Conversation
* Use literal version instead of scm version. * Update version info ---------
* [to #53688079] Update README.md * Add Github workflow * Update Integration workflow * Update github workflow --------- Signed-off-by: pitt-liang <lq262469@alibaba-inc.com>
* Fix github workflow --------- Signed-off-by: pitt-liang <lq262469@alibaba-inc.com>
* fix: Hacky way to wait prediction service to be ready * ci: Fix github workflow * ci: Fix integration test. --------- Signed-off-by: pitt-liang <lq262469@alibaba-inc.com>
* fix: update ModelScopeEstimator image * fix: fix duplicate filter * fix: update huggingface-inference and modelscope-inference image --------- Co-authored-by: yutou.zy <yutou.zy@alibaba-inc.com>
Signed-off-by: pitt-liang <lq262469@alibaba-inc.com>
* Fix list training_job logs. * Supports dedicated resource. --------- Signed-off-by: pitt-liang <lq262469@alibaba-inc.com>
* increase service gateway readiness threshold. * create openai API client from predictor.
* feat: support experiment * feat: add more API and testcase of experiment * feat: add experiment_config for processor * fix: update experiment.list return and its testcase * feat: add estimator with experiment testcase and bugfix * feat: adjust output channel logic of estimator and related testcase * fix: add result check in processor test and addd experiemnt_config in schema file
…nt and training * add GitHub Actions workflow for release triggering * fix lint error * update to development version * enable labels supports for training job * feat: supports list[str] for job command * docs: switch README.md to Chinese * fix predictor.wait_for_ready * fix model data configuration in model deployment * add credential source hint in pai.toolkit.config * Add labels for training_job from QuickStart model * fix unit test error * update release trigger * support label in model deploy
* add labels for service deploy via QuickStart model * fix base_url for openai client generated via predictor * fix: fix workflow step name * remove integration test in Github workflow * fix missing labels in AlgorithmEstimator.fit
* update to development version * add logging utils * replace get_logger customized for pai module
* fix: fix release_trigger github action * fix tensorboard initialize * fix setup_default_session * fix toolkit used for config initialization * fix service console url pattern
#19) * RegisteredModel.get_estimator support training methods
* vendor pai-dsw sdk * fix pai.toolkit.config in dsw notebook * fix ClientFactory create dsw_client * fix prompt_with_dsw_default_role return * fix get roles in workspace and oss endpoint config
* feat: pai.tookkit.config supports vpc network * feat: add network parameter for session * feat: add `Network` enum
* bump to develop version: 0.4.9.dev0 * chore: upgrade trainingservice pop sdk * feat: trainingjob supports use spot instance * feat: model recipe support use_spot_instance * feat: support advance settings for jobs * hack: add `resource_type` field for CreateTrainingJobRequest * fix type annotation for `resource_type` * fix: model recipe missing input/output channels
* feat: eas storage config supports * fix: fix `has_docker` check pending * fix: fix AlgorithmEstimator init * add RawStorageConfig used for eas storage configuration * fix test case run for spot_instance * fix ModelRecipe.run not return job instance * add test case for custom args in model recipe * add test case for RawStorageConfig
* build: support both `pai` and `alipai` package release * switch readthedocs and package name to `pai`
* fix: correct vpc endpoint used for network detection * feat: setup default session in DSW * fix network config * fix endpoint of pai-eas vpc network * bump to dev version
* feat: estimator support config output channel value * fix: ensure the workspace_id is type string * doc: remove tutorial example * doc: add model_training_recipe document
* update aiworkspace lib * update model recipe default output channels format with oss endpoint * add test case for model compression Co-authored-by: yutou.zy <yutou.zy@alibaba-inc.com>
* hotfix: not compress the source code in training job * fix lint error * remove OSS endpoint patch
|
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python 3.8 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.8" | ||
| - name: Install pre-commit hook | ||
| run: | | ||
| pip install pre-commit | ||
| - name: Linting | ||
| run: pre-commit run --all-files | ||
| doc-lint: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
In general, the fix is to explicitly declare a restrictive permissions: block for the workflow or each job, instead of relying on the potentially broad repository default. For a pure lint workflow that just checks out code and runs local tools, the minimal required permission is contents: read.
The best way to fix this without changing existing functionality is to add a top-level permissions: block after the on: section in .github/workflows/lint.yaml, setting contents: read. This will apply to both common-lint and doc-lint jobs, which do not need to write to the repository or otherwise modify GitHub resources. No changes to the individual jobs or steps are required, and no imports or external dependencies are involved because this is a YAML workflow definition.
Concretely: in .github/workflows/lint.yaml, insert:
permissions:
contents: readbetween the existing on: [push] and concurrency: keys.
| @@ -2,6 +2,9 @@ | ||
|
|
||
| on: [push] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python 3.8 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.8" | ||
| - name: Install Nox | ||
| run: | | ||
| pip install nox | ||
| - name: Linting | ||
| run: nox -s doc |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
In general, the fix is to explicitly define a permissions block either at the workflow root (so it applies to all jobs) or per job, granting only the minimal scopes required. For this workflow, the jobs only need to read repository contents to allow actions/checkout to function; they do not need to write to contents, issues, or pull requests.
The best minimal fix while preserving behavior is to add a root-level permissions block just under the workflow name (or above on:), setting contents: read. This will apply to both common-lint and doc-lint jobs, and they will continue to function exactly as before, but with the GITHUB_TOKEN restricted to read-only repository contents. No other scopes (like pull-requests or issues) are needed because the jobs do not interact with those APIs.
Concretely, edit .github/workflows/lint.yaml near the top: insert
permissions:
contents: readafter name: Lint test (line 1) and before on: [push] (line 3). No imports or additional methods are required because this is YAML configuration only.
| @@ -1,5 +1,8 @@ | ||
| name: Lint test | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: [push] | ||
|
|
||
| concurrency: |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python 3.8 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.8" | ||
| - name: Install Nox | ||
| run: | | ||
| pip install nox | ||
| - name: Linting | ||
| run: nox -s unit |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
In general, to fix this problem you should explicitly declare the minimal required GITHUB_TOKEN permissions for the workflow or for each job. For a unit-test workflow that only checks out code and runs tests, contents: read is usually sufficient. Defining this at the top level makes it apply to all jobs unless overridden.
The best minimal fix here is to add a permissions: block at the root of the workflow, just under the on: trigger. This will constrain GITHUB_TOKEN for the unit-test job (and any future jobs) without changing any steps. We do not need additional imports or changes to steps; we only add YAML configuration.
Concretely, in .github/workflows/unit.yaml, insert:
permissions:
contents: readbetween the on: [push] line and the existing concurrency: block. No other files or regions need to be changed.
| @@ -2,6 +2,9 @@ | ||
|
|
||
| on: [push] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true |
7 participants
No description provided.