diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index f752fac5..c40e5483 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml @@ -10,8 +10,8 @@ jobs: name: End-to-end sign and verify runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 - run: | set -euo pipefail cd model_signing diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 13d7d98a..a847f072 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml index ac6ad5da..df27e544 100644 --- a/.github/workflows/dependency_review.yml +++ b/.github/workflows/dependency_review.yml @@ -23,6 +23,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 diff --git a/.github/workflows/model_signing.yml b/.github/workflows/model_signing.yml new file mode 100644 index 00000000..7b50cc70 --- /dev/null +++ b/.github/workflows/model_signing.yml @@ -0,0 +1,47 @@ +name: Unit tests for model signing +on: + push: + branches: [main] + pull_request: + branches: [main] + types: [opened, synchronize] + +permissions: + id-token: write + +jobs: + sign-model: + name: Test model signing still works + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + with: + python-version: 3.11 + cache: pip + cache-dependency-path: model_signing/install/requirements.txt + - name: Install dependencies + run: | + set -euo pipefail + python -m venv venv + source venv/bin/activate + python -m pip install --require-hashes -r model_signing/install/requirements.txt + - name: Download bertseq2seq + run: | + set -euo pipefail + wget "https://tfhub.dev/google/bertseq2seq/bert24_en_de/1?tf-hub-format=compressed" -O bertseq2seq.tgz + mkdir -p bertseq2seq + pushd bertseq2seq + tar xvzf ../bertseq2seq.tgz + popd + rm -rf bertseq2seq.tgz + - name: Sign bertseq2seq model + run: | + set -euo pipefail + source venv/bin/activate + python3 model_signing/main.py sign --path bertseq2seq + - name: Verify signature of bertseq2seq model + run: | + set -euo pipefail + source venv/bin/activate + python3 model_signing/main.py verify --path bertseq2seq --identity https://github.com/${{ github.workflow_ref }} --identity-provider https://token.actions.githubusercontent.com diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2075cdd2..9a8d44e7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false