TPC Improvement (Exclude tutorials and wrapper API documents)

[ueno-hiroshi002]

Pull Request Description:

• TPC Improvement

  • Modified existing API get_target_platform_capabilities(fw_name, target_platform_name, target_platform_version) to
    new API get_target_platform_capabilities(tpc_version, device_type) Modified existing TPC API #1580
  • Add TPC v4, v5, and v6 for IMX500 from edgemdt-tpc Add TPC v4, v5, and v6 #1581
  • Migrating verification code from edgemdt-tpc Migrating verification code from edgemdt-tpc #1584
  • Add a new TPC API get_target_platform_capabilities_sdsp for sdsp converter version Add a new TPC API for sdsp converter version #1586
  • Change name of TPC versions TPC_V*_* Move TPC and SDSP versions to a constant file #1588
  • Remove "latest" version TPC (Remove get_keras_tpc_latest and get_pytorch_tpc_latest #1592, Remove generate_keras_tpc #1594, Remove generate_pytorch_tpc #1595, Remove latest and fix the import from latest to v1_0 #1597)
  • Merge TPC for torch.index_select from edge-mdt-tpc Merge torch.index_select in TPC v6.0 #1599
  • CI/CD Migration about TPC and Converter version test CI/CD Migration about TPC and Converter version test #1606

• Update documents for TPC (Update API document for TPC #1621, Update README for TPC #1622, Update README in MCT #1623)

• Change implementation of wrapper for TPC Improvement.　(Wrapper)Refactor quantization method parameters #1631

  • Changed to get_target_platform_capabilities_sdsp() using in wrapper implementation
  • Removed the TPC selection variable
  • Changed the TPC tuning parameter to sdsp_version
  • Modified tutorials for new wrapper variables.

• Add CI/CD test about TPC and Converter for Keras Add CI/CD test about TPC and Converter for Keras #1618

Note:

• The tutorial (excluding the wrapper) does not yet support TPC improvement.
• API documentation updates for wrapper changes are also not reflected yet.

Checklist before requesting a review:

• I set the appropriate labels on the pull request.
• I have added/updated the release note draft (if necessary).
• I have updated the documentation to reflect my changes (if necessary).
• All function and files are well documented.
• All function and classes have type hints.
• There is a licenses in all file.
• The function and variable names are informative.
• I have checked for code duplications.
• I have added new unittest (if necessary).

In general, the fix is to explicitly declare a permissions block in the workflow (either at the top level or on the specific job) that limits the GITHUB_TOKEN to the minimal rights needed. For a test-running workflow that primarily reads code and artifacts, contents: read is usually sufficient unless the called reusable workflow requires additional scopes.

The single best fix here, without changing existing functional behavior, is to add a root-level permissions block just under the name: (and before on:) or just after on: so that it applies to all jobs that don’t override it. Since this workflow appears to run tests via a reusable workflow, and there is no explicit indication of write operations, we’ll set permissions: contents: read as a conservative default. If the reusable workflow needs more, it can still define its own permissions block, but within the constraints of the CodeQL report and given code snippet, we only adjust this file.

Concretely, in .github/workflows/run_keras_tests_conv314_tpc10.yml, add:

permissions:
  contents: read

right after the name: line (line 1) and before the on: key (line 2). No imports or additional definitions are needed since this is pure workflow YAML configuration.

In general, the fix is to define a permissions: block that restricts the GITHUB_TOKEN to the minimal access required. This can be done at the workflow root (applies to all jobs without their own permissions) or within the specific job. Since this workflow only defines a single job that delegates to a reusable workflow, adding a root-level permissions: block is simple and clear.

The best minimal, non-breaking change here is to add a workflow-level permissions: block between the on: block and concurrency: (or anywhere at the top level) that sets contents: read. This is a conservative default for a test-running workflow, which usually doesn’t need to write to the repo. If the called workflow actually needs more (e.g., checks: write), that would be added there, but we cannot see it from the provided snippet, so we stick to the safe minimal contents: read. No imports or additional definitions are needed; this is purely a YAML configuration change within .github/workflows/run_keras_tests_conv316_tpc10.yml.

In general, the fix is to explicitly declare permissions: in the workflow so the GITHUB_TOKEN used by this job is restricted to the minimum necessary. For a test-running workflow that primarily needs to read code and metadata, a good default is contents: read at the workflow level, which applies to all jobs that do not override it. This aligns with GitHub’s recommended baseline for most CI workflows.

The best minimal fix without changing existing functionality is to add a root-level permissions: block right after the on: section. This will apply contents: read to the run-tests job unless the called reusable workflow sets something else (in which case its job-level permissions still take precedence). Concretely, in .github/workflows/run_keras_tests_conv316_tpc40.yml, between the on: block (lines 2–6) and the existing concurrency: block (line 8), insert:

permissions:
  contents: read

No additional imports or external methods are needed since this is purely a YAML configuration change.

In general, this issue is fixed by adding a permissions: block that restricts the GITHUB_TOKEN to the minimal scopes needed, either at the workflow root (applies to all jobs without their own block) or per job. For a workflow that only runs tests and calls another workflow, a typical safe default is permissions: contents: read so actions can fetch the repository content but cannot perform write operations.

For this specific file, the best fix without altering existing functionality is to add a root-level permissions: block between the on: section and concurrency: (or anywhere at the top level) to apply to all jobs, including the run-tests reusable workflow call. Since we are not shown any behavior that requires write permissions, we will set contents: read as a minimal, conservative default. No additional imports or external dependencies are needed; this is purely a YAML configuration change inside .github/workflows/run_keras_tests_conv317_tpc10.yml.

