[DAR-3487][External] Mitigate security issues found by CodeQL (#912)

* Upgraded torch & torchvision

* Misc security improvements

* Fix warnings displayed in test runs

* Restricted GHA token permissions to minimum required

* Reverted torch upgrade since this requires dropping support for Python 3.8

.github/workflows/EVENT_merge_to_master.yml

@@ -7,6 +7,9 @@ on:
       - master
   workflow_call:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -24,7 +27,7 @@ jobs:
 
   warn_on_fail:
     needs: [run_tests, documentation]
-    if : ${{ failure() }}
+    if: ${{ failure() }}
     name: Slack message us on fail
     uses: ./.github/workflows/JOB_slack_message.yml
     secrets: inherit
@@ -35,9 +38,12 @@ jobs:
 
   success:
     needs: [run_tests, documentation]
-    if : ${{ success() }}
+    if: ${{ success() }}
     name: Success
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

.github/workflows/EVENT_pull_request.yml

@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
 
 # Prevent running concurrently
 concurrency:
@@ -16,29 +18,38 @@ jobs:
   get_changed_files:
     name: Get changed files
     uses: ./.github/workflows/JOB_get_changed_files.yml
+    permissions:
+      contents: read
 
   format:
     name: Check format of python
     needs: get_changed_files
     uses: ./.github/workflows/JOB_format.yml
     with:
       files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+    permissions:
+      contents: read
 
   lint:
     name: Lint python
     needs: get_changed_files
     uses: ./.github/workflows/JOB_lint.yml
     with:
       files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+    permissions:
+      contents: read
 
   # typecheck:
   #   name: Analyse types in python
   #   needs: get_changed_files
   #   uses: ./.github/workflows/JOB_typecheck.yml
   #   with:
   #     files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+  #   permissions:
+  #     contents: read
 
   run_tests:
     name: Run tests
     uses: ./.github/workflows/JOB_tests.yml
-
+    permissions:
+      contents: read

.github/workflows/EVENT_release.yml

@@ -22,6 +22,9 @@ on:
         description: "Is the release a draft"
         required: false
 
+permissions:
+  contents: read
+
 env:
   release_id: ${{ inputs.release_id || github.event.release.id }}
   release_tag: ${{ inputs.release_tag || github.event.release.tag_name }}
@@ -31,6 +34,8 @@ env:
 jobs:
   validate_tag:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -70,6 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -98,6 +104,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

.github/workflows/EVENT_tag.yml

@@ -21,6 +21,8 @@ jobs:
   create_release:
     name: Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -41,4 +43,3 @@ jobs:
           release_name: ${{ github.ref }}
           draft: true
           prerelease: false
-

.github/workflows/EVENT_update-linear-labels.yml

@@ -1,5 +1,8 @@
 name: "Update Linear Labels"
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [master]
@@ -10,6 +13,8 @@ jobs:
     if: github.ref_name != 'master' && !github.event.pull_request.head.repo.fork
     name: Update Linear
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

.github/workflows/JOB_check-master-can-release.yml

@@ -4,9 +4,14 @@ run-name: check-master-can-release
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   check-master-can-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -48,4 +53,3 @@ jobs:
             if (commits.length === 0) {
               throw new Error('No commits in master since last release');
             }
-

.github/workflows/JOB_e2e.yml

@@ -1,5 +1,8 @@
 name: E2E Tests
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "0 8 * * mon-fri"
@@ -18,6 +21,8 @@ on:
 jobs:
   e2e:
     name: End to End Testing
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -59,6 +64,8 @@ jobs:
     name: Slack Notifier Bot
     needs: e2e
     if: failure() && github.event_name == 'schedule'
+    permissions:
+      contents: read
     uses: ./.github/workflows/JOB_slack_message.yml
     with:
       message: |

.github/workflows/JOB_lint.yml

@@ -9,10 +9,15 @@ on:
         description: "Files to lint"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     if: ${{ inputs.files != '' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -33,4 +38,3 @@ jobs:
     - name: Ruff Lint
       shell: bash
       run: bash ${{ github.workspace }}/deploy/format_lint.sh lint ${{ inputs.files }}
-

