From 3a1e46ef168456fd6e51e861ac7568a402117d1b Mon Sep 17 00:00:00 2001 From: minmingzhu <45281494+minmingzhu@users.noreply.github.com> Date: Wed, 7 Aug 2024 09:32:35 +0800 Subject: [PATCH] fix openssf (#274) * fix openssf Signed-off-by: minmingzhu * Update workflow_tests.yml * Update workflow_tests.yml --------- Signed-off-by: minmingzhu --- .github/workflows/workflow_finetune.yml | 11 +++++++++- .github/workflows/workflow_finetune_gpu.yml | 5 ++++- .github/workflows/workflow_inference.yml | 5 ++++- .../workflows/workflow_inference_gaudi2.yml | 5 ++++- .github/workflows/workflow_lint.yml | 5 ++++- .github/workflows/workflow_orders_nightly.yml | 3 +++ .../workflows/workflow_orders_on_merge.yml | 3 +++ .github/workflows/workflow_orders_on_pr.yml | 4 ++++ .github/workflows/workflow_test_benchmark.yml | 5 ++++- .github/workflows/workflow_tests.yml | 21 +++++++++++-------- 10 files changed, 52 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/workflow_finetune.yml b/.github/workflows/workflow_finetune.yml
index 9650ebfad..91950e553 100644
--- a/.github/workflows/workflow_finetune.yml
+++ b/.github/workflows/workflow_finetune.yml
@@ -29,6 +29,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-ft cancel-in-progress: true
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: finetune: name: finetune
@@ -63,7 +66,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Build Docker Image run: |
@@ -88,6 +91,12 @@ jobs: source dev/scripts/ci-functions.sh finetune_test ${{ matrix.model }}
+ - name: Run Finetune DPO Test
+ run: |
+ TARGET="finetune"
+ source dev/scripts/ci-functions.sh
+ finetune_dpo_test ${{ matrix.model }}
+
 - name: Run PEFT-LoRA Test run: | source dev/scripts/ci-functions.sh
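Review bot: The trailing comment on the new `permissions:` block in the hunk at -29,6 (`# added using https://github.com/step-security/secure-repo`) records which tool generated the block, not why `contents: read` is enough for this workflow. I would replace it with `# least privilege: jobs only read the repository; grant more per job if a step needs it`, here and in the other nine workflow files that receive the same block. For workflows invoked through `uses: ./.github/workflows/…` (workflow_orders_on_merge.yml calls workflow_lint.yml that way), the caller's permissions are the ceiling for the called workflow's token, so a later widening has to be made in both files; a one-line comment saying so would save the next maintainer a failed run.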
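Review bot: The pinned `actions/checkout` step in the hunk at -63,7 still runs with its default `persist-credentials: true`, so the job token stays in the checkout's git config for every later step, including the Docker build that follows in this hunk. Unless a later step pushes or fetches with that token (none is visible here), add `with:` and `persist-credentials: false` under the `uses:` line; the same applies to every other checkout step this commit pins. The `# v4.1.7` comment is not checked by the runner, so whoever bumps the SHA has to update the comment by hand and confirm the two still match.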
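Review bot: In the new "Run Finetune DPO Test" step (hunk at -88,6), `${{ matrix.model }}` is expanded into the script text before bash parses it, so the value is never handled as data. The matrix is defined outside this hunk and is presumably a fixed list, which keeps the risk low, but passing it through the environment (`env:` with `MODEL: ${{ matrix.model }}` on the step, then `finetune_dpo_test "$MODEL"`) removes the pattern and quotes the argument; the neighbouring context steps use the same unquoted form. The step also adds a new test to a commit titled "fix openssf", and moving it to its own commit would keep the hardening change easy to audit.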
diff --git a/.github/workflows/workflow_finetune_gpu.yml b/.github/workflows/workflow_finetune_gpu.yml
index fb1ec9103..b48811dfc 100644
--- a/.github/workflows/workflow_finetune_gpu.yml
+++ b/.github/workflows/workflow_finetune_gpu.yml
@@ -13,6 +13,9 @@ on: type: string default: 'http://proxy-prc.intel.com:912'
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: finetune-gpu: name: finetune-gpu
@@ -35,7 +38,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Running task on Intel GPU run: |
diff --git a/.github/workflows/workflow_inference.yml b/.github/workflows/workflow_inference.yml
index ed2266840..e01ef598e 100644
--- a/.github/workflows/workflow_inference.yml
+++ b/.github/workflows/workflow_inference.yml
@@ -29,6 +29,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf cancel-in-progress: true
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: inference: name: inference
@@ -65,7 +68,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Determine Target id: "target"
diff --git a/.github/workflows/workflow_inference_gaudi2.yml b/.github/workflows/workflow_inference_gaudi2.yml
index 97b1618a4..56f2df998 100644
--- a/.github/workflows/workflow_inference_gaudi2.yml
+++ b/.github/workflows/workflow_inference_gaudi2.yml
@@ -23,6 +23,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-inf-gaudi2 cancel-in-progress: true
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: inference: name: inference
@@ -81,7 +84,7 @@ jobs: echo "target=$target" >> $GITHUB_OUTPUT - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Build Docker Image run: |
diff --git a/.github/workflows/workflow_lint.yml b/.github/workflows/workflow_lint.yml
index 35c1ea31f..a0094cbf8 100644
--- a/.github/workflows/workflow_lint.yml
+++ b/.github/workflows/workflow_lint.yml
@@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-lt cancel-in-progress: true
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: lint: name: lint
@@ -22,7 +25,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Run Lint run: ./format.sh -a
diff --git a/.github/workflows/workflow_orders_nightly.yml b/.github/workflows/workflow_orders_nightly.yml
index 025dcbe58..ab9b30099 100644
--- a/.github/workflows/workflow_orders_nightly.yml
+++ b/.github/workflows/workflow_orders_nightly.yml
@@ -4,6 +4,9 @@ on: [] # schedule: # - cron: "0 16 * * *"
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: call-inference:
diff --git a/.github/workflows/workflow_orders_on_merge.yml b/.github/workflows/workflow_orders_on_merge.yml
index 632f880b8..d26c641ef 100644
--- a/.github/workflows/workflow_orders_on_merge.yml
+++ b/.github/workflows/workflow_orders_on_merge.yml
@@ -8,6 +8,9 @@ on: - '**' - '!*.md'
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: Lint: uses: ./.github/workflows/workflow_lint.yml
diff --git a/.github/workflows/workflow_orders_on_pr.yml b/.github/workflows/workflow_orders_on_pr.yml
index cac4bfacc..0c14c60ca 100644
--- a/.github/workflows/workflow_orders_on_pr.yml
+++ b/.github/workflows/workflow_orders_on_pr.yml
@@ -7,6 +7,10 @@ on: paths: - '**' - '!*.md'
+
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: Lint:
diff --git a/.github/workflows/workflow_test_benchmark.yml b/.github/workflows/workflow_test_benchmark.yml
index ba57af94c..778de1c34 100644
--- a/.github/workflows/workflow_test_benchmark.yml
+++ b/.github/workflows/workflow_test_benchmark.yml
@@ -29,6 +29,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-bench cancel-in-progress: true
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: setup-test:
@@ -51,7 +54,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Load environment variables run: cat /root/actions-runner-config/.env >> $GITHUB_ENV
diff --git a/.github/workflows/workflow_tests.yml b/.github/workflows/workflow_tests.yml
index eb51d4f0f..c74536866 100644
--- a/.github/workflows/workflow_tests.yml
+++ b/.github/workflows/workflow_tests.yml
@@ -7,6 +7,9 @@ on: type: string default: 'pr'
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs: setup-test:
@@ -26,10 +29,10 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with: python-version: ${{matrix.python-version}} architecture: 'x64'
@@ -60,10 +63,10 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with: python-version: ${{matrix.python-version}} architecture: 'x64'
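Review bot: Pinning checkout and limiting the token does not cover the step right after it in the workflow_test_benchmark.yml hunk at -51,7: `cat /root/actions-runner-config/.env >> $GITHUB_ENV` exports every entry of a file on the runner host to all later steps of the job, including those that execute code from the checked-out branch. If that file holds credentials, they are readable by whatever the branch's test code does, and the `contents: read` setting has no bearing on them. Consider exporting only the variables the benchmark needs, with step-level `env:` on the steps that use them, and adding a comment above the step that says what the file is expected to contain. The path suggests a self-hosted runner running as root; if this workflow can be reached from pull requests, confirm that runs from forks require approval.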
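Review bot: The full-SHA pins added in the workflow_tests.yml hunk at -26,10 no longer follow a tag, so `actions/checkout` and `actions/setup-python` will stay on v4.1.7 and v4.7.1 until someone edits the file, and nothing in this commit adds update automation. A Dependabot entry for the `github-actions` ecosystem (or an equivalent bot) would keep the pins and their version comments from going stale; without one, a comment such as `# pinned by SHA; bump together with the version comment` above the first pinned step at least documents the manual procedure. The same two pins repeat in the hunks at -60,10 and -94,10.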
@@ -94,10 +97,10 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python
- uses: actions/setup-python@v4
+ uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
 with: python-version: ${{matrix.python-version}} architecture: 'x64'
@@ -141,7 +144,7 @@ jobs: steps: - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Determine Target id: "target"
@@ -165,7 +168,7 @@ jobs: code_checkout_path=${{ github.workspace }} source dev/scripts/ci-functions.sh start_docker ${TARGET} ${code_checkout_path}
-
+
 - name: Install Dependencies for Tests run: | TARGET=${{steps.target.outputs.target}}
@@ -189,4 +192,4 @@ jobs: run: | TARGET=${{steps.target.outputs.target}} source dev/scripts/ci-functions.sh
- stop_container ${TARGET}
\ No newline at end of file
+ stop_container ${TARGET}