Concretely:

• Edit .github/workflows/run_keras_tests_conv317_tpc10.yml.
• Insert:

  permissions:
    contents: read

  after the on: block (after line 6, before line 8).
  This ensures the run-tests job and the called reusable workflow execute with a read-only GITHUB_TOKEN unless they define stricter permissions inside themselves.

To fix this, we should explicitly define a permissions block that limits the GITHUB_TOKEN to the least privileges needed. Because this workflow simply delegates to another reusable workflow with uses: ./.github/workflows/run_network_deployment_keras_tests.yml and we don’t see any direct write operations in this caller, a conservative and safe choice is to set permissions: contents: read at the workflow (root) level. This will apply to all jobs that don’t override permissions, including run-tests, and will satisfy CodeQL’s requirement while keeping functionality unchanged in typical CI scenarios where read access to the repository is sufficient.

Concretely, in .github/workflows/run_keras_tests_conv317_tpc40.yml, insert a permissions: block near the top-level keys, for example after the on: block and before concurrency:. The block should minimally specify contents: read. No imports or additional methods are needed because this is purely a YAML configuration change for GitHub Actions. If the reusable workflow needs broader permissions, those should ideally be specified in that reusable workflow itself; in the absence of that context, we keep this caller minimal and read-only.

In general, fix this by explicitly defining a permissions section to restrict the GITHUB_TOKEN to the least privileges needed. This can be done at the workflow root (applies to all jobs without their own permissions) or per job. Since this workflow only defines a single job that reuses another workflow, the clearest fix is to add a workflow-level permissions block with minimal scope, such as contents: read, before the jobs: section.

Concretely, in .github/workflows/run_pytorch_tests_conv316_tpc10.yml, add a new permissions: block between the concurrency section (lines 8–10) and the jobs: section (line 12). Unless you know the job needs write access (which we can’t assume from the snippet), default to read-only repository contents: permissions:\n contents: read. This leaves existing behavior of the tests unchanged while tightening token permissions. No imports or external definitions are required, as this is pure workflow configuration.

In general, to fix this issue you must explicitly declare a permissions: block in the workflow (either at the top level or per job) to constrain the default GITHUB_TOKEN to the minimal access needed. For a test-running workflow that primarily checks out code and runs tests, contents: read is typically sufficient; if the called workflow needs more (e.g., to comment on PRs), those narrower permissions (such as pull-requests: write) can be granted there.

For this specific file, the best minimal change without altering behavior is to add a restrictive permissions block at the workflow root so it applies to all jobs that don’t override it. Since we see no evidence in this file that write access is required, we can set contents: read as a safe baseline. The change should be inserted after the on: block (common pattern in GitHub Actions) and before concurrency:. No imports or other definitions are needed—this is purely a YAML configuration change within .github/workflows/run_pytorch_tests_conv316_tpc40.yml.

In general, the fix is to explicitly declare a permissions block in the workflow so the GITHUB_TOKEN has only the minimal rights required. This can be done at the workflow root (applies to all jobs without their own permissions) or per-job. Since this workflow only defines the run-tests job that reuses another workflow, the simplest and safest fix is to add a root-level permissions: contents: read, which is GitHub’s recommended baseline for workflows that primarily need to fetch code and run tests.

Concretely, in .github/workflows/run_pytorch_tests_conv317_tpc10.yml, add a permissions section after the on: block and before concurrency:. Unless the reused workflow requires additional scopes (which we cannot see here), we keep it minimal: contents: read. This does not change existing functionality for typical test workflows, but it constrains the GITHUB_TOKEN so it cannot perform write operations on the repository or other resources by default.

In general, the fix is to explicitly declare a permissions block for the workflow (or at least for the run-tests job) so that the GITHUB_TOKEN is limited to the minimal access required. For a test-running workflow that primarily needs to read repository contents, a common secure default is permissions: contents: read. If the called workflow needs broader permissions for specific operations (e.g., commenting on PRs), those should be granted more narrowly in that downstream workflow or in specific jobs there.

The best minimal fix here, without changing existing functionality, is to add a root-level permissions block right after the on: section. This will apply to all jobs in this workflow that do not override permissions, including the run-tests job using the reusable workflow. Since we do not see evidence here that write permissions are required, we will set contents: read, which is a standard least-privilege default for CI workflows that just build and test. No other code, imports, or definitions are needed; this is a pure YAML configuration change in .github/workflows/run_pytorch_tests_conv317_tpc40.yml, affecting lines between the on: block and the existing concurrency block.

To fix the problem, explicitly declare a permissions block in this workflow so that the GITHUB_TOKEN used by the run-tests job has the least privileges required. Since this wrapper workflow appears to only dispatch a reusable workflow and does not itself need write access, a safe default is to set contents: read at the workflow level. This will apply to all jobs (including the uses:-based job) that do not override permissions, and does not change any existing functional behavior other than tightening token permissions.

Concretely, in .github/workflows/run_pytorch_tests_conv317_tpc50.yml, add a top-level permissions: section after the on: block (lines 2–7) and before concurrency: (line 8). Set contents: read as a minimal starting point; if the called workflow needs additional scopes (e.g., for PR annotations), they can be added there instead or overridden within the called workflow, but that is outside the provided snippet and cannot be modified here. No imports or additional methods are needed, just the YAML configuration change.