From cdbeb5e59d926175cff57ced52061cfe103293d2 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 26 Feb 2025 17:54:26 -0800 Subject: [PATCH 1/3] Pin the versions of CI actions to commit sha's Google's security practices for GitHub Actions states the following: > When using a third-party action (one not hosted in a [Google-managed org](http://go/github/orgs)), a fixed version of the action MUST be used by [specifying a specific commit](https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses), rather than a branch like "main", or a tagged release, which can be overwritten by any maintainer of the action. This commit adds sha hash numbers to all `uses:` directives that didn't have one already. This was done by running the tool [frizbee](https://github.com/stacklok/frizbee?README) over the files. --- .github/workflows/ci-build-checks.yaml | 54 ++++++++++---------- .github/workflows/ci-file-checks.yaml | 26 +++++----- .github/workflows/ci-nightly-build-test.yaml | 10 ++-- .github/workflows/ci-nightly-cirq-test.yaml | 10 ++-- 4 files changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/ci-build-checks.yaml b/.github/workflows/ci-build-checks.yaml index 72fb90f4b..30a5c60e2 100644 --- a/.github/workflows/ci-build-checks.yaml +++ b/.github/workflows/ci-build-checks.yaml @@ -178,12 +178,12 @@ jobs: debug: ${{steps.parameters.outputs.debug}} steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Note: setup-python has a cache facility, but we don't use it here # because we want to cache more Python things than setup-python does. - name: Set up Python ${{inputs.python_ver || env.python_ver}} - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} 
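Review bot: The trailing comments on the pinned `uses:` lines name the moving major tag (`# v4`, `# v5`) rather than the release the SHA was taken from, so the file alone does not let a reader check a hash against a published version. This applies to every `actions/*` and `dorny/paths-filter` pin in PATCH 1/3; the `bazel-contrib/setup-bazel` pins already carry an exact version (`# 0.12.0`). PATCH 2/3 shows the cost: it pins `actions/checkout` in ci-file-checks.yaml to `08eba0b27e820071cde6df949e0beb9ba4906955`, while the checkout steps pinned in PATCH 1/3 use `11bd71901bbe5b1630ceea73d27597364c9af683`, and both are labelled `# v4`. I would write the full release in the comment, in the form `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder version), and keep one SHA per action across the workflows.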
@@ -218,7 +218,7 @@ jobs: fi - name: Test if the cache already exists - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 id: check_cache with: lookup-only: true @@ -241,7 +241,7 @@ jobs: steps.check_cache.outputs.cache-hit != 'true' || inputs.remake_python_cache == 'true' name: Set up the Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 id: restore_cache with: key: ${{steps.parameters.outputs.python_cache_key}} @@ -269,22 +269,22 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore our Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.python_cache_key}} path: ${{needs.Setup.outputs.python_cache_paths}} fail-on-cache-miss: true - name: Set up Bazel - uses: bazel-contrib/setup-bazel@0.12.0 + uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0 # Note that we don't need to set the Bazel version to use, because it # knows to use what's in the .bazel-version file. with: @@ -307,7 +307,7 @@ jobs: pip install -U ./wheel/*.whl - name: Save the wheel for the tutorial tests - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: wheel-${{github.run_id}} path: ./wheel 
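Review bot: The `actions/checkout` steps pinned in the `-269,22` hunk have no `with:` block, so the action's default of leaving the job token in the checked-out repository's git configuration still applies, and the same workflow later publishes files with `actions/upload-artifact`. Since this series is about hardening the workflows, I would add `with:` / `persist-credentials: false` to each checkout step whose job does not need to push, here and in the other three workflow files. The paths uploaded by the "Make Bazel artifacts downloadable" steps lie outside the hunks, so this diff cannot confirm whether `.git` can end up in an artifact.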
@@ -316,7 +316,7 @@ jobs: - if: failure() || needs.Setup.outputs.debug == 'true' name: Make Bazel artifacts downloadable for analysis - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: bazel-build-artifacts-${{github.run_id}} retention-days: 14 @@ -338,22 +338,22 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore our Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.python_cache_key}} path: ${{needs.Setup.outputs.python_cache_paths}} fail-on-cache-miss: true - name: Get the Python wheel we built - uses: actions/download-artifact@v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4 with: name: wheel-${{github.run_id}} path: ./wheel 
@@ -374,22 +374,22 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore our Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.python_cache_key}} path: ${{needs.Setup.outputs.python_cache_paths}} fail-on-cache-miss: true - name: Set up Bazel - uses: bazel-contrib/setup-bazel@0.12.0 + uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0 with: bazelrc: ${{env.bazelrc_additions}} bazelisk-cache: true @@ -407,7 +407,7 @@ jobs: - if: failure() || needs.Setup.outputs.debug == 'true' name: Make Bazel artifacts downloadable for analysis - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: bazel-tests-${{github.run_id}} retention-days: 7 
@@ -428,22 +428,22 @@ jobs: needs: [Decision, Setup, Build_wheel] steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore our Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.python_cache_key}} path: ${{needs.Setup.outputs.python_cache_paths}} fail-on-cache-miss: true - name: Get the Python wheel we built - uses: actions/download-artifact@v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4 with: name: wheel-${{github.run_id}} path: ./wheel @@ -473,22 +473,22 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore our Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.python_cache_key}} path: ${{needs.Setup.outputs.python_cache_paths}} fail-on-cache-miss: true - name: Set up Bazel - uses: bazel-contrib/setup-bazel@0.12.0 + uses: bazel-contrib/setup-bazel@c50333a3696ad2e6df1e7a2f9b417c5336db774f # 0.12.0 with: bazelrc: ${{env.bazelrc_additions}} bazelisk-cache: true diff --git a/.github/workflows/ci-file-checks.yaml b/.github/workflows/ci-file-checks.yaml index a9728a3a4..d10cc5227 100644 --- a/.github/workflows/ci-file-checks.yaml +++ b/.github/workflows/ci-file-checks.yaml 
@@ -107,10 +107,10 @@ jobs: echo base=${{github.ref_name}} >> "$GITHUB_ENV" - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Determine files changed by this ${{github.event_name}} event - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter with: base: ${{env.base}} @@ -136,12 +136,12 @@ jobs: cache_paths: ${{steps.parameters.outputs.cache_paths}} steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Note: setup-python has a cache facility, but we don't use it here # because we want to cache more Python things than setup-python does. - name: Set up Python ${{inputs.python_ver || env.python_ver}} - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} @@ -161,7 +161,7 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Test if the cache already exists - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 id: check_cache with: lookup-only: true @@ -184,7 +184,7 @@ jobs: steps.check_cache.outputs.cache-hit != 'true' || inputs.remake_python_cache == 'true' name: Set up the Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 id: restore_cache with: key: ${{steps.parameters.outputs.cache_key}} @@ -221,7 +221,7 @@ jobs: changed_files: ${{needs.Changes.outputs.cc_files}} steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up clang-format output problem matcher run: echo '::add-matcher::.github/problem-matchers/clang-format.json' 
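Review bot: The context line `echo base=${{github.ref_name}} >> "$GITHUB_ENV"` at the top of the first ci-file-checks.yaml hunk expands a GitHub expression directly into the shell script text, and pinning the actions does not change that. A ref name is chosen by whoever creates the branch or tag, so it should reach the shell as data: add `env:` with `REF_NAME: ${{github.ref_name}}` to the step and write `echo "base=$REF_NAME" >> "$GITHUB_ENV"`. The step starts above the hunk, so its trigger conditions and any existing `env:` block are not visible here.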
@@ -258,15 +258,15 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore the Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.cache_key}} path: ${{needs.Setup.outputs.cache_paths}} @@ -298,15 +298,15 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - name: Restore the Python cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4 with: key: ${{needs.Setup.outputs.cache_key}} path: ${{needs.Setup.outputs.cache_paths}} diff --git a/.github/workflows/ci-nightly-build-test.yaml b/.github/workflows/ci-nightly-build-test.yaml index 2732ca175..5ba3ee7b3 100644 --- a/.github/workflows/ci-nightly-build-test.yaml +++ b/.github/workflows/ci-nightly-build-test.yaml @@ -61,7 +61,7 @@ jobs: run: ${{steps.commits.outputs.count > 0}} steps: - name: Check out a sparse copy of the git repo for TFQ - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: sparse-checkout: . 
@@ -79,15 +79,15 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python ${{inputs.py_version || env.py_version}} - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.py_version || env.py_version}} - name: Set up Bazel - uses: bazel-contrib/setup-bazel@0.9.1 + uses: bazel-contrib/setup-bazel@f3f50ea6791b9b0f4c4eeabba4507422426462f5 # 0.9.1 with: bazelrc: ${{env.bazelrc_additions}} @@ -123,7 +123,7 @@ jobs: - if: failure() || inputs.save_artifacts == 'true' name: Make artifacts downloadable - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: test-artifacts retention-days: 7 diff --git a/.github/workflows/ci-nightly-cirq-test.yaml b/.github/workflows/ci-nightly-cirq-test.yaml index 74cccec00..7b7c61ea2 100644 --- a/.github/workflows/ci-nightly-cirq-test.yaml +++ b/.github/workflows/ci-nightly-cirq-test.yaml @@ -75,11 +75,11 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up Python ${{inputs.py_version || env.py_version}} id: python - uses: actions/setup-python@v5 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.py_version || env.py_version}} architecture: ${{inputs.arch || env.arch}} @@ -113,7 +113,7 @@ jobs: - name: Set up Bazel with caching if: env.use_bazel_disk_cache == 'true' - uses: bazel-contrib/setup-bazel@0.12.1 + uses: bazel-contrib/setup-bazel@529dbc2648ea79358c64f2bfa5f3ec98f07859e4 # 0.12.1 env: USE_BAZEL_VERSION: ${{inputs.bazel_version || env.bazel_version}} with: 
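Review bot: `bazel-contrib/setup-bazel` is now frozen at 0.9.1 in ci-nightly-build-test.yaml, while ci-build-checks.yaml pins 0.12.0 and ci-nightly-cirq-test.yaml pins 0.12.1. Once the reference is a SHA, the older pin stays behind unless something updates it, and the diffstat shows only the four workflow files changing. I would align the three on one release and, if the repository does not already have one, add an updater for the `github-actions` ecosystem (for example a Dependabot entry with `package-ecosystem: "github-actions"`) so the pinned hashes keep receiving upstream fixes.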
@@ -127,7 +127,7 @@ jobs: - name: Set up Bazel without caching if: env.use_bazel_disk_cache == 'false' - uses: bazel-contrib/setup-bazel@0.12.1 + uses: bazel-contrib/setup-bazel@529dbc2648ea79358c64f2bfa5f3ec98f07859e4 # 0.12.1 env: USE_BAZEL_VERSION: ${{inputs.bazel_version || env.bazel_version}} with: @@ -159,7 +159,7 @@ jobs: if: >- github.event.inputs.save_artifacts == 'true' && (failure() || github.event_name == 'workflow_dispatch') - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 with: name: bazel-out retention-days: 7 From cd3eefa234131f2a9e480153ef630cff53335564 Mon Sep 17 00:00:00 2001 From: mhucka Date: Sat, 30 Aug 2025 00:06:15 +0000 Subject: [PATCH 2/3] Update a hash for one of the actions --- .github/workflows/ci-file-checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-file-checks.yaml b/.github/workflows/ci-file-checks.yaml index 2688aa790..afac8f30b 100644 --- a/.github/workflows/ci-file-checks.yaml +++ b/.github/workflows/ci-file-checks.yaml @@ -350,7 +350,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Check out a copy of the TFQ git repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Set up yamllint output problem matcher run: echo '::add-matcher::.github/problem-matchers/yamllint.json' From 8cd8a65a72be0f73cef1975dd81fab6c1c65a34a Mon Sep 17 00:00:00 2001 From: mhucka Date: Sat, 30 Aug 2025 00:31:16 +0000 Subject: [PATCH 3/3] Disable yamllint line-length check Line lengths are a problem due to long hashes. --- .github/workflows/ci-build-checks.yaml | 1 + .github/workflows/ci-nightly-build-test.yaml | 1 + .github/workflows/ci-nightly-cirq-test.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/ci-build-checks.yaml b/.github/workflows/ci-build-checks.yaml index 218f2d227..f69770ade 100644 --- a/.github/workflows/ci-build-checks.yaml 
+++ b/.github/workflows/ci-build-checks.yaml @@ -6,6 +6,7 @@ # Bazel artifacts, and can be invoked manually via the "Run workflow" button at # https://github.com/tensorflow/quantum/actions/workflows/ci-build-checks.yaml # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# yamllint disable rule:line-length name: CI build checks run-name: Continuous integration build & test diff --git a/.github/workflows/ci-nightly-build-test.yaml b/.github/workflows/ci-nightly-build-test.yaml index 1670a0113..189cb1a30 100644 --- a/.github/workflows/ci-nightly-build-test.yaml +++ b/.github/workflows/ci-nightly-build-test.yaml @@ -13,6 +13,7 @@ # This workflow also can be invoked manually via the "Run workflow" button at # https://github.com/tensorflow/quantum/actions/workflows/ci-build-checks.yaml # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# yamllint disable rule:line-length name: CI nightly full test run-name: Continuous integration nightly build & test diff --git a/.github/workflows/ci-nightly-cirq-test.yaml b/.github/workflows/ci-nightly-cirq-test.yaml index 17b50790d..235a7bdb4 100644 --- a/.github/workflows/ci-nightly-cirq-test.yaml +++ b/.github/workflows/ci-nightly-cirq-test.yaml @@ -8,6 +8,7 @@ # Clicking the "Run workflow" button there will present a form interface with # options for overridding some of the parameters for the run. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# yamllint disable rule:line-length name: CI nightly Cirq compatibility test run-name: Continuous integration Cirq compatibility test
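Review bot: `# yamllint disable rule:line-length` placed in the file header switches the rule off for the whole file, including `run:` scripts and comments that have nothing to do with hashes. A narrower choice is `# yamllint disable-line rule:line-length` on the line above each over-long `uses:` entry, or raising `max` for `line-length` in the yamllint configuration. ci-file-checks.yaml also gained pinned `uses:` lines in this series but gets no directive here; presumably its lines still fit, which is worth confirming in the lint job.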