diff --git a/.github/workflows/create-release-branch.yaml b/.github/workflows/create-release-branch.yaml
index 8f0ce9a2da..125a977adc 100644
--- a/.github/workflows/create-release-branch.yaml
+++ b/.github/workflows/create-release-branch.yaml
@@ -165,6 +165,33 @@ jobs:
 # --- UPDATED: Run on the specific node ---
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run pytest in tests/unit_tests
 run: |
 EXITCODE=1
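Review bot: The `*.blob.core.windows.net:443` entry in `allowed-endpoints` matches every Azure Storage account, including one created by an outside party, so with it present `egress-policy: block` does not stop data leaving the job through that domain. If the wildcard is there for Actions cache or artifact storage, prefer the concrete account hostnames observed in an `egress-policy: audit` run, written as `<account>.blob.core.windows.net:443` (placeholder); if that is impractical, record the accepted risk in a comment above `allowed-endpoints:` (a `#` line inside the folded `>` scalar would become part of the value). `results-receiver.actions.githubusercontent.com:443` is already covered by `*.actions.githubusercontent.com:443` and can be dropped. The same list appears in all 15 hunks of this diff, so the change applies to each of them.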
@@ -222,6 +249,33 @@ jobs:
 test_function: ${{ fromJson(needs.discover_tests.outputs.matrix) }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test suite - ${{ matrix.test_function }}
 run: |
 EXITCODE=1
@@ -249,6 +303,33 @@ jobs:
 # --- UPDATED: Run on the specific node ---
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run Data Parallel test
 run: |
 EXITCODE=1
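Review bot: The 27-line hardening step in hunk `@@ -222,6 +249,33 @@`, including the whole `allowed-endpoints` list, is pasted unchanged into every job this diff touches (15 copies across three workflow files), so any later allowlist change must be repeated in each copy and a missed one leaves jobs with different egress rules. Defining the step once per file would remove that drift, for example with a YAML anchor on the first occurrence (`- &harden_runner` followed by the step keys) and `- *harden_runner` in the other jobs, provided the Actions parser in use accepts anchors. A local composite action is a poor fit here because it needs a checkout step to run before the hardening step does.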
@@ -276,6 +357,33 @@ jobs:
 # --- UPDATED: Run on the specific node ---
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run PD disaggregate test
 run: |
 EXITCODE=1
@@ -306,6 +414,33 @@ jobs:
 # --- UPDATED: Run on the specific node ---
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run Sharegpt performance tests with warmup
 run: |
 EXITCODE=1
diff --git a/.github/workflows/hourly-ci.yaml b/.github/workflows/hourly-ci.yaml
index 659221c336..e8f0d62116 100644
--- a/.github/workflows/hourly-ci.yaml
+++ b/.github/workflows/hourly-ci.yaml
@@ -102,6 +102,33 @@ jobs:
 # <-- UPDATED: Runs on the specific runner
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run pytest in tests/unit_tests
 run: |
 EXITCODE=1
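Review bot: Nothing in this hunk shows that `egress-policy: block` is actually enforced on the machine the job lands on: `runs-on` resolves to a runner name produced by `discover_runner`, which suggests a self-hosted node. As far as I know, on self-hosted runners the action relies on an agent already installed on the machine rather than installing one itself, so without that agent the step may pass while filtering nothing. Confirm enforcement once per runner pool, for instance with a temporary job that requests a host outside the list and is expected to fail, and note the prerequisite in a comment above the step, e.g. `# requires the Harden-Runner agent on the self-hosted runner image`. The same applies to every hunk in this diff whose context shows the `discover_runner`-derived `runs-on`.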
@@ -164,6 +191,33 @@ jobs:
 test_function: ${{ fromJson(needs.discover_tests.outputs.matrix) }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test suite - ${{ matrix.test_function }}
 run: |
 EXITCODE=1
@@ -193,6 +247,33 @@ jobs:
 # <-- UPDATED: Runs on the specific runner
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run Data Parallel test
 run: |
 EXITCODE=1
@@ -221,6 +302,33 @@ jobs:
 # <-- UPDATED: Runs on the specific runner
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run PD disaggregate test
 run: |
 EXITCODE=1
diff --git a/.github/workflows/pre-merge.yaml b/.github/workflows/pre-merge.yaml
index 7b782c7e71..cd8630a132 100644
--- a/.github/workflows/pre-merge.yaml
+++ b/.github/workflows/pre-merge.yaml
@@ -363,6 +363,33 @@ jobs:
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 timeout-minutes: 720
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run pytest in tests/unit_tests
 run: |
 EXITCODE=1
@@ -388,6 +415,33 @@ jobs:
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 timeout-minutes: 720
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test scripts
 run: |
 EXITCODE=1
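Review bot: `disable-sudo: false` in the first pre-merge.yaml hunk (`@@ -363,6 +363,33 @@`) keeps root available to the test steps that follow, and the hunk gives no reason for it. In a pre-merge workflow those steps presumably execute code from the pull request, and a process with root is in a position to interfere with whatever enforces the allowlist on the runner. If the test scripts do not need sudo, use `disable-sudo: true`; if they do, state which step needs it in a comment above the key, e.g. `# sudo required by <step name> (placeholder)`. The other five hunks in this file carry the same setting.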
@@ -419,6 +473,33 @@ jobs:
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 timeout-minutes: 720
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test scripts
 run: |
 EXITCODE=1
@@ -445,6 +526,33 @@ jobs:
 runs-on: ${{ needs.discover_runner.outputs.runner_name }}
 timeout-minutes: 720
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test scripts
 run: |
 EXITCODE=1
@@ -478,6 +586,33 @@ jobs:
 test_function: ${{ fromJson(needs.discover_tests.outputs.matrix) }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run test suite - ${{ matrix.test_function }}
 run: |
 EXITCODE=1
@@ -510,6 +645,33 @@ jobs:
 test_function: ${{ fromJson(needs.discover_calibration_tests.outputs.matrix) }}
 steps:
+ - name: Harden runner (egress block)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: block
+ disable-sudo: false
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
+ *.actions.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+ *.blob.core.windows.net:443
+ vault.habana.ai:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ download.pytorch.org:443
+ huggingface.co:443
+ cdn-lfs.huggingface.co:443
+ cdn-lfs.hf.co:443
+ cdn-lfs-us-1.hf.co:443
+ cas-bridge.xethub.hf.co:443
+ xet-lfs-us-1.hf.co:443
 - name: Run calibration test - ${{ matrix.test_function }}
 run: |
 EXITCODE=1