[SDL] Fix OpenSSF hits (Dangerous-Workflow, Token-Permissions, Pinned-Dependencies)

.ci/convert_notebooks.sh

@@ -6,7 +6,6 @@ rstdir=$PWD"/rst_files"
 binderlist=$rstdir"/notebooks_with_binder_buttons.txt"
 colablist=$rstdir"/notebooks_with_colab_buttons.txt"
 notebooklist=$rstdir"/all_notebooks_paths.txt"
-tagslist=$rstdir"/notebooks_tags.json"
 mkdir -p $rstdir
 
 # List all notebooks that contain binder or colab buttons based on readme
@@ -17,8 +16,6 @@ done
 find notebooks -maxdepth 2 -name "*.ipynb" | sort > $notebooklist
 taggerpath=$(git ls-files "*tagger.py")
 notebookspath=$(git ls-files "*.ipynb"| head -n 1)
-keywordspath=$(git ls-files "*keywords.json")
-python $taggerpath $notebookspath $keywordspath> $tagslist
 
 echo "start converting notebooks"
 python $PWD"/.ci/convert_notebooks.py" --rst_dir $rstdir --exclude_execution_file $PWD"/.ci/ignore_convert_execution.txt"

.github/workflows/build_treon_reusable.yml

@@ -18,6 +18,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   build_treon:
     runs-on: ${{ inputs.runs_on }}
@@ -28,7 +31,7 @@ jobs:
         - /dev/dri:/dev/dri
     steps:
       - name: Set env variables
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const container = "${{ inputs.container }}";
@@ -45,12 +48,12 @@ jobs:
       #
       # These steps are also copied to convert_notebooks.yml
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Get changed files
         if: ${{ inputs.test_only_changed }}
         id: changed-files
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
         with:
           files: |
             notebooks/*/**
@@ -70,7 +73,7 @@ jobs:
 
       - name: Dotenv Action
         id: dotenv
-        uses: xom9ikk/[email protected]
+        uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0
         with:
           path: ./.github/workflows
 
@@ -112,15 +115,15 @@ jobs:
           dpkg -i *.deb
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '${{ inputs.python }}'
         env:
           AGENT_TOOLSDIRECTORY: ${{ inputs.container && '/opt/hostedtoolcache' || '' }}
 
       - name: Cache Pip Packages
         id: cachepip
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             pipcache
@@ -129,7 +132,7 @@ jobs:
       # Cache specific files to reduce downloads or prevent network issues
       - name: Cache Files
         id: cachefiles
-        uses: actions/cache@v3 # TODO Consider updating cache action to v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             # NOTE: when modifying cache paths, update FILES_CACHE_KEY in .env
@@ -160,7 +163,7 @@ jobs:
       # Cache PaddlePaddle cache directories to prevent CI failing due to network/download issues
       - name: Cache PaddlePaddle cache directories
         id: cacheusercache
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             ${{ env.HUB_HOME }}
@@ -221,7 +224,7 @@ jobs:
           python -m pip freeze
           python -m pip freeze > pip-freeze-${{ env.TEST_DEVICE }}-${{ github.sha }}-${{ env.OS_NAME }}-${{ inputs.python }}.txt
       - name: Upload pip freeze artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: pip-freeze-${{ env.TEST_DEVICE }}-${{ env.OS_NAME }}-${{ inputs.python }}
           path: pip-freeze-${{ env.TEST_DEVICE }}-${{ github.sha }}-${{ env.OS_NAME }}-${{ inputs.python }}.txt
@@ -301,7 +304,7 @@ jobs:
 
       - name: Archive notebook test report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: test_report-${{ env.TEST_REPORT_DIR }}
           path: test_report/

.github/workflows/codecheck.yml

@@ -25,26 +25,29 @@ on:
       - '.github/workflows/*.yml'
       - '.github/workflows/.env'
 
+permissions:
+  contents: read
+
 jobs:
   build_codecheck:
     strategy:
       fail-fast: false
     runs-on: ubuntu-20.04 # change cachepip step when changing this
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Dotenv Action
         id: dotenv
-        uses: xom9ikk/[email protected]
+        uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0
         with:
           path: ./.github/workflows
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: 3.8 # change cachepip step when changing this
       - name: Cache OpenVINO Pip Packages
         id: cachepip
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             pipcache

.github/workflows/codeql.yml

@@ -1,7 +1,7 @@
 # GitHub CodeQL
 # https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
 
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   workflow_dispatch:
@@ -12,19 +12,21 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL:
-
     runs-on: ubuntu-latest
     permissions:
       security-events: write
       actions: read
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.8'
       - name: Install dependencies
@@ -33,17 +35,12 @@ jobs:
           if [ -f requirements.txt ];
           then pip install -r requirements.txt;
           fi
-          # Set the `CODEQL-PYTHON` environment variable to the Python executable
+          # Set the `CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION` environment variable to the Python executable
           # that includes the dependencies
-          echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
+          echo "CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
         with:
           languages: python
-          # Override the default behavior so that the action doesn't attempt
-          # to auto-install Python dependencies
-          setup-python-dependencies: false
-
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
+        uses: github/codeql-action/analyze@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9

.github/workflows/convert_notebooks.yml

@@ -24,6 +24,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -45,7 +48,7 @@ jobs:
           echo "Available storage:"
           df -h
       - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
+        uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # master
         with:
           swap-size-gb: 10
       - name: Install required packages for rst converstion
@@ -59,14 +62,14 @@ jobs:
       # This should ideally be a reusable workflow
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Dotenv Action
         id: dotenv
-        uses: xom9ikk/[email protected]
+        uses: xom9ikk/dotenv@ac290ca23a42155a0cba1031d23afa46240116a9 # v2.3.0
         with:
           path: ./.github/workflows
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: ${{ matrix.python }}
       - name: Install required packages
@@ -78,7 +81,7 @@ jobs:
 
       - name: Cache OpenVINO Pip Packages
         id: cachepip
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             pipcache
@@ -87,7 +90,7 @@ jobs:
       # Cache specific files to reduce downloads or prevent network issues
       - name: Cache Files
         id: cachefiles
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             # NOTE: when modifying cache paths, update FILES_CACHE_KEY in .env
@@ -118,7 +121,7 @@ jobs:
       # Cache PaddlePaddle cache directories to prevent CI failing due to network/download issues
       - name: Cache PaddlePaddle cache directories (per OS)
         id: cacheusercache
-        uses: actions/cache@v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             ${{ env.HUB_HOME }}
@@ -174,7 +177,7 @@ jobs:
           python -m pip freeze
           python -m pip freeze > pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt
       - name: Archive pip freeze
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: pip-freeze-${{matrix.os}}-${{ matrix.python }}
           path: pip-freeze-${{ github.sha }}-${{matrix.os}}-${{ matrix.python }}.txt
@@ -185,7 +188,7 @@ jobs:
         shell: bash
         run: .ci/convert_notebooks.sh
       - name: Save reStructuredText files
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: rst_files
           path: rst_files

.github/workflows/docker.yml

@@ -36,6 +36,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build_docker:
     strategy:
@@ -51,10 +54,10 @@ jobs:
           sudo rm -rf /opt/ghc
           echo "Available storage:"
           df -h
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v41
+        uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
         with:
           files: |
             notebooks/*/**