From 1618e72299b3accc2abc867e87c692f42961186e Mon Sep 17 00:00:00 2001
From: Lan Luo
Date: Tue, 2 Jun 2026 21:01:05 -0700
Subject: [PATCH 1/2] fix code scan error

---
 .github/workflows/blossom-ci.yml | 104 ------------------
 .../build-test-linux-aarch64-jetpack.yml | 3 +
 .../workflows/build-test-linux-aarch64.yml | 3 +
 .github/workflows/build-test-linux-x86_64.yml | 3 +
 .../workflows/build-test-linux-x86_64_rtx.yml | 3 +
 .github/workflows/build-test-windows.yml | 3 +
 .github/workflows/build-test-windows_rtx.yml | 3 +
 .github/workflows/docgen.yml | 3 +
 .github/workflows/docker_builder.yml | 3 +
 .github/workflows/executorch-static-linux.yml | 3 +
 .github/workflows/label.yml | 3 +
 .github/workflows/linter.yml | 3 +
 .github/workflows/linux-test.yml | 3 +
 .github/workflows/nightlies.yml | 3 +
 .github/workflows/stale.yml | 5 +
 .github/workflows/windows-test.yml | 3 +
 setup.py | 41 ++++---
 tests/modules/hub.py | 3 +-
 tools/perf/hub.py | 3 +-
 19 files changed, 75 insertions(+), 123 deletions(-)
 delete mode 100644 .github/workflows/blossom-ci.yml

diff --git a/.github/workflows/blossom-ci.yml b/.github/workflows/blossom-ci.yml
deleted file mode 100644
index d5bdf0ed95..0000000000
--- a/.github/workflows/blossom-ci.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright (c) 2020-2021, NVIDIA CORPORATION.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# A workflow to trigger ci on hybrid infra (github + self hosted runner)
-name: Blossom-CI
-on:
- issue_comment:
- types: [created]
- workflow_dispatch:
- inputs:
- platform:
- description: 'runs-on argument'
- required: false
- args:
- description: 'argument'
- required: false
-jobs:
- Authorization:
- name: Authorization
- runs-on: blossom
- outputs:
- args: ${{ env.args }}
-
- # This job only runs for pull request comments
- if: |
- contains( 'andi4191, narendasan, peri044, bowang007,', format('{0},', github.actor)) &&
- github.event.comment.body == '/blossom-ci'
- steps:
- - name: Check if comment is issued by authorized person
- run: blossom-ci
- env:
- OPERATION: 'AUTH'
- REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
-
- Vulnerability-scan:
- name: Vulnerability scan
- needs: [Authorization]
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
- with:
- repository: ${{ fromJson(needs.Authorization.outputs.args).repo }}
- ref: ${{ fromJson(needs.Authorization.outputs.args).ref }}
- lfs: 'true'
-
- # repo specific steps
- #- name: Setup java
- # uses: actions/setup-java@v5
- # with:
- # java-version: 1.8
-
- # add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file
- #- name: Setup 
blackduck properties
- # run: |
- # PROJECTS=$(mvn -am dependency:tree | grep maven-dependency-plugin | awk '{ out="com.nvidia:"$(NF-1);print out }' | grep rapids | xargs | sed -e 's/ /,/g')
- # echo detect.maven.build.command="-pl=$PROJECTS -am" >> application.properties
- # echo detect.maven.included.scopes=compile >> application.properties
-
- - name: Run blossom action
- uses: NVIDIA/blossom-action@main
- env:
- REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
- with:
- args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }}
- args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }}
- args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }}
-
- Job-trigger:
- name: Start ci job
- needs: [Vulnerability-scan]
- runs-on: blossom
- steps:
- - name: Start ci job
- run: blossom-ci
- env:
- OPERATION: 'START-CI-JOB'
- CI_SERVER: ${{ secrets.CI_SERVER }}
- REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- Upload-Log:
- name: Upload log
- runs-on: blossom
- if : github.event_name == 'workflow_dispatch'
- steps:
- - name: Jenkins log for pull request ${{ fromJson(github.event.inputs.args).pr }} (click here)
- run: blossom-ci
- env:
- OPERATION: 'POST-PROCESSING'
- CI_SERVER: ${{ secrets.CI_SERVER }}
- REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build-test-linux-aarch64-jetpack.yml b/.github/workflows/build-test-linux-aarch64-jetpack.yml
index 5cda6acec5..f78e316712 100644
--- a/.github/workflows/build-test-linux-aarch64-jetpack.yml
+++ b/.github/workflows/build-test-linux-aarch64-jetpack.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/build-test-linux-aarch64.yml b/.github/workflows/build-test-linux-aarch64.yml
index eea7ec01fa..524b0f5e4a 100644
--- a/.github/workflows/build-test-linux-aarch64.yml
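Review bot: With the new top-level `permissions: contents: read`, every job in this workflow that does not declare its own `permissions:` — including `generate-matrix` and any job that `uses:` a pytorch/test-infra reusable workflow — now runs with only that token, and a called reusable workflow cannot be granted more than its caller allows. If any of those jobs needs `id-token: write` (OIDC uploads) or `packages: read`/`write`, that has to be listed at job level, so please confirm the job-level blocks (outside this hunk) still cover what the called workflows request; if they do, the restriction is exactly right. The same applies to the identical hunks in build-test-linux-aarch64.yml, build-test-linux-x86_64.yml, build-test-linux-x86_64_rtx.yml, build-test-windows.yml, build-test-windows_rtx.yml, docgen.yml, docker_builder.yml, executorch-static-linux.yml, linter.yml, linux-test.yml, nightlies.yml and windows-test.yml. One style point: the windows-test.yml hunk inserts `permissions:` directly after `type: boolean` with no separating blank line, unlike every other file in this patch.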
+++ b/.github/workflows/build-test-linux-aarch64.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/build-test-linux-x86_64.yml b/.github/workflows/build-test-linux-x86_64.yml
index 7c067709a6..55faf3ea7c 100644
--- a/.github/workflows/build-test-linux-x86_64.yml
+++ b/.github/workflows/build-test-linux-x86_64.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/build-test-linux-x86_64_rtx.yml b/.github/workflows/build-test-linux-x86_64_rtx.yml
index b7f86d1fa6..69e353d189 100644
--- a/.github/workflows/build-test-linux-x86_64_rtx.yml
+++ b/.github/workflows/build-test-linux-x86_64_rtx.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/build-test-windows.yml b/.github/workflows/build-test-windows.yml
index f092e5a7d0..60401a82d9 100644
--- a/.github/workflows/build-test-windows.yml
+++ b/.github/workflows/build-test-windows.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/build-test-windows_rtx.yml b/.github/workflows/build-test-windows_rtx.yml
index 53d2bd6a35..82781df9d9 100644
--- a/.github/workflows/build-test-windows_rtx.yml
+++ b/.github/workflows/build-test-windows_rtx.yml
@@ -13,6 +13,9 @@ on:
 - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 uses: pytorch/test-infra/.github/workflows/generate_binary_build_matrix.yml@main
diff --git a/.github/workflows/docgen.yml b/.github/workflows/docgen.yml
index bf4e7619a8..26de4c6344 100644
--- a/.github/workflows/docgen.yml
+++ b/.github/workflows/docgen.yml
@@ -8,6 +8,9 @@ on:
 push:
 branches: [main]

+permissions:
+ contents: read
+
 jobs:
 build-docs:
 runs-on: linux.g5.4xlarge.nvidia.gpu
diff --git a/.github/workflows/docker_builder.yml b/.github/workflows/docker_builder.yml
index 24b7fe0fb2..f29a813238 100644
--- a/.github/workflows/docker_builder.yml
+++ b/.github/workflows/docker_builder.yml
@@ -11,6 +11,9 @@ on:
 - 'docs/**'
 workflow_dispatch:

+permissions:
+ contents: read
+
 # If pushes to main are made in rapid succession,
 # cancel existing docker builds and use newer commits
 concurrency:
diff --git a/.github/workflows/executorch-static-linux.yml b/.github/workflows/executorch-static-linux.yml
index 4273d70229..f91dee4c9c 100644
--- a/.github/workflows/executorch-static-linux.yml
+++ b/.github/workflows/executorch-static-linux.yml
@@ -24,6 +24,9 @@ on:
 default: ""
 type: string

+permissions:
+ contents: read
+
 jobs:
 select-matrix:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index f428d6e2bc..e224848be1 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -8,6 +8,9 @@ name: Labeler

 on: [pull_request_target]

+permissions:
+ contents: read
+
 jobs:
 label:
 permissions:
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index af16185129..7d99841ac7 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [opened, synchronize, ready_for_review, review_requested, reopened]

+permissions:
+ contents: read
+
 jobs:
 cpp-linting:
 name: C++ Linting
diff --git a/.github/workflows/linux-test.yml b/.github/workflows/linux-test.yml
index d055276143..2dac5bf90b 100644
--- a/.github/workflows/linux-test.yml
+++ b/.github/workflows/linux-test.yml
@@ -69,6 +69,9 @@ on:
 type: boolean
 required: false

+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index 1769a3abce..709efe7eca 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -5,6 +5,9 @@ on:
 - cron: '30 9 * * *'
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 cut_nightly:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b67f5bfea5..db7863833a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,11 @@ on:
 schedule:
 - cron: "0 0 * * *"

+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
 jobs:
 stale:

diff --git a/.github/workflows/windows-test.yml b/.github/workflows/windows-test.yml
index 0d919ca3c3..60e768343a 100644
--- a/.github/workflows/windows-test.yml
+++ b/.github/workflows/windows-test.yml
@@ -47,6 +47,9 @@ on:
 description: "Whether to use TensorRT-RTX"
 default: false
 type: boolean
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/setup.py b/setup.py
index d0f5b77afb..54cf44b1bc 100644
--- a/setup.py
+++ b/setup.py
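Review bot: `contents: write` in the new stale.yml permissions block is broader than the stale job is likely to need: actions/stale documents `contents: write` only for its `delete-branch` option, while closing, labeling and commenting on stale issues and PRs needs just `issues: write` and `pull-requests: write`. Unless the `stale` job (whose body lies outside this hunk) sets `delete-branch: true`, narrow the first line to `contents: read`. A scheduled workflow's token is the one that runs unattended, so write access to repository contents is the grant most worth withholding from a third-party action here.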
@@ -339,25 +339,32 @@ def copy_libtorchtrt(multilinux=False, rt_only=False):
 dir_path + "/trtorch/lib/libtrtorch.so",
 )
 elif rt_only:
- os.system(
- "tar -xzf "
- + dir_path
- + "/../bazel-bin/libtorchtrt_runtime.tar.gz --strip-components=1 -C "
- + dir_path
- + "/torch_tensorrt"
+ subprocess.run(
+ [
+ "tar",
+ "-xzf",
+ dir_path + "/../bazel-bin/libtorchtrt_runtime.tar.gz",
+ "--strip-components=1",
+ "-C",
+ dir_path + "/torch_tensorrt",
+ ],
+ check=True,
 )
 else:
- os.system(
- "tar -xzf "
- + dir_path
- + "/../bazel-bin/libtorchtrt.tar.gz "
- + "--exclude='torch_tensorrt/src' "
- + "--exclude='torch_tensorrt/src/*' "
- + "--exclude='torch_tensorrt/examples' "
- + "--exclude='torch_tensorrt/examples/*' "
- + "--strip-components=1 -C "
- + dir_path
- + "/torch_tensorrt"
+ subprocess.run(
+ [
+ "tar",
+ "-xzf",
+ dir_path + "/../bazel-bin/libtorchtrt.tar.gz",
+ "--exclude=torch_tensorrt/src",
+ "--exclude=torch_tensorrt/src/*",
+ "--exclude=torch_tensorrt/examples",
+ "--exclude=torch_tensorrt/examples/*",
+ "--strip-components=1",
+ "-C",
+ dir_path + "/torch_tensorrt",
+ ],
+ check=True,
 )


diff --git a/tests/modules/hub.py b/tests/modules/hub.py
index e810df0404..6aebe214ec 100644
--- a/tests/modules/hub.py
+++ b/tests/modules/hub.py
@@ -102,7 +102,8 @@ def main():
 manifest = {"version": torch_version}

 # Creating an empty manifest file for overwriting post setup
- os.system("touch {}".format(MANIFEST_FILE))
+ with open(MANIFEST_FILE, "a"):
+ pass
 else:
 manifest_exists = True

diff --git a/tools/perf/hub.py b/tools/perf/hub.py
index e135aa0f67..2fdfa925c0 100644
--- a/tools/perf/hub.py
+++ b/tools/perf/hub.py
@@ -132,7 +132,8 @@ def main():
 manifest = {"version": torch_version}

 # Creating an empty manifest file for overwriting post setup
- os.system("touch {}".format(MANIFEST_FILE))
+ with open(MANIFEST_FILE, "a"):
+ pass
 else:
 # Load manifest if already exists
 with open(MANIFEST_FILE, "r") as f:
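Review bot: The new `subprocess.run(...)` calls in both the `rt_only` and default branches need `import subprocess` in setup.py, and this hunk — the only change to setup.py in the patch — does not add one; if the module is not already imported elsewhere in the file, both branches raise NameError at build time, so please confirm. Note also that `check=True` makes a failed `tar` abort the build with CalledProcessError, where `os.system` silently ignored the exit status — an improvement worth a one-line comment such as `# fail the build if the archive cannot be extracted` above each call. Dropping the shell-style single quotes from the `--exclude=` values is correct now that no shell is involved. The enclosing `copy_libtorchtrt` starts before this hunk.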
From 43b89c667b513e56268a7613150ee9413c1c6082 Mon Sep 17 00:00:00 2001
From: Lan Luo
Date: Wed, 3 Jun 2026 14:05:58 -0700
Subject: [PATCH 2/2] test

---
 .github/workflows/codeql.yml | 102 +++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..57f3c366e0
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: c-cpp
+ build-mode: autobuild
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
\ No newline at end of file
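Review bot: `build-mode: autobuild` for the `c-cpp` matrix entry is unlikely to produce a usable analysis for this repository, whose native build appears to be Bazel (the setup.py hunk in the first patch extracts artifacts from `bazel-bin`); as far as I know Bazel is not among the build systems CodeQL's C/C++ autobuild detects, so that entry would most likely fail at the analyze step while `fail-fast: false` lets the actions and python entries pass, leaving the C++ code unscanned with a green-looking partial run. Either switch it to `build-mode: manual` and replace the placeholder `Run manual build steps` step (which currently ends in `exit 1`) with the real Bazel build, or drop `c-cpp` from the matrix until that build is wired up. Two smaller points: `actions/checkout@v4` lags the `actions/checkout@v6` the repository already used (see the removed blossom-ci.yml), and a security workflow is the natural place to pin `actions/checkout` and the two `github/codeql-action` steps to full commit SHAs rather than major tags; and the file ends without a trailing newline (`\ No newline at end of file`), which yamllint flags. The mis-encoded emoji in the comment `# â„šī¸ Command-line programs to run using the OS shell.` is template residue that could be replaced with plain ASCII.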