[CI] Set read-all for workflows top-level token-permissions (#1777)

disable_all

---------

Co-authored-by: mengfeil <test>

Author: mengfei25

.github/workflows/_linux_accelerate.yml

@@ -39,13 +39,37 @@ on:
         default: 'v4.51.3'
         description: Transformers version
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
+  conditions-filter:
+    name: conditions-filter
+    if: ${{ github.event.pull_request.draft == false }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    env:
+      GH_TOKEN: ${{ github.token }}
+    outputs:
+      disabled_tests: ${{ steps.check-pr-desc.outputs.disabled_tests }}
+    steps:
+      - name: Check PR infos
+        id: check-pr-desc
+        run: |
+          set -x -e -o pipefail
+          sudo apt update && sudo apt install -y dos2unix
+          gh --repo ${GITHUB_REPOSITORY} pr view ${{ github.event.pull_request.number }} 2>&1 |tee pr-info.txt
+          dos2unix pr-info.txt
+          disabled_tests="$(awk '/disable_/{printf("%s ", $0)}' pr-info.txt)"
+          echo "disabled_tests=${disabled_tests}" |tee "${GITHUB_OUTPUT}"
+
   Torch-XPU-Accelerate-Tests:
     runs-on: ${{ inputs.runner != '' && inputs.runner || 'linux.idc.xpu' }}
+    needs: conditions-filter
+    if: ${{ !(contains(needs.conditions-filter.outputs.disabled_tests, 'disable_all') || contains(needs.conditions-filter.outputs.disabled_tests, 'disable_accelerate')) }}
     env:
       WORK_DIR: 'accelerate'
       NEOReadDebugKeys: 0

.github/workflows/_linux_build.yml

@@ -38,6 +38,8 @@ on:
         description: The commit id of the torch build
         value: ${{ jobs.build.outputs.TORCH_COMMIT_ID }}
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}

.github/workflows/_linux_op_benchmark.yml

@@ -34,6 +34,8 @@ on:
         default: 'rolling'
         description: Driver lts/rolling
 
+permissions: read-all
+
 jobs:
   op_benchmark_test:
     runs-on: ${{ inputs.runner }} 

.github/workflows/_linux_transformers.yml

@@ -44,6 +44,8 @@ on:
         default: 'v4.51.3'
         description: Transformers version
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -72,8 +74,30 @@ env:
   TORCH_INDEX: '--pre --index-url https://download.pytorch.org/whl/nightly/xpu'
 
 jobs:
+  conditions-filter:
+    name: conditions-filter
+    if: ${{ github.event.pull_request.draft == false }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    env:
+      GH_TOKEN: ${{ github.token }}
+    outputs:
+      disabled_tests: ${{ steps.check-pr-desc.outputs.disabled_tests }}
+    steps:
+      - name: Check PR infos
+        id: check-pr-desc
+        run: |
+          set -x -e -o pipefail
+          sudo apt update && sudo apt install -y dos2unix
+          gh --repo ${GITHUB_REPOSITORY} pr view ${{ github.event.pull_request.number }} 2>&1 |tee pr-info.txt
+          dos2unix pr-info.txt
+          disabled_tests="$(awk '/disable_/{printf("%s ", $0)}' pr-info.txt)"
+          echo "disabled_tests=${disabled_tests}" |tee "${GITHUB_OUTPUT}"
+
   prepare:
     runs-on: ${{ inputs.runner != '' && inputs.runner || 'linux.idc.xpu' }}
+    needs: conditions-filter
+    if: ${{ !(contains(needs.conditions-filter.outputs.disabled_tests, 'disable_all') || contains(needs.conditions-filter.outputs.disabled_tests, 'disable_transformers')) }}
     outputs:
       torch: ${{ steps.getver.outputs.torch }}
       torchvision: ${{ steps.getver.outputs.torchvision }}
@@ -313,7 +337,7 @@ jobs:
 
   report:
     needs: tests
-    if: ${{ always() }}
+    if: ${{ success() || failure() }}
     runs-on: ${{ inputs.runner != '' && inputs.runner || 'linux.idc.xpu' }}
     steps:
       - name: Download reports

.github/workflows/_linux_ut.yml

@@ -44,6 +44,8 @@ on:
         default: 'lts'
         description: Driver lts/rolling
 
+permissions: read-all
+
 jobs:
   ut_test:
     runs-on: ${{ inputs.runner }}
@@ -65,7 +67,8 @@ jobs:
                 rm -rf $(dirname ${CONDA_EXE})/../envs/xpu_op_${ZE_AFFINITY_MASK}
           conda create -n xpu_op_${ZE_AFFINITY_MASK} python=${{ inputs.python }} cmake ninja -y
           source activate xpu_op_${ZE_AFFINITY_MASK}
-          cd ../ && rm -rf pytorch
+          cd ../
+          rm -rf pytorch || sudo rm -rf pytorch
           pip install requests
           git clone https://github.com/pytorch/pytorch pytorch
           if [ "${{ inputs.pytorch }}" != "nightly_wheel" ]; then

