chore(ci): use limited access token to checkout repositories

This approach allows checkout public and private repository, like Slab, without to worry too much about secret leakage under certain circumstances (e.g. under pull request from forks). The token has just read access on selected repositories.
zama-ai · Jan 17, 2025 · 3cfddb6 · 3cfddb6
1 parent a882262
commit 3cfddb6
Show file tree

Hide file tree

Showing 40 changed files with 121 additions and 69 deletions.
diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml
@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: 'false'
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Install latest stable
         uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml
@@ -69,6 +69,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+          persist-credentials: 'false'
           token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
           ref: ${{ env.REF }}
 

diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml
@@ -42,8 +42,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
-          persist-credentials: "false"
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Check for file changes
         id: changed-files
@@ -96,7 +96,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: "false"
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Install latest stable
         uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml
@@ -42,8 +42,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
-          persist-credentials: "false"
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Check for file changes
         id: changed-files
@@ -96,7 +96,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: "false"
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Install latest stable
         uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml
@@ -63,7 +63,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Check for file changes
         id: changed-files
@@ -165,7 +166,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: 'false'
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Install latest stable
         uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml
@@ -48,7 +48,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           persist-credentials: 'false'
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Install latest stable
         uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

diff --git a/.github/workflows/benchmark_boolean.yml b/.github/workflows/benchmark_boolean.yml
@@ -51,7 +51,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -103,7 +104,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_core_crypto.yml b/.github/workflows/benchmark_core_crypto.yml
@@ -50,7 +50,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -94,7 +95,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_erc20.yml b/.github/workflows/benchmark_erc20.yml
@@ -52,7 +52,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -72,7 +73,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Run benchmarks
         run: |

diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml
@@ -42,7 +42,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -63,7 +64,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Run integer benchmarks
         run: |
@@ -116,7 +118,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -136,7 +139,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Run core crypto benchmarks
         run: |

diff --git a/.github/workflows/benchmark_gpu_core_crypto.yml b/.github/workflows/benchmark_gpu_core_crypto.yml
@@ -53,7 +53,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Setup Hyperstack dependencies
         uses: ./.github/actions/hyperstack_setup
@@ -108,7 +109,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_gpu_erc20_common.yml b/.github/workflows/benchmark_gpu_erc20_common.yml
@@ -14,7 +14,7 @@ on:
         type: string
         required: true
     secrets:
-      FHE_ACTIONS_TOKEN:
+      REPO_CHECKOUT_TOKEN:
         required: true
       SLAB_ACTION_TOKEN:
         required: true
@@ -80,7 +80,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Setup Hyperstack dependencies
         uses: ./.github/actions/hyperstack_setup
@@ -134,7 +135,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_gpu_integer_common.yml b/.github/workflows/benchmark_gpu_integer_common.yml
@@ -26,7 +26,7 @@ on:
         type: boolean
         default: false
     secrets:
-      FHE_ACTIONS_TOKEN:
+      REPO_CHECKOUT_TOKEN:
         required: true
       SLAB_ACTION_TOKEN:
         required: true
@@ -150,7 +150,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Setup Hyperstack dependencies
         uses: ./.github/actions/hyperstack_setup
@@ -210,7 +211,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_integer.yml b/.github/workflows/benchmark_integer.yml
@@ -119,7 +119,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -139,7 +140,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Should run benchmarks with all precisions
         if: inputs.all_precisions

diff --git a/.github/workflows/benchmark_shortint.yml b/.github/workflows/benchmark_shortint.yml
@@ -82,7 +82,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -102,7 +103,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Run benchmarks with AVX512
         run: |

diff --git a/.github/workflows/benchmark_signed_integer.yml b/.github/workflows/benchmark_signed_integer.yml
@@ -119,7 +119,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -139,7 +140,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Should run benchmarks with all precisions
         if: inputs.all_precisions

diff --git a/.github/workflows/benchmark_tfhe_fft.yml b/.github/workflows/benchmark_tfhe_fft.yml
@@ -94,7 +94,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_tfhe_ntt.yml b/.github/workflows/benchmark_tfhe_ntt.yml
@@ -94,7 +94,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash

diff --git a/.github/workflows/benchmark_tfhe_zk_pok.yml b/.github/workflows/benchmark_tfhe_zk_pok.yml
@@ -80,7 +80,8 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Get benchmark details
         run: |
@@ -100,7 +101,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Run benchmarks
         run: |
@@ -131,7 +133,8 @@ jobs:
         with:
           repository: zama-ai/slab
           path: slab
-          token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
 
       - name: Send data to Slab
         shell: bash