From 2fd5c031fd982e74aa8ef7503c91b231d983ec94 Mon Sep 17 00:00:00 2001
From: NanoCode012
Date: Tue, 10 Mar 2026 15:01:12 +0700
Subject: [PATCH 1/4] fix: explicit set workflow permission and move secrets to necessary steps only
---
 .github/workflows/base.yml | 11 +++++++----
 .github/workflows/lint.yml | 3 +++
 .github/workflows/main.yml | 3 +++
 .github/workflows/multi-gpu-e2e.yml | 6 +++++-
 .github/workflows/nightlies.yml | 3 +++
 .github/workflows/pypi.yml | 2 +-
 .github/workflows/tests-nightly.yml | 9 +++++++--
 .github/workflows/tests.yml | 12 +++++++++---
 8 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml
index 10326fba90..32f7e46adb 100644
--- a/.github/workflows/base.yml
+++ b/.github/workflows/base.yml
@@ -15,6 +15,9 @@ on:
 - '.github/workflows/base.yml'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build-base:
 if: ${{ github.repository_owner == 'axolotl-ai-cloud' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) }}
@@ -124,7 +127,7 @@ jobs:
 images: |
 axolotlai/axolotl-base
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -132,7 +135,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 file: ./docker/${{ matrix.dockerfile }}
@@ -239,7 +242,7 @@ jobs:
 images: |
 axolotlai/axolotl-base-uv
 - name: Login to Docker Hub
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 if: ${{ github.event_name != 'pull_request' && env.HAS_DOCKERHUB_CREDS == 'true' }}
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
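Review bot: The bumped `uses: docker/login-action@v3` and `uses: docker/build-push-action@v5` references still resolve a mutable major tag, so each run executes whatever the tag points at that day rather than a reviewed revision; pinning to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, makes the action immutable and makes the next bump reviewable as a diff. The same remark applies to the `@@ -132` and `@@ -239` hunks here and to the `@@ -247` hunk of base.yml that follows, and a Dependabot or Renovate rule for the `github-actions` ecosystem keeps such pins current without manual edits. The jobs these steps belong to start outside the hunks.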
@@ -247,7 +250,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 context: .
 file: ./docker/${{ matrix.dockerfile }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cf322f1059..181fd9dc97 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,9 @@ on:
 - ".pre-commit-config.yaml"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 name: pre-commit
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index aca9b1dd36..439db91733 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
 - "v*"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build-axolotl:
 if: ${{ ! contains(github.event.commits[0].message, '[skip docker]') && github.repository_owner == 'axolotl-ai-cloud' }}
diff --git a/.github/workflows/multi-gpu-e2e.yml b/.github/workflows/multi-gpu-e2e.yml
index 6063c24c74..2bb499ded0 100644
--- a/.github/workflows/multi-gpu-e2e.yml
+++ b/.github/workflows/multi-gpu-e2e.yml
@@ -20,6 +20,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions:
+ contents: read
+
 env:
 MODAL_IMAGE_BUILDER_VERSION: "2025.06"
 
@@ -78,8 +81,9 @@ jobs:
 echo "AXOLOTL_EXTRAS=${{ matrix.axolotl_extras}}" >> $GITHUB_ENV
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run -m cicd.multigpu
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index d2c587cc7e..0372f5c7ab 100644
--- a/.github/workflows/nightlies.yml
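Review bot: The new `env:` block that scopes `CODECOV_TOKEN` to the Modal step carries no comment, so nothing tells a later editor why the token is not simply appended to the `echo ... >> $GITHUB_ENV` list above it like the other variables; a one-liner such as `env: # step-scoped on purpose: keeps the token out of $GITHUB_ENV, which every later step in the job can read` records the intent. The same applies to the matching hunks in tests-nightly.yml (`@@ -156`, `@@ -198`) and tests.yml (`@@ -303`, `@@ -371`, `@@ -413`). As a point of style, the `>> $GITHUB_ENV` redirections in this step stay unquoted while the pypi.yml hunk in the same commit writes `>> "$GITHUB_OUTPUT"`; `>> "$GITHUB_ENV"` throughout would be consistent. The step's job starts outside the hunk.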
+++ b/.github/workflows/nightlies.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 0 * * *' # Runs at 00:00 UTC every day
 
+permissions:
+ contents: read
+
 jobs:
 build-axolotl:
 if: ${{ ! contains(github.event.commits[0].message, '[skip docker]') && github.repository_owner == 'axolotl-ai-cloud' }}
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 3bf66b4975..d3640b75d0 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Extract tag name
 id: tag
- run: echo ::set-output name=TAG_NAME::$(echo $GITHUB_REF | cut -d / -f 3)
+ run: echo "TAG_NAME=$(echo $GITHUB_REF | cut -d / -f 3)" >> "$GITHUB_OUTPUT"
 - name: Update version in VERSION file
 run: |
diff --git a/.github/workflows/tests-nightly.yml b/.github/workflows/tests-nightly.yml
index d5a533fbcc..663b0476e1 100644
--- a/.github/workflows/tests-nightly.yml
+++ b/.github/workflows/tests-nightly.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - '.github/workflows/tests-nightly.yml'
 
+permissions:
+ contents: read
+
 jobs:
 pre-commit:
 name: pre-commit
@@ -156,8 +159,9 @@ jobs:
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 echo "NIGHTLY_BUILD=${{ matrix.nightly_build }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
 docker-e2e-multigpu-tests:
@@ -198,7 +202,8 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "NIGHTLY_BUILD=${{ matrix.nightly_build }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.multigpu
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 23e9d39e39..2a3c621fe8 100644
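Review bot: In the pypi.yml `@@ -46` hunk, the new `run:` line still derives the tag with `cut -d / -f 3`, which truncates any tag containing a slash and, because this workflow also has a `workflow_dispatch` trigger, turns `refs/heads/<branch>` into a branch name instead of failing; `run: echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"` (or `$GITHUB_REF_NAME`) yields the full tag with no subshell. A step or job condition such as `if: startsWith(github.ref, 'refs/tags/')` would additionally keep a manual run from carrying a non-tag value into the version update that follows. The enclosing job starts outside the hunk.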
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -28,6 +28,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions:
+ contents: read
+
 env:
 TRANSFORMERS_IS_CI: "yes"
 
@@ -303,9 +306,10 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
 
@@ -371,9 +375,10 @@ jobs:
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 echo "GPU_TYPE=${{ matrix.gpu_type || 'L40S'}}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 echo "E2E_DOCKERFILE=${{ matrix.dockerfile || 'Dockerfile.jinja'}}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.e2e_tests
 
@@ -413,7 +418,8 @@ jobs:
 echo "CUDA=${{ matrix.cuda }}" >> $GITHUB_ENV
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
- echo "CODECOV_TOKEN=${{ secrets.CODECOV_TOKEN }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.cleanup
From 7787a3ac74500e7f12bca0f2523132d74b716eda Mon Sep 17 00:00:00 2001
From: NanoCode012
Date: Tue, 10 Mar 2026 15:24:26 +0700
Subject: [PATCH 2/4] fix: comment
---
 .github/workflows/tests.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 2a3c621fe8..9df249270e 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -419,7 +419,5 @@ jobs:
 echo "MODAL_IMAGE_BUILDER_VERSION=2024.10" >> $GITHUB_ENV
 echo "N_GPUS=${{ matrix.num_gpus }}" >> $GITHUB_ENV
 - name: Run tests job on Modal
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 run: |
 modal run cicd.cleanup
From 632cd182a19488f215dd01a7f52ad624a126a5c8 Mon Sep 17 00:00:00 2001
From: NanoCode012
Date: Tue, 10 Mar 2026 15:41:59 +0700
Subject: [PATCH 3/4] fix: more permission restrict
---
 .github/workflows/precommit-autoupdate.yml | 2 ++
 .github/workflows/pypi.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/precommit-autoupdate.yml b/.github/workflows/precommit-autoupdate.yml
index 4c2e59b6bb..d7e4ce141d 100644
--- a/.github/workflows/precommit-autoupdate.yml
+++ b/.github/workflows/precommit-autoupdate.yml
@@ -5,6 +5,8 @@ on:
 - cron: '0 0 1 * *' # Run monthly
 workflow_dispatch: # Manual kickoff
 
+permissions: {}
+
 jobs:
 auto-update:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index d3640b75d0..6674e4aa60 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -6,6 +6,8 @@ on:
 - 'v*'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 setup_release:
 name: Create Release
From e804c872ec654f80b93ff445e8c880764b9812e3 Mon Sep 17 00:00:00 2001
From: NanoCode012
Date: Wed, 11 Mar 2026 13:25:37 +0700
Subject: [PATCH 4/4] chore: add read for pypi
---
 .github/workflows/pypi.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 6674e4aa60..19dface731 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -3,7 +3,7 @@ name: publish pypi
 on:
 push:
 tags:
- - 'v*'
+ - "v*"
 workflow_dispatch:
 
 permissions: {}
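Review bot: The workflow-level `permissions: {}` added in the precommit-autoupdate.yml and pypi.yml hunks of PATCH 3 strips every GITHUB_TOKEN scope from any job that does not declare its own, and neither `auto-update` nor `setup_release` (Create Release) receives a job-level block anywhere in this series; if either job checks out the repository, pushes a branch, opens a pull request or creates a release with GITHUB_TOKEN rather than a separately provisioned PAT, that step will be denied on the next run. Declaring what each job actually needs at job level, e.g. `permissions:` / `contents: read` for a checkout-only job and `contents: write` or `pull-requests: write` only where the job writes, keeps the least-privilege default while making the requirement visible next to the job. Both job bodies are outside these hunks, so this is inferred from the job names alone and should be checked against their steps.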
@@ -30,7 +30,8 @@ jobs:
 name: pypi
 url: https://pypi.org/p/axolotl
 permissions:
- id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+ contents: read
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
 steps:
 - name: Check out repository code
 uses: actions/checkout@v4
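Review bot: The new `contents: read` line has no rationale while the `id-token: write` line beside it does, and because the workflow-level default became `permissions: {}` in the previous commit, a later reader may drop it as redundant; a trailing comment such as `contents: read # required by actions/checkout below now that the workflow default is empty` records why it is there. `actions/checkout@v4` on the last context line is pinned by tag rather than by commit SHA, the same remark as for the docker actions earlier in the series. The enclosing job starts outside the hunk.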