diff --git a/.github/workflows/check-circular-deps.yml b/.github/workflows/check-circular-deps.yml index d1aa1c2bb3..d995eb6995 100644 --- a/.github/workflows/check-circular-deps.yml +++ b/.github/workflows/check-circular-deps.yml @@ -11,6 +11,8 @@ on: - .github/workflows/check-circular-deps.yml - '**.spec' +permissions: read-all + jobs: spec-check: name: Circular dependency check @@ -20,6 +22,8 @@ jobs: # Checkout the branch of our repo that triggered this action - name: Workflow trigger checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check for circular dependencies run: | diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml index d9d130a658..1ce335df7c 100644 --- a/.github/workflows/check-entangled-specs.yml +++ b/.github/workflows/check-entangled-specs.yml @@ -20,7 +20,9 @@ jobs: # Checkout the branch of our repo that triggered this action - name: Workflow trigger checkout uses: actions/checkout@v4 - + with: + persist-credentials: false + # For consistency, we use the same major/minor version of Python that Azure Linux ships - name: Setup Python 3.12 uses: actions/setup-python@v5 diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml index abe0ee677a..3c77d5769e 100644 --- a/.github/workflows/check-license-map.yml +++ b/.github/workflows/check-license-map.yml @@ -24,7 +24,9 @@ jobs: # Checkout the branch of our repo that triggered this action - name: Workflow trigger checkout uses: actions/checkout@v4 - + with: + persist-credentials: false + - name: Setup Python 3.12 uses: actions/setup-python@v5 with: diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml index 5c40bab380..77b0398f32 100644 --- a/.github/workflows/check-manifests.yml +++ b/.github/workflows/check-manifests.yml 
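Review bot: `permissions: read-all` in check-circular-deps.yml still gives the job token read access to every scope (issues, pull requests, packages, security events and so on), while the steps visible in this file only check out the repository and run a script. The least-privilege form is a per-scope map, `permissions:` with the single entry `contents: read`, assuming nothing below the hunk calls the GitHub API. The same applies to the `read-all` added in check-source-signatures.yml and merge-conflict-check.yml. The other workflows touched here get no `permissions:` hunk, and whether they already declare one is not visible in this diff.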
@@ -22,6 +22,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond - name: Define missing rpm macros diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml index 2c89c989ea..0922498f56 100644 --- a/.github/workflows/check-package-cgmanifest.yml +++ b/.github/workflows/check-package-cgmanifest.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond - name: Define missing rpm macros @@ -33,9 +35,12 @@ jobs: - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} run: | - git fetch origin ${{ github.base_ref }} - echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV" - echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" + base_ref="${BASE_REF}" + git fetch origin $base_ref + echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV" + echo "Merging ${{ github.sha }} into $base_ref" + env: + BASE_REF: ${{ github.base_ref }} - name: Get base commit for Pushes if: ${{ github.event_name == 'push' }} diff --git a/.github/workflows/check-source-signatures.yml b/.github/workflows/check-source-signatures.yml index 8f6cce3181..efd86fc9e8 100644 --- a/.github/workflows/check-source-signatures.yml +++ b/.github/workflows/check-source-signatures.yml @@ -11,6 +11,8 @@ on: - .github/workflows/check-source-signatures.yml - '**.spec' +permissions: read-all + jobs: spec-check: name: Source Signature Check @@ -24,6 +26,7 @@ jobs: - name: Workflow trigger checkout uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 # For consistency, we use the same major/minor version of Python that Azure Linux ships 
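Review bot: In the "Get base commit for PRs" step of check-package-cgmanifest.yml, `$base_ref` is still expanded unquoted in `git fetch origin $base_ref` and inside `$(git rev-parse origin/$base_ref)`. The value no longer reaches the script as template text, but the shell still applies word splitting and globbing to it. Quoting it and reading the variable directly, `git fetch origin "$BASE_REF"` and `echo "base_sha=$(git rev-parse "origin/$BASE_REF")" >> "$GITHUB_ENV"`, closes that gap and makes the `base_ref="${BASE_REF}"` copy unnecessary. The same unquoted expansion appears in check-source-signatures.yml, check-spec.yml, lint-specs.yml and merge-conflict-check.yml, where `>> $GITHUB_ENV` is also left unquoted. Because the checkout in this file now sets `persist-credentials: false`, this fetch runs without a token; that presumably works while the repository is public, and a one-line comment saying so would help.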
@@ -38,8 +41,11 @@ jobs: - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} run: | - echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV" - echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" + base_ref="${BASE_REF}" + echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV" + echo "Merging ${{ github.sha }} into $base_ref" + env: + BASE_REF: ${{ github.base_ref }} - name: Get base commit for Pushes if: ${{ github.event_name == 'push' }} diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml index b95017005a..4df7f16dc8 100644 --- a/.github/workflows/check-spec.yml +++ b/.github/workflows/check-spec.yml @@ -24,6 +24,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false # For consistency, we use the same major/minor version of Python that Azure Linux ships - name: Setup Python 3.12 @@ -37,8 +38,11 @@ jobs: - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} run: | - echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV" - echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" + base_ref="${BASE_REF}" + echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV" + echo "Merging ${{ github.sha }} into $base_ref" + env: + BASE_REF: ${{ github.base_ref }} - name: Get base commit for Pushes if: ${{ github.event_name == 'push' }} @@ -63,6 +67,7 @@ jobs: with: ref: '3.0' path: '3.0-checkout' + persist-credentials: false - name: Verify .spec files if: ${{ env.updated-specs != '' }} diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml index ad033bc7c3..709f956f7c 100644 --- a/.github/workflows/check-static-glibc.yml +++ b/.github/workflows/check-static-glibc.yml 
@@ -22,6 +22,8 @@ jobs: # Checkout the branch of our repo that triggered this action - name: Workflow trigger checkout uses: actions/checkout@v4 + with: + persist-credentials: false # For consistency, we use the same major/minor version of Python that Azure Linux ships - name: Setup Python 3.12 diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml index 3e0f61e6db..e7645372d7 100644 --- a/.github/workflows/go-test-coverage.yml +++ b/.github/workflows/go-test-coverage.yml @@ -33,6 +33,8 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check go.mod run: | diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml index e93fb5be41..47dea50cbf 100644 --- a/.github/workflows/lint-specs.yml +++ b/.github/workflows/lint-specs.yml @@ -24,13 +24,17 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} run: | - echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV" - echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" - + base_ref="${BASE_REF}" + echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV" + echo "Merging ${{ github.sha }} into $base_ref" + env: + BASE_REF: ${{ github.base_ref }} + - name: Get base commit for Pushes if: ${{ github.event_name == 'push' }} run: | @@ -50,6 +54,7 @@ jobs: with: ref: '3.0' path: '3.0-checkout' + persist-credentials: false # Our linter is based on the spec-cleaner tool from the folks at openSUSE # We apply a patch to modify it for our needs @@ -59,6 +64,7 @@ jobs: repository: 'rpm-software-management/spec-cleaner' ref: 'spec-cleaner-1.2.0' path: 'spec-cleaner' + persist-credentials: false # For consistency, we use the same major/minor version of Python that Azure Linux ships - name: Setup Python 3.12 
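Review bot: The spec-cleaner checkout in the last lint-specs.yml hunk still resolves `ref: 'spec-cleaner-1.2.0'`, a tag in a third-party repository that its owner can move. The comment above the step says the tool is patched and used as the linter, so whatever the tag points to is what this job runs. Pinning to the full commit, as publish-docs.yml already does for its reusable workflow, makes the fetched code immutable: `ref: '<full-commit-sha-of-spec-cleaner-1.2.0>'  # spec-cleaner-1.2.0`. The step begins above the hunk, so only its `with:` block is visible here.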
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8cf75ec04e..fdb8bf5a63 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,6 +16,8 @@ on: - "**.spec" - "**.patch" +permissions: read-all + jobs: lint: name: Lint Workflows and Code @@ -32,6 +34,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false + - name: Lint uses: github/super-linter/slim@v7 env: diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml index 26334f09f5..ffe173c40f 100644 --- a/.github/workflows/merge-conflict-check.yml +++ b/.github/workflows/merge-conflict-check.yml @@ -7,6 +7,8 @@ on: pull_request: branches: [main, 3.0*] +permissions: read-all + jobs: spec-check: name: Github Merge Conflict Check @@ -16,13 +18,18 @@ jobs: # Checkout the branch of our repo that triggered this action - name: Workflow trigger checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} run: | - git fetch origin ${{ github.base_ref }} - echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV - echo "Merging ${{ github.sha }} into ${{ github.base_ref }}" + base_ref="${BASE_REF}" + git fetch origin $base_ref + echo "base_sha=$(git rev-parse origin/$base_ref)" >> $GITHUB_ENV + echo "Merging ${{ github.sha }} into $base_ref" + env: + BASE_REF: ${{ github.base_ref }} - name: Get base commit for Pushes if: ${{ github.event_name == 'push' }} diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 6c6e39d9b9..a7d565477e 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml 
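Review bot: In lint.yml, the workflow-level `permissions: read-all` also governs the token available to the `github/super-linter/slim@v7` step, and super-linter's per-linter commit statuses need `statuses: write` when a token is passed to it. That step's `env:` block lies outside the visible hunks, so this needs checking. If `GITHUB_TOKEN` is set there, either grant the job `contents: read` plus `statuses: write` explicitly, or turn status reporting off with `MULTI_STATUS: false`. An explicit per-scope map would also be narrower than `read-all` for the scopes this job never uses.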
@@ -19,7 +19,7 @@ permissions: jobs: build_microvisor-toolkit: if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }} - uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@81b923cd8456c3efb633808611e09b4aed8ae3b1 + uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403 secrets: SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }} DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }} diff --git a/README.md b/README.md index 8f4e1f62d7..0e89451eaf 100644 --- a/README.md +++ b/README.md @@ -16,8 +16,8 @@ The currently published versions are: * Edge Microvisor Toolkit (immutable) * Edge Microvisor Toolkit with real time extensions (immutable) -* Edge Microvisor Toolkit Standalone (immutable) -* Edge Microvisor Toolkit Developer (mutable) +* Edge Microvisor Toolkit Standalone (immutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipeµserviceNameForUrl=edge-microvisor-toolkit-standalone-node)) +* Edge Microvisor Toolkit Developer (mutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipeµserviceNameForUrl=edge--microvisor-toolkit-development-node)) The Edge Microvisor Toolkit has undergone extensive validation across all Intel platforms such as Xeon®, Intel® Core Ultra™, Intel Core™ and Intel® Atom®. It