From efd2be8f6f0a0253938be80ff6664c7bc51924a3 Mon Sep 17 00:00:00 2001
From: Ana Luisa Ponsirenas
Date: Wed, 23 Apr 2025 07:42:50 -0700
Subject: [PATCH 1/9] Update hash reference in publish docs workflow (#55)
- Updated to the latest `publish-docs` in `orch-ci`
---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 46330247c0..0c79b15255 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 build_microvisor-toolkit:
 if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }}
- uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@2fc4c75be6b7f308dd95bdf5a822e466437734ac
+ uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@f6daea43ff4711b5c8cc12032eab94aa59ccb3b7
 secrets:
 SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
 DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
From 6fc6894147a0c02572af27d7eb0f0be75d2fb5b6 Mon Sep 17 00:00:00 2001
From: Ana Luisa Ponsirenas
Date: Wed, 23 Apr 2025 08:07:28 -0700
Subject: [PATCH 2/9] Update sha publish docs (#56)
* Update hash reference in publish docs workflow
- Updated to the latest `publish-docs` in `orch-ci`
* Update publish-docs.yml
---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 0c79b15255..bc92e31a09 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
 build_microvisor-toolkit:
 if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }}
- uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@f6daea43ff4711b5c8cc12032eab94aa59ccb3b7
+ uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@4ecba6bd86b92c842c88dec9e53cf782f523a746
 secrets:
 SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
 DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
From 90b2b08c1fe1dc9202ae565bb10ab1a54e964220 Mon Sep 17 00:00:00 2001
From: Ana Luisa Ponsirenas
Date: Wed, 23 Apr 2025 20:52:03 -0700
Subject: [PATCH 3/9] Update permissions for publish-docs (#57)
* Update hash reference in publish docs workflow
- Updated to the latest `publish-docs` in `orch-ci`
* Update publish-docs.yml
* Update publish-docs.yml
Updated permissions
* Update publish-docs.yml
Pin to latest SHA
* Adds branch pattern 3.0
* Update publish-docs.yml
* Change working dir
---
 .github/workflows/publish-docs.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index bc92e31a09..6c6e39d9b9 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -12,15 +12,19 @@ on:
 - microvisor-toolkit
 permissions:
- contents: read
+ contents: read # needed for actions/checkout
+ pull-requests: read # needed for gh pr list
+ issues: write # needed to post PR comment
 jobs:
 build_microvisor-toolkit:
 if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }}
- uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@4ecba6bd86b92c842c88dec9e53cf782f523a746
+ uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@81b923cd8456c3efb633808611e09b4aed8ae3b1
 secrets:
 SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
 DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
 DOC_AWS_SECRET_ACCESS_KEY: ${{ secrets.DOC_AWS_SECRET_ACCESS_KEY }}
 with:
- docs_directory: docs
+ docs_directory: '.'
+ branch_pattern: '^3\.0.*$'
+
From 93dc987465e505d42a69c8389d2c0d07200eccaa Mon Sep 17 00:00:00 2001
From: Mats Agerstam
Date: Wed, 23 Apr 2025 20:52:47 -0700
Subject: [PATCH 4/9] updated EMT-D overview documentation (#60)
* updated EMT-D overview documentation
* fixed typo
---
 docs/user-guide/Overview.md | 84 ++++++++++++++++++++-----------------
 1 file changed, 45 insertions(+), 39 deletions(-)
diff --git a/docs/user-guide/Overview.md b/docs/user-guide/Overview.md
index 2826de0cbf..24f04f86e2 100644
--- a/docs/user-guide/Overview.md
+++ b/docs/user-guide/Overview.md
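Review bot: `issues: write` is added at the workflow level, so every job in this file receives a write-capable token, while the inline comment ties it to a single purpose ("post PR comment") inside the called `publish-documentation.yml`. Scoping the grant to the one job that calls the reusable workflow keeps the rest of the file on read-only defaults if any other jobs exist beyond this hunk, e.g. under `build_microvisor-toolkit:` add `permissions:` / `contents: read` / `pull-requests: read` / `issues: write` and drop `issues: write` from the top-level block. The hunk also ends with an added empty line at end of file, which yamllint's `empty-lines` default reports; the workflow's remaining lines are outside this hunk.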
@@ -1,85 +1,91 @@ --- orphan: true --- -# Overview - -The Edge Microvisor Toolkit Developer is a package that contains mutable Edge Microvisor Toolkit in an `ISO` installer format. Edge Microvisor Toolkit is a streamlined container operating system that showcases the Intel® silicon optimizations. Built on Azure Linux, it features a Linux Kernel maintained by -Intel, incorporating all the latest kernel and user patches. - -The Edge Microvisor Toolkit Developer has undergone extensive validation across -all Intel® platforms such as Intel® Xeon®, Intel® Core™ Ultra, Intel® Core™ and Intel® Atom®. -The Edge Microvisor Toolkit Developer Node enables users to quickly deploy -and run their solutions for multiple scenarios like benchmarking and validation -of Edge AI computing workloads. The Edge Microvisor Toolkit Developer is -available to download from the Open-source repository. - -The Edge Microvisor Toolkit Developer supports Native applications and VM based applications out of the box. Users can customize their Edge Node using the -provided `dnf` package manager to install container runtimes and Docker tools. -This allows users to run Docker containers. - -The Edge Microvisor Toolkit Developer is Fully open-Source and royalty free. - -## Get started - -### System requirements - -Edge Microvisor Toolkit Developer is designed to support all Intel® platforms -with the latest Intel® kernel to ensure all features are exposed and available -for application and workloads. The microvisor has been validated on the -following platforms. +# Edge Microvisor Toolkit Developer Node + +The Edge Microvisor Toolkit Development Node is a developer version of the Edge +Microvisor Toolkit which is a container host operating system, that comes with +and an ISO installer. + +## Overview + +The Edge Microvisor Toolkit Development Node is a software package that contains +mutable Edge Microvisor Toolkit in an ISO installer format. 
Edge Microvisor +Toolkit is a streamlined container operating system that showcases the Intel +silicon optimizations. Built on Azure Linux, it features a Linux Kernel +maintained by Intel, incorporating all the latest kernel and user patches. The +Edge Microvisor Toolkit Development Node has undergone extensive validation +across all Intel platforms such as Xeon®, Intel® Core Ultra™, Intel Core™ and +Intel® Atom®. The Edge Microvisor Toolkit Development Node allows users to +quickly deploy and run their solutions for multiple scenarios like benchmarking +and validation of Edge AI computing workloads. This software package is +available to download as buildable source code from the Open-source repository +or as binary. + +The Edge Microvisor Toolkit Development Node supports Native applications and VM +based applications out of the box. Users can customize their Edge Node using the +provided dnf package manager to install container runtimes and Docker tools. +The Edge Microvisor Toolkit Development Node is fully open-Source and royalty +free. + +## How It Works + +Edge Microvisor Toolkit Development Node is designed to support all Intel® +platforms with the latest Intel® kernel to ensure all features are exposed and +available for application and workloads. The microvisor has been validated on +the following platforms. | Atom | Core | Xeon | | ----------------------| ----------------------------- | -------------- | -| Intel Atom® X Series | 12th Gen Intel® Core™ | 4th Gen Intel® Xeon® SP | +| Intel® Atom® X Series | 12th Gen Intel® Core™ | 4th Gen Intel® Xeon® SP | | | 13th Gen Intel® Core™ | 3rd Gen Intel® Xeon® SP | | | Intel® Core™ Ultra (Series 1) | | The following outlines the recommended hardware configuration to run Edge Microvisor Toolkit Developer. 
-| Component | Edge Microvisor Toolkit Developer | +| Component | Edge Microvisor Toolkit Development Node | |--------------|----------------------------| -| CPU | Intel Atom®, Intel® Core™, or Intel® Xeon® | +| CPU | Intel® Atom, Core, or Xeon | | RAM | 2GB minimum | | Storage | 32GB SSD/NVMe or eMMC | | Networking | 1GbE Ethernet or Wi-Fi | ### Installation Instructions -You can download the Edge Microvisor Toolkit Developer from [Edge Software Catalog](https://edgesoftwarecatalog.intel.com/) - -> TODO: Add step by step guide to download the ISO image from ESC with screenshots +You can download the Edge Microvisor Toolkit Developer Node [here](https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor) -## Secure by Design +### Secure by Design - Package based updates with 'dnf'. - Support for Secure Boot (optional) and TPM support for hardware-verified integrity. - Support for Full Disc Encryption (optional) -## Optimized for Intel® Architecture +### Optimized for Intel® Architecture - Pre-tuned drivers and acceleration libraries for Intel® CPUs and GPUs. - Enables Intel® silicon ahead of Operating System vendors (OSVs), unlocking features that may not be accepted upstream. - Intel® Linux* Kernel 6.12 with optimized security settings -## Flexible and Modular Deployment +### Flexible and Modular Deployment - Supports bare metal, VM-based, and containerized deployments. - Supports Kubernetes*, Docker*, and OCI-compliant runtimes. -## Open Source and Extensible +### Open Source and Extensible - Fully open-source and royalty-free. - Actively integrates OxM platform features and third-party vendor hardware. -## Getting help +### Getting help -If you encounter bugs, have feature requests, or need assistance, file a GitHub Issue. Before submitting a new report, check the existing issues to see if a +If you encounter bugs, have feature requests, or need assistance, file a GitHub +Issue. 
Before submitting a new report, check the existing issues to see if a similar one has not been filed already. If no matching issue is found, feel free to file the issue as described in the contribution guide. -## License Information +### License Information Edge Microvisor Toolkit Developer is based on [Azure Linux](https://github.com/microsoft/azurelinux), sharing its permissive open-source license: [MIT](https://github.com/microsoft/azurelinux/blob/3.0/LICENSE). From 54100ee5ee668e94abe00a92e2241e59d8bf9c9d Mon Sep 17 00:00:00 2001 From: SupriyaPamulpati <120701079+SupriyaPamulpati@users.noreply.github.com> Date: Fri, 25 Apr 2025 07:55:41 +0530 Subject: [PATCH 5/9] Update sb-howto.md (#58) * Update sb-howto.md * Update sb-howto.md * Update sb-howto.md --- docs/developer-guide/get-started/sb-howto.md | 27 ++++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/docs/developer-guide/get-started/sb-howto.md b/docs/developer-guide/get-started/sb-howto.md index 0f40e97a99..652f6704ab 100644 --- a/docs/developer-guide/get-started/sb-howto.md +++ b/docs/developer-guide/get-started/sb-howto.md @@ -125,10 +125,15 @@ export KEY=KeyInDB cd ~ ``` Make sure your rpm %_topdir is ~/rpmbuild; if not you should edit your ~/.rpmmacros to include: + ```bash mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} %_topdir %(echo $HOME)/rpmbuild ``` +If file ~/.rpmmacros does not exist in home directory, create one: +```bash +vi ~/.rpmmacros +``` ### Step 2: Rebuild the shim-unsigned Package 
@@ -143,14 +148,14 @@ certutil -d /etc/pki/pesign -L -n KeyInShim -r > ~/key-in-shim.der ```bash base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//') -shim_unsigned_package=$(tdnf repoquery --source shim-unsigned-x64 | tail -1) -wget $base_url/SRPMS/$shim_unsigned_package.rpm +shim_unsigned_package=$(tdnf repoquery --source shim-unsigned-x64 | tail -1 | sed 's/\.src$//') +wget $base_url/SRPMS/$shim_unsigned_package.src.rpm -rpm -i shim-unsigned-x64-*.src.rpm +rpm -i $shim_unsigned_package.src.rpm cd ~/rpmbuild cp ~/key-in-shim.der SOURCES/azurelinux-ca-20230216.der rpmbuild -bb SPECS/shim-unsigned-x64.spec -sudo tdnf install RPMS/x86_64/shim-unsigned-x64-*.x86_64.rpm +sudo tdnf install RPMS/x86_64/$shim_unsigned_package.x86_64.rpm ``` ```bash cd ~ @@ -163,10 +168,10 @@ cd ~ ```bash base_url=$(grep -E '^\s*baseurl' /etc/yum.repos.d/*.repo | awk -F= '{print $2}' | sed 's/^[ \t]*//') -shim_package=$(tdnf repoquery --source shim | grep -v "unsigned" | tail -1) -wget $base_url/SRPMS/$shim_package.rpm +shim_package=$(tdnf repoquery --source shim | grep -v "unsigned" | tail -1 | sed 's/\.src$//') +wget $base_url/SRPMS/$shim_package.src.rpm -rpm -i $shim_package.rpm +rpm -i $shim_package.src.rpm ``` **Sign the binaries**: 
@@ -186,12 +191,12 @@ rpmbuild -bb SPECS/shim.spec Install the new package and reboot with secure boot disabled: ```bash -sudo tdnf install RPMS/x86_64/$shim_package.rpm +sudo tdnf install RPMS/x86_64/$shim_package.x86_64.rpm ``` -Ensure that the `$shim_package.rpm` package is installed properly. If you encounter any messages, such as "Nothing to do", you can attempt to reinstall the package. +Ensure that the `$shim_package.x86_64.rpm` package is installed properly. If you encounter any messages, such as "Nothing to do", you can attempt to reinstall the package. ```bash -sudo tdnf reinstall --allowerasing RPMS/x86_64/$shim_package.rpm +sudo tdnf reinstall --allowerasing RPMS/x86_64/$shim_package.x86_64.rpm ``` ```bash @@ -213,7 +218,7 @@ sudo sh -c 'cp /boot/vmlinuz-* .' ```bash sudo pesign -s -i grubx64.efi -o /boot/efi/EFI/BOOT/grubx64.efi -c KeyInShim --force -udo sh -c 'pesign -s -i vmlinuz-* -o /boot/vmlinuz-* -c KeyInShim --force' +sudo sh -c 'pesign -s -i vmlinuz-* -o /boot/vmlinuz-* -c KeyInShim --force' ``` ### Step 6: Enroll KeyInDB into UEFI DB From d5f65db14c6eae27495be01ef854e978bd13d680 Mon Sep 17 00:00:00 2001 From: Anuj Mittal Date: Fri, 25 Apr 2025 14:41:09 +0800 Subject: [PATCH 6/9] docs/overview: fix location of iso (#62) Point to the location where ISO is available. --- docs/user-guide/Overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/Overview.md b/docs/user-guide/Overview.md index 24f04f86e2..c670b3c34f 100644 --- a/docs/user-guide/Overview.md +++ b/docs/user-guide/Overview.md @@ -53,7 +53,7 @@ Microvisor Toolkit Developer. ### Installation Instructions -You can download the Edge Microvisor Toolkit Developer Node [here](https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor) +You can download the Edge Microvisor Toolkit Developer Node [here](https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/iso/EdgeMicrovisorToolkit-3.0.iso) ### Secure by Design 
From acc705b8a223400bf08a2d67a9cf30691255ed8f Mon Sep 17 00:00:00 2001
From: Ana Luisa Ponsirenas
Date: Sun, 27 Apr 2025 20:04:24 -0700
Subject: [PATCH 7/9] Update pinned sha in publish docs (#64)
* Update hash reference in publish docs workflow
- Updated to the latest `publish-docs` in `orch-ci`
* Update publish-docs.yml
* Update publish-docs.yml
Updated permissions
* Update publish-docs.yml
Pin to latest SHA
* Adds branch pattern 3.0
* Update publish-docs.yml
* Change working dir
* Update publish-docs.yml
---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 6c6e39d9b9..a7d565477e 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -19,7 +19,7 @@ permissions:
 jobs:
 build_microvisor-toolkit:
 if: ${{ (github.event.inputs.target == 'microvisor-toolkit') || (github.event.inputs.target == 'all-documentation') }}
- uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@81b923cd8456c3efb633808611e09b4aed8ae3b1
+ uses: open-edge-platform/orch-ci/.github/workflows/publish-documentation.yml@734970a73e3d6e8d7cd160e2cad6366770f52403
 secrets:
 SYS_ORCH_GITHUB: ${{ secrets.SYS_ORCH_GITHUB }}
 DOC_AWS_ACCESS_KEY_ID: ${{ secrets.DOC_AWS_ACCESS_KEY_ID }}
From 0eee046687f2f0884be46d8b0ebc504b6cbb085d Mon Sep 17 00:00:00 2001
From: Ashutosh Kumar
Date: Tue, 29 Apr 2025 18:25:16 -0700
Subject: [PATCH 8/9] Update README.md (#74)
Updated download links for standalone and developer versions
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 938e76c808..46067f2be6 100644
--- a/README.md
+++ b/README.md
@@ -16,8 +16,8 @@ The currently published versions are: * Edge Microvisor Toolkit (immutable) * Edge Microvisor Toolkit with real time extensions (immutable) -* Edge Microvisor Toolkit Standalone (immutable) -* Edge Microvisor Toolkit Developer (mutable) +* Edge Microvisor Toolkit Standalone (immutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipeµserviceNameForUrl=edge-microvisor-toolkit-standalone-node)) +* Edge Microvisor Toolkit Developer (mutable) ([Download link](https://edgesoftwarecatalog.intel.com/details/?microserviceType=recipeµserviceNameForUrl=edge--microvisor-toolkit-development-node)) The Edge Microvisor Toolkit has undergone extensive validation across all Intel platforms such as Xeon®, Intel® Core Ultra™, Intel Core™ and Intel® Atom®. It From c52c1b779e679bb42e8e8bfea58c26746462b5ea Mon Sep 17 00:00:00 2001 From: Nirmal George Date: Wed, 30 Apr 2025 09:11:13 +0530 Subject: [PATCH 9/9] Zizmor report related fixes (#73) * permission fixes * workflow permission updates * Update .github/workflows/check-spec.yml * Update check-spec.yml --------- Co-authored-by: Anuj Mittal --- .github/workflows/check-circular-deps.yml | 4 ++++ .github/workflows/check-entangled-specs.yml | 4 +++- .github/workflows/check-license-map.yml | 4 +++- .github/workflows/check-manifests.yml | 2 ++ .github/workflows/check-package-cgmanifest.yml | 11 ++++++++--- .github/workflows/check-source-signatures.yml | 10 ++++++++-- .github/workflows/check-spec.yml | 9 +++++++-- .github/workflows/check-static-glibc.yml | 2 ++ .github/workflows/go-test-coverage.yml | 2 ++ .github/workflows/lint-specs.yml | 12 +++++++++--- .github/workflows/lint.yml | 4 ++++ .github/workflows/merge-conflict-check.yml | 13 ++++++++++--- 12 files changed, 62 insertions(+), 15 deletions(-) diff --git a/.github/workflows/check-circular-deps.yml b/.github/workflows/check-circular-deps.yml index d1aa1c2bb3..d995eb6995 100644 --- a/.github/workflows/check-circular-deps.yml 
+++ b/.github/workflows/check-circular-deps.yml
@@ -11,6 +11,8 @@ on:
 - .github/workflows/check-circular-deps.yml
 - '**.spec'
+permissions: read-all
+
 jobs:
 spec-check:
 name: Circular dependency check
@@ -20,6 +22,8 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Check for circular dependencies
 run: |
diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
index d9d130a658..1ce335df7c 100644
--- a/.github/workflows/check-entangled-specs.yml
+++ b/.github/workflows/check-entangled-specs.yml
@@ -20,7 +20,9 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
-
+ with:
+ persist-credentials: false
+
 # For consistency, we use the same major/minor version of Python that Azure Linux ships
 - name: Setup Python 3.12
 uses: actions/setup-python@v5
diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
index abe0ee677a..3c77d5769e 100644
--- a/.github/workflows/check-license-map.yml
+++ b/.github/workflows/check-license-map.yml
@@ -24,7 +24,9 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
-
+ with:
+ persist-credentials: false
+
 - name: Setup Python 3.12
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
index 5c40bab380..77b0398f32 100644
--- a/.github/workflows/check-manifests.yml
+++ b/.github/workflows/check-manifests.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Check out code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
 - name: Define missing rpm macros
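Review bot: `permissions: read-all` in the first hunk grants the job token read access on every scope (packages, deployments, security-events and so on), while the steps visible in this workflow are a checkout and a script step that need only `contents: read`; writing `permissions:` / `contents: read` is the least-privilege form and still clears an excessive-permissions finding. The same `read-all` is added to check-source-signatures.yml, lint.yml and merge-conflict-check.yml later in this commit and would take the same narrowing. The other eight workflows in the diffstat get `persist-credentials: false` here but no `permissions:` block in these hunks; if none already carries one above the hunk, they stay on the repository-default token scope, which is worth confirming before calling the report closed. The `uses: actions/checkout@v4` context lines remain on a mutable major-version tag rather than a commit SHA, so a pin-by-SHA finding is presumably still outstanding.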
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
index 2c89c989ea..0922498f56 100644
--- a/.github/workflows/check-package-cgmanifest.yml
+++ b/.github/workflows/check-package-cgmanifest.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Check out code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond
 - name: Define missing rpm macros
@@ -33,9 +35,12 @@ jobs:
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- git fetch origin ${{ github.base_ref }}
- echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
- echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+ base_ref="${BASE_REF}"
+ git fetch origin $base_ref
+ echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+ echo "Merging ${{ github.sha }} into $base_ref"
+ env:
+ BASE_REF: ${{ github.base_ref }}
 - name: Get base commit for Pushes
 if: ${{ github.event_name == 'push' }}
diff --git a/.github/workflows/check-source-signatures.yml b/.github/workflows/check-source-signatures.yml
index 8f6cce3181..efd86fc9e8 100644
--- a/.github/workflows/check-source-signatures.yml
+++ b/.github/workflows/check-source-signatures.yml
@@ -11,6 +11,8 @@ on:
 - .github/workflows/check-source-signatures.yml
 - '**.spec'
+permissions: read-all
+
 jobs:
 spec-check:
 name: Source Signature Check
@@ -24,6 +26,7 @@ jobs:
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 fetch-depth: 0
 # For consistency, we use the same major/minor version of Python that Azure Linux ships
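Review bot: In the second check-package-cgmanifest.yml hunk `$base_ref` is expanded unquoted in `git fetch origin $base_ref` and `origin/$base_ref`; git ref names cannot contain whitespace or glob characters, so this is safe in practice, but shellcheck reports it (SC2086) and the intent reads more plainly as `git fetch origin "$base_ref"` and `origin/"$base_ref"`. The same shape is introduced in check-source-signatures.yml, check-spec.yml, lint-specs.yml and merge-conflict-check.yml below, and merge-conflict-check.yml additionally keeps `>> $GITHUB_ENV` unquoted on its new lines where the other four write `>> "$GITHUB_ENV"`. Routing `github.base_ref` through `env:` instead of interpolating it into the script is the right fix for the template-injection finding; the remaining inline `${{ github.sha }}` is a fixed-format commit hash rather than free text.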
@@ -38,8 +41,11 @@ jobs:
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
- echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+ base_ref="${BASE_REF}"
+ echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+ echo "Merging ${{ github.sha }} into $base_ref"
+ env:
+ BASE_REF: ${{ github.base_ref }}
 - name: Get base commit for Pushes
 if: ${{ github.event_name == 'push' }}
diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml
index b95017005a..4df7f16dc8 100644
--- a/.github/workflows/check-spec.yml
+++ b/.github/workflows/check-spec.yml
@@ -24,6 +24,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 # For consistency, we use the same major/minor version of Python that Azure Linux ships
 - name: Setup Python 3.12
@@ -37,8 +38,11 @@ jobs:
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
- echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+ base_ref="${BASE_REF}"
+ echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+ echo "Merging ${{ github.sha }} into $base_ref"
+ env:
+ BASE_REF: ${{ github.base_ref }}
 - name: Get base commit for Pushes
 if: ${{ github.event_name == 'push' }}
@@ -63,6 +67,7 @@ jobs:
 with:
 ref: '3.0'
 path: '3.0-checkout'
+ persist-credentials: false
 - name: Verify .spec files
 if: ${{ env.updated-specs != '' }}
diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml
index ad033bc7c3..709f956f7c 100644
--- a/.github/workflows/check-static-glibc.yml
+++ b/.github/workflows/check-static-glibc.yml
@@ -22,6 +22,8 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # For consistency, we use the same major/minor version of Python that Azure Linux ships
 - name: Setup Python 3.12
diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml
index 3e0f61e6db..e7645372d7 100644
--- a/.github/workflows/go-test-coverage.yml
+++ b/.github/workflows/go-test-coverage.yml
@@ -33,6 +33,8 @@ jobs:
 - name: Check out code into the Go module directory
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Check go.mod
 run: |
diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
index e93fb5be41..47dea50cbf 100644
--- a/.github/workflows/lint-specs.yml
+++ b/.github/workflows/lint-specs.yml
@@ -24,13 +24,17 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
- echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
-
+ base_ref="${BASE_REF}"
+ echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
+ echo "Merging ${{ github.sha }} into $base_ref"
+ env:
+ BASE_REF: ${{ github.base_ref }}
+
 - name: Get base commit for Pushes
 if: ${{ github.event_name == 'push' }}
 run: |
@@ -50,6 +54,7 @@ jobs:
 with:
 ref: '3.0'
 path: '3.0-checkout'
+ persist-credentials: false
 # Our linter is based on the spec-cleaner tool from the folks at openSUSE
 # We apply a patch to modify it for our needs
@@ -59,6 +64,7 @@ jobs:
 repository: 'rpm-software-management/spec-cleaner'
 ref: 'spec-cleaner-1.2.0'
 path: 'spec-cleaner'
+ persist-credentials: false
 # For consistency, we use the same major/minor version of Python that Azure Linux ships
 - name: Setup Python 3.12
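Review bot: The last lint-specs.yml hunk touches the checkout of the third-party repository `rpm-software-management/spec-cleaner`, whose `ref: 'spec-cleaner-1.2.0'` is a tag that upstream can move or re-create, so the linter's source is still not pinned to immutable content even with `persist-credentials: false` now set. Pinning to the tag's full commit SHA, `ref: '<commit sha that spec-cleaner-1.2.0 resolves to>'` with the tag name kept in a trailing comment, gives this step the same supply-chain guarantee the publish-docs workflow already gets from its SHA-pinned `uses:` references. The `uses: actions/checkout@v4` line for this step sits above the hunk.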
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8cf75ec04e..fdb8bf5a63 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,6 +16,8 @@ on:
 - "**.spec"
 - "**.patch"
+permissions: read-all
+
 jobs:
 lint:
 name: Lint Workflows and Code
@@ -32,6 +34,8 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
+
 - name: Lint
 uses: github/super-linter/slim@v7
 env:
diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml
index 26334f09f5..ffe173c40f 100644
--- a/.github/workflows/merge-conflict-check.yml
+++ b/.github/workflows/merge-conflict-check.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches: [main, 3.0*]
+permissions: read-all
+
 jobs:
 spec-check:
 name: Github Merge Conflict Check
@@ -16,13 +18,18 @@ jobs:
 # Checkout the branch of our repo that triggered this action
 - name: Workflow trigger checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Get base commit for PRs
 if: ${{ github.event_name == 'pull_request' }}
 run: |
- git fetch origin ${{ github.base_ref }}
- echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
- echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+ base_ref="${BASE_REF}"
+ git fetch origin $base_ref
+ echo "base_sha=$(git rev-parse origin/$base_ref)" >> $GITHUB_ENV
+ echo "Merging ${{ github.sha }} into $base_ref"
+ env:
+ BASE_REF: ${{ github.base_ref }}
 - name: Get base commit for Pushes
 if: ${{ github.event_name == 'push' }}