflows/stable-diffusion-winlog.yml b/.github/workflows/stable-diffusion-winlog.yml
@@ -1,4 +1,8 @@
 name: stable-diffusion-win
+
+permissions:
+  contents: read
+
 on:
   # pull_request:
   #   branchs: [ main ]

diff --git a/.github/workflows/url-auto-merge.yml b/.github/workflows/url-auto-merge.yml
@@ -1,4 +1,8 @@
 name: Create PR to update nightly build download URL in docs/readthedocs/source/doc/Orca/Overview/install.md and auto merge
+
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 13 * * 0' # GMT time, 13:00 GMT == 21:00 China

diff --git a/.github/workflows/url_check.yml b/.github/workflows/url_check.yml
@@ -1,5 +1,8 @@
 name: Check download URL in docs/readthedocs/source/doc/Orca/Overview/install.md
 
+permissions:
+  contents: read
+
 on:
   push:
     paths: 'docs/readthedocs/source/doc/Orca/Overview/install.md'