From eb9ba18afb033e42beaecd58f923dbd89d9f15ef Mon Sep 17 00:00:00 2001 From: minmingzhu Date: Wed, 28 Feb 2024 07:27:02 +0000 Subject: [PATCH] fix openssf issues Signed-off-by: minmingzhu --- .github/workflows/ci-checks-build.yml | 19 ++++++++------- .github/workflows/ci-tests.yml | 34 ++++++++++++++------------- .github/workflows/dev_cron.yml | 9 +++---- 3 files changed, 34 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci-checks-build.yml b/.github/workflows/ci-checks-build.yml index 5990908f3..e2d9ea941 100644 --- a/.github/workflows/ci-checks-build.yml +++ b/.github/workflows/ci-checks-build.yml @@ -2,14 +2,17 @@ name: Checks and Build on: [push, pull_request] +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: code-checks-scala: name: Code Checks for Scala runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Check Scala code @@ -21,9 +24,9 @@ jobs: name: Code Checks for Java runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Check Java code @@ -35,7 +38,7 @@ jobs: name: Code Checks for C++ runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Install clang-format run: | sudo apt-get update 
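Review bot: The `uses:` lines in the `code-checks-scala` job of ci-checks-build.yml are now pinned to full commit SHAs, but nothing in this commit keeps those pins current, and nothing checks the trailing `# v3.6.0` / `# v1.4.4` comments against the SHAs. The same applies to every pinned `uses:` line in the other hunks of ci-checks-build.yml, ci-tests.yml and dev_cron.yml. Each SHA should be confirmed against the upstream tag it claims before merge. If the repository does not already have one, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would raise update PRs that bump the SHA and the comment together. Several pins also sit on old majors (`setup-java` v1, `checkout` v2, `github-script` v3), so they stay frozen there until someone updates them.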
@@ -49,13 +52,13 @@ jobs: name: Build Checks runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml index 5a8594c7e..d9e263f4e 100644 --- a/.github/workflows/ci-tests.yml +++ b/.github/workflows/ci-tests.yml @@ -2,18 +2,21 @@ name: Tests on: [push, pull_request] +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: local-test-oneAPI_table: name: Local Test for Units (OneAPI Table) runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb @@ -30,13 +33,13 @@ jobs: name: Local Test for Units (CPU) runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb 
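Review bot: In ci-tests.yml, starting with the `local-test-oneAPI_table` job, the pinned `actions/checkout` steps keep the default `persist-credentials: true`. The job token therefore stays in the checkout's git configuration while later steps run repository scripts; a later hunk shows `dev/ci/ci-standalone-python-test-cpu.sh` being run. The new `contents: read` makes that token read-only, but these jobs do not appear to need git credentials after checkout, so I would add `with: {persist-credentials: false}` to each checkout step. The same applies to the checkout steps in ci-checks-build.yml. The job bodies continue outside the hunks, so confirm that no later step fetches or pushes with the stored credentials.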
@@ -54,13 +57,13 @@ jobs: name: Yarn Test for Examples (CPU) runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb @@ -77,13 +80,13 @@ jobs: name: Standalone CPU_GPU_PROFILE Test for scala Examples (CPU) runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb @@ -100,13 +103,13 @@ jobs: name: Standalone CPU_GPU_PROFILE Test for python Examples (CPU) runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up JDK 1.8 - uses: actions/setup-java@v1 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: 1.8 - name: Restore cached dependencies - uses: actions/cache@v3 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 with: path: | #/var/cache/apt/archives/*.deb @@ -119,4 +122,3 @@ jobs: - name: Cluster Test run: | ${{github.workspace}}/dev/ci/ci-standalone-python-test-cpu.sh - diff --git a/.github/workflows/dev_cron.yml b/.github/workflows/dev_cron.yml index ab2840ebd..8a7c8d886 100644 --- a/.github/workflows/dev_cron.yml +++ b/.github/workflows/dev_cron.yml 
@@ -25,19 +25,21 @@ on: - edited - synchronize +permissions: read-all + jobs: process: name: Process runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Comment Issues link if: | github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'edited') - uses: actions/github-script@v3 + uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -49,10 +51,9 @@ jobs: github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'edited') - uses: actions/github-script@v3 + uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const script = require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/dev_cron/title_check.js`); script({github, context}); -
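Review bot: `permissions: read-all` in dev_cron.yml leaves the `GITHUB_TOKEN` with no write scope, yet the `Comment Issues link` step passes that token to `actions/github-script`. If its script posts a comment on the pull request (the script body is outside the hunk), that call will likely be rejected once this change is on the base branch. `read-all` also grants read on every scope, where this job seems to need only `contents: read` plus the one write scope for commenting. I would set the workflow default to `contents: read` and grant the write scope on the `process` job only, as below. Because the workflow runs on `pull_request_target`, that write scope should stay as narrow as the script requires.

```yaml
permissions:
  contents: read

jobs:
  process:
    # … unchanged: name, runs-on …
    permissions:
      contents: read
      # or issues: write, depending on which API the comment script calls
      pull-requests: write
    # … unchanged: steps …
```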
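Review bot: The `require(...)` of `title_check.js` from `GITHUB_WORKSPACE` in the second dev_cron.yml hunk depends on an undocumented invariant. It is safe only because the `actions/checkout` step in the first hunk has no `with:` block and so, under `pull_request_target`, checks out the base branch rather than the PR head. Pinning the action does not protect that invariant: a later edit that adds a `ref:` pointing at the PR head would let PR-supplied JavaScript run with this job's token. I would add a comment above the checkout step such as `# pull_request_target: must stay on the base ref; never check out the PR head here`.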