fix openssf issue (#400)

minmingzhu · carsonwang · commit b08439e4770c · 2024-06-26T14:28:47.000+08:00
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -17,26 +17,29 @@
 
 name: RayDP PyPi
 
-on: 
+on:
   schedule:
     - cron: '0 0 * * *'
   # can manually trigger the workflow
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-and-publish:
     # do not run in forks
     if: ${{ github.repository_owner == 'oap-project' }}
     name: build wheel and upload
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
     - name: Set up Python 3.7
-      uses: actions/setup-python@v1
+      uses: actions/setup-python@0f07f7f756721ebd886c2462646a35f78a8bc4de # v1.2.4
       with:
         python-version: 3.7
     - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
       with:
         java-version: 1.8
     - name: days since the commit date
@@ -54,6 +57,6 @@ jobs:
       run: pip install wheel grpcio-tools && ./build.sh
     - name: Upload
       if: env.COMMIT_TODAY == 'true'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # release/v1
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/ray_nightly_test.yml b/.github/workflows/ray_nightly_test.yml
@@ -22,6 +22,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-and-test:
 
@@ -34,13 +37,13 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up JDK 1.8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
         with:
           java-version: 1.8
       - name: Install extra dependencies for macOS
@@ -54,13 +57,13 @@ jobs:
           sudo apt-get install -y mpich
       - name: Cache pip - Ubuntu
         if: matrix.os == 'ubuntu-latest'
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/.cache/pip
           key: ${{ matrix.os }}-${{ matrix.python-version }}-pip
       - name: Cache pip - MacOS
         if: matrix.os == 'macos-latest'
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/Library/Caches/pip
           key: ${{ matrix.os }}-${{ matrix.python-version }}-pip
@@ -96,7 +99,7 @@ jobs:
           HOROVOD_WITH_PYTORCH=1
           pip install horovod[pytorch,ray]
       - name: Cache Maven
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/.m2
           key: ${{ matrix.os }}-m2-${{ hashFiles('core/pom.xml') }}
diff --git a/.github/workflows/raydp.yml b/.github/workflows/raydp.yml
@@ -24,6 +24,9 @@ on:
     branches: [ main, master ]
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-and-test:
 
@@ -36,13 +39,13 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Set up JDK 1.8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
         with:
           java-version: 1.8
       - name: Install extra dependencies for macOS
@@ -56,13 +59,13 @@ jobs:
           sudo apt-get install -y mpich
       - name: Cache pip - Ubuntu
         if: matrix.os == 'ubuntu-latest'
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/.cache/pip
           key: ${{ matrix.os }}-${{ matrix.python-version }}-pip
       - name: Cache pip - MacOS
         if: matrix.os == 'macos-latest'
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/Library/Caches/pip
           key: ${{ matrix.os }}-${{ matrix.python-version }}-pip
@@ -83,7 +86,7 @@ jobs:
           pip install "xgboost_ray[default]<=0.1.13"
           pip install torchmetrics
       - name: Cache Maven
-        uses: actions/cache@v2
+        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           path: ~/.m2
           key: ${{ matrix.os }}-m2-${{ hashFiles('core/pom.xml') }}
diff --git a/.github/workflows/raydp_nightly.yml b/.github/workflows/raydp_nightly.yml
@@ -17,26 +17,29 @@
 
 name: Legacy raydp_nightly PyPi
 
-on: 
+on:
   schedule:
     - cron: '0 0 * * *'
   # can manually trigger the workflow
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-and-publish:
     # do not run in forks
     if: ${{ github.repository_owner == 'oap-project' }}
     name: build wheel and upload
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
     - name: Set up Python 3.7
-      uses: actions/setup-python@v1
+      uses: actions/setup-python@0f07f7f756721ebd886c2462646a35f78a8bc4de # v1.2.4
       with:
         python-version: 3.7
     - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
       with:
         java-version: 1.8
     - name: days since the commit date
@@ -54,6 +57,6 @@ jobs:
       run: pip install wheel grpcio-tools && ./build.sh
     - name: Upload
       if: env.COMMIT_TODAY == 'true'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@e53eb8b103ffcb59469888563dc324e3c8ba6f06 # release/v1
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM rayproject/ray:latest
+FROM rayproject/ray:latest@sha256:c864e37f4ce516ff49425f69cac5503a51e84c333d30928416714a2c3da55b43
 
 ARG HTTP_PROXY
 ARG HTTPS_PROXY

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM rayproject/ray:latest`
	`1`	`+FROM rayproject/ray:latest@sha256:c864e37f4ce516ff49425f69cac5503a51e84c333d30928416714a2c3da55b43`
`2`	`2`
`3`	`3`	`ARG HTTP_PROXY`
`4`	`4`	`ARG HTTPS_PROXY`