This is an automated email from the ASF dual-hosted git repository.
tqchen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tvm.git
The following commit(s) were added to refs/heads/main by this push:
new 47ddef8fdb [CI] Pin actions by version tag, trim wheel perms (#19703)
47ddef8fdb is described below
commit 47ddef8fdb41ee1a0f18b51e61cb2eccaf75b14b
Author: Ruihang Lai <[email protected]>
AuthorDate: Tue Jun 9 17:54:07 2026 -0400
[CI] Pin actions by version tag, trim wheel perms (#19703)
Convert SHA-pinned third-party actions to their full version tags across
all workflows and composite actions; each tag verified to resolve to the
same commit that was pinned.
Drop the unused actions:read / contents:read permissions from the
upload_pypi job (aligns with apache/tvm-ffi). No behavior change.
---
.github/actions/build-wheel-for-publish/action.yml | 8 ++++----
.github/actions/setup/action.yml | 6 +++---
.github/workflows/cc_bot.yml | 2 +-
.github/workflows/lint.yml | 4 ++--
.github/workflows/main.yml | 4 ++--
.github/workflows/nightly_docker_update.yml | 2 +-
.github/workflows/ping_reviewers.yml | 2 +-
.github/workflows/publish_wheel.yml | 20 +++++++++-----------
.github/workflows/tag_teams.yml | 2 +-
.github/workflows/tvmbot.yml | 2 +-
.github/workflows/update_last_successful_branch.yml | 2 +-
.github/workflows/update_nightly_branch.yml | 2 +-
12 files changed, 27 insertions(+), 29 deletions(-)
diff --git a/.github/actions/build-wheel-for-publish/action.yml
b/.github/actions/build-wheel-for-publish/action.yml
index db5d5ea84c..44903aeaa8 100644
--- a/.github/actions/build-wheel-for-publish/action.yml
+++ b/.github/actions/build-wheel-for-publish/action.yml
@@ -55,7 +55,7 @@ runs:
# ---- Cache LLVM prefix ----
- name: Cache LLVM
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ uses: actions/[email protected]
id: llvm-cache
with:
path: ${{ runner.os == 'Windows' && 'C:/opt/llvm' || '/opt/llvm' }}
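Review bot: Replacing the full commit SHA with a version tag at `uses:` trades an immutable reference for a mutable one: a tag can be re-pointed later, so the check described in the message ("each tag verified to resolve to the same commit") holds at commit time, not on every future run. The same change is made in every other hunk of this diff (setup/action.yml, cc_bot, lint, main, nightly_docker_update, ping_reviewers, publish_wheel, tag_teams, tvmbot, update_last_successful_branch, update_nightly_branch); it matters most in publish_wheel.yml, where the job holding `id-token: write` and `attestations: write` now resolves `pypa/gh-action-pypi-publish` and `actions/attest-build-provenance` from mutable refs. The defensive form keeps the SHA with the tag as a trailing comment so an update bot can bump both together, e.g. `uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5`, or relies on an Actions policy requiring full-SHA pins where one is available; if tags are kept on purpose, a one-line comment at the top of each workflow stating why would help the next reviewer. The added lines as rendered here read `[email protected]`, which looks like an e-mail obfuscation artifact of `<name>@<tag>` rather than the committed text.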
@@ -64,7 +64,7 @@ runs:
# ---- Install LLVM via conda (cache miss only) ----
- name: Setup conda
if: steps.llvm-cache.outputs.cache-hit != 'true'
- uses:
conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 #
v4.0.1
+ uses: conda-incubator/[email protected]
continue-on-error: true
id: conda1
with:
@@ -73,7 +73,7 @@ runs:
- name: Setup conda (retry with tar.bz2)
if: steps.llvm-cache.outputs.cache-hit != 'true' && steps.conda1.outcome
== 'failure'
- uses:
conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 #
v4.0.1
+ uses: conda-incubator/[email protected]
with:
miniforge-version: latest
use-only-tar-bz2: true
@@ -108,7 +108,7 @@ runs:
# ---- Build and test wheels ----
- name: Build and test wheels
- uses: pypa/cibuildwheel@298ed2fb2c105540f5ed055e8a6ad78d82dd3a7e # v3.3.1
+ uses: pypa/[email protected]
with:
package-dir: .
output-dir: wheelhouse
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 842dbd03b0..64a36dd6bd 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -1,13 +1,13 @@
runs:
using: "composite"
steps:
- - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ - uses: actions/[email protected]
env:
CACHE_NUMBER: 2
with:
path: ~/conda_pkgs_dir
key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{
hashFiles('ci/scripts/package/build-environment.yaml') }}
- - uses:
conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 #
v4.0.1
+ - uses: conda-incubator/[email protected]
continue-on-error: true
id: conda1
with:
@@ -19,7 +19,7 @@ runs:
python-version: "3.10"
condarc-file: tests/conda/condarc
conda-remove-defaults: true
- - uses:
conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 #
v4.0.1
+ - uses: conda-incubator/[email protected]
if: steps.conda1.outcome == 'failure'
with:
activate-environment: tvm-build
diff --git a/.github/workflows/cc_bot.yml b/.github/workflows/cc_bot.yml
index 7648668653..ae22871ec0 100644
--- a/.github/workflows/cc_bot.yml
+++ b/.github/workflows/cc_bot.yml
@@ -35,7 +35,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
with:
submodules: "recursive"
- name: Add cc'ed reviewers
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3936789a91..6c17e0f149 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -31,8 +31,8 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
with:
fetch-depth: 0
fetch-tags: true
- - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #
v3.0.1
+ - uses: pre-commit/[email protected]
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a30bbc3421..6dc08b96f6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -39,7 +39,7 @@ jobs:
if: ${{ github.repository == 'apache/tvm' }}
runs-on: macOS-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
with:
submodules: 'recursive'
- name: Set up environment
@@ -79,7 +79,7 @@ jobs:
if: ${{ github.repository == 'apache/tvm' }}
runs-on: windows-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
with:
submodules: 'recursive'
- name: Set up environment
diff --git a/.github/workflows/nightly_docker_update.yml
b/.github/workflows/nightly_docker_update.yml
index 55759a8157..b9fecd9894 100644
--- a/.github/workflows/nightly_docker_update.yml
+++ b/.github/workflows/nightly_docker_update.yml
@@ -20,7 +20,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Open PR to update Docker images
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ping_reviewers.yml
b/.github/workflows/ping_reviewers.yml
index a98888218d..de68e57b58 100644
--- a/.github/workflows/ping_reviewers.yml
+++ b/.github/workflows/ping_reviewers.yml
@@ -14,7 +14,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Ping reviewers
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_wheel.yml
b/.github/workflows/publish_wheel.yml
index 1e39f8d111..5865e12440 100644
--- a/.github/workflows/publish_wheel.yml
+++ b/.github/workflows/publish_wheel.yml
@@ -82,7 +82,7 @@ jobs:
run: git config --global --add safe.directory '*'
- name: Checkout source
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ uses: actions/[email protected]
with:
ref: ${{ inputs.tag }}
submodules: recursive
@@ -92,7 +92,7 @@ jobs:
# Windows has no manylinux interpreter; the script's pip install needs
one.
- name: Set up Python (Windows host)
if: runner.os == 'Windows'
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
+ uses: actions/[email protected]
with:
python-version: "3.10"
@@ -107,7 +107,7 @@ jobs:
run: call ${{ matrix.script }}
- name: Upload CUDA runtime sidecar
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
# v7.0.1
+ uses: actions/[email protected]
with:
name: tvm-cuda-runtime-${{ matrix.arch }}
path: ${{ matrix.lib }}
@@ -150,7 +150,7 @@ jobs:
artifact_suffix: windows-amd64
steps:
- name: Checkout source
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ uses: actions/[email protected]
with:
ref: ${{ inputs.tag }}
submodules: recursive
@@ -163,7 +163,7 @@ jobs:
# mount expects it. Skipped on CPU-only rows (macOS).
- name: Download CUDA runtime sidecar
if: ${{ matrix.include_cuda_runtime == '1' }}
- uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ uses: actions/[email protected]
with:
name: tvm-cuda-runtime-${{ matrix.arch }}
path: build-wheel-cuda/lib
@@ -177,7 +177,7 @@ jobs:
include_cuda_runtime: ${{ matrix.include_cuda_runtime }}
- name: Upload wheel artifact
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
# v7.0.1
+ uses: actions/[email protected]
with:
name: tvm-wheel-${{ matrix.artifact_suffix }}
path: wheelhouse/*.whl
@@ -190,12 +190,10 @@ jobs:
runs-on: ubuntu-latest
environment: ${{ inputs.publish_repository }}
permissions:
- actions: read
- contents: read
id-token: write
attestations: write
steps:
- - uses:
actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ - uses: actions/[email protected]
with:
pattern: tvm-wheel-*
path: dist
@@ -208,13 +206,13 @@ jobs:
run: ls -alh dist/*.whl
- name: Generate artifact attestation for wheels
- uses:
actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #
v4.1.0
+ uses: actions/[email protected]
with:
subject-path: dist/*
- name: Publish package distributions to PyPI
if: ${{ inputs.publish_repository == 'pypi' }}
- uses:
pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+ uses: pypa/[email protected]
with:
attestations: true
verbose: true
diff --git a/.github/workflows/tag_teams.yml b/.github/workflows/tag_teams.yml
index 5b732f66db..8fffba929c 100644
--- a/.github/workflows/tag_teams.yml
+++ b/.github/workflows/tag_teams.yml
@@ -30,7 +30,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Tag people from relevant teams
env:
PR: ${{ toJson(github.event.pull_request) }}
diff --git a/.github/workflows/tvmbot.yml b/.github/workflows/tvmbot.yml
index cef1f59bb6..44d0ac8783 100644
--- a/.github/workflows/tvmbot.yml
+++ b/.github/workflows/tvmbot.yml
@@ -23,7 +23,7 @@ jobs:
if: ${{ github.event.issue.pull_request && github.repository ==
'apache/tvm' }}
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Run tvm-bot
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update_last_successful_branch.yml
b/.github/workflows/update_last_successful_branch.yml
index 6ad82a9235..7f952a2210 100644
--- a/.github/workflows/update_last_successful_branch.yml
+++ b/.github/workflows/update_last_successful_branch.yml
@@ -35,7 +35,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Update last-successful branch
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update_nightly_branch.yml
b/.github/workflows/update_nightly_branch.yml
index 25781ae39e..4bc6d3f906 100644
--- a/.github/workflows/update_nightly_branch.yml
+++ b/.github/workflows/update_nightly_branch.yml
@@ -33,7 +33,7 @@ jobs:
if: github.repository == 'apache/tvm'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ - uses: actions/[email protected]
- name: Update nightly branch
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}