diff --git a/.github/workflows/docker-builds.yml b/.github/workflows/docker-builds.yml
index c006b0cfac2..6d4e3b27d46 100644
--- a/.github/workflows/docker-builds.yml
+++ b/.github/workflows/docker-builds.yml
@@ -27,6 +27,8 @@ env:
 ALPINE_IMAGE: 308535385114.dkr.ecr.us-east-1.amazonaws.com/tool/alpine
 AWS_DEFAULT_REGION: us-east-1
+permissions: read-all
+
 jobs:
 docker-build:
 runs-on: [self-hosted, linux.2xlarge]
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 7788eda329d..51af9af7088 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -28,6 +28,8 @@ env:
 USE_BUILDX: 1
 WITH_PUSH: ${{ github.event_name == 'push' && (github.event.ref == 'refs/heads/nightly' || startsWith(github.event.ref, 'refs/tags/v')) }}
+permissions: read-all
+
 jobs:
 generate-matrix:
 if: github.repository_owner == 'pytorch'
diff --git a/.github/workflows/inductor-perf-compare.yml b/.github/workflows/inductor-perf-compare.yml
index 444cf3c4281..e485a8bfce1 100644
--- a/.github/workflows/inductor-perf-compare.yml
+++ b/.github/workflows/inductor-perf-compare.yml
@@ -10,6 +10,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-focal-cuda12_1-py3_10-gcc9-inductor-build:
 name: cuda12.1-py3.10-gcc9-sm80
diff --git a/.github/workflows/inductor-perf-test-nightly.yml b/.github/workflows/inductor-perf-test-nightly.yml
index e8a811d55b6..81e6ff76460 100644
--- a/.github/workflows/inductor-perf-test-nightly.yml
+++ b/.github/workflows/inductor-perf-test-nightly.yml
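Review bot: The added `permissions: read-all` in docker-builds.yml still grants the GITHUB_TOKEN read access to every scope, which is broader than a build job normally needs; the same line is added to every other workflow in this commit. A tighter default is `permissions:` with `contents: read` beneath it, adding further scopes per job only where a job uses them. This key limits the GITHUB_TOKEN only: on `runs-on: [self-hosted, linux.2xlarge]` the runner's own credentials and any `secrets.*` passed to steps are not restricted by it. The `docker-build` job continues outside the hunk.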
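Review bot: In docker-release.yml the new workflow-level `permissions: read-all` sits next to `WITH_PUSH`, which enables image pushes on nightly and tag refs, and a read-only token cannot publish packages. If any push step authenticates to a registry with `GITHUB_TOKEN` (the steps are outside the hunk, so this is unconfirmed), that job needs its own `permissions:` block with `packages: write`. If pushes use a separate registry credential from secrets, a short comment above the key would record that, for example `# GITHUB_TOKEN is read-only here; registry pushes use a dedicated secret`.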
@@ -61,6 +61,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-focal-cuda12_1-py3_10-gcc9-inductor-build:
 name: cuda12.1-py3.10-gcc9-sm80
diff --git a/.github/workflows/inductor-periodic.yml b/.github/workflows/inductor-periodic.yml
index f775acf1e9e..6f8c06ed030 100644
--- a/.github/workflows/inductor-periodic.yml
+++ b/.github/workflows/inductor-periodic.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+
+permissions: read-all
+
 jobs:
 linux-focal-cuda12_1-py3_10-gcc9-periodic-dynamo-benchmarks-build:
 name: cuda12.1-py3.10-gcc9-sm86-periodic-dynamo-benchmarks
diff --git a/.github/workflows/inductor.yml b/.github/workflows/inductor.yml
index 015b197c2b3..23a7b748180 100644
--- a/.github/workflows/inductor.yml
+++ b/.github/workflows/inductor.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-focal-rocm5_7-py3_8-inductor-build:
 name: rocm5.7-py3.8-inductor
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 90845e82d67..351bf83efe1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,7 @@ on:
 - landchecks/*
 workflow_dispatch:
+permissions: read-all
 # The names of steps that actually test the code should be suffixed with `(nonretryable)`.
 # When any other step fails, it's job will be retried once by retryBot.
 jobs:
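Review bot: In the lint.yml hunk `permissions: read-all` is inserted directly above the comment block that begins `# The names of steps that actually test the code`, so the comment now reads as if it described the permissions key rather than `jobs:`. Follow the new line with an empty line, as the other workflows in this commit do, so the comment stays attached to `jobs:`. The inductor-periodic.yml hunk adds an extra empty line before the key as well as one after it, which is harmless but inconsistent with the other files.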
diff --git a/.github/workflows/mac-mps.yml b/.github/workflows/mac-mps.yml
index d2ec160e07f..fe58e7ceff0 100644
--- a/.github/workflows/mac-mps.yml
+++ b/.github/workflows/mac-mps.yml
@@ -10,6 +10,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 macos-12-py3-arm64-build:
 name: macos-12-py3-arm64
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index a6a8c6efffe..d7bce4b9512 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -20,6 +20,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 parallelnative-linux-jammy-py3_8-gcc11-build:
 name: parallelnative-linux-jammy-py3.8-gcc11
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index 4c4b33a3886..a74e50c4938 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -17,6 +17,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-jammy-py3_8-gcc11-build:
 name: linux-jammy-py3.8-gcc11
diff --git a/.github/workflows/rocm.yml b/.github/workflows/rocm.yml
index 856d13a33a4..686ddbbcc9e 100644
--- a/.github/workflows/rocm.yml
+++ b/.github/workflows/rocm.yml
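Review bot: For pull.yml the workflow-level `permissions: read-all` also becomes the ceiling for any reusable workflow its jobs call, because a called workflow cannot receive more token access than its caller. The `uses:` lines are outside the hunk, so whether these jobs call reusable workflows is an assumption; if they do, check that none of the called workflows requests `id-token: write` or another write scope, since such a run would be rejected. The same check applies to the mac-mps, periodic, rocm, slow, trunk and inductor hunks. A one-line comment above the key, such as `# Called workflows inherit this as their maximum token scope`, would document the constraint.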
@@ -15,6 +15,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-focal-rocm5_7-py3_8-build:
 name: linux-focal-rocm5.7-py3.8
diff --git a/.github/workflows/slow.yml b/.github/workflows/slow.yml
index a9b0c654b4c..620b2db7826 100644
--- a/.github/workflows/slow.yml
+++ b/.github/workflows/slow.yml
@@ -18,6 +18,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 linux-focal-cuda12_1-py3-gcc9-slow-gradcheck-build:
 name: linux-focal-cuda12.1-py3-gcc9-slow-gradcheck
diff --git a/.github/workflows/trunk.yml b/.github/workflows/trunk.yml
index 5ded7ac152c..2ba077b5b31 100644
--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@@ -16,6 +16,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 # Build PyTorch with BUILD_CAFFE2=ON
 caffe2-linux-jammy-py3_8-gcc11-build:
diff --git a/.github/workflows/unstable-periodic.yml b/.github/workflows/unstable-periodic.yml
index df422752f7e..9a41bbd44f2 100644
--- a/.github/workflows/unstable-periodic.yml
+++ b/.github/workflows/unstable-periodic.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}-${{ github.event.schedule }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 # There must be at least one job here to satisfy GitHub action workflow syntax
 introduction:
diff --git a/.github/workflows/unstable.yml b/.github/workflows/unstable.yml
index 7a803b54ef8..a2c4a45bd8b 100644
--- a/.github/workflows/unstable.yml
+++ b/.github/workflows/unstable.yml
@@ -12,6 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}-${{ github.ref_type == 'branch' && github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
+permissions: read-all
+
 jobs:
 # There must be at least one job here to satisfy GitHub action workflow syntax
 introduction:
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index 836d25cf5f2..9c4db18e3a4 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -8,6 +8,8 @@ on:
 - cron: 37 7 * * 1
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 update-commit-hash:
 runs-on: ubuntu-latest
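Review bot: In weekly.yml the read-only default now applies to `update-commit-hash`, a job whose name suggests it writes to the repository or opens pull requests. The job's steps are outside the hunk; if they push or create pull requests with `GITHUB_TOKEN` they will be denied under `permissions: read-all`, and the job would need its own `permissions:` block with `contents: write` and `pull-requests: write`. If it already uses a dedicated bot token from secrets, nothing changes functionally, but that token is then the credential to scope narrowly and rotate, since this key does not constrain it.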