[StepSecurity] ci: Harden GitHub Actions (#198)

step-security-bot · cquil11 · web-flow · commit f704cde107b8 · 2025-11-10T11:08:42.000-06:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: Cameron Quilici &lt;cjquilici@gmail.com&gt;
diff --git a/.github/workflows/benchmark-multinode-tmpl.yml b/.github/workflows/benchmark-multinode-tmpl.yml
@@ -49,6 +49,9 @@ env:
   RANDOM_RANGE_RATIO: ${{ inputs.random-range-ratio }}
   MTP_MODE: ${{ inputs.mtp-mode }}
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     runs-on: ${{ inputs.runner }}
@@ -65,7 +68,7 @@ jobs:
             sleep 5
           done
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ secrets.REPO_PAT }}
           fetch-depth: 0
@@ -106,7 +109,7 @@ jobs:
           done
 
       - name: Upload results
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: ${{ env.RESULT_FILENAME }}
           path: agg_${{ env.RESULT_FILENAME }}_*.json
diff --git a/.github/workflows/benchmark-tmpl.yml b/.github/workflows/benchmark-tmpl.yml
@@ -63,6 +63,9 @@ env:
   DP_ATTENTION: ${{ inputs.dp-attn }}
   CONC: ${{ inputs.conc }}
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     runs-on: ${{ inputs.runner }}
@@ -119,7 +122,7 @@ jobs:
             done
           fi
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ secrets.REPO_PAT }}
           fetch-depth: 0
@@ -143,7 +146,7 @@ jobs:
         run: |
           python3 utils/process_result.py
       - name: Upload result
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: ${{ env.RESULT_FILENAME }}
           path: agg_${{ env.RESULT_FILENAME }}.json
diff --git a/.github/workflows/collect-results.yml b/.github/workflows/collect-results.yml
@@ -8,13 +8,16 @@ on:
         type: string
         default: ''
 
+permissions:
+  contents: read
+
 jobs:
   collect-results:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ secrets.REPO_PAT }}
           fetch-depth: 0
@@ -28,7 +31,7 @@ jobs:
         run: pip install -q matplotlib
 
       - name: Download JSON artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: results/
           pattern: ${{ inputs.exp-name && format('{0}_*', inputs.exp-name) || '*' }}
@@ -40,15 +43,15 @@ jobs:
         run: python3 utils/collect_results.py results/ ${{ inputs.exp-name || 'all' }}
 
       - name: Upload aggregated results
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: results_${{ inputs.exp-name || 'all' }}
           path: agg_${{ inputs.exp-name || 'all' }}.json
 
       - name: Plot performance
         run: python3 utils/plot_perf.py results/ ${{ inputs.exp-name || 'all' }}
       - name: Upload performance graphs
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: graphs_${{ inputs.exp-name || 'all' }}
           path: |
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -16,7 +16,7 @@ jobs:
             search-space-config: ${{ steps.get-jobs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -72,7 +72,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                   token: ${{ secrets.REPO_PAT }}
                   fetch-depth: 0
@@ -86,15 +86,15 @@ jobs:
               run: pip install PyGithub
 
             - name: Download results artifacts
-              uses: actions/download-artifact@v6
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
               with:
                   path: ${{ env.RESULTS_DIR }}
                   pattern: results_*
 
             - name: Calculate success rate
               run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-            - uses: actions/upload-artifact@v5
+            - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: "run-stats"
                   path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/full-sweep-1k1k-scheduler.yml b/.github/workflows/full-sweep-1k1k-scheduler.yml
@@ -12,7 +12,7 @@ jobs:
             search-space-config: ${{ steps.get-dsr1-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -33,7 +33,7 @@ jobs:
             search-space-config: ${{ steps.get-gptoss-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -168,7 +168,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                   token: ${{ secrets.REPO_PAT }}
                   fetch-depth: 0
@@ -182,15 +182,15 @@ jobs:
               run: pip install PyGithub
 
             - name: Download results artifacts
-              uses: actions/download-artifact@v6
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
               with:
                   path: ${{ env.RESULTS_DIR }}
                   pattern: results_*
 
