From 996d1c3075de6d728435744836458a3d962074a6 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 11:17:17 +0400 Subject: [PATCH 01/14] Remove checkout ref for deploy workflow --- .github/workflows/gh_pages_deploy.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/gh_pages_deploy.yml b/.github/workflows/gh_pages_deploy.yml index e2f33fc1658..e579d60d072 100644 --- a/.github/workflows/gh_pages_deploy.yml +++ b/.github/workflows/gh_pages_deploy.yml @@ -27,8 +27,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 token: ${{ secrets.GH_ACTIONS_BOT_TOKEN }} From d419d75dd8443f3bc6dde64a9f3d05cacec19855 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 11:24:47 +0400 Subject: [PATCH 02/14] Remove generate tags workflow and related files --- .ci/convert_notebooks.sh | 3 -- .ci/keywords.json | 27 ------------------ .ci/tagger.py | 44 ----------------------------- .github/workflows/generate_tags.yml | 39 ------------------------- 4 files changed, 113 deletions(-) delete mode 100644 .ci/keywords.json delete mode 100644 .ci/tagger.py delete mode 100644 .github/workflows/generate_tags.yml diff --git a/.ci/convert_notebooks.sh b/.ci/convert_notebooks.sh index 1b4e8a3074c..9b569f6edc6 100755 --- a/.ci/convert_notebooks.sh +++ b/.ci/convert_notebooks.sh @@ -6,7 +6,6 @@ rstdir=$PWD"/rst_files" binderlist=$rstdir"/notebooks_with_binder_buttons.txt" colablist=$rstdir"/notebooks_with_colab_buttons.txt" notebooklist=$rstdir"/all_notebooks_paths.txt" -tagslist=$rstdir"/notebooks_tags.json" mkdir -p $rstdir # List all notebooks that contain binder or colab buttons based on readme 
@@ -17,8 +16,6 @@ done find notebooks -maxdepth 2 -name "*.ipynb" | sort > $notebooklist taggerpath=$(git ls-files "*tagger.py") notebookspath=$(git ls-files "*.ipynb"| head -n 1) -keywordspath=$(git ls-files "*keywords.json") -python $taggerpath $notebookspath $keywordspath> $tagslist echo "start converting notebooks" python $PWD"/.ci/convert_notebooks.py" --rst_dir $rstdir --exclude_execution_file $PWD"/.ci/ignore_convert_execution.txt" diff --git a/.ci/keywords.json b/.ci/keywords.json deleted file mode 100644 index 77ebfa3b4aa..00000000000 --- a/.ci/keywords.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "tags": { - "GPU": ["device_name = \"GPU\"", "device_name=\"GPU\""], - "Auto device": ["device_name=\"AUTO\"", "device_name = \"AUTO\""], - - "Dynamic Shape": [".partial_shape", "Dimension("], - "Reshape Model": ["model.reshape("], - "Async Inference": [".start_async("], - - "Download Model": ["omz_downloader"], - "Convert Model": ["omz_converter"], - "Optimize Model": ["import openvino.tools.mo", "from openvino.tools.mo", "!mo "], - "Benchmark Model": ["benchmark_app"], - "OMZ Info Dumper": ["omz_info_dumper"], - - "Paddle": ["import paddle", "from paddle"], - "Torchvision": ["import torchvision", "from torchvision"], - "Compression": ["import compression", "from compression"], - "Pytorch": ["import torch", "from torch"], - "NNCF": ["import nncf", "from nncf"], - "Transformers": ["import transformers", "from transformers"], - "Tensorflow": ["import tensorflow", "from tensorflow"], - - "ONNX": [".onnx"], - "Train Model": ["model.fit(", "model.train()"] - } -} \ No newline at end of file diff --git a/.ci/tagger.py b/.ci/tagger.py deleted file mode 100644 index bd50e39f17a..00000000000 --- a/.ci/tagger.py +++ /dev/null 
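Review bot: `taggerpath=$(git ls-files "*tagger.py")` stays as a context line in the convert_notebooks.sh hunk even though this commit deletes `.ci/tagger.py` and removes the only visible use of the variable. It now expands to an empty string and is dead. `notebookspath` on the following line loses its only visible consumer in the same way. I would delete both assignments here; if a later part of the script (outside the hunk) still reads them, add a comment naming that use.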
@@ -1,44 +0,0 @@ -import json -import glob -import mmap -import sys - - -def get_notebooks(path: str): - return glob.glob(f"{path}/*/[0-9]*.ipynb") - - -def get_tags(path: str): - return json.load(open(path)) - - -def find_tags_for_notebook(notebook_path: str, tags: dict): - nb_tags = [] - with open(notebook_path) as file: - f = mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ) - for tag, keywords in tags.items(): - for keyword in keywords: - if f.find(bytes(keyword, "utf-8")) != -1: - nb_tags.append(tag) - break - return nb_tags - - -def find_tags_for_all_notebooks(notebooks: list, tags: dict): - notebooks_tags = {} - for notebook in notebooks: - nb_tags = sorted(find_tags_for_notebook(notebook, tags)) - if nb_tags: - notebooks_tags[notebook.split("/")[-1].split(".")[0]] = nb_tags - return notebooks_tags - - -if __name__ == "__main__": - if len(sys.argv) == 1: - notebooks_paths = sorted(get_notebooks("notebooks")) - tags = get_tags(".ci/keywords.json")["tags"] - else: - notebooks_paths = sorted(get_notebooks("/".join(sys.argv[1].split("/")[:-2]))) - tags = get_tags(sys.argv[2])["tags"] - all_notebooks_tags = find_tags_for_all_notebooks(notebooks_paths, tags) - print(json.dumps(all_notebooks_tags, indent=4)) diff --git a/.github/workflows/generate_tags.yml b/.github/workflows/generate_tags.yml deleted file mode 100644 index a630fa31cbc..00000000000 --- a/.github/workflows/generate_tags.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Generate tags for each notebook - -name: Generate tags -on: - workflow_dispatch: - pull_request: - branches: - - 'main' - - 'latest' - paths: - - 'notebooks/**.ipynb' - - '.ci/keywords.json' - - '.ci/tagger.py' - -jobs: - build_codecheck: - strategy: - fail-fast: false - runs-on: ubuntu-20.04 # change cachepip step when changing this - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Dotenv Action - id: dotenv - uses: xom9ikk/dotenv@v2.3.0 - with: - path: ./.github/workflows - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: 3.8 - - name: Run tagger and store results in file - run: | - python .ci/tagger.py > notebook-tags-${{ github.sha }}.json - - name: Archive notebook tags - uses: actions/upload-artifact@v4 - with: - name: notebook-tags - path: notebook-tags-${{ github.sha }}.json From a526716bda48d560933b0e6bf5f14c7fdfa39628 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 11:45:05 +0400 Subject: [PATCH 03/14] Fix codeql workflow --- .github/workflows/codeql.yml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 703ba5d70da..add3882a47d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,7 +1,7 @@ # GitHub CodeQL # https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning -name: "CodeQL" +name: 'CodeQL' on: workflow_dispatch: @@ -12,9 +12,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: CodeQL: - runs-on: ubuntu-latest permissions: security-events: write 
@@ -22,9 +24,9 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.8' - name: Install dependencies @@ -33,17 +35,12 @@ jobs: if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - # Set the `CODEQL-PYTHON` environment variable to the Python executable + # Set the `CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION` environment variable to the Python executable # that includes the dependencies - echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV + echo "CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=$(which python)" >> $GITHUB_ENV - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 with: languages: python - # Override the default behavior so that the action doesn't attempt - # to auto-install Python dependencies - setup-python-dependencies: false - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - + uses: github/codeql-action/analyze@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 From 625240e40b939e120555f36337eada8b42669274 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 11:53:07 +0400 Subject: [PATCH 04/14] Fix codecheck workflow --- .github/workflows/codecheck.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codecheck.yml b/.github/workflows/codecheck.yml index 5e4a876aac9..0c64192d442 100644 --- a/.github/workflows/codecheck.yml +++ b/.github/workflows/codecheck.yml @@ -25,6 +25,9 @@ on: - '.github/workflows/*.yml' - '.github/workflows/.env' +permissions: + contents: read + jobs: build_codecheck: strategy: 
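Review bot: In the `Install dependencies` step of codeql.yml, `echo "CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=$(which python)" >> $GITHUB_ENV` writes an interpreter path into a variable that, as far as I know, expects a Python version string. The new comment still describes it as "the Python executable that includes the dependencies". If the intent is to fix the analysed version, use `echo "CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.8" >> "$GITHUB_ENV"`, matching the `python-version: '3.8'` set in the step above, and reword the comment to say "version". Please confirm in one run's CodeQL log that the value is accepted, because a misconfigured extractor can reduce scan coverage without failing the job.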
@@ -32,19 +35,19 @@ jobs: runs-on: ubuntu-20.04 # change cachepip step when changing this steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.8 # change cachepip step when changing this - name: Cache OpenVINO Pip Packages id: cachepip - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | pipcache From 4f6f4070dd600ebca4a4c06b3e52c50cd005f999 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 11:57:50 +0400 Subject: [PATCH 05/14] Fix convert notebooks workflow --- .github/workflows/convert_notebooks.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/convert_notebooks.yml b/.github/workflows/convert_notebooks.yml index c7ecfd37e75..70c533a4cef 100644 --- a/.github/workflows/convert_notebooks.yml +++ b/.github/workflows/convert_notebooks.yml @@ -24,6 +24,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: strategy: @@ -45,7 +48,7 @@ jobs: echo "Available storage:" df -h - name: Set Swap Space - uses: pierotofy/set-swap-space@master + uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # master with: swap-size-gb: 10 - name: Install required packages for rst converstion 
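Review bot: The `Set Swap Space` step in convert_notebooks.yml is pinned to a commit but annotated `# master`, which names a moving branch rather than a release. A later reader cannot tell which reviewed version the SHA corresponds to, and update tooling has no tag to compare against. If the action publishes tagged releases, pin to a release commit and name the tag, e.g. `uses: pierotofy/set-swap-space@<RELEASE_COMMIT_SHA> # <release tag>`. Otherwise replace `# master` with the date the commit was reviewed.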
@@ -59,14 +62,14 @@ jobs: # This should ideally be a reusable workflow - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python }} - name: Install required packages @@ -78,7 +81,7 @@ jobs: - name: Cache OpenVINO Pip Packages id: cachepip - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | pipcache @@ -87,7 +90,7 @@ jobs: # Cache specific files to reduce downloads or prevent network issues - name: Cache Files id: cachefiles - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | # NOTE: when modifying cache paths, update FILES_CACHE_KEY in .env @@ -118,7 +121,7 @@ jobs: # Cache PaddlePaddle cache directories to prevent CI failing due to network/download issues - name: Cache PaddlePaddle cache directories (per OS) id: cacheusercache - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ${{ env.HUB_HOME }} @@ -174,7 +177,7 @@ jobs: python -m pip freeze python -m pip freeze > pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt - name: Archive pip freeze - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: pip-freeze-${{matrix.os}}-${{ matrix.python }} path: pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt 
@@ -185,7 +188,7 @@ jobs: shell: bash run: .ci/convert_notebooks.sh - name: Save reStructuredText files - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: rst_files path: rst_files From 9f51d98b9e8de9e4a18f5a7e8288655f3773ba61 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 12:00:10 +0400 Subject: [PATCH 06/14] Fix build treon reusable workflow --- .github/workflows/build_treon_reusable.yml | 23 ++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_treon_reusable.yml b/.github/workflows/build_treon_reusable.yml index 85f024580d5..a137cf358d1 100644 --- a/.github/workflows/build_treon_reusable.yml +++ b/.github/workflows/build_treon_reusable.yml @@ -18,6 +18,9 @@ on: type: boolean default: false +permissions: + contents: read + jobs: build_treon: runs-on: ${{ inputs.runs_on }} @@ -28,7 +31,7 @@ jobs: - /dev/dri:/dev/dri steps: - name: Set env variables - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const container = "${{ inputs.container }}"; @@ -45,12 +48,12 @@ jobs: # # These steps are also copied to convert_notebooks.yml - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Get changed files if: ${{ inputs.test_only_changed }} id: changed-files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2 with: files: | notebooks/*/** @@ -70,7 +73,7 @@ jobs: - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows 
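Review bot: In the `Set env variables` step of build_treon_reusable.yml, `const container = "${{ inputs.container }}";` splices a workflow input into the script source before it is parsed. A value containing a quote would change the code that runs, and pinning `actions/github-script` does nothing about that. The input presumably comes only from trusted caller workflows, but passing it as data is cheap: add an `env:` entry `CONTAINER: ${{ inputs.container }}` to the step and read it with `const container = process.env.CONTAINER;`. The rest of the script lies outside this hunk, so check it for other `${{ }}` expressions inlined the same way.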
@@ -112,7 +115,7 @@ jobs: dpkg -i *.deb - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '${{ inputs.python }}' env: @@ -120,7 +123,7 @@ jobs: - name: Cache Pip Packages id: cachepip - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | pipcache @@ -129,7 +132,7 @@ jobs: # Cache specific files to reduce downloads or prevent network issues - name: Cache Files id: cachefiles - uses: actions/cache@v3 # TODO Consider updating cache action to v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | # NOTE: when modifying cache paths, update FILES_CACHE_KEY in .env @@ -160,7 +163,7 @@ jobs: # Cache PaddlePaddle cache directories to prevent CI failing due to network/download issues - name: Cache PaddlePaddle cache directories id: cacheusercache - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ${{ env.HUB_HOME }} @@ -221,7 +224,7 @@ jobs: python -m pip freeze python -m pip freeze > pip-freeze-${{ env.TEST_DEVICE }}-${{ github.sha }}-${{ env.OS_NAME }}-${{ inputs.python }}.txt - name: Upload pip freeze artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: pip-freeze-${{ env.TEST_DEVICE }}-${{ env.OS_NAME }}-${{ inputs.python }} path: pip-freeze-${{ env.TEST_DEVICE }}-${{ github.sha }}-${{ env.OS_NAME }}-${{ inputs.python }}.txt @@ -301,7 +304,7 @@ jobs: - name: Archive notebook test report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: test_report-${{ env.TEST_REPORT_DIR }} path: test_report/ From c2bf9e155bc75c32a2387db0a8eadb03a86949dd Mon Sep 17 00:00:00 2001 
From: yatarkan Date: Thu, 13 Jun 2024 12:02:14 +0400 Subject: [PATCH 07/14] Fix docker workflow --- .github/workflows/docker.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 413930346eb..cfef3721603 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -36,6 +36,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build_docker: strategy: @@ -51,10 +54,10 @@ jobs: sudo rm -rf /opt/ghc echo "Available storage:" df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2 with: files: | notebooks/*/** From de4cf585a6077db250a61a3dd84b4a537d287a7d Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 12:04:16 +0400 Subject: [PATCH 08/14] Fix gh pages deploy workflow --- .github/workflows/gh_pages_deploy.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.github/workflows/gh_pages_deploy.yml b/.github/workflows/gh_pages_deploy.yml index e579d60d072..868b37ccf13 100644 --- a/.github/workflows/gh_pages_deploy.yml +++ b/.github/workflows/gh_pages_deploy.yml @@ -16,6 +16,9 @@ concurrency: group: 'pages' cancel-in-progress: true +permissions: + contents: read + jobs: build_assets: runs-on: ubuntu-20.04 
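Review bot: The `Get changed files` step in docker.yml pins `tj-actions/changed-files` to a v41.1.2 commit, while PATCH 06 pins the same action in build_treon_reusable.yml to v44.5.2. The repository now carries two separately reviewed commits of one third-party action. Unless docker.yml depends on v41 behaviour, use the same pin in both places, `uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2`, so there is a single version to audit and update. The step's `files:` filter continues outside the hunk.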
@@ -25,13 +28,13 @@ jobs: should_deploy: ${{ steps.check_deploy.outputs.should_deploy }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 token: ${{ secrets.GH_ACTIONS_BOT_TOKEN }} - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 18 @@ -41,7 +44,7 @@ jobs: run: npm ci - name: Validate all notebooks metadata - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { NotebookMetadataHandler } = await import('${{ github.workspace }}/selector/src/notebook-metadata/notebook-metadata-handler.js'); @@ -62,7 +65,7 @@ jobs: - name: Check if deploy needed id: check_deploy - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { readFile } = require('fs/promises'); @@ -77,13 +80,13 @@ jobs: - name: Upload pages artifact if: ${{ steps.check_deploy.outputs.should_deploy == 'true' }} - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: ./selector/dist/openvino_notebooks - name: Generate new notebooks index if: ${{ steps.check_deploy.outputs.should_deploy == 'true' }} - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { generateNotebooksIndex } = await import('${{ github.workspace }}/selector/src/shared/generate-notebooks-index.js'); @@ -112,4 +115,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 From 7b9d3784a616651f3e12351979e9e1a5e9a674e0 Mon Sep 17 00:00:00 2001 
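Review bot: The `Checkout code` step in gh_pages_deploy.yml passes `token: ${{ secrets.GH_ACTIONS_BOT_TOKEN }}` without `persist-credentials: false`. By default actions/checkout keeps that token in the local git configuration for the rest of the job, where the later `npm ci` and `github-script` steps, and any dependency install scripts they run, can read it. If nothing later in `build_assets` pushes with git, add `persist-credentials: false` under `with:`. If a later step does push (not visible in these hunks), note that in a comment next to the token. The new top-level `permissions: contents: read` restricts only `GITHUB_TOKEN`, not this bot token.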
From: yatarkan Date: Thu, 13 Jun 2024 12:05:56 +0400 Subject: [PATCH 09/14] Fix install requirements china workflow --- .../workflows/install_requirements_china.yml | 50 ++++++++++--------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/.github/workflows/install_requirements_china.yml b/.github/workflows/install_requirements_china.yml index 499a25a7b8e..ddfbc4dd578 100644 --- a/.github/workflows/install_requirements_china.yml +++ b/.github/workflows/install_requirements_china.yml @@ -3,7 +3,10 @@ name: install_requirements_china on: workflow_dispatch: schedule: - - cron: '30 18 * * *' + - cron: '30 18 * * *' + +permissions: + contents: read jobs: build: 
@@ -16,27 +19,26 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: ${{ matrix.python }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip==21.3.* -i https://pypi.tuna.tsinghua.edu.cn/simple - python -m pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple - - python -m ipykernel install --user --name openvino_env - python -m pip freeze > pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt - - name: Archive pip freeze - uses: actions/upload-artifact@v4 - with: - name: pip-freeze-${{matrix.os}}-${{ matrix.python }} - path: pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt - - name: Test that `jupyter lab` works - run: | - jupyter lab notebooks --help - - name: Check install - run: | - python check_install.py + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Set up Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: ${{ matrix.python }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip==21.3.* -i https://pypi.tuna.tsinghua.edu.cn/simple + python -m pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple + python -m ipykernel install --user --name openvino_env + python -m pip freeze > pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt + - name: Archive pip freeze + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: pip-freeze-${{matrix.os}}-${{ matrix.python }} + path: pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt + - name: Test that `jupyter lab` works + run: | + jupyter lab notebooks --help + - name: Check install + run: | + python check_install.py From 8ff62e9a6fb35a18c5fce37b8815a3807c689ddb Mon Sep 17 00:00:00 2001 
From: yatarkan Date: Thu, 13 Jun 2024 12:06:58 +0400 Subject: [PATCH 10/14] Fix install requirements workflow --- .github/workflows/install_requirements.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/install_requirements.yml b/.github/workflows/install_requirements.yml index bdcfba69114..12b6a4120b9 100644 --- a/.github/workflows/install_requirements.yml +++ b/.github/workflows/install_requirements.yml @@ -10,6 +10,9 @@ on: - '.github/workflows/install_requirements.yml' - 'check_install.py' +permissions: + contents: read + jobs: build_install_requirements: runs-on: ${{ matrix.os }} @@ -20,19 +23,19 @@ jobs: python: ['3.8', '3.9', '3.10', '3.11'] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python }} - name: Cache OpenVINO Pip Packages id: cachepip - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | pipcache @@ -61,7 +64,7 @@ jobs: python -m pip freeze python -m pip freeze > pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt - name: Archive pip freeze - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: pip-freeze-${{matrix.os}}-${{ matrix.python }} path: pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt From 1ae1003befc7a65f02fa4f54f4b6cd76d9cdd08a Mon Sep 17 00:00:00 2001 
From: yatarkan Date: Thu, 13 Jun 2024 12:08:34 +0400 Subject: [PATCH 11/14] Fix pip conflicts check workflow --- .github/workflows/pip_conflicts_check.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pip_conflicts_check.yml b/.github/workflows/pip_conflicts_check.yml index fde0f2b2b10..40e985b0b2b 100644 --- a/.github/workflows/pip_conflicts_check.yml +++ b/.github/workflows/pip_conflicts_check.yml @@ -15,21 +15,24 @@ on: paths: - 'notebooks/**.ipynb' +permissions: + contents: read + jobs: build_pip_conflicts_check: runs-on: ubuntu-20.04 # change cachepip step when changing this steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.8 # change cachepip step when changing this From e344f088687d6014e80a752541490141a022fe56 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 12:12:25 +0400 Subject: [PATCH 12/14] Fix spellcheck workflow --- .github/workflows/spellcheck.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml index 1888516d391..5e1a648b133 100644 --- a/.github/workflows/spellcheck.yml +++ b/.github/workflows/spellcheck.yml @@ -23,6 +23,9 @@ on: - 'notebooks/**.md' - 'notebooks/**.ipynb' +permissions: + contents: read + jobs: build_spellcheck: strategy: 
@@ -30,22 +33,22 @@ jobs: runs-on: ubuntu-20.04 # change cachepip step when changing this steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Dotenv Action id: dotenv - uses: xom9ikk/dotenv@v2.3.0 + uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0 with: path: ./.github/workflows - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.8 # change cachepip step when changing this - name: Cache OpenVINO Pip Packages id: cachepip - uses: actions/cache@v3 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | pipcache From be42bb429a6ecfeb4ebc54c88b233bdbdd46bd25 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 12:18:25 +0400 Subject: [PATCH 13/14] Fix treon workflows --- .github/workflows/treon.yml | 11 +++++++---- .github/workflows/treon_precommit.yml | 3 +++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/treon.yml b/.github/workflows/treon.yml index 983e56a78a0..ae5bd9376f7 100644 --- a/.github/workflows/treon.yml +++ b/.github/workflows/treon.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: build_treon_cpu: strategy: 
@@ -47,13 +50,13 @@ jobs: needs: [build_treon_cpu, build_treon_gpu] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.8' - name: Collect artifacts with reports - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: test_report-* merge-multiple: true @@ -62,7 +65,7 @@ jobs: run: | python .ci/aggregate_notebooks_reports.py - name: Upload aggregated report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: notebooks-status-map.json path: test_reports/notebooks-status-map.json diff --git a/.github/workflows/treon_precommit.yml b/.github/workflows/treon_precommit.yml index 8c27e20d027..cc6a48a20a8 100644 --- a/.github/workflows/treon_precommit.yml +++ b/.github/workflows/treon_precommit.yml @@ -29,6 +29,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: build_treon: strategy: From be7796adcb5253b462c964e0f211f005ecbb2914 Mon Sep 17 00:00:00 2001 From: yatarkan Date: Thu, 13 Jun 2024 12:20:59 +0400 Subject: [PATCH 14/14] Fix validate notebook metadata workflow --- .github/workflows/validate_notebook_metadata.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate_notebook_metadata.yml b/.github/workflows/validate_notebook_metadata.yml index 53e16ccef11..4becc08a03f 100644 --- a/.github/workflows/validate_notebook_metadata.yml +++ b/.github/workflows/validate_notebook_metadata.yml 
@@ -10,26 +10,29 @@ concurrency: group: ${{ github.head_ref || github.ref_name }} cancel-in-progress: true +permissions: + contents: read + jobs: validate_notebooks_metadata: runs-on: ubuntu-20.04 name: Validate notebooks metadata steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 18 - name: Get changed notebook files id: get_changed_notebook_files - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { execSync } = require('child_process'); @@ -44,7 +47,7 @@ jobs: run: npm ci - name: Validate changed notebooks metadata - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { NotebookMetadataHandler } = await import('${{ github.workspace }}/selector/src/notebook-metadata/notebook-metadata-handler.js');
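Review bot: The `Checkout code` step in validate_notebook_metadata.yml still checks out `ref: ${{ github.event.pull_request.head.ref }}` from `repository: ${{ github.event.pull_request.head.repo.full_name }}`, the same pair PATCH 01 removed from gh_pages_deploy.yml. The job then runs `npm ci` and imports JavaScript from that checkout inside `github-script`. The `on:` trigger is outside the hunk. If it is `pull_request`, the default merge ref already contains the PR changes and both lines can probably be dropped; if it is `pull_request_target`, contributor-controlled code runs in the base repository's context and the job should be restructured. In either case add `persist-credentials: false` to the checkout, since no visible step pushes.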