.github/workflows/JOB_typecheck.yml

@@ -36,6 +36,5 @@ jobs:
     - name: MyPy typecheck
       shell: bash
       run: |
-        pip install pydantic
+        pip install pydantic==2.8.2
         bash ${{ github.workspace }}/deploy/format_lint.sh typecheck ${{ inputs.files }}
-

darwin/exporter/formats/nifti.py

@@ -14,7 +14,7 @@
     import nibabel as nib
     from nibabel.orientations import io_orientation, ornt_transform
 except ImportError:
-    import_fail_string = """
+    import_fail_string = r"""
     You must install darwin-py with pip install darwin-py\[medical]
     in order to export using nifti format
     """

darwin/future/data_objects/dataset.py

@@ -1,6 +1,6 @@
 from typing import List, Optional
 
-from pydantic import PositiveInt, validator
+from pydantic import PositiveInt, field_validator
 
 from darwin.future.data_objects.release import ReleaseList
 from darwin.future.data_objects.validators import parse_name
@@ -30,7 +30,7 @@ class DatasetCore(DefaultDarwin):
     releases: Optional[ReleaseList] = None
 
     # Data Validation
-    _name_validator = validator("name", allow_reuse=True)(parse_name)
+    _name_validator = field_validator("name")(parse_name)
 
 
 DatasetList = List[DatasetCore]

darwin/future/data_objects/release.py

@@ -1,6 +1,6 @@
 from typing import List
 
-from pydantic import validator
+from pydantic import field_validator
 
 from darwin.future.data_objects import validators as darwin_validators
 from darwin.future.pydantic_base import DefaultDarwin
@@ -26,7 +26,7 @@ def __str__(self) -> str:
         return self.name
 
     # Data Validation
-    _name_validator = validator("name", allow_reuse=True)(darwin_validators.parse_name)
+    _name_validator = field_validator("name")(darwin_validators.parse_name)
 
 
 ReleaseList = List[ReleaseCore]

darwin/future/data_objects/sorting.py

@@ -1,6 +1,6 @@
 from typing import Literal, Optional
 
-from pydantic import BaseModel, Field, root_validator
+from pydantic import BaseModel, Field, model_validator
 
 
 class SortingMethods(BaseModel):
@@ -12,7 +12,7 @@ class SortingMethods(BaseModel):
     priority: Optional[Literal["asc", "desc"]] = Field(None)
     updated_at: Optional[Literal["asc", "desc"]] = Field(None)
 
-    @root_validator(pre=True)
+    @model_validator(mode="before")
     def check_at_least_one_field(cls, values):
         assert any(value is not None for value in values.values())
         return values

darwin/future/data_objects/team.py

@@ -2,7 +2,7 @@
 
 from typing import List, Optional
 
-from pydantic import validator
+from pydantic import field_validator
 
 from darwin.future.core.client import ClientCore
 from darwin.future.core.team.get_raw import get_team_raw
@@ -56,7 +56,7 @@ class TeamCore(DefaultDarwin):
     default_role: TeamMemberRole = TeamMemberRole.USER
 
     # Data Validation
-    _slug_validator = validator("slug", allow_reuse=True)(parse_name)
+    _slug_validator = field_validator("slug")(parse_name)
 
     @staticmethod
     def from_client(client: ClientCore, team_slug: Optional[str] = None) -> TeamCore:

darwin/importer/formats/nifti.py

@@ -15,7 +15,7 @@
     import nibabel as nib
     from scipy.ndimage import zoom
 except ImportError:
-    import_fail_string = """
+    import_fail_string = r"""
     You must install darwin-py with pip install darwin-py\[medical]
     in order to import using nifti format
     """

deploy/_filter_files.py

@@ -11,11 +11,7 @@ def main(argv: List[str]) -> None:
     if file_extension.startswith("."):
         file_extension = file_extension[1:]
 
-    files_out = [
-        file
-        for file in files_in
-        if file.endswith(f".{file_extension}") and "future" in file
-    ]
+    files_out = [file for file in files_in if file.endswith(f".{file_extension}")]
 
     print(" ".join(files_out))