             - name: Calculate success rate
               run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-            - uses: actions/upload-artifact@v5
+            - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: "run-stats"
                   path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/full-sweep-1k8k-scheduler.yml b/.github/workflows/full-sweep-1k8k-scheduler.yml
@@ -12,7 +12,7 @@ jobs:
             search-space-config: ${{ steps.get-dsr1-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -33,7 +33,7 @@ jobs:
             search-space-config: ${{ steps.get-gptoss-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -123,7 +123,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                   token: ${{ secrets.REPO_PAT }}
                   fetch-depth: 0
@@ -137,15 +137,15 @@ jobs:
               run: pip install PyGithub
 
             - name: Download results artifacts
-              uses: actions/download-artifact@v6
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
               with:
                   path: ${{ env.RESULTS_DIR }}
                   pattern: results_*
 
             - name: Calculate success rate
               run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-            - uses: actions/upload-artifact@v5
+            - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: "run-stats"
                   path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/full-sweep-8k1k-scheduler.yml b/.github/workflows/full-sweep-8k1k-scheduler.yml
@@ -12,7 +12,7 @@ jobs:
             search-space-config: ${{ steps.get-dsr1-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -33,7 +33,7 @@ jobs:
             search-space-config: ${{ steps.get-gptoss-configs.outputs.search-space-config }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -168,7 +168,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                   token: ${{ secrets.REPO_PAT }}
                   fetch-depth: 0
@@ -182,15 +182,15 @@ jobs:
               run: pip install PyGithub
 
             - name: Download results artifacts
-              uses: actions/download-artifact@v6
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
               with:
                   path: ${{ env.RESULTS_DIR }}
                   pattern: results_*
 
             - name: Calculate success rate
               run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-            - uses: actions/upload-artifact@v5
+            - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: "run-stats"
                   path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/full-sweep-test.yml b/.github/workflows/full-sweep-test.yml
@@ -46,7 +46,7 @@ jobs:
             gptoss-8k1k: ${{ steps.generate-configs.outputs.gptoss-8k1k }}
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
             - name: Set up Python
               uses: actions/setup-python@v6
@@ -429,7 +429,7 @@ jobs:
             GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
         steps:
-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                   token: ${{ secrets.REPO_PAT }}
                   fetch-depth: 0
@@ -443,15 +443,15 @@ jobs:
               run: pip install PyGithub
 
             - name: Download results artifacts
-              uses: actions/download-artifact@v6
+              uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
               with:
                   path: ${{ env.RESULTS_DIR }}
                   pattern: results_*
 
             - name: Calculate success rate
               run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-            - uses: actions/upload-artifact@v5
+            - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: "run-stats"
                   path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/label-validation.yml b/.github/workflows/label-validation.yml
@@ -16,7 +16,7 @@ jobs:
       search-space-config: ${{ steps.get-jobs.outputs.search-space-config }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Set up Python
         uses: actions/setup-python@v6
@@ -127,7 +127,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.REPO_PAT }}
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           token: ${{ secrets.REPO_PAT }}
           fetch-depth: 0
@@ -141,15 +141,15 @@ jobs:
         run: pip install PyGithub
 
       - name: Download results artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: ${{ env.RESULTS_DIR }}
           pattern: results_*
 
       - name: Calculate success rate
         run: python3 utils/calc_success_rate.py $STATS_FILENAME
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: "run-stats"
           path: ${{ env.STATS_FILENAME }}.json
diff --git a/.github/workflows/pr-line-counter.yml b/.github/workflows/pr-line-counter.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - 'utils/matrix-logic/**'
 
+permissions:
+  contents: read
+
 jobs:
   count-lines:
     if: github.event.pull_request.draft != true
@@ -18,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -108,7 +111,7 @@ jobs:
           fi
 
       - name: Comment on PR
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fileExists = '${{ steps.line-count.outputs.file_exists }}';
diff --git a/.github/workflows/test-matrix-logic.yml b/.github/workflows/test-matrix-logic.yml
@@ -5,6 +5,9 @@ on:
     paths:
       - 'utils/matrix-logic/**'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     if: github.event.pull_request.draft != true
@@ -14,10 +17,10 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.12'
 
