From ef46505a21625abea9d47ac86c47e4fb5a45f65f Mon Sep 17 00:00:00 2001
From: Cedric Willekens
Date: Tue, 23 Apr 2024 13:38:16 +0200
Subject: [PATCH] Fix gha smells: - Avoid executing scheduled workflows on forks - Use 'if' for upload-artifact action - Use permissions whenever using Github Token
---
 .github/workflows/build_on_pr.yml | 1 +
 .github/workflows/compatiblity_test_on_schedule.yml | 1 +
 .github/workflows/draft_github_release_post_after_merge.yml | 2 ++
 .github/workflows/report_test_coverage.yml | 2 ++
 .github/workflows/submodule.yml | 3 +++
 5 files changed, 9 insertions(+)
diff --git a/.github/workflows/build_on_pr.yml b/.github/workflows/build_on_pr.yml
index 0c3a55905764..f3fa2e140746 100644
--- a/.github/workflows/build_on_pr.yml
+++ b/.github/workflows/build_on_pr.yml
@@ -199,6 +199,7 @@ jobs:
 - name: Upload test coverage artifact
 uses: actions/upload-artifact@v3
+ if: success()
 with:
 name: report
 path: report/
diff --git a/.github/workflows/compatiblity_test_on_schedule.yml b/.github/workflows/compatiblity_test_on_schedule.yml
index 3dc8a5a328a6..e53e968573a4 100644
--- a/.github/workflows/compatiblity_test_on_schedule.yml
+++ b/.github/workflows/compatiblity_test_on_schedule.yml
@@ -10,6 +10,7 @@ jobs:
 matrix_preparation:
 name: Prepare Container List
 runs-on: ubuntu-latest
+ if: ${{github.event_name != 'schedule' || github.repository == 'hpcaitech-colossalai'}}
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
diff --git a/.github/workflows/draft_github_release_post_after_merge.yml b/.github/workflows/draft_github_release_post_after_merge.yml
index 53bfa9e8deb6..ac785806b7ca 100644
--- a/.github/workflows/draft_github_release_post_after_merge.yml
+++ b/.github/workflows/draft_github_release_post_after_merge.yml
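Review bot: The added `if: success()` on the upload step in build_on_pr.yml is the condition GitHub Actions already applies to every step by default, so it does not change when the artifact is uploaded. If the intent is to keep the coverage report when an earlier test step fails, the condition would need to be `if: ${{ !cancelled() }}`; otherwise a comment such as `# explicit default: upload only when all previous steps succeeded` states the intent. The rest of the job is outside the hunk, so whether a failed run produces a report at all is not visible here.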
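Review bot: The repository literal in the new job condition, `'hpcaitech-colossalai'`, cannot match `github.repository`, which has the form `owner/name`; the other workflows in this patch compare against `'hpcaitech/ColossalAI'`. As written, a `schedule` event makes the condition false in the upstream repository as well as in forks, so the scheduled compatibility test would stop running everywhere, and jobs that depend on `matrix_preparation` would presumably be skipped with it. The line should read `if: github.event_name != 'schedule' || github.repository == 'hpcaitech/ColossalAI'`.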
@@ -13,6 +13,8 @@ jobs:
 name: Draft Release Post
 if: ( github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true ) && github.repository == 'hpcaitech/ColossalAI'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v2
 with:
diff --git a/.github/workflows/report_test_coverage.yml b/.github/workflows/report_test_coverage.yml
index c9dc541b8a33..548c8e47c5d7 100644
--- a/.github/workflows/report_test_coverage.yml
+++ b/.github/workflows/report_test_coverage.yml
@@ -10,6 +10,8 @@ jobs:
 report-test-coverage:
 runs-on: ubuntu-latest
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ permissions:
+ contents: write
 steps:
 - name: "Download artifact"
 uses: actions/github-script@v6
diff --git a/.github/workflows/submodule.yml b/.github/workflows/submodule.yml
index 4ffb261183f1..fecbdf3f8a22 100644
--- a/.github/workflows/submodule.yml
+++ b/.github/workflows/submodule.yml
@@ -9,6 +9,9 @@ jobs:
 sync-submodule:
 runs-on: ubuntu-latest
 if: github.repository == 'hpcaitech/ColossalAI'
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v2
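Review bot: The job in draft_github_release_post_after_merge.yml now carries an explicit `contents: write` token, and the first step that runs under it is `actions/checkout@v2`, referenced by a mutable tag; the same holds for `actions/checkout@v2` under the write scopes added in submodule.yml. Pinning the action to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, keeps a moved tag from changing what runs with a write-scoped token. A comment above `permissions:` naming the step that needs the scope, such as `# contents: write is required to create the draft release`, would help keep the block minimal; the steps are outside the hunk, so that reason is inferred from the job name.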
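Review bot: `contents: write` on `report-test-coverage` looks both broader and narrower than this job needs. A job-level `permissions:` block sets every scope it does not list to `none`, so the `Download artifact` step, which presumably reads the triggering run's artifacts through `actions/github-script`, would lose `actions: read`, and any later step that comments on the pull request would lose `pull-requests: write`. Because the job is gated on `github.event.workflow_run` and handles an artifact that appears to come from a pull-request build, write access to repository contents is the scope least worth granting here. The likely minimum is `actions: read` plus `pull-requests: write`, to be confirmed against the steps outside the hunk.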