.github/workflows/_performance_comparison.yml

@@ -14,6 +14,8 @@ on:
         default: ''
         description: Baseline run id
 
+permissions: read-all
+
 jobs:
   Performance-Comparison:
     env:

.github/workflows/_windows_ut.yml

@@ -44,6 +44,8 @@ on:
         default: 'false'
         description: Check if labelled
 
+permissions: read-all
+
 env: 
     USE_XPU: 1
 

.github/workflows/nightly_ondemand.yml

@@ -59,6 +59,8 @@ on:
         default: '3.10'
         description: Python version
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.sha }}-${{ github.event_name }}-${{ inputs.pytorch }}-${{ inputs.keep_torch_xpu_ops }}-${{ inputs.ut }}-${{ inputs.triton }}-${{ inputs.suite }}-${{ inputs.dt }}-${{ inputs.mode }}-${{ inputs.scenario }}-${{ inputs.model }}-${{ inputs.python }}
   cancel-in-progress: ${{ github.event_name != 'schedule' }}
@@ -129,7 +131,8 @@ jobs:
       - name: Prepare Stock Pytorch
         run: |
           pwd
-          cd ../ && rm -rf pytorch
+          cd ../
+          rm -rf pytorch || sudo rm -rf pytorch
           source activate e2e_ci
           git clone https://github.com/pytorch/pytorch pytorch
           cd pytorch && git checkout $(echo ${{ env.pytorch }} |awk '{print $1}') 
@@ -369,6 +372,8 @@ jobs:
   Tests-Failure-And-Report:
     if: ${{ ! cancelled() }}
     runs-on: [ self-hosted, Linux ]
+    permissions:
+      issues: write
     env:
       GH_TOKEN: ${{ github.token }}
       python: ${{ github.event_name == 'schedule' && '3.10' || inputs.python }}

.github/workflows/nightly_ondemand_rolling.yml

@@ -59,6 +59,8 @@ on:
         default: '3.10'
         description: Python version
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.sha }}-${{ github.event_name }}-${{ inputs.pytorch }}-${{ inputs.keep_torch_xpu_ops }}-${{ inputs.ut }}-${{ inputs.triton }}-${{ inputs.suite }}-${{ inputs.dt }}-${{ inputs.mode }}-${{ inputs.scenario }}-${{ inputs.model }}-${{ inputs.python }}
   cancel-in-progress: ${{ github.event_name != 'schedule' }}
@@ -145,7 +147,8 @@ jobs:
       - name: Prepare Stock Pytorch
         run: |
           pwd
-          cd ../ && rm -rf pytorch
+          cd ../
+          rm -rf pytorch || sudo rm -rf pytorch
           source activate e2e_ci
           git clone https://github.com/pytorch/pytorch pytorch
           cd pytorch && git checkout $(echo ${{ env.pytorch }} |awk '{print $1}') 
@@ -383,6 +386,8 @@ jobs:
   Tests-Failure-And-Report:
     if: ${{ ! cancelled() }}
     runs-on: [ self-hosted, Linux ]
+    permissions:
+      issues: write
     env:
       GH_TOKEN: ${{ github.token }}
       python: ${{ github.event_name == 'schedule' && '3.10' || inputs.python }}

.github/workflows/nightly_ondemand_whl.yml

@@ -49,6 +49,8 @@ on:
         default: '3.10'
         description: Python version
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.sha }}-${{ github.event_name }}-${{ inputs.pytorch }}-${{ inputs.ut }}-${{ inputs.suite }}-${{ inputs.dt }}-${{ inputs.mode }}-${{ inputs.scenario }}-${{ inputs.model }}-${{ inputs.python }}
   cancel-in-progress: ${{ github.event_name != 'schedule' }}
@@ -108,7 +110,8 @@ jobs:
           echo "TORCH_BRANCH_ID=$(python -c 'import torch; print(torch.__version__)')" |tee -a "${GITHUB_OUTPUT}" >> "${GITHUB_ENV}"
           TORCH_COMMIT_ID=$(python -c 'import torch; print(torch.version.git_version)')
           echo "TORCH_COMMIT_ID=${TORCH_COMMIT_ID}" |tee -a "${GITHUB_OUTPUT}" >> "${GITHUB_ENV}"
-          cd ../ && rm -rf pytorch
+          cd ../
+          rm -rf pytorch || sudo rm -rf pytorch
           git clone https://github.com/pytorch/pytorch pytorch
           cd pytorch && git checkout ${TORCH_COMMIT_ID}
           # apply PRs for stock pytorch
@@ -320,6 +323,8 @@ jobs:
   Tests-Failure-And-Report:
     if: ${{ ! cancelled() }}
     runs-on: [ self-hosted, Linux ]
+    permissions:
+      issues: write
     env:
       GH_TOKEN: ${{ github.token }}
       python: ${{ github.event_name == 'schedule' && '3.10' || inputs.python }}