diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml
index 10326fba90..32f7e46adb 100644
--- a/.github/workflows/base.yml
+++ b/.github/workflows/base.yml
@@ -15,6 +15,9 @@ on:
 - '.github/workflows/base.yml'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build-base:
 if: ${{ github.repository_owner == 'axolotl-ai-cloud' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) }}
@@ -124,7 +127,7 @@ jobs:
 images: |
 axolotlai/axolotl-base
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -132,7 +135,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 file: ./docker/${{ matrix.dockerfile }}
@@ -239,7 +242,7 @@ jobs:
 images: |
 axolotlai/axolotl-base-uv
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -247,7 +250,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 file: ./docker/${{ matrix.dockerfile }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cf322f1059..181fd9dc97 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,9 @@ on:
 - ".pre-commit-config.yaml"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 name: pre-commit
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index aca9b1dd36..439db91733 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
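Review bot: The new workflow-level `contents: read` only narrows GITHUB_TOKEN; it does nothing for the Docker Hub credential this workflow hands to `docker/login-action` in the later hunks (`secrets.DOCKERHUB_USERNAME`, presumably followed by a password/token secret outside the hunk), and that action, together with `docker/build-push-action` and `docker/setup-buildx-action`, is referenced by a mutable major tag, so a retagged or compromised release could read the registry credential and push under `axolotlai/axolotl-base`. For a workflow that publishes images, pin every third-party `uses:` to a full commit SHA with the version as a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3`, and let Dependabot or Renovate advance the SHA. The `build-base` job continues outside this hunk, so I cannot tell whether anything else in it needs more than `contents: read`.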
@@ -8,6 +8,9 @@ on:
 - "v*"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build-axolotl:
 if: ${{ ! contains(github.event.commits[0].message, '[skip docker]') && github.repository_owner == 'axolotl-ai-cloud' }}
diff --git a/.github/workflows/multi-gpu-e2e.yml b/.github/workflows/multi-gpu-e2e.yml
index 6063c24c74..2bb499ded0 100644
--- a/.github/workflows/multi-gpu-e2e.yml
+++ b/.github/workflows/multi-gpu-e2e.yml
@@ -20,6 +20,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions:
+ contents: read
+
 env:
 MODAL_IMAGE_BUILDER_VERSION: "2025.06"
@@ -78,8 +81,9 @@ jobs:
 echo "AXOLOTL_EXTRAS=${{ matrix.axolotl_extras}}" >> $GITHUB_ENV
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run -m cicd.multigpu
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index d2c587cc7e..0372f5c7ab 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 0 * * *' # Runs at 00:00 UTC every day
 
+permissions:
+ contents: read
+
 jobs:
 build-axolotl:
 if: ${{ ! contains(github.event.commits[0].message, '[skip docker]') && github.repository_owner == 'axolotl-ai-cloud' }}
diff --git a/.github/workflows/precommit-autoupdate.yml b/.github/workflows/precommit-autoupdate.yml
index 4c2e59b6bb..d7e4ce141d 100644
--- a/.github/workflows/precommit-autoupdate.yml
+++ b/.github/workflows/precommit-autoupdate.yml
@@ -5,6 +5,8 @@ on:
 - cron: '0 0 1 * *' # Run monthly
 workflow_dispatch: # Manual kickoff
 
+permissions: {}
+
 jobs:
 auto-update:
 runs-on: ubuntu-latest
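Review bot: `permissions: {}` strips every GITHUB_TOKEN scope from the `auto-update` job in precommit-autoupdate.yml, and a job that refreshes `.pre-commit-config.yaml` on a monthly cron is normally expected to commit the result or open a pull request; if it does that with GITHUB_TOKEN (the job body is outside the hunk, so I cannot confirm), the first scheduled run after this change will fail with a 403 at the push/PR step. If so, give the job its own minimal block, `permissions:` with `contents: write` and `pull-requests: write`, or switch it to a dedicated GitHub App or PAT token, and run it once via the `workflow_dispatch` trigger kept in this hunk to verify before the cron fires. If the job already authenticates with a non-GITHUB_TOKEN credential, the empty block is exactly right and this is a non-issue.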
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 3bf66b4975..19dface731 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -3,9 +3,11 @@ name: publish pypi
 on:
 push:
 tags:
- - 'v*'
+ - "v*"
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 setup_release:
 name: Create Release
@@ -28,7 +30,8 @@ jobs:
 name: pypi
 url: https://pypi.org/p/axolotl
 permissions:
- id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+ contents: read
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 steps:
 - name: Check out repository code
 uses: actions/checkout@v4
@@ -46,7 +49,7 @@ jobs:
 - name: Extract tag name
 id: tag
- run: echo ::set-output name=TAG_NAME::$(echo $GITHUB_REF | cut -d / -f 3)
+ run: echo "TAG_NAME=$(echo $GITHUB_REF | cut -d / -f 3)" >> "$GITHUB_OUTPUT"
 - name: Update version in VERSION file
 run: |
diff --git a/.github/workflows/tests-nightly.yml b/.github/workflows/tests-nightly.yml
index d5a533fbcc..663b0476e1 100644
--- a/.github/workflows/tests-nightly.yml
+++ b/.github/workflows/tests-nightly.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - '.github/workflows/tests-nightly.yml'
 
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 name: pre-commit
@@ -156,8 +159,9 @@ jobs:
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 echo "NIGHTLY_BUILD=${{ matrix.nightly_build }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
 docker-e2e-multigpu-tests:
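Review bot: The workflow-level `permissions: {}` in pypi.yml also applies to `setup_release` ("Create Release"), and creating a GitHub release with GITHUB_TOKEN needs `contents: write`; that job's own `permissions:` block, if it has one, is outside this hunk, so please confirm the scope is declared at job level or the release step will 403 on the next `v*` tag. The `workflow_dispatch` trigger is kept next to the tag push, so this publishing pipeline can still be started by hand from a branch ref; the tag-extraction step later in the file has to reject non-tag refs for that to be safe.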
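Review bot: `id-token: write` lets anything executing in the `pypi` job mint the OIDC token PyPI trusts, which makes the job's action references the weakest link, and `actions/checkout@v4` just below the new lines (and presumably the publish action further down, outside the hunk) is pinned by a floating major tag rather than a commit SHA. For a trusted-publishing job, pin each `uses:` to a full commit SHA with a `# vX.Y.Z` trailing comment, and consider `persist-credentials: false` under the checkout's `with:` so the GITHUB_TOKEN is not left in `.git/config` for later steps. Adding `contents: read` explicitly here is correct now that the workflow default is `{}`.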
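Review bot: The new `TAG_NAME` line still derives the version from `$GITHUB_REF | cut -d / -f 3`, which on a `workflow_dispatch` run (the trigger kept in this file's `on:` block) can be a branch ref such as `refs/heads/main`, yielding `TAG_NAME=main` and feeding that into the VERSION file and the publish step; it also truncates any tag that contains a `/`. The step should require a `refs/tags/v*` ref and strip the prefix instead of cutting by field, as below; the `Update version in VERSION file` step that presumably reads `steps.tag.outputs.TAG_NAME` continues outside the hunk.
```yaml
      - name: Extract tag name
        id: tag
        run: |
          case "$GITHUB_REF" in
            refs/tags/v*) echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" ;;
            *) echo "::error::publish requires a v* tag ref, got $GITHUB_REF"; exit 1 ;;
          esac
      # … unchanged: Update version in VERSION file step …
```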
@@ -198,7 +202,8 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "NIGHTLY_BUILD=${{ matrix.nightly_build }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.multigpu
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 23e9d39e39..9df249270e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -28,6 +28,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions:
+ contents: read
+
 env:
 TRANSFORMERS_IS_CI: "yes"
@@ -303,9 +306,10 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
@@ -371,9 +375,10 @@ jobs:
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "GPU_TYPE=${{ matrix.gpu_type || 'L40S'}}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
@@ -413,7 +418,6 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
 run: |
 modal run cicd.cleanup