diff --git a/.github/actions/setup-python-env/action.yml b/.github/actions/setup-python-env/action.yml index 303929908..fa5aae135 100644 --- a/.github/actions/setup-python-env/action.yml +++ b/.github/actions/setup-python-env/action.yml @@ -39,4 +39,9 @@ runs: - name: Install extra packages if: inputs.extra-packages != '' shell: bash - run: pip install ${{ inputs.extra-packages }} + env: + EXTRA_PACKAGES: ${{ inputs.extra-packages }} + # Pass packages via env var to prevent shell-injection from the input value. + # Word-splitting on $EXTRA_PACKAGES is intentional (space-separated list). + # shellcheck disable=SC2086 + run: pip install $EXTRA_PACKAGES diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index cd7f9af5e..6b110fdc7 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -32,7 +32,7 @@ jobs: run: sudo apt-get update && sudo apt-get install -y shellcheck - name: Run actionlint - uses: reviewdog/action-actionlint@v1 + uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 with: fail_level: failure reporter: github-check diff --git a/.github/workflows/aria-tests.yml b/.github/workflows/aria-tests.yml index 4d9ec70fa..911f3089e 100644 --- a/.github/workflows/aria-tests.yml +++ b/.github/workflows/aria-tests.yml @@ -31,6 +31,9 @@ on: - '.github/workflows/aria-tests.yml' workflow_dispatch: # Manual trigger +permissions: + contents: read + concurrency: group: aria-tests-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/auto-validation.yml b/.github/workflows/auto-validation.yml index a15c5186f..e54e78721 100644 --- a/.github/workflows/auto-validation.yml +++ b/.github/workflows/auto-validation.yml @@ -25,6 +25,9 @@ on: - cron: '0 5 * * *' workflow_dispatch: +permissions: + contents: read + concurrency: auto-validation jobs: diff --git a/.github/workflows/azureml-train.yml b/.github/workflows/azureml-train.yml index 3c080e821..8b1091115 100644 --- a/.github/workflows/azureml-train.yml +++ b/.github/workflows/azureml-train.yml @@ -55,12 +55,19 @@ jobs: with: inlineScript: | az extension add -n ml -y - az account set --subscription "${{ github.event.inputs.subscriptionId }}" - az configure --defaults group="${{ github.event.inputs.resourceGroup }}" workspace="${{ github.event.inputs.workspaceName }}" + az account set --subscription "$SUBSCRIPTION_ID" + az configure --defaults group="$RESOURCE_GROUP" workspace="$WORKSPACE_NAME" + env: + SUBSCRIPTION_ID: ${{ github.event.inputs.subscriptionId }} + RESOURCE_GROUP: ${{ github.event.inputs.resourceGroup }} + WORKSPACE_NAME: ${{ github.event.inputs.workspaceName }} - name: Submit Azure ML job uses: azure/cli@v2 with: inlineScript: | - echo "Submitting job from ${{ github.event.inputs.jobFile }} ..." - az ml job create -f "${{ github.event.inputs.jobFile }}" --set compute="${{ github.event.inputs.compute }}" --stream + echo "Submitting job from $JOB_FILE ..." + az ml job create -f "$JOB_FILE" --set compute="$COMPUTE_TARGET" --stream + env: + JOB_FILE: ${{ github.event.inputs.jobFile }} + COMPUTE_TARGET: ${{ github.event.inputs.compute }} diff --git a/.github/workflows/broken-links.yml b/.github/workflows/broken-links.yml index d1d80e823..9806aab1d 100644 --- a/.github/workflows/broken-links.yml +++ b/.github/workflows/broken-links.yml @@ -29,7 +29,7 @@ jobs: uses: actions/checkout@v4 - name: Check links in docs and markdown - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 with: fail: true args: >- diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml index c26b69c27..5041430c6 100644 --- a/.github/workflows/ci-pipeline.yml +++ b/.github/workflows/ci-pipeline.yml @@ -19,6 +19,9 @@ on: schedule: - cron: '0 2 * * *' # Daily at 2 AM UTC +permissions: + contents: read + concurrency: group: ci-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml index ea8a8b5cb..7c7a8dfc0 100644 --- a/.github/workflows/code-quality.yml +++ b/.github/workflows/code-quality.yml @@ -7,6 +7,9 @@ on: branches: [ main, dev ] workflow_dispatch: +permissions: + contents: read + concurrency: group: quality-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/coverage-report.yml b/.github/workflows/coverage-report.yml index 2df01ec2d..bcd0fdd4a 100644 --- a/.github/workflows/coverage-report.yml +++ b/.github/workflows/coverage-report.yml @@ -91,7 +91,7 @@ jobs: - name: Download main baseline if: github.event_name == 'pull_request' id: dl-base - uses: dawidd6/action-download-artifact@v6 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: name: coverage-main-baseline workflow: coverage-report.yml diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 955aadfbf..b00227060 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/devcontainer-ci.yml b/.github/workflows/devcontainer-ci.yml index bc2d3e809..62cc85fa2 100644 --- a/.github/workflows/devcontainer-ci.yml +++ b/.github/workflows/devcontainer-ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: build-and-test: runs-on: ubuntu-latest @@ -14,6 +17,6 @@ jobs: uses: actions/checkout@v4 - name: Build and test devcontainer - uses: devcontainers/ci@v0.2 + uses: devcontainers/ci@b63b30de439b47a52267f241112c5b453b673db5 # v0.3 with: runCmd: python -m pytest tests -q --maxfail=1 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 2b7c2fa99..0fc7119d3 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -18,6 +18,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + concurrency: group: e2e-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/llm-maker-tests.yml b/.github/workflows/llm-maker-tests.yml index 3f6b435bb..4460e407c 100644 --- a/.github/workflows/llm-maker-tests.yml +++ b/.github/workflows/llm-maker-tests.yml @@ -9,6 +9,9 @@ on: - 'ai-projects/llm-maker/**' workflow_dispatch: +permissions: + contents: read + jobs: test-llm-maker: runs-on: ubuntu-latest diff --git a/.github/workflows/markdown-quality.yml b/.github/workflows/markdown-quality.yml index 19e37d004..e2bbd8517 100644 --- a/.github/workflows/markdown-quality.yml +++ b/.github/workflows/markdown-quality.