From 3f3b4aef415d9b19d16b66422c6bbf203d014c4c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Test=C3=A9?= Date: Mon, 5 May 2025 18:03:10 +0200 Subject: [PATCH] chore(ci): fix template-injection and token permissions issues This is part of security issues remediation campaign after having analyzed workflow using zizmor cargo tool. --- .github/actionlint.yaml | 10 ++++ .github/actions/gpu_setup/action.yml | 16 +++-- .github/workflows/approve_label.yml | 3 + .../aws_tfhe_backward_compat_tests.yml | 17 ++++-- .github/workflows/aws_tfhe_fast_tests.yml | 9 ++- .github/workflows/aws_tfhe_integer_tests.yml | 11 +++- .../aws_tfhe_signed_integer_tests.yml | 11 +++- .github/workflows/aws_tfhe_tests.yml | 9 ++- .github/workflows/aws_tfhe_wasm_tests.yml | 9 ++- .github/workflows/benchmark_boolean.yml | 19 +++--- .github/workflows/benchmark_core_crypto.yml | 17 ++++-- .github/workflows/benchmark_dex.yml | 18 +++--- .github/workflows/benchmark_erc20.yml | 19 +++--- .github/workflows/benchmark_gpu.yml | 11 +++- .github/workflows/benchmark_gpu_4090.yml | 31 +++++----- .github/workflows/benchmark_gpu_common.yml | 58 +++++++++++++------ .github/workflows/benchmark_gpu_dex.yml | 18 +++++- .../workflows/benchmark_gpu_dex_common.yml | 23 +++++--- .../workflows/benchmark_gpu_dex_weekly.yml | 32 +++++++++- .github/workflows/benchmark_gpu_erc20.yml | 11 +++- .../workflows/benchmark_gpu_erc20_common.yml | 24 +++++--- .../workflows/benchmark_gpu_erc20_weekly.yml | 3 + .github/workflows/benchmark_gpu_weekly.yml | 3 + .github/workflows/benchmark_integer.yml | 36 ++++++++---- .github/workflows/benchmark_shortint.yml | 21 ++++--- .../workflows/benchmark_signed_integer.yml | 32 ++++++---- .github/workflows/benchmark_tfhe_fft.yml | 19 +++--- .github/workflows/benchmark_tfhe_ntt.yml | 19 +++--- .github/workflows/benchmark_tfhe_zk_pok.yml | 21 ++++--- .github/workflows/benchmark_wasm_client.yml | 19 +++--- .github/workflows/benchmark_zk_pke.yml | 32 ++++++---- .github/workflows/cargo_build.yml | 3 + .github/workflows/cargo_build_tfhe_fft.yml | 3 + 
.github/workflows/cargo_build_tfhe_ntt.yml | 3 + .github/workflows/cargo_test_fft.yml | 3 + .github/workflows/cargo_test_ntt.yml | 5 +- .github/workflows/check_commit.yml | 3 + .github/workflows/ci_lint.yml | 3 + .github/workflows/code_coverage.yml | 3 + .github/workflows/csprng_randomness_tests.yml | 5 +- .github/workflows/data_pr_close.yml | 26 +++++++-- .github/workflows/gpu_4090_tests.yml | 3 + .github/workflows/gpu_fast_h100_tests.yml | 9 ++- .github/workflows/gpu_fast_tests.yml | 9 ++- .github/workflows/gpu_full_h100_tests.yml | 3 + .../workflows/gpu_full_multi_gpu_tests.yml | 9 ++- .../workflows/gpu_integer_long_run_tests.yml | 3 + .github/workflows/gpu_pcc.yml | 7 ++- .../gpu_signed_integer_classic_tests.yml | 9 ++- .../gpu_signed_integer_h100_tests.yml | 9 ++- .../workflows/gpu_signed_integer_tests.yml | 9 ++- .../gpu_unsigned_integer_classic_tests.yml | 9 ++- .../gpu_unsigned_integer_h100_tests.yml | 9 ++- .../workflows/gpu_unsigned_integer_tests.yml | 9 ++- .github/workflows/integer_long_run_tests.yml | 3 + .github/workflows/m1_tests.yml | 2 + .github/workflows/make_release.yml | 4 +- .github/workflows/make_release_cuda.yml | 4 +- .../workflows/make_release_tfhe_csprng.yml | 4 +- .github/workflows/make_release_tfhe_fft.yml | 4 +- .github/workflows/make_release_tfhe_ntt.yml | 4 +- .../make_release_tfhe_versionable.yml | 6 +- .github/workflows/make_release_zk_pok.yml | 4 +- .github/workflows/parameters_check.yml | 2 + .github/workflows/placeholder_workflow.yml | 2 + .github/workflows/sync_on_push.yml | 2 + .github/workflows/verify_tagged_commit.yml | 9 ++- 67 files changed, 573 insertions(+), 212 deletions(-) diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml index 7a9086cb0..32b30e80e 100644 --- a/.github/actionlint.yaml +++ b/.github/actionlint.yaml 
@@ -10,3 +10,13 @@ self-hosted-runner:
 # organization. `null` means disabling configuration variables check.
 # Empty array means no configuration variable is allowed.
 config-variables: null
+
+paths:
+ .github/workflows/**/*.{yml,yaml}:
+ # List of regular expressions to filter errors by the error messages.
+ ignore:
+ # Ignore the specific error from shellcheck
+ # Allow string search/replace with Sed instead of ${variable//search/replace} pattern.
+ # Sed is used to extract a value from a string in our case, this task cannot be
+ # performed by the ${variable//search/replace} pattern.
+ - 'shellcheck reported issue in this script: SC2001:.+'
diff --git a/.github/actions/gpu_setup/action.yml b/.github/actions/gpu_setup/action.yml
index a09740e06..3a42cb01f 100644
--- a/.github/actions/gpu_setup/action.yml
+++ b/.github/actions/gpu_setup/action.yml
@@ -33,30 +33,36 @@ runs:
 if: inputs.github-instance == 'true'
 shell: bash
 run: |
- TOOLKIT_VERSION="$(echo ${{ inputs.cuda-version }} | sed 's/\(.*\)\.\(.*\)/\1-\2/')"
+ TOOLKIT_VERSION="$(echo ${CUDA_VERSION} | sed 's/\(.*\)\.\(.*\)/\1-\2/')"
 wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb
 sudo dpkg -i cuda-keyring_1.1-1_all.deb
 sudo apt update
 sudo apt -y install cuda-toolkit-${TOOLKIT_VERSION}
+ env:
+ CUDA_VERSION: ${{ inputs.cuda-version }}
 - name: Export CUDA variables
 shell: bash
 run: |
- CUDA_PATH=/usr/local/cuda-${{ inputs.cuda-version }}
+ CUDA_PATH=/usr/local/cuda-${CUDA_VERSION}
 echo "CUDA_PATH=$CUDA_PATH" >> "${GITHUB_ENV}"
 echo "PATH=$PATH:$CUDA_PATH/bin" >> "${GITHUB_PATH}"
 echo "LD_LIBRARY_PATH=$CUDA_PATH/lib64:$LD_LIBRARY_PATH" >> "${GITHUB_ENV}"
 echo "CUDA_MODULE_LOADER=EAGER" >> "${GITHUB_ENV}"
+ env:
+ CUDA_VERSION: ${{ inputs.cuda-version }}
 # Specify the correct host compilers
 - name: Export gcc and g++ variables
 shell: bash
 run: |
 {
- echo "CC=/usr/bin/gcc-${{ inputs.gcc-version }}";
- echo "CXX=/usr/bin/g++-${{ inputs.gcc-version }}";
- echo "CUDAHOSTCXX=/usr/bin/g++-${{ inputs.gcc-version }}";
+ echo "CC=/usr/bin/gcc-${GCC_VERSION}";
+ echo "CXX=/usr/bin/g++-${GCC_VERSION}";
+ echo "CUDAHOSTCXX=/usr/bin/g++-${GCC_VERSION}";
 } >> "${GITHUB_ENV}"
+ env:
+ GCC_VERSION: ${{ inputs.gcc-version }}
 - name: Check device is detected
 shell: bash
diff --git a/.github/workflows/approve_label.yml b/.github/workflows/approve_label.yml
index 166407080..513e59aa2 100644
--- a/.github/workflows/approve_label.yml
+++ b/.github/workflows/approve_label.yml
@@ -6,6 +6,9 @@ on:
 pull_request_review:
 types: [submitted]
+
+permissions: {}
+
 jobs:
 trigger-tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml
index ed5d0fb70..3f47f3394 100644
--- a/.github/workflows/aws_tfhe_backward_compat_tests.yml
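Review bot: `${CUDA_VERSION}` is left unquoted inside the command substitution on the new TOOLKIT_VERSION line, so a value containing whitespace or glob characters is word-split and globbed before it reaches sed; hopping the input through env removes the expression injection but not the quoting issue shellcheck reports as SC2086. The line should read `TOOLKIT_VERSION="$(echo "${CUDA_VERSION}" | sed 's/\(.*\)\.\(.*\)/\1-\2/')"`. The unchanged `sudo apt -y install cuda-toolkit-${TOOLKIT_VERSION}` below it splices the derived value into a package name with the same lack of quoting, and since composite-action inputs are supplied by the caller both are worth quoting in the same pass.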
+++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml @@ -23,6 +23,9 @@ on: workflow_dispatch: pull_request: + +permissions: {} + jobs: setup-instance: name: Setup instance (backward-compat-tests) @@ -47,7 +50,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" backward-compat-tests: name: Backward compatibility tests @@ -83,11 +86,12 @@ jobs: - name: Get backward compat branch head SHA id: backward_compat_sha + run: | + SHA=$(git ls-remote "${REPO_URL}" refs/heads/"${BACKWARD_COMPAT_BRANCH}" | awk '{print $1}') + echo "sha=${SHA}" >> "${GITHUB_OUTPUT}" env: REPO_URL: "https://github.com/zama-ai/tfhe-backward-compat-data" - run: | - SHA=$(git ls-remote ${{ env.REPO_URL }} refs/heads/${{ steps.backward_compat_branch.outputs.branch }} | awk '{print $1}') - echo "sha=${SHA}" >> "${GITHUB_OUTPUT}" + BACKWARD_COMPAT_BRANCH: ${{ steps.backward_compat_branch.outputs.branch }} - name: Retrieve data from cache id: retrieve-data-cache @@ -101,6 +105,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' + token: ${{ env.CHECKOUT_TOKEN }} repository: zama-ai/tfhe-backward-compat-data path: tests/tfhe-backward-compat-data lfs: 'true' @@ -121,7 +126,9 @@ jobs: - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }} 
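Review bot: The rewritten 'Set pull-request URL' line still expands `${{ github.event.pull_request.number }}` inside the script while PR_BASE_URL was moved to env; the number is an integer from the event payload, so this is not an injection path, but for a uniform remediation it reads better as `PR_NUMBER: ${{ github.event.pull_request.number }}` in the same env block and `${PR_BASE_URL}${PR_NUMBER}` in the echo. The same step is changed the same way in aws_tfhe_fast_tests.yml, aws_tfhe_integer_tests.yml, aws_tfhe_signed_integer_tests.yml, aws_tfhe_tests.yml and aws_tfhe_wasm_tests.yml. Separately, the backward-compat-data checkout now passes `token: ${{ env.CHECKOUT_TOKEN }}` alongside `persist-credentials: 'false'`; where CHECKOUT_TOKEN is defined is outside this hunk, and if it is secret-derived it expands to an empty string on fork pull requests (the SECRETS_AVAILABLE == 'false' path this workflow already handles), which as far as I recall actions/checkout rejects as a missing required input rather than falling back to github.token — worth confirming on a fork PR run.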
diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml index 2faa2ee3b..a57bece2e 100644 --- a/.github/workflows/aws_tfhe_fast_tests.yml +++ b/.github/workflows/aws_tfhe_fast_tests.yml @@ -24,6 +24,9 @@ on: workflow_dispatch: pull_request: + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -154,7 +157,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" fast-tests: name: Fast CPU tests @@ -269,7 +272,9 @@ jobs: - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() && env.SECRETS_AVAILABLE == 'true' }} diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml index 5e2841654..c82d689d5 100644 --- a/.github/workflows/aws_tfhe_integer_tests.yml +++ b/.github/workflows/aws_tfhe_integer_tests.yml @@ -30,6 +30,9 @@ on: branches: - main + +permissions: {} + jobs: should-run: if: @@ -94,7 +97,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" unsigned-integer-tests: name: Unsigned integer tests 
@@ -134,12 +137,14 @@ jobs: - name: Run unsigned integer tests run: | - AVX512_SUPPORT=ON NO_BIG_PARAMS=${{ env.NO_BIG_PARAMS }} BIG_TESTS_INSTANCE=TRUE make test_unsigned_integer_ci + AVX512_SUPPORT=ON NO_BIG_PARAMS="${NO_BIG_PARAMS}" BIG_TESTS_INSTANCE=TRUE make test_unsigned_integer_ci - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }} diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml index 1ea5f10e7..39dacdbba 100644 --- a/.github/workflows/aws_tfhe_signed_integer_tests.yml +++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml @@ -30,6 +30,9 @@ on: branches: - main + +permissions: {} + jobs: should-run: if: @@ -95,7 +98,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" signed-integer-tests: name: Signed integer tests 
@@ -139,12 +142,14 @@ jobs: - name: Run signed integer tests run: | - AVX512_SUPPORT=ON NO_BIG_PARAMS=${{ env.NO_BIG_PARAMS }} BIG_TESTS_INSTANCE=TRUE make test_signed_integer_ci + AVX512_SUPPORT=ON NO_BIG_PARAMS="${NO_BIG_PARAMS}" BIG_TESTS_INSTANCE=TRUE make test_signed_integer_ci - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }} diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml index e19103794..ce44cc2ae 100644 --- a/.github/workflows/aws_tfhe_tests.yml +++ b/.github/workflows/aws_tfhe_tests.yml @@ -27,6 +27,9 @@ on: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -163,7 +166,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cpu-tests: name: CPU tests @@ -251,7 +254,9 @@ jobs: - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }} 
diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml index 6a1ddc21c..9084bfdc0 100644 --- a/.github/workflows/aws_tfhe_wasm_tests.yml +++ b/.github/workflows/aws_tfhe_wasm_tests.yml @@ -23,6 +23,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: setup-instance: name: Setup instance (wasm-tests) @@ -48,7 +51,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" wasm-tests: name: WASM tests @@ -120,7 +123,9 @@ jobs: - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }} diff --git a/.github/workflows/benchmark_boolean.yml b/.github/workflows/benchmark_boolean.yml index b3ce54afb..3c3eaf335 100644 --- a/.github/workflows/benchmark_boolean.yml +++ b/.github/workflows/benchmark_boolean.yml @@ -18,6 +18,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: setup-instance: name: Setup instance (boolean-benchmarks) 
@@ -73,15 +76,17 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} - name: Measure key sizes run: | @@ -89,7 +94,7 @@ jobs: - name: Parse key sizes results run: | - python3 ./ci/benchmark_parser.py tfhe/boolean_key_sizes.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/boolean_key_sizes.csv "${RESULTS_FILENAME}" \ --object-sizes \ --append-results @@ -110,7 +115,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_core_crypto.yml b/.github/workflows/benchmark_core_crypto.yml index 95c437e38..a30b861ad 100644 --- a/.github/workflows/benchmark_core_crypto.yml +++ b/.github/workflows/benchmark_core_crypto.yml @@ -18,6 +18,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: setup-instance: name: Setup instance (core-crypto-benchmarks) 
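Review bot: In the 'Send data to Slab' step, `${{ secrets.JOB_SECRET }}` and `${{ secrets.SLAB_URL }}` are still expanded straight into the run script, so the secret is handed to the python process as a command-line argument (readable by anything that can list processes on the runner, and log masking does not cover that) and a `"` in either value would break the command line; the pattern used elsewhere in this commit covers both: `JOB_SECRET: ${{ secrets.JOB_SECRET }}` and `SLAB_URL: ${{ secrets.SLAB_URL }}` in a step env block, with `"${JOB_SECRET}"` and `"${SLAB_URL}"` in the script. The same step is left in this form in benchmark_core_crypto.yml, benchmark_dex.yml, benchmark_erc20.yml, benchmark_gpu_4090.yml, benchmark_gpu_common.yml and benchmark_gpu_dex_common.yml. In benchmark_gpu_4090.yml the hmac_calculator.sh call additionally single-quotes the secret (`'${{ secrets.JOB_SECRET }}'`, which breaks on an embedded `'`) and passes `${{ secrets.SLAB_URL }}` to curl unquoted, so that hunk wants the same treatment.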
@@ -75,15 +78,17 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --name-suffix avx512 \ --walk-subdirs + env: + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -102,7 +107,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_dex.yml b/.github/workflows/benchmark_dex.yml index be5bde90e..90d322a56 100644 --- a/.github/workflows/benchmark_dex.yml +++ b/.github/workflows/benchmark_dex.yml @@ -18,6 +18,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: setup-instance: name: Setup instance (dex-benchmarks) 
@@ -82,19 +84,21 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} - name: Parse PBS counts run: | - python3 ./ci/benchmark_parser.py tfhe/dex_pbs_count.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/dex_pbs_count.csv "${RESULTS_FILENAME}" \ --object-sizes \ --append-results @@ -107,7 +111,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_erc20.yml b/.github/workflows/benchmark_erc20.yml index a940416cb..4a732b8e1 100644 --- a/.github/workflows/benchmark_erc20.yml +++ b/.github/workflows/benchmark_erc20.yml @@ -18,6 +18,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: setup-instance: name: Setup instance (erc20-benchmarks) 
@@ -82,19 +85,21 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} - name: Parse PBS counts run: | - python3 ./ci/benchmark_parser.py tfhe/erc20_pbs_count.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/erc20_pbs_count.csv "${RESULTS_FILENAME}" \ --object-sizes \ --append-results @@ -107,7 +112,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_gpu.yml b/.github/workflows/benchmark_gpu.yml index 25abedaf4..ea35c3b60 100644 --- a/.github/workflows/benchmark_gpu.yml +++ b/.github/workflows/benchmark_gpu.yml 
@@ -59,22 +59,29 @@ on: - multi_bit - both + +permissions: {} + jobs: parse-inputs: runs-on: ubuntu-latest outputs: profile: ${{ steps.parse_profile.outputs.profile }} hardware_name: ${{ steps.parse_hardware_name.outputs.name }} + env: + INPUTS_PROFILE: ${{ inputs.profile }} steps: - name: Parse profile id: parse_profile run: | - echo "profile=$(echo '${{ inputs.profile }}' | sed 's|\(.*\)[[:space:]](.*)|\1|')" >> "${GITHUB_OUTPUT}" + PROFILE=$(echo "${INPUTS_PROFILE}" | sed 's|\(.*\)[[:space:]](.*)|\1|') + echo "profile=${PROFILE}" >> "${GITHUB_OUTPUT}" - name: Parse hardware name id: parse_hardware_name run: | - echo "name=$(echo '${{ inputs.profile }}' | sed 's|.*[[:space:]](\(.*\))|\1|')" >> "${GITHUB_OUTPUT}" + NAME=$(echo "${INPUTS_PROFILE}" | sed 's|.*[[:space:]](\(.*\))|\1|') + echo "name=${NAME}" >> "${GITHUB_OUTPUT}" run-benchmarks: name: Run benchmarks diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml index a16dcffaa..1b488e204 100644 --- a/.github/workflows/benchmark_gpu_4090.yml +++ b/.github/workflows/benchmark_gpu_4090.yml @@ -22,6 +22,9 @@ on: # Weekly benchmarks will be triggered each Friday at 9p.m. - cron: "0 21 * * 5" + +permissions: {} + jobs: cuda-integer-benchmarks: name: Cuda integer benchmarks (RTX 4090) 
@@ -69,15 +72,17 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "rtx4090" \ --backend gpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs + env: + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -88,7 +93,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification @@ -145,14 +150,14 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "rtx4090" \ --backend gpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ 
@@ -166,14 +171,14 @@ jobs: shell: bash run: | echo "Computing HMac on results file" - SIGNATURE="$(slab/scripts/hmac_calculator.sh ${{ env.RESULTS_FILENAME }} '${{ secrets.JOB_SECRET }}')" + SIGNATURE="$(slab/scripts/hmac_calculator.sh "${RESULTS_FILENAME}" '${{ secrets.JOB_SECRET }}')" echo "Sending results to Slab..." curl -v -k \ -H "Content-Type: application/json" \ -H "X-Slab-Repository: ${{ github.repository }}" \ -H "X-Slab-Command: store_data_v2" \ -H "X-Hub-Signature-256: sha256=${SIGNATURE}" \ - -d @${{ env.RESULTS_FILENAME }} \ + -d "@${RESULTS_FILENAME}" \ ${{ secrets.SLAB_URL }} - name: Slack Notification diff --git a/.github/workflows/benchmark_gpu_common.yml b/.github/workflows/benchmark_gpu_common.yml index 9004361ed..b746a5c19 100644 --- a/.github/workflows/benchmark_gpu_common.yml +++ b/.github/workflows/benchmark_gpu_common.yml @@ -58,6 +58,9 @@ env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} FAST_BENCH: TRUE + +permissions: {} + jobs: prepare-matrix: name: Prepare operations matrix 
@@ -67,44 +70,52 @@ jobs: op_flavor: ${{ steps.set_op_flavor.outputs.op_flavor }} bench_type: ${{ steps.set_bench_type.outputs.bench_type }} params_type: ${{ steps.set_params_type.outputs.params_type }} + env: + INPUTS_COMMAND: ${{ inputs.command }} + INPUTS_OP_FLAVOR: ${{ inputs.op_flavor }} steps: - name: Set single command if: ${{ !contains(inputs.command, ',')}} run: | - echo "COMMAND=[\"${{ inputs.command }}\"]" >> "${GITHUB_ENV}" + echo "COMMAND=[\"${INPUTS_COMMAND}\"]" >> "${GITHUB_ENV}" - name: Set multiple commands if: ${{ contains(inputs.command, ',')}} run: | - PARSED_COMMAND=$(echo "${{ inputs.command }}" | sed 's/[[:space:]]*,[[:space:]]*/\\", \\"/g') + PARSED_COMMAND=$(echo "${INPUTS_COMMAND}" | sed 's/[[:space:]]*,[[:space:]]*/\\", \\"/g') echo "COMMAND=[\"${PARSED_COMMAND}\"]" >> "${GITHUB_ENV}" - name: Set single operations flavor if: ${{ !contains(inputs.op_flavor, ',')}} run: | - echo "OP_FLAVOR=[\"${{ inputs.op_flavor }}\"]" >> "${GITHUB_ENV}" + echo "OP_FLAVOR=[\"${INPUTS_OP_FLAVOR}\"]" >> "${GITHUB_ENV}" - name: Set multiple operations flavors if: ${{ contains(inputs.op_flavor, ',')}} run: | - PARSED_OP_FLAVOR=$(echo "${{ inputs.op_flavor }}" | sed 's/[[:space:]]*,[[:space:]]*/", "/g') + PARSED_OP_FLAVOR=$(echo "${INPUTS_OP_FLAVOR}" | sed 's/[[:space:]]*,[[:space:]]*/", "/g') echo "OP_FLAVOR=[\"${PARSED_OP_FLAVOR}\"]" >> "${GITHUB_ENV}" - name: Set benchmark types run: | - if [[ "${{ inputs.bench_type }}" == "both" ]]; then + if [[ "${INPUTS_BENCH_TYPE}" == "both" ]]; then echo "BENCH_TYPE=[\"latency\", \"throughput\"]" >> "${GITHUB_ENV}" else - echo "BENCH_TYPE=[\"${{ inputs.bench_type }}\"]" >> "${GITHUB_ENV}" + echo "BENCH_TYPE=[\"${INPUTS_BENCH_TYPE}\"]" >> "${GITHUB_ENV}" fi + env: + INPUTS_BENCH_TYPE: ${{ inputs.bench_type }} - name: Set parameters types run: | - if [[ "${{ inputs.params_type }}" == "both" ]]; then + if [[ "${INPUTS_PARAMS_TYPE}" == "both" ]]; then echo "PARAMS_TYPE=[\"classical\", \"multi_bit\"]" >> "${GITHUB_ENV}" else 
- echo "PARAMS_TYPE=[\"${{ inputs.params_type }}\"]" >> "${GITHUB_ENV}" + echo "PARAMS_TYPE=[\"${INPUTS_PARAMS_TYPE}\"]" >> "${GITHUB_ENV}" fi + env: + INPUTS_PARAMS_TYPE: ${{ inputs.params_type }} + - name: Set command output id: set_command @@ -154,9 +165,11 @@ jobs: if: steps.start-remote-instance.outcome == 'failure' && inputs.profile != 'single-h100' run: | - echo "Remote instance instance has failed to start (profile provided: '${{ inputs.profile }}')" + echo "Remote instance instance has failed to start (profile provided: '${INPUTS_PROFILE}')" echo "Permanent instance instance cannot be used as a substitute (profile needed: 'single-h100')" exit 1 + env: + INPUTS_PROFILE: ${{ inputs.profile }} # This will allow to fallback on permanent instances running on Hyperstack. - name: Use permanent remote instance 
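Review bot: The matrix arrays are still assembled by splicing the raw input into a JSON literal, e.g. `echo "COMMAND=[\"${INPUTS_COMMAND}\"]" >> "${GITHUB_ENV}"`, so moving the value into env stops the shell from interpreting it but a `"` or `\` in inputs.command or inputs.op_flavor still produces malformed JSON for whatever consumes COMMAND/OP_FLAVOR downstream (presumably fromJSON, outside this hunk). The two comma-splitting steps also escape differently (`\\", \\"` for command versus `", "` for op_flavor), which looks unintentional even though it predates this change. Building each array with jq makes the single and multiple cases uniform and escapes correctly, e.g. `COMMAND=$(jq -cn --arg v "${INPUTS_COMMAND}" '$v | split(",") | map(gsub("^\\s+|\\s+$"; ""))')` followed by `echo "COMMAND=${COMMAND}" >> "${GITHUB_ENV}"`, which would also fold the two command steps into one. As a style point, INPUTS_COMMAND and INPUTS_OP_FLAVOR are defined at job level while INPUTS_BENCH_TYPE and INPUTS_PARAMS_TYPE are defined per step; one placement would read better. The prepare-matrix job continues past this hunk.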
@@ -259,21 +272,30 @@ jobs:
 - name: Run benchmarks
 run: |
- make BENCH_OP_FLAVOR=${{ matrix.op_flavor }} BENCH_TYPE=${{ matrix.bench_type }} BENCH_PARAM_TYPE=${{ matrix.params_type }} bench_${{ matrix.command }}_gpu
+ make BENCH_OP_FLAVOR="${OP_FLAVOR}" BENCH_TYPE="${BENCH_TYPE}" BENCH_PARAM_TYPE="${PARAMS_TYPE}" bench_"${COMMAND}"_gpu
+ env:
+ OP_FLAVOR: ${{ matrix.op_flavor }}
+ BENCH_TYPE: ${{ matrix.bench_type }}
+ BENCH_PARAM_TYPE: ${{ matrix.params_type }}
+ BENCH_COMMAND: ${{ matrix.command }}
 - name: Parse results
 run: |
- python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \
+ python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \
 --database tfhe_rs \
- --hardware "${{ inputs.hardware_name }}" \
+ --hardware "${INPUTS_HARDWARE_NAME}" \
 --backend gpu \
- --project-version "${{ env.COMMIT_HASH }}" \
- --branch ${{ github.ref_name }} \
- --commit-date "${{ env.COMMIT_DATE }}" \
- --bench-date "${{ env.BENCH_DATE }}" \
+ --project-version "${COMMIT_HASH}" \
+ --branch "${REF_NAME}" \
+ --commit-date "${COMMIT_DATE}" \
+ --bench-date "${BENCH_DATE}" \
 --walk-subdirs \
 --name-suffix avx512 \
- --bench-type ${{ matrix.bench_type }}
+ --bench-type "${BENCH_TYPE}"
+ env:
+ INPUTS_HARDWARE_NAME: ${{ inputs.hardware_name }}
+ REF_NAME: ${{ github.ref_name }}
+ BENCH_TYPE: ${{ matrix.bench_type }}
 - name: Upload parsed results artifact
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
@@ -292,7 +314,7 @@ jobs:
 - name: Send data to Slab
 shell: bash
 run: |
- python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \
+ python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \
 --slab-url "${{ secrets.SLAB_URL }}"
 slack-notify:
diff --git a/.github/workflows/benchmark_gpu_dex.yml b/.github/workflows/benchmark_gpu_dex.yml
index 3bd21e398..0f492c507 100644
--- a/.github/workflows/benchmark_gpu_dex.yml
+++ b/.github/workflows/benchmark_gpu_dex.yml
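Review bot: The env names and the shell references on the new `make` line disagree: the script expands `${PARAMS_TYPE}` and `${COMMAND}`, but the env block defines `BENCH_PARAM_TYPE` and `BENCH_COMMAND`, so unless a job-level env outside this hunk defines them both expand to empty strings and the target becomes `bench__gpu`. Either rename the two env keys to `PARAMS_TYPE: ${{ matrix.params_type }}` and `COMMAND: ${{ matrix.command }}`, or change the script to `BENCH_PARAM_TYPE="${BENCH_PARAM_TYPE}" bench_"${BENCH_COMMAND}"_gpu`. Renaming the keys keeps the command itself untouched and is the smaller change.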
@@ -17,6 +17,8 @@ on:
 - "multi-h100-nvlink (n3-H100x8-NVLink)"
 - "multi-h100-sxm5 (n3-H100x8-SXM5)"
+permissions: {}
+
 jobs:
 parse-inputs:
 runs-on: ubuntu-latest
@@ -27,12 +29,14 @@ jobs:
 - name: Parse profile
 id: parse_profile
 run: |
- echo "profile=$(echo '${{ inputs.profile }}' | sed 's|\(.*\)[[:space:]](.*)|\1|')" >> "${GITHUB_OUTPUT}"
+ PROFILE=$(echo "${INPUTS_PROFILE}" | sed 's|\(.*\)[[:space:]](.*)|\1|')
+ echo "profile=${PROFILE}" >> "${GITHUB_OUTPUT}"
 - name: Parse hardware name
 id: parse_hardware_name
 run: |
- echo "name=$(echo '${{ inputs.profile }}' | sed 's|.*[[:space:]](\(.*\))|\1|')" >> "${GITHUB_OUTPUT}"
+ NAME=$(echo "${INPUTS_PROFILE}" | sed 's|.*[[:space:]](\(.*\))|\1|')
+ echo "name=${NAME}" >> "${GITHUB_OUTPUT}"
 run-benchmarks:
 name: Run benchmarks
@@ -41,4 +45,12 @@ jobs:
 with:
 profile: ${{ needs.parse-inputs.outputs.profile }}
 hardware_name: ${{ needs.parse-inputs.outputs.hardware_name }}
- secrets: inherit
+ secrets:
+ BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+ SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+ JOB_SECRET: ${{ secrets.JOB_SECRET }}
+ SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+ SLAB_URL: ${{ secrets.SLAB_URL }}
+ SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
diff --git a/.github/workflows/benchmark_gpu_dex_common.yml b/.github/workflows/benchmark_gpu_dex_common.yml
index b2a6b34bb..19409f0dc 100644
--- a/.github/workflows/benchmark_gpu_dex_common.yml
+++ b/.github/workflows/benchmark_gpu_dex_common.yml
@@ -43,6 +43,8 @@ env:
 SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+permissions: {}
+
 jobs:
 setup-instance:
 name: Setup instance (cuda-dex-benchmarks)
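Review bot: Both parse steps in benchmark_gpu_dex.yml now read `${INPUTS_PROFILE}`, but nothing in this diff defines that variable for this workflow: the equivalent change in benchmark_gpu.yml adds `env:` / `INPUTS_PROFILE: ${{ inputs.profile }}` under the parse-inputs job, and this file's diffstat (18) is fully accounted for by the three hunks shown (+2, +4/-2, +9/-1), so there is no hidden hunk adding it. Unless the env already existed before this change, `profile` and `name` are written as empty strings and run-benchmarks is called with empty `profile` and `hardware_name`. Add the same job-level env block to parse-inputs as in benchmark_gpu.yml. The explicit `secrets:` list replacing `secrets: inherit` is the right direction; it is repeated verbatim three more times in benchmark_gpu_dex_weekly.yml, so a later drift between the lists is the thing to watch for.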
@@ -73,9 +75,11 @@ jobs: if: steps.start-remote-instance.outcome == 'failure' && inputs.profile != 'single-h100' run: | - echo "Remote instance instance has failed to start (profile provided: '${{ inputs.profile }}')" + echo "Remote instance instance has failed to start (profile provided: '${INPUTS_PROFILE}')" echo "Permanent instance instance cannot be used as a substitute (profile needed: 'single-h100')" exit 1 + env: + INPUTS_PROFILE: ${{ inputs.profile }} # This will allow to fallback on permanent instances running on Hyperstack. - name: Use permanent remote instance @@ -132,16 +136,19 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ - --hardware "${{ inputs.hardware_name }}" \ + --hardware "${INPUTS_HARDWARE_NAME}" \ --backend gpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + INPUTS_HARDWARE_NAME: ${{ inputs.hardware_name }} + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -160,7 +167,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" slack-notify: diff --git a/.github/workflows/benchmark_gpu_dex_weekly.yml b/.github/workflows/benchmark_gpu_dex_weekly.yml index 720b82c24..09ad40e4b 100644 --- a/.github/workflows/benchmark_gpu_dex_weekly.yml 
+++ b/.github/workflows/benchmark_gpu_dex_weekly.yml @@ -6,6 +6,8 @@ on: # Weekly benchmarks will be triggered each Saturday at 9a.m. - cron: '0 9 * * 6' +permissions: {} + jobs: run-benchmarks-1-h100: name: Run benchmarks (1xH100) @@ -14,7 +16,15 @@ jobs: with: profile: single-h100 hardware_name: n3-H100x1 - secrets: inherit + secrets: + BOT_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + JOB_SECRET: ${{ secrets.JOB_SECRET }} + SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }} + SLAB_URL: ${{ secrets.SLAB_URL }} + SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }} run-benchmarks-2-h100: name: Run benchmarks (2xH100) @@ -23,7 +33,15 @@ jobs: with: profile: 2-h100 hardware_name: n3-H100x2 - secrets: inherit + secrets: + BOT_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + JOB_SECRET: ${{ secrets.JOB_SECRET }} + SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }} + SLAB_URL: ${{ secrets.SLAB_URL }} + SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }} run-benchmarks-8-h100: name: Run benchmarks (8xH100) @@ -32,4 +50,12 @@ jobs: with: profile: multi-h100 hardware_name: n3-H100x8 - secrets: inherit + secrets: + BOT_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + JOB_SECRET: ${{ secrets.JOB_SECRET }} + SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }} + SLAB_URL: ${{ secrets.SLAB_URL }} + SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }} diff --git a/.github/workflows/benchmark_gpu_erc20.yml b/.github/workflows/benchmark_gpu_erc20.yml index 98c106d6b..0c13f8c6f 100644 --- a/.github/workflows/benchmark_gpu_erc20.yml +++ b/.github/workflows/benchmark_gpu_erc20.yml 
@@ -17,22 +17,29 @@ on: - "multi-h100-nvlink (n3-H100x8-NVLink)" - "multi-h100-sxm5 (n3-H100x8-SXM5)" + +permissions: {} + jobs: parse-inputs: runs-on: ubuntu-latest outputs: profile: ${{ steps.parse_profile.outputs.profile }} hardware_name: ${{ steps.parse_hardware_name.outputs.name }} + env: + INPUTS_PROFILE: ${{ inputs.profile }} steps: - name: Parse profile id: parse_profile run: | - echo "profile=$(echo '${{ inputs.profile }}' | sed 's|\(.*\)[[:space:]](.*)|\1|')" >> "${GITHUB_OUTPUT}" + PROFILE=$(echo "${INPUTS_PROFILE}" | sed 's|\(.*\)[[:space:]](.*)|\1|') + echo "profile=${PROFILE}" >> "${GITHUB_OUTPUT}" - name: Parse hardware name id: parse_hardware_name run: | - echo "name=$(echo '${{ inputs.profile }}' | sed 's|.*[[:space:]](\(.*\))|\1|')" >> "${GITHUB_OUTPUT}" + NAME=$(echo "${INPUTS_PROFILE}" | sed 's|.*[[:space:]](\(.*\))|\1|') + echo "name=${NAME}" >> "${GITHUB_OUTPUT}" run-benchmarks: name: Run benchmarks diff --git a/.github/workflows/benchmark_gpu_erc20_common.yml b/.github/workflows/benchmark_gpu_erc20_common.yml index 88ce5fa58..cc1ac968b 100644 --- a/.github/workflows/benchmark_gpu_erc20_common.yml +++ b/.github/workflows/benchmark_gpu_erc20_common.yml @@ -43,6 +43,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: setup-instance: name: Setup instance (cuda-erc20-benchmarks) @@ -73,9 +76,11 @@ jobs: if: steps.start-remote-instance.outcome == 'failure' && inputs.profile != 'single-h100' run: | - echo "Remote instance instance has failed to start (profile provided: '${{ inputs.profile }}')" + echo "Remote instance instance has failed to start (profile provided: '${INPUTS_PROFILE}')" echo "Permanent instance instance cannot be used as a substitute (profile needed: 'single-h100')" exit 1 + env: + INPUTS_PROFILE: ${{ inputs.profile }} # This will allow to fallback on permanent instances running on Hyperstack. - name: Use permanent remote instance 
@@ -132,16 +137,19 @@ jobs: - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ - --hardware "${{ inputs.hardware_name }}" \ + --hardware "${INPUTS_HARDWARE_NAME}" \ --backend gpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + INPUTS_HARDWARE_NAME: ${{ inputs.hardware_name }} + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -160,7 +168,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" slack-notify: diff --git a/.github/workflows/benchmark_gpu_erc20_weekly.yml b/.github/workflows/benchmark_gpu_erc20_weekly.yml index a3409afb7..084c9743f 100644 --- a/.github/workflows/benchmark_gpu_erc20_weekly.yml +++ b/.github/workflows/benchmark_gpu_erc20_weekly.yml @@ -6,6 +6,9 @@ on: # Weekly benchmarks will be triggered each Saturday at 5a.m. - cron: '0 5 * * 6' + +permissions: {} + jobs: run-benchmarks-1-h100: name: Run benchmarks (1xH100) diff --git a/.github/workflows/benchmark_gpu_weekly.yml b/.github/workflows/benchmark_gpu_weekly.yml index 8f08e0990..0ca3e4dc5 100644 --- a/.github/workflows/benchmark_gpu_weekly.yml +++ b/.github/workflows/benchmark_gpu_weekly.yml 
@@ -6,6 +6,9 @@ on: # Weekly benchmarks will be triggered each Saturday at 1a.m. - cron: '0 1 * * 6' + +permissions: {} + jobs: run-benchmarks-1-h100: name: Run integer benchmarks (1xH100) diff --git a/.github/workflows/benchmark_integer.yml b/.github/workflows/benchmark_integer.yml index fdd8f17e9..da485a724 100644 --- a/.github/workflows/benchmark_integer.yml +++ b/.github/workflows/benchmark_integer.yml @@ -36,6 +36,9 @@ env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} FAST_BENCH: TRUE + +permissions: {} + jobs: prepare-matrix: name: Prepare operations matrix @@ -60,11 +63,13 @@ jobs: if: github.event_name == 'workflow_dispatch' run: | echo "OP_FLAVOR=[\"default\"]" >> "${GITHUB_ENV}" - if [[ "${{ inputs.bench_type }}" == "both" ]]; then + if [[ "${INPUTS_BENCH_TYPE}" == "both" ]]; then echo "BENCH_TYPE=[\"latency\", \"throughput\"]" >> "${GITHUB_ENV}" else - echo "BENCH_TYPE=[\"${{ inputs.bench_type }}\"]" >> "${GITHUB_ENV}" + echo "BENCH_TYPE=[\"${INPUTS_BENCH_TYPE}\"]" >> "${GITHUB_ENV}" fi + env: + INPUTS_BENCH_TYPE: ${{ inputs.bench_type }} - name: Default benchmark type if: github.event_name != 'workflow_dispatch' 
@@ -150,26 +155,35 @@ jobs: - name: Run benchmarks with AVX512 run: | - make BENCH_OP_FLAVOR=${{ matrix.op_flavor }} BENCH_TYPE=${{ matrix.bench_type }} bench_${{ matrix.command }} + make BENCH_OP_FLAVOR="${OP_FLAVOR}" BENCH_TYPE="${BENCH_TYPE}" bench_"${BENCH_COMMAND}" + env: + OP_FLAVOR: ${{ matrix.op_flavor }} + BENCH_TYPE: ${{ matrix.bench_type }} + BENCH_COMMAND: ${{ matrix.command }} # Run these benchmarks only once per benchmark type - name: Run compression benchmarks with AVX512 if: matrix.op_flavor == 'default' && matrix.command == 'integer' run: | - make BENCH_TYPE=${{ matrix.bench_type }} bench_integer_compression + make BENCH_TYPE="${BENCH_TYPE}" bench_integer_compression + env: + BENCH_TYPE: ${{ matrix.bench_type }} - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 \ - --bench-type ${{ matrix.bench_type }} + --bench-type "${BENCH_TYPE}" + env: + REF_NAME: ${{ github.ref_name }} + BENCH_TYPE: ${{ matrix.bench_type }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -180,7 +194,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification 
diff --git a/.github/workflows/benchmark_shortint.yml b/.github/workflows/benchmark_shortint.yml index bbb4bddc2..537dea720 100644 --- a/.github/workflows/benchmark_shortint.yml +++ b/.github/workflows/benchmark_shortint.yml @@ -22,6 +22,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: prepare-matrix: name: Prepare operations matrix @@ -108,21 +111,23 @@ jobs: - name: Run benchmarks with AVX512 run: | - make BENCH_OP_FLAVOR=${{ matrix.op_flavor }} bench_shortint + make BENCH_OP_FLAVOR="${OP_FLAVOR}" bench_shortint + env: + OP_FLAVOR: ${{ matrix.op_flavor }} - name: Parse results run: | - COMMIT_DATE="$(git --no-pager show -s --format=%cd --date=iso8601-strict ${{ github.sha }})" - COMMIT_HASH="$(git describe --tags --dirty)" - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ --project-version "${COMMIT_HASH}" \ - --branch ${{ github.ref_name }} \ + --branch "${REF_NAME}" \ --commit-date "${COMMIT_DATE}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} # This small benchmark needs to be executed only once. - name: Measure key sizes @@ -133,7 +138,7 @@ jobs: - name: Parse key sizes results if: matrix.op_flavor == 'default' run: | - python3 ./ci/benchmark_parser.py tfhe/shortint_key_sizes.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/shortint_key_sizes.csv "${RESULTS_FILENAME}" \ --object-sizes \ --append-results 
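Review bot: The `Parse results` step in benchmark_shortint.yml removes the two lines that computed `COMMIT_DATE` and `COMMIT_HASH` locally, yet still passes `"${COMMIT_HASH}"` and `"${COMMIT_DATE}"` to benchmark_parser.py. The removed `git show` line was not a template-injection risk (`github.sha` is not attacker-controlled, and `"${GITHUB_SHA}"` is available as a plain variable anyway), so unless an unchanged step elsewhere in this workflow exports both values to `GITHUB_ENV`, the parser now records an empty project version and commit date. Either restore the assignments as `COMMIT_DATE="$(git --no-pager show -s --format=%cd --date=iso8601-strict "${GITHUB_SHA}")"` and `COMMIT_HASH="$(git describe --tags --dirty)"`, or add the `GITHUB_ENV` export step the other benchmark workflows rely on.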
@@ -146,7 +151,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_signed_integer.yml b/.github/workflows/benchmark_signed_integer.yml index 813a2509f..3a8c6a1bd 100644 --- a/.github/workflows/benchmark_signed_integer.yml +++ b/.github/workflows/benchmark_signed_integer.yml @@ -36,6 +36,9 @@ env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} FAST_BENCH: TRUE + +permissions: {} + jobs: prepare-matrix: name: Prepare operations matrix @@ -60,11 +63,13 @@ jobs: if: github.event_name == 'workflow_dispatch' run: | echo "OP_FLAVOR=[\"default\"]" >> "${GITHUB_ENV}" - if [[ "${{ inputs.bench_type }}" == "both" ]]; then + if [[ "${INPUTS_BENCH_TYPE}" == "both" ]]; then echo "BENCH_TYPE=[\"latency\", \"throughput\"]" >> "${GITHUB_ENV}" else - echo "BENCH_TYPE=[\"${{ inputs.bench_type }}\"]" >> "${GITHUB_ENV}" + echo "BENCH_TYPE=[\"${INPUTS_BENCH_TYPE}\"]" >> "${GITHUB_ENV}" fi + env: + INPUTS_BENCH_TYPE: ${{ inputs.bench_type }} - name: Default benchmark type if: github.event_name != 'workflow_dispatch' 
@@ -150,20 +155,27 @@ jobs: - name: Run benchmarks with AVX512 run: | - make BENCH_OP_FLAVOR=${{ matrix.op_flavor }} BENCH_TYPE=${{ matrix.bench_type }} bench_signed_${{ matrix.command }} + make BENCH_OP_FLAVOR="${OP_FLAVOR}" BENCH_TYPE="${BENCH_TYPE}" bench_signed_"${BENCH_COMMAND}" + env: + OP_FLAVOR: ${{ matrix.op_flavor }} + BENCH_TYPE: ${{ matrix.bench_type }} + BENCH_COMMAND: ${{ matrix.command }} - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 \ - --bench-type ${{ matrix.bench_type }} + --bench-type "${BENCH_TYPE}" + env: + REF_NAME: ${{ github.ref_name }} + BENCH_TYPE: ${{ matrix.bench_type }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -174,7 +186,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_tfhe_fft.yml b/.github/workflows/benchmark_tfhe_fft.yml index afed36434..ce5a30b7c 100644 --- a/.github/workflows/benchmark_tfhe_fft.yml +++ b/.github/workflows/benchmark_tfhe_fft.yml @@ -23,6 +23,9 @@ on: # Job will be triggered each Thursday at 11p.m. - cron: '0 23 * * 4' + +permissions: {} + jobs: setup-ec2: name: Setup EC2 instance (fft-benchmarks) 
@@ -74,14 +77,16 @@ jobs: - name: Parse AVX512 results run: | - python3 ./ci/fft_benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/fft_benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database concrete_fft \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -101,14 +106,14 @@ jobs: shell: bash run: | echo "Computing HMac on downloaded artifact" - SIGNATURE="$(slab/scripts/hmac_calculator.sh ${{ env.RESULTS_FILENAME }} '${{ secrets.JOB_SECRET }}')" + SIGNATURE="$(slab/scripts/hmac_calculator.sh "${RESULTS_FILENAME}" '${{ secrets.JOB_SECRET }}')" echo "Sending results to Slab..." curl -v -k \ -H "Content-Type: application/json" \ -H "X-Slab-Repository: ${{ github.repository }}" \ -H "X-Slab-Command: store_data_v2" \ -H "X-Hub-Signature-256: sha256=${SIGNATURE}" \ - -d @${{ env.RESULTS_FILENAME }} \ + -d "@${RESULTS_FILENAME}" \ ${{ secrets.SLAB_URL }} - name: Slack Notification diff --git a/.github/workflows/benchmark_tfhe_ntt.yml b/.github/workflows/benchmark_tfhe_ntt.yml index badaab2d2..20812d546 100644 --- a/.github/workflows/benchmark_tfhe_ntt.yml +++ b/.github/workflows/benchmark_tfhe_ntt.yml @@ -23,6 +23,9 @@ on: # Job will be triggered each Friday at 11p.m. - cron: "0 23 * * 5" + +permissions: {} + jobs: setup-ec2: name: Setup EC2 instance (ntt-benchmarks) 
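Review bot: The `Send data to Slab` step in benchmark_tfhe_fft.yml still interpolates `${{ github.repository }}`, `${{ secrets.JOB_SECRET }}` and `${{ secrets.SLAB_URL }}` directly into the script while the rest of the commit moves every expression into `env:`; the identical hunk in benchmark_tfhe_ntt.yml has the same leftovers. These contexts are not attacker-controlled, so this is consistency rather than an injection fix, but routing them through `env:` (for example `SLAB_REPOSITORY: ${{ github.repository }}` and `SLAB_URL: ${{ secrets.SLAB_URL }}`) keeps the script free of expression syntax and lets the final argument be quoted as `"${SLAB_URL}"` like the others. Separately, the unchanged `curl -v -k` disables certificate verification for the request that carries the HMAC-signed payload, which is worth revisiting while this step is being touched.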
@@ -74,14 +77,16 @@ jobs: - name: Parse results run: | - python3 ./ci/ntt_benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/ntt_benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database concrete_ntt \ --hardware "hpc7a.96xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --name-suffix avx512 + env: + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -101,14 +106,14 @@ jobs: shell: bash run: | echo "Computing HMac on downloaded artifact" - SIGNATURE="$(slab/scripts/hmac_calculator.sh ${{ env.RESULTS_FILENAME }} '${{ secrets.JOB_SECRET }}')" + SIGNATURE="$(slab/scripts/hmac_calculator.sh "${RESULTS_FILENAME}" '${{ secrets.JOB_SECRET }}')" echo "Sending results to Slab..." curl -v -k \ -H "Content-Type: application/json" \ -H "X-Slab-Repository: ${{ github.repository }}" \ -H "X-Slab-Command: store_data_v2" \ -H "X-Hub-Signature-256: sha256=${SIGNATURE}" \ - -d @${{ env.RESULTS_FILENAME }} \ + -d "@${RESULTS_FILENAME}" \ ${{ secrets.SLAB_URL }} - name: Slack Notification diff --git a/.github/workflows/benchmark_tfhe_zk_pok.yml b/.github/workflows/benchmark_tfhe_zk_pok.yml index db82b4a40..ec4653b3b 100644 --- a/.github/workflows/benchmark_tfhe_zk_pok.yml +++ b/.github/workflows/benchmark_tfhe_zk_pok.yml @@ -30,6 +30,9 @@ env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} BENCH_TYPE: ${{ inputs.bench_type || 'latency' }} + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest 
@@ -114,22 +117,24 @@ jobs: - name: Run benchmarks run: | - make BENCH_TYPE=${{ env.BENCH_TYPE }} bench_tfhe_zk_pok + make BENCH_TYPE="${BENCH_TYPE}" bench_tfhe_zk_pok - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --crate tfhe-zk-pok \ --hardware "hpc7a.96xlarge" \ --backend cpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 \ - --bench-type ${{ env.BENCH_TYPE }} + --bench-type "${BENCH_TYPE}" + env: + REF_NAME: ${{ github.ref_name }} - name: Upload parsed results artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 @@ -148,7 +153,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_wasm_client.yml b/.github/workflows/benchmark_wasm_client.yml index 027e82d78..bbfb2a6ee 100644 --- a/.github/workflows/benchmark_wasm_client.yml +++ b/.github/workflows/benchmark_wasm_client.yml @@ -21,6 +21,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest 
@@ -143,15 +146,17 @@ jobs: - name: Parse results run: | make parse_wasm_benchmarks - python3 ./ci/benchmark_parser.py tfhe/wasm_pk_gen.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/wasm_pk_gen.csv "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "m6i.4xlarge" \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --key-gen rm tfhe/wasm_pk_gen.csv + env: + REF_NAME: ${{ github.ref_name }} # Run these benchmarks only once - name: Measure public key and ciphertext sizes in HL Api @@ -162,7 +167,7 @@ jobs: - name: Parse key and ciphertext sizes results if: matrix.browser == 'chrome' run: | - python3 ./ci/benchmark_parser.py tfhe/hlapi_cpk_and_cctl_sizes.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/hlapi_cpk_and_cctl_sizes.csv "${RESULTS_FILENAME}" \ --key-gen \ --append-results @@ -183,7 +188,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/benchmark_zk_pke.yml b/.github/workflows/benchmark_zk_pke.yml index bb2579434..39b155833 100644 --- a/.github/workflows/benchmark_zk_pke.yml +++ b/.github/workflows/benchmark_zk_pke.yml @@ -31,6 +31,9 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest 
@@ -74,11 +77,13 @@ jobs: - name: Set benchmark types if: github.event_name == 'workflow_dispatch' run: | - if [[ "${{ inputs.bench_type }}" == "both" ]]; then + if [[ "${INPUTS_BENCH_TYPE}" == "both" ]]; then echo "BENCH_TYPE=[\"latency\", \"throughput\"]" >> "${GITHUB_ENV}" else - echo "BENCH_TYPE=[\"${{ inputs.bench_type }}\"]" >> "${GITHUB_ENV}" + echo "BENCH_TYPE=[\"${INPUTS_BENCH_TYPE}\"]" >> "${GITHUB_ENV}" fi + env: + INPUTS_BENCH_TYPE: ${{ inputs.bench_type }} - name: Default benchmark type if: github.event_name != 'workflow_dispatch' @@ -156,25 +161,30 @@ jobs: - name: Run benchmarks with AVX512 run: | - make BENCH_TYPE=${{ matrix.bench_type }} bench_integer_zk + make BENCH_TYPE="${BENCH_TYPE}" bench_integer_zk + env: + BENCH_TYPE: ${{ matrix.bench_type }} - name: Parse results run: | - python3 ./ci/benchmark_parser.py target/criterion ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py target/criterion "${RESULTS_FILENAME}" \ --database tfhe_rs \ --hardware "hpc7a.96xlarge" \ --backend cpu \ - --project-version "${{ env.COMMIT_HASH }}" \ - --branch ${{ github.ref_name }} \ - --commit-date "${{ env.COMMIT_DATE }}" \ - --bench-date "${{ env.BENCH_DATE }}" \ + --project-version "${COMMIT_HASH}" \ + --branch "${REF_NAME}" \ + --commit-date "${COMMIT_DATE}" \ + --bench-date "${BENCH_DATE}" \ --walk-subdirs \ --name-suffix avx512 \ - --bench-type ${{ matrix.bench_type }} + --bench-type "${BENCH_TYPE}" + env: + REF_NAME: ${{ github.ref_name }} + BENCH_TYPE: ${{ matrix.bench_type }} - name: Parse CRS sizes results run: | - python3 ./ci/benchmark_parser.py tfhe/pke_zk_crs_sizes.csv ${{ env.RESULTS_FILENAME }} \ + python3 ./ci/benchmark_parser.py tfhe/pke_zk_crs_sizes.csv "${RESULTS_FILENAME}" \ --object-sizes \ --append-results 
@@ -195,7 +205,7 @@ jobs: - name: Send data to Slab shell: bash run: | - python3 slab/scripts/data_sender.py ${{ env.RESULTS_FILENAME }} "${{ secrets.JOB_SECRET }}" \ + python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${{ secrets.JOB_SECRET }}" \ --slab-url "${{ secrets.SLAB_URL }}" - name: Slack Notification diff --git a/.github/workflows/cargo_build.yml b/.github/workflows/cargo_build.yml index ebb5faaa7..94282b9b7 100644 --- a/.github/workflows/cargo_build.yml +++ b/.github/workflows/cargo_build.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true + +permissions: {} + jobs: cargo-builds: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/cargo_build_tfhe_fft.yml b/.github/workflows/cargo_build_tfhe_fft.yml index 3bb43cdae..48ec85b8a 100644 --- a/.github/workflows/cargo_build_tfhe_fft.yml +++ b/.github/workflows/cargo_build_tfhe_fft.yml @@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true + +permissions: {} + jobs: cargo-builds-fft: runs-on: ${{ matrix.runner_type }} diff --git a/.github/workflows/cargo_build_tfhe_ntt.yml b/.github/workflows/cargo_build_tfhe_ntt.yml index 8669a51af..3e8155cb1 100644 --- a/.github/workflows/cargo_build_tfhe_ntt.yml +++ b/.github/workflows/cargo_build_tfhe_ntt.yml @@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true + +permissions: {} + jobs: cargo-builds-ntt: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/cargo_test_fft.yml b/.github/workflows/cargo_test_fft.yml index d0a6f1428..2b784a667 100644 --- a/.github/workflows/cargo_test_fft.yml +++ b/.github/workflows/cargo_test_fft.yml @@ -15,6 +15,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest 
diff --git a/.github/workflows/cargo_test_ntt.yml b/.github/workflows/cargo_test_ntt.yml index 71674daac..073a915c2 100644 --- a/.github/workflows/cargo_test_ntt.yml +++ b/.github/workflows/cargo_test_ntt.yml @@ -15,7 +15,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true -jobs: + +permissions: {} + +jobs: should-run: runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/check_commit.yml b/.github/workflows/check_commit.yml index d21cac7ed..51e78f7d7 100644 --- a/.github/workflows/check_commit.yml +++ b/.github/workflows/check_commit.yml @@ -3,6 +3,9 @@ name: Check commit and PR compliance on: pull_request: + +permissions: {} + jobs: check-commit-pr: name: Check commit and PR diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml index 8dbc70b71..d4b8d1f72 100644 --- a/.github/workflows/ci_lint.yml +++ b/.github/workflows/ci_lint.yml @@ -8,6 +8,9 @@ env: ACTIONLINT_VERSION: 1.6.27 CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }} + +permissions: {} + jobs: lint-check: name: Lint and checks diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml index 20fa13861..2e809db0f 100644 --- a/.github/workflows/code_coverage.yml +++ b/.github/workflows/code_coverage.yml @@ -16,6 +16,9 @@ on: workflow_dispatch: # Code coverage workflow is only run via workflow_dispatch event since execution duration is not stabilized yet. + +permissions: {} + jobs: setup-instance: name: Setup instance (code-coverage) diff --git a/.github/workflows/csprng_randomness_tests.yml b/.github/workflows/csprng_randomness_tests.yml index 0597cbb13..1b50140b9 100644 --- a/.github/workflows/csprng_randomness_tests.yml +++ b/.github/workflows/csprng_randomness_tests.yml @@ -21,6 +21,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: setup-instance: name: Setup instance (csprng-randomness-tests) 
@@ -46,7 +49,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" csprng-randomness-tests: name: CSPRNG randomness tests diff --git a/.github/workflows/data_pr_close.yml b/.github/workflows/data_pr_close.yml index 84cc7ba79..b54f0bd6d 100644 --- a/.github/workflows/data_pr_close.yml +++ b/.github/workflows/data_pr_close.yml @@ -25,6 +25,9 @@ on: # the script will always return 0 because of the "echo EOF". + +permissions: {} + jobs: auto_close_job: if: ${{ contains(github.event.pull_request.labels.*.name, 'data_PR') }} @@ -39,14 +42,17 @@ jobs: curl --fail-with-body --no-progress-meter -L -X GET \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - ${{ env.TARGET_REPO_API_URL }}/pulls\?head=${{ github.repository_owner }}:${{ env.PR_BRANCH }} | jq -e '.[0]' | sed 's/null/{ "message": "corresponding PR not found" }/' + "${TARGET_REPO_API_URL}"/pulls\?head="${REPO_OWNER}":"${PR_BRANCH}" | jq -e '.[0]' | sed 's/null/{ "message": "corresponding PR not found" }/' RES="$?" echo EOF } >> "${GITHUB_ENV}" exit $RES + env: + REPO_OWNER: ${{ github.repository_owner }} - name: Comment on the PR to indicate the reason of the close run: | + BODY="'{ \"body\": \"PR ${CLOSE_TYPE}d because the corresponding PR in main repo was ${CLOSE_TYPE}d: ${REPO}#${EVENT_NUMBER}\" }'" { set +e set -o pipefail 
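Review bot: The new `BODY=...` assignment in the `Comment on the PR` step of data_pr_close.yml wraps the JSON in literal single quotes inside a double-quoted string, so the value sent with `-d "${BODY}"` in the next hunk begins with `'{` and ends with `}'`, which is not valid JSON and the API will reject it. In the original line those single quotes were shell quoting around the `-d` argument, not part of the payload. Drop them, `BODY="{ \"body\": \"PR ${CLOSE_TYPE}d because the corresponding PR in main repo was ${CLOSE_TYPE}d: ${REPO}#${EVENT_NUMBER}\" }"`, or build the document with `jq -n --arg body "PR ${CLOSE_TYPE}d because the corresponding PR in main repo was ${CLOSE_TYPE}d: ${REPO}#${EVENT_NUMBER}" '{body: $body}'`, which is already used in this workflow and also escapes the interpolated values. `${REPO}` and `${EVENT_NUMBER}` are only defined by the `env:` block the following hunk adds to this same step.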
@@ -55,12 +61,16 @@ jobs: -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - ${{ fromJson(env.TARGET_REPO_PR).comments_url }} \ - -d '{ "body": "PR ${{ env.CLOSE_TYPE }}d because the corresponding PR in main repo was ${{ env.CLOSE_TYPE }}d: ${{ github.repository }}#${{ github.event.number }}" }' + "${COMMENTS_URL}" \ + -d "${BODY}" RES="$?" echo EOF } >> "${GITHUB_ENV}" exit $RES + env: + REPO: ${{ github.repository }} + EVENT_NUMBER: ${{ github.event.number }} + COMMENTS_URL: ${{ fromJson(env.TARGET_REPO_PR).comments_url }} - name: Merge the Pull Request in the data repo if: ${{ github.event.pull_request.merged }} @@ -73,12 +83,14 @@ jobs: -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - ${{ fromJson(env.TARGET_REPO_PR).url }}/merge \ + "${TARGET_REPO_PR_URL}"/merge \ -d '{ "merge_method": "rebase" }' RES="$?" echo EOF } >> "${GITHUB_ENV}" exit $RES + env: + TARGET_REPO_PR_URL: ${{ fromJson(env.TARGET_REPO_PR).url }} - name: Close the Pull Request in the data repo if: ${{ !github.event.pull_request.merged }} @@ -91,12 +103,14 @@ jobs: -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - ${{ fromJson(env.TARGET_REPO_PR).url }} \ + "${TARGET_REPO_PR_URL}" \ -d '{ "state": "closed" }' RES="$?" echo EOF } >> "${GITHUB_ENV}" exit $RES + env: + TARGET_REPO_PR_URL: ${{ fromJson(env.TARGET_REPO_PR).url }} - name: Delete the associated branch in the data repo run: | 
@@ -108,7 +122,7 @@ jobs: -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - ${{ env.TARGET_REPO_API_URL }}/git/refs/heads/${{ env.PR_BRANCH }} + "${TARGET_REPO_API_URL}"/git/refs/heads/"${PR_BRANCH}" RES="$?" echo EOF } >> "${GITHUB_ENV}" diff --git a/.github/workflows/gpu_4090_tests.yml b/.github/workflows/gpu_4090_tests.yml index 67bf9dbe9..9dc4052bf 100644 --- a/.github/workflows/gpu_4090_tests.yml +++ b/.github/workflows/gpu_4090_tests.yml @@ -22,6 +22,9 @@ on: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" + +permissions: {} + jobs: cuda-tests-linux: name: CUDA tests (RTX 4090) diff --git a/.github/workflows/gpu_fast_h100_tests.yml b/.github/workflows/gpu_fast_h100_tests.yml index a25948d9c..e5f5f08ec 100644 --- a/.github/workflows/gpu_fast_h100_tests.yml +++ b/.github/workflows/gpu_fast_h100_tests.yml @@ -25,6 +25,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -102,7 +105,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA H100 tests @@ -169,7 +172,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_fast_tests.yml b/.github/workflows/gpu_fast_tests.yml index 3282bef2e..f225da5c3 100644 
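Review bot: The rewritten `echo "PULL_REQUEST_MD_LINK=..."` line in the `Set pull-request URL` hunk (`@@ -169,7 +172,9 @@`) moves `vars.PR_BASE_URL` into `env:` but leaves `${{ github.event.pull_request.number }}` expanded inline in the shell script. A PR number is numeric so this is not an injection vector today, but the same patch routes `github.event.number` through `EVENT_NUMBER` in data_pr_close.yml, so the remediation is inconsistent and the inline expression is the kind of leftover a later edit could widen. Add `PR_NUMBER: ${{ github.event.pull_request.number }}` to the step's `env:` and write `echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${PR_NUMBER}), " >> "${GITHUB_ENV}"`. The same `Set pull-request URL` hunk recurs in gpu_fast_tests.yml, gpu_full_multi_gpu_tests.yml, gpu_pcc.yml and the gpu_signed_/gpu_unsigned_ integer workflow files below.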
--- a/.github/workflows/gpu_fast_tests.yml +++ b/.github/workflows/gpu_fast_tests.yml @@ -24,6 +24,9 @@ on: workflow_dispatch: pull_request: + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -87,7 +90,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA tests @@ -153,7 +156,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_full_h100_tests.yml b/.github/workflows/gpu_full_h100_tests.yml index c2551868d..70c9105e9 100644 --- a/.github/workflows/gpu_full_h100_tests.yml +++ b/.github/workflows/gpu_full_h100_tests.yml @@ -15,6 +15,9 @@ env: on: workflow_dispatch: + +permissions: {} + jobs: setup-instance: name: Setup instance (cuda-h100-tests) diff --git a/.github/workflows/gpu_full_multi_gpu_tests.yml b/.github/workflows/gpu_full_multi_gpu_tests.yml index 0b0a5d0f5..6cbd22dcc 100644 --- a/.github/workflows/gpu_full_multi_gpu_tests.yml +++ b/.github/workflows/gpu_full_multi_gpu_tests.yml @@ -25,6 +25,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -89,7 +92,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA multi-GPU tests 
@@ -158,7 +161,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_integer_long_run_tests.yml b/.github/workflows/gpu_integer_long_run_tests.yml index 692647f40..95ee7d80d 100644 --- a/.github/workflows/gpu_integer_long_run_tests.yml +++ b/.github/workflows/gpu_integer_long_run_tests.yml @@ -18,6 +18,9 @@ on: # Nightly tests will be triggered each evening 8p.m. - cron: "0 20 * * *" + +permissions: {} + jobs: setup-instance: name: Setup instance (gpu-tests) diff --git a/.github/workflows/gpu_pcc.yml b/.github/workflows/gpu_pcc.yml index cc27fba9e..938429d90 100644 --- a/.github/workflows/gpu_pcc.yml +++ b/.github/workflows/gpu_pcc.yml @@ -21,6 +21,9 @@ env: on: pull_request: + +permissions: {} + jobs: setup-instance: name: Setup instance (cuda-pcc) @@ -116,7 +119,9 @@ jobs: - name: Set pull-request URL if: ${{ failure() && github.event_name == 'pull_request' }} run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Slack Notification if: ${{ failure() && env.SECRETS_AVAILABLE == 'true' }} diff --git a/.github/workflows/gpu_signed_integer_classic_tests.yml b/.github/workflows/gpu_signed_integer_classic_tests.yml index f18ab081c..66d2ffcf0 100644 --- a/.github/workflows/gpu_signed_integer_classic_tests.yml +++ b/.github/workflows/gpu_signed_integer_classic_tests.yml 
@@ -25,6 +25,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -89,7 +92,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA signed integer tests with classical PBS @@ -141,7 +144,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_signed_integer_h100_tests.yml b/.github/workflows/gpu_signed_integer_h100_tests.yml index 5c83436f0..c027f2976 100644 --- a/.github/workflows/gpu_signed_integer_h100_tests.yml +++ b/.github/workflows/gpu_signed_integer_h100_tests.yml @@ -26,6 +26,9 @@ on: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -103,7 +106,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA H100 signed integer tests 
@@ -156,7 +159,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_signed_integer_tests.yml b/.github/workflows/gpu_signed_integer_tests.yml index 5501a43cf..ae2362610 100644 --- a/.github/workflows/gpu_signed_integer_tests.yml +++ b/.github/workflows/gpu_signed_integer_tests.yml @@ -29,6 +29,9 @@ on: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -93,7 +96,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-signed-integer-tests: name: CUDA signed integer tests @@ -153,7 +156,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_unsigned_integer_classic_tests.yml b/.github/workflows/gpu_unsigned_integer_classic_tests.yml index d1cc2304b..ade9b01b0 100644 --- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml 
@@ -26,6 +26,9 @@ on: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -90,7 +93,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA unsigned integer tests with classical PBS @@ -142,7 +145,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_unsigned_integer_h100_tests.yml b/.github/workflows/gpu_unsigned_integer_h100_tests.yml index 93a5b32b9..f1587e387 100644 --- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml @@ -25,6 +25,9 @@ on: pull_request: types: [ labeled ] + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -102,7 +105,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-tests-linux: name: CUDA H100 unsigned integer tests 
@@ -155,7 +158,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/gpu_unsigned_integer_tests.yml b/.github/workflows/gpu_unsigned_integer_tests.yml index 0bd45246a..89f1bfcd0 100644 --- a/.github/workflows/gpu_unsigned_integer_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_tests.yml @@ -29,6 +29,9 @@ on: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" + +permissions: {} + jobs: should-run: runs-on: ubuntu-latest @@ -93,7 +96,7 @@ jobs: id: start-github-instance if: env.SECRETS_AVAILABLE == 'false' run: | - echo "runner_group=${{ env.EXTERNAL_CONTRIBUTION_RUNNER }}" >> "$GITHUB_OUTPUT" + echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT" cuda-unsigned-integer-tests: name: CUDA unsigned integer tests @@ -153,7 +156,9 @@ jobs: - name: Set pull-request URL if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request' run: | - echo "PULL_REQUEST_MD_LINK=[pull-request](${{ vars.PR_BASE_URL }}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${{ github.event.pull_request.number }}), " >> "${GITHUB_ENV}" + env: + PR_BASE_URL: ${{ vars.PR_BASE_URL }} - name: Send message if: env.SECRETS_AVAILABLE == 'true' diff --git a/.github/workflows/integer_long_run_tests.yml b/.github/workflows/integer_long_run_tests.yml index a2805da3d..43c4c424c 100644 --- a/.github/workflows/integer_long_run_tests.yml +++ b/.github/workflows/integer_long_run_tests.yml 
@@ -18,6 +18,9 @@ on: # Weekly tests will be triggered each Friday at 9p.m. - cron: "0 21 * * 5" + +permissions: {} + jobs: setup-instance: name: Setup instance (cpu-tests) diff --git a/.github/workflows/m1_tests.yml b/.github/workflows/m1_tests.yml index 23987dedf..5c04d5bb2 100644 --- a/.github/workflows/m1_tests.yml +++ b/.github/workflows/m1_tests.yml @@ -27,6 +27,8 @@ concurrency: group: ${{ github.workflow_ref }} cancel-in-progress: true +permissions: {} + jobs: cargo-builds-m1: if: ${{ (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml index f6aa8a328..2ea9b94b6 100644 --- a/.github/workflows/make_release.yml +++ b/.github/workflows/make_release.yml @@ -33,6 +33,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml @@ -108,7 +110,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Generate hash id: published_hash diff --git a/.github/workflows/make_release_cuda.yml b/.github/workflows/make_release_cuda.yml index fe1fd8b13..4bc300394 100644 --- a/.github/workflows/make_release_cuda.yml +++ b/.github/workflows/make_release_cuda.yml @@ -15,6 +15,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml 
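Review bot: The rewritten `cargo publish -p tfhe --token "${CRATES_TOKEN}" "${DRY_RUN}"` line in the `@@ -108,7 +110,7 @@` hunk quotes `DRY_RUN`, but `DRY_RUN` is `${{ inputs.dry_run && '--dry-run' || '' }}`, so on a real (non-dry-run) release the quoted expansion becomes an empty-string positional argument, whereas before the change the empty `${{ env.DRY_RUN }}` expanded to nothing. cargo publish takes no positional argument, so I would expect its argument parser to reject `''` and the release step to fail exactly when it matters. Use the alternate-value form, which expands to nothing when the variable is empty and to a single quoted word otherwise: `cargo publish -p tfhe --token "${CRATES_TOKEN}" ${DRY_RUN:+"${DRY_RUN}"}`. The same `"${DRY_RUN}"` pattern is in the publish hunks of make_release_cuda.yml, make_release_tfhe_csprng.yml, make_release_tfhe_fft.yml, make_release_tfhe_ntt.yml and make_release_zk_pok.yml. Separately, cargo also reads the registry token from the `CARGO_REGISTRY_TOKEN` environment variable, so exporting the secret under that name instead of passing it via `--token` keeps it out of the process argument list on the runner.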
@@ -157,7 +159,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe-cuda-backend --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe-cuda-backend --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Generate hash id: published_hash diff --git a/.github/workflows/make_release_tfhe_csprng.yml b/.github/workflows/make_release_tfhe_csprng.yml index 81be97fde..4e9029567 100644 --- a/.github/workflows/make_release_tfhe_csprng.yml +++ b/.github/workflows/make_release_tfhe_csprng.yml @@ -15,6 +15,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml @@ -79,7 +81,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe-csprng --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe-csprng --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Generate hash id: published_hash run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" diff --git a/.github/workflows/make_release_tfhe_fft.yml b/.github/workflows/make_release_tfhe_fft.yml index bf797c484..7255aa295 100644 --- a/.github/workflows/make_release_tfhe_fft.yml +++ b/.github/workflows/make_release_tfhe_fft.yml @@ -16,6 +16,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml @@ -76,7 +78,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe-fft --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe-fft --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Generate hash id: published_hash 
diff --git a/.github/workflows/make_release_tfhe_ntt.yml b/.github/workflows/make_release_tfhe_ntt.yml index e81ff1c9a..595509f77 100644 --- a/.github/workflows/make_release_tfhe_ntt.yml +++ b/.github/workflows/make_release_tfhe_ntt.yml @@ -16,6 +16,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml @@ -75,7 +77,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe-ntt --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe-ntt --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Generate hash id: published_hash diff --git a/.github/workflows/make_release_tfhe_versionable.yml b/.github/workflows/make_release_tfhe_versionable.yml index 8e963f492..41bc867f4 100644 --- a/.github/workflows/make_release_tfhe_versionable.yml +++ b/.github/workflows/make_release_tfhe_versionable.yml @@ -10,6 +10,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: verify_tag: uses: ./.github/workflows/verify_tagged_commit.yml @@ -72,7 +74,7 @@ jobs: env: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} run: | - cargo publish -p tfhe-versionable-derive --token ${{ env.CRATES_TOKEN }} + cargo publish -p tfhe-versionable-derive --token "${CRATES_TOKEN}" - name: Generate hash id: published_hash run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" @@ -145,7 +147,7 @@ jobs: env: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} run: | - cargo publish -p tfhe-versionable --token ${{ env.CRATES_TOKEN }} + cargo publish -p tfhe-versionable --token "${CRATES_TOKEN}" - name: Generate hash id: published_hash run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" 
diff --git a/.github/workflows/make_release_zk_pok.yml b/.github/workflows/make_release_zk_pok.yml index be242dd61..1c6817d27 100644 --- a/.github/workflows/make_release_zk_pok.yml +++ b/.github/workflows/make_release_zk_pok.yml @@ -15,6 +15,8 @@ env: SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} +permissions: {} + jobs: package: runs-on: ubuntu-latest @@ -77,7 +79,7 @@ jobs: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | - cargo publish -p tfhe-zk-pok --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + cargo publish -p tfhe-zk-pok --token "${CRATES_TOKEN}" "${DRY_RUN}" - name: Verify hash id: published_hash run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" diff --git a/.github/workflows/parameters_check.yml b/.github/workflows/parameters_check.yml index bbed16b6e..e01bf4578 100644 --- a/.github/workflows/parameters_check.yml +++ b/.github/workflows/parameters_check.yml @@ -12,6 +12,8 @@ on: - "main" workflow_dispatch: +permissions: {} + jobs: params-curves-security-check: runs-on: large_ubuntu_16-22.04 diff --git a/.github/workflows/placeholder_workflow.yml b/.github/workflows/placeholder_workflow.yml index dc9e95f37..1864be28d 100644 --- a/.github/workflows/placeholder_workflow.yml +++ b/.github/workflows/placeholder_workflow.yml @@ -4,6 +4,8 @@ name: Placeholder Workflow on: workflow_dispatch: +permissions: {} + jobs: placeholder: name: Placeholder diff --git a/.github/workflows/sync_on_push.yml b/.github/workflows/sync_on_push.yml index 304d8d275..577d9fe8a 100644 --- a/.github/workflows/sync_on_push.yml +++ b/.github/workflows/sync_on_push.yml @@ -7,6 +7,8 @@ on: - 'main' workflow_dispatch: +permissions: {} + jobs: sync-repo: if: ${{ github.repository == 'zama-ai/tfhe-rs' }} diff --git a/.github/workflows/verify_tagged_commit.yml b/.github/workflows/verify_tagged_commit.yml index 811d23c8e..b2db783a3 100644 
--- a/.github/workflows/verify_tagged_commit.yml +++ b/.github/workflows/verify_tagged_commit.yml @@ -9,6 +9,8 @@ on: READ_ORG_TOKEN: required: true +permissions: {} + jobs: checks: runs-on: ubuntu-latest @@ -26,7 +28,10 @@ jobs: - name: Actor authorized run: | - if [ "${{ steps.actor_check.outputs.authorized }}" == "false" ]; then - echo "Actor '${{ github.triggering_actor }}' is not authorized to perform release" + if [ "${ACTOR_CHECK_OUTPUT}" == "false" ]; then + echo "Actor '${TRIGGERING_ACTOR}' is not authorized to perform release" exit 1 fi + env: + TRIGGERING_ACTOR: ${{ github.triggering_actor }} + ACTOR_CHECK_OUTPUT: ${{ steps.actor_check.outputs.authorized }}
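Review bot: The rewritten gate `if [ "${ACTOR_CHECK_OUTPUT}" == "false" ]; then` only blocks the release when the `actor_check` step emitted the literal string `false`; if that output is empty because the step was skipped, errored before writing `$GITHUB_OUTPUT`, or its output name changes, the check passes and an unauthorized actor is not rejected. For an authorization gate the comparison should fail closed: `if [ "${ACTOR_CHECK_OUTPUT}" != "true" ]; then`. The `actor_check` step itself is outside this hunk, so whether it can produce an empty output is inferred, not verified.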