[StepSecurity] ci: Harden GitHub Actions (#1625)

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/build-container.yaml

@@ -3,6 +3,9 @@ on:
   workflow_dispatch: # Can be manually executed
   schedule: # 1/week Sunday at 07:00AM
     - cron: "5 7 * * 0"
+permissions:
+  contents: read
+
 jobs:
   build:
     container: # MLOps Dev container for Compose Automation

.github/workflows/chatbot-finetune-mpt-7b-chat-hpu.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ft-mpt-7b-hpu
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   finetuning:
     name: finetuning test

.github/workflows/chatbot-finetune-mpt-7b-chat.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ft-mpt-7b
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   finetuning:
     name: finetuning test

.github/workflows/chatbot-inference-llama-2-7b-chat-hf.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf-lla-7b
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   inference:
     name: inference test

.github/workflows/chatbot-inference-llama-2-7b_70b-chat-hf-hpu.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf-lla-7b-hpu
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   inference:
     name: inference test

.github/workflows/chatbot-inference-mpt-7b-chat-hpu.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf-mpt-7b-hpu
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   inference:
     name: inference test

.github/workflows/chatbot-inference-mpt-7b-chat.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf-mpt-7b
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   inference:
     name: inference test

.github/workflows/deploy-test.yml

@@ -18,8 +18,15 @@ env:
   EXTRA_CONTAINER_NAME: "utTest"
   EXTRA_CONTAINER_NAME2: "codeScan"
 
+permissions:
+  contents: read
+
 jobs:
   Deploy-Workflow:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: itrex-node
     strategy:
       matrix:
@@ -127,6 +134,10 @@ jobs:
           retention-days: 60 # 1 <= retention-days <= 90
 
   Genreate-Report:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: itrex-node-spell
     needs: [Deploy-Workflow]
     steps:

.github/workflows/format_scan.yml

@@ -23,6 +23,9 @@ env:
   DOCKER_FILE_NAME: "codeScan"
   CONTAINER_NAME: "codeScan"
 
+permissions:
+  contents: read
+
 jobs:
   format-scan:
     runs-on: itrex-node-spell

.github/workflows/llm-test.yml

@@ -25,6 +25,9 @@ env:
   EXTRA_CONTAINER_NAME: "codeScan"
 
 
+permissions:
+  contents: read
+
 jobs:
   LLM-Workflow:
     runs-on: spr
@@ -83,6 +86,10 @@ jobs:
           retention-days: 60 # 1 <= retention-days <= 90
 
   Generate-LLM-Report:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: itrex-node-spell
     needs: [LLM-Workflow]
     steps:

.github/workflows/optimize-test.yml

@@ -19,8 +19,15 @@ env:
   EXTRA_CONTAINER_NAME2: "codeScan"
 
 
+permissions:
+  contents: read
+
 jobs:
   Optimize-Workflow:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: itrex-node
     strategy:
       matrix:
@@ -132,6 +139,10 @@ jobs:
           retention-days: 60 # 1 <= retention-days <= 90
 
   Genreate-Report:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: itrex-node-spell
     needs: [Optimize-Workflow]
     steps:

.github/workflows/publish.yml

@@ -5,9 +5,14 @@ on:
     branches:
       - main
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   build:
 
+    permissions:
+      contents: write  # for peaceiris/actions-gh-pages to push pages branch
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/sparse_lib_CI.yml

@@ -16,6 +16,9 @@ env:
   DOCKER_FILE_NAME: "unitTest"
   CONTAINER_NAME: "utTest"
 
+permissions:
+  contents: read
+
 jobs:
   sparselib:
     runs-on: itrex-node

.github/workflows/trellix.yaml

@@ -3,6 +3,9 @@ name: Trellix Command Line Scanner
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   Trellix:
     runs-on: inner-source

.github/workflows/unit-test-engine.yml

@@ -28,6 +28,9 @@ env:
   EXTRA_CONTAINER_NAME: "modelTest"
   CONTAINER_SCAN: "codeScan"
 
+permissions:
+  contents: read
+
 jobs:
   engine-unit-test:
     runs-on: [self-hosted, linux, X64, itrex-node]

.github/workflows/unit-test-kernel.yml

@@ -22,6 +22,9 @@ env:
   CONTAINER_NAME: "utTest"
   EXTRA_CONTAINER_NAME: "modelTest"
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     runs-on: [self-hosted, linux, X64, itrex-node]

.github/workflows/unit-test-neuralchat.yml

@@ -35,6 +35,9 @@ env:
   CONTAINER_SCAN: "codeScan"
   GOOGLE_API_KEY: ${{ vars.GOOGLE_API_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   neuralchat-unit-test:
     runs-on: [self-hosted, Linux, X64, itrex-node]

.github/workflows/unit-test-neuralspeed.yml

@@ -20,6 +20,9 @@ env:
   CONTAINER_NAME: "utTest"
   EXTRA_CONTAINER_NAME: "modelTest"
 
+permissions:
+  contents: read
+
 jobs:
   neural-speed-unit-test:
     runs-on: [self-hosted, linux, X64, llmruntime-node]

.github/workflows/unit-test-optimize.yml

@@ -32,6 +32,9 @@ env:
   EXTRA_CONTAINER_NAME: "modelTest"
   CONTAINER_SCAN: "codeScan"
 
+permissions:
+  contents: read
+
 jobs:
   optimize-unit-test:
     runs-on: [self-hosted, Linux, X64, itrex-node]

.github/workflows/windows-test.yml

@@ -23,6 +23,9 @@ env:
     SCRIPT_PATH: ${{ github.workspace }}\.github\workflows\script
     WORKING_DIR: ${{ github.workspace }}
 
+permissions:
+  contents: read
+
 jobs:
     Windows-Binary-Test:
       runs-on: 'Windows'