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v4 - name: Lint Markdown files - uses: DavidAnson/markdownlint-cli2-action@v20 + uses: DavidAnson/markdownlint-cli2-action@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 with: globs: | **/*.md diff --git a/.github/workflows/nightly-regression.yml b/.github/workflows/nightly-regression.yml index 6ac9a9d9d..afe9b78b7 100644 --- a/.github/workflows/nightly-regression.yml +++ b/.github/workflows/nightly-regression.yml @@ -124,7 +124,7 @@ jobs: - name: Download previous baseline artifact id: download-prev - uses: dawidd6/action-download-artifact@v6 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: github_token: ${{ secrets.GITHUB_TOKEN }} workflow: nightly-regression.yml diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index f7762a8fb..567996833 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -63,20 +63,21 @@ jobs: fetch-depth: 0 - name: Check PR size + id: size + env: + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | - BASE_SHA=${{ github.event.pull_request.base.sha }} - HEAD_SHA=${{ github.event.pull_request.head.sha }} - - ADDITIONS=$(git diff $BASE_SHA...$HEAD_SHA --numstat | awk '{sum+=$1} END {print sum}') - DELETIONS=$(git diff $BASE_SHA...$HEAD_SHA --numstat | awk '{sum+=$2} END {print sum}') - FILES_CHANGED=$(git diff $BASE_SHA...$HEAD_SHA --name-only | wc -l) + ADDITIONS=$(git diff "$BASE_SHA"..."$HEAD_SHA" --numstat | awk '{sum+=$1} END {print sum}') + DELETIONS=$(git diff "$BASE_SHA"..."$HEAD_SHA" --numstat | awk '{sum+=$2} END {print sum}') + FILES_CHANGED=$(git diff "$BASE_SHA"..."$HEAD_SHA" --name-only | wc -l) echo "Files changed: $FILES_CHANGED" echo "Lines added: $ADDITIONS" echo "Lines deleted: $DELETIONS" # Warn if PR is very large - if [ $FILES_CHANGED -gt 50 ] || [ $ADDITIONS -gt 1000 ]; then + if [ "$FILES_CHANGED" -gt 50 ] || [ "$ADDITIONS" -gt 1000 ]; then echo "⚠️ Warning: This is a large PR. Consider breaking it into smaller PRs for easier review." echo "pr_size=large" >> $GITHUB_OUTPUT else @@ -95,7 +96,7 @@ jobs: uses: actions/checkout@v4 - name: Label PR based on files changed - uses: actions/labeler@v5 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 5bb069731..4260f2a00 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -16,6 +16,9 @@ on: required: false default: '10' +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/quantum-ai-smoke.yml b/.github/workflows/quantum-ai-smoke.yml index 2e2b4b407..3fce108a2 100644 --- a/.github/workflows/quantum-ai-smoke.yml +++ b/.github/workflows/quantum-ai-smoke.yml @@ -13,6 +13,9 @@ on: - '.github/workflows/quantum-ai-smoke.yml' workflow_dispatch: +permissions: + contents: read + jobs: smoke-quantum-ai: name: Smoke Quantum Code LLM diff --git a/.github/workflows/quantum-orchestration.yml b/.github/workflows/quantum-orchestration.yml index 594012937..b5a0e041c 100644 --- a/.github/workflows/quantum-orchestration.yml +++ b/.github/workflows/quantum-orchestration.yml @@ -15,15 +15,17 @@ on: branches: [ main ] workflow_dispatch: inputs: - AZURE_CREDENTIALS: - description: "Service principal JSON for azure/login (optional; recommended via GitHub Secret)" - required: false - type: string LOGIC_APP_URL: description: "Logic App URL for optional notifications" required: false type: string +# Credentials must come exclusively from the AZURE_CREDENTIALS repository secret. +# Never pass service principal JSON as a workflow_dispatch input — it would be +# visible in the GitHub Actions UI and potentially captured in runner logs. +permissions: + contents: read + jobs: run-quantum: runs-on: windows-latest @@ -31,10 +33,10 @@ jobs: steps: - uses: actions/checkout@v4 - name: Azure Login - if: ${{ inputs.AZURE_CREDENTIALS != '' }} + if: ${{ secrets.AZURE_CREDENTIALS != '' }} uses: azure/login@v2 with: - creds: ${{ inputs.AZURE_CREDENTIALS }} + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Run Orchestration shell: pwsh run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 71c47b013..ae01b74f2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -64,7 +64,7 @@ jobs: cat CHANGELOG.md - name: Create GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: tag_name: ${{ steps.version.outputs.version }} name: Release ${{ steps.version.outputs.version }} @@ -85,7 +85,7 @@ jobs: git archive --format=zip --prefix=aria-${{ steps.version.outputs.version_number }}/ HEAD > release-artifacts/aria-${{ steps.version.outputs.version_number }}.zip - name: Upload release artifacts - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: tag_name: ${{ steps.version.outputs.version }} files: | diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index dae33e838..aca6214a7 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Mark stale issues and PRs - uses: actions/stale@v9 + uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }}