oneapi-src
diff --git a/‎.github/workflows/bandit.yml
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/bandit.yml
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/cmake.yml
Lines changed: 12 additions & 9 deletions b/‎.github/workflows/cmake.yml
Lines changed: 12 additions & 9 deletions
diff --git a/‎.github/workflows/codeql.yml
Lines changed: 9 additions & 6 deletions b/‎.github/workflows/codeql.yml
Lines changed: 9 additions & 6 deletions
diff --git a/‎.github/workflows/coverage.yml
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/coverage.yml
Lines changed: 5 additions & 2 deletions
diff --git a/‎.github/workflows/coverity.yml
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/coverity.yml
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/docs.yml
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/docs.yml
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/e2e_nightly.yml
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/e2e_nightly.yml
Lines changed: 5 additions & 2 deletions
diff --git a/‎.github/workflows/nightly.yml
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/nightly.yml
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/prerelease.yml
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/prerelease.yml
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 73 additions & 0 deletions b/‎.github/workflows/scorecard.yml
Lines changed: 73 additions & 0 deletions
@@ -7,14 +7,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Bandit
     runs-on: ubuntu-latest
 
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Install pip packages
         run: pip install -r third_party/requirements.txt
 
@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-build:
     name: Build - Ubuntu
@@ -36,7 +39,7 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install apt packages
       run: |
@@ -122,7 +125,7 @@ jobs:
     runs-on: 'ubuntu-22.04'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install pip packages
       run: pip install -r third_party/requirements.txt
@@ -174,7 +177,7 @@ jobs:
     runs-on: ${{matrix.adapter.name}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install pip packages
       run: pip install -r third_party/requirements.txt
@@ -240,13 +243,13 @@ jobs:
     runs-on: ${{matrix.adapter.name}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install pip packages
       run: pip install -r third_party/requirements.txt
 
     - name: Init conda env
-      uses: conda-incubator/setup-miniconda@v2
+      uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0
       with:
           miniconda-version: "latest"
           activate-environment: examples
@@ -306,9 +309,9 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
       with:
         python-version: 3.9
 
@@ -357,9 +360,9 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
       with:
         python-version: 3.9
 
 
@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze-ubuntu:
     name: Analyze on Ubuntu
@@ -18,10 +21,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
       with:
         languages: cpp, python
 
@@ -35,7 +38,7 @@ jobs:
       run: cmake --build ${{github.workspace}}/build -j $(nproc)
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
 
   analyze-windows:
     name: Analyze on Windows
@@ -48,10 +51,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
       with:
         languages: cpp, python
 
@@ -65,4 +68,4 @@ jobs:
       run: cmake --build ${{github.workspace}}/build -j $(nproc) --config Release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
@@ -2,6 +2,9 @@ name: Coverage
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-build:
     name: Build - Ubuntu
@@ -16,7 +19,7 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install apt packages
       run: |
@@ -72,7 +75,7 @@ jobs:
       run: ctest -T Coverage
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
       with:
         gcov: true
         gcov_include: source
@@ -23,6 +23,8 @@ env:
   COVERITY_SCAN_BRANCH_PATTERN:      "main"
   TRAVIS_BRANCH:                     ${{ github.ref_name }}
 
+permissions:
+  contents: read
 
 jobs:
   linux:
@@ -31,7 +33,7 @@ jobs:
 
     steps:
       - name: Clone the git repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Install pip packages
         run: pip install -r third_party/requirements.txt
 
@@ -26,9 +26,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.9
 
@@ -41,14 +41,14 @@ jobs:
         run: python3 -m pip install -r third_party/requirements.txt
 
       - name: Setup Pages
-        uses: actions/configure-pages@v2
+        uses: actions/configure-pages@c5a3e1159e0cbdf0845eb8811bd39e39fc3099c2 # v2.1.3
 
       - name: Build Documentation
         working-directory: ${{github.workspace}}/scripts
         run: python3 run.py --core
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1.0.10
         with:
           path: ${{github.workspace}}/docs/html
 
@@ -62,4 +62,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@f27bcc15848fdcdcc02f01754eb838e44bcf389b # v1.2.9
@@ -5,6 +5,9 @@ on:
     # Run every day at 23:00 UTC
     - cron: '0 23 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   e2e-build-hw:
     name: Build SYCL, UR, run E2E
@@ -29,12 +32,12 @@ jobs:
         rm -rf ./* || true
 
     - name: Checkout UR
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         path: ur-repo
 
     - name: Checkout SYCL
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: intel/llvm
         ref: sycl
 
@@ -5,6 +5,9 @@ on:
     # Run every day at 23:00 UTC
     - cron: '0 23 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   long-fuzz-test:
     name: Run long fuzz tests
@@ -16,7 +19,7 @@ jobs:
     runs-on: 'ubuntu-22.04'
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Install pip packages
       run: pip install -r third_party/requirements.txt
 
@@ -6,13 +6,16 @@ on:
     # At 23:00 on Friday, GitHub actions schedule is in UTC time.
     - cron: 0 23 * * 5
 
+permissions:
+  contents: read
+
 jobs:
   weekly-prerelease:
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Create weekly prerelease
         run:
 
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  workflow_dispatch:
+  schedule:
+    - cron: '45 22 * * 4'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif