CI/CD - Test pipeline #778
This reverts commit 059daa9. modified: .github/workflows/build-image.yml new file: dockerfile/cuda11.1.1.dockerfile
This reverts commit 4f23173. modified: dockerfile/cuda11.1.1.dockerfile
…using version control.
**Description**
- Deprecated API arguments, 'interpolation', when numpy >v1.22.0. And it was removed since v2.4.0.
- Pandas to_excel() failed in unit test.

**Solution**
- Update the NumPy API usage to support NumPy 1.22.0+ while maintaining backward compatibility with earlier versions.
- Fixed the pandas to_excel() API compatibility issue. In newer versions of pandas (2.0+), the 'sheet_name' parameter must be passed as a keyword argument rather than a positional argument.

---------

Co-authored-by: Hongtao Zhang <hongtaozhang@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
**Description**

<img width="2289" height="969" alt="image" src="https://github.com/user-attachments/assets/c6531e62-ae06-4f1c-bed9-ddab6e3ffbec" />

**Solution**

Bump CodeQL action version to V3

Co-authored-by: Hongtao Zhang <hongtaozhang@microsoft.com>
Pull request overview
Updates CI/CD-related tooling and compatibility fixes to support running the CodeQL pipeline across languages/environments.
Changes:
- Update GitHub CodeQL workflow to use `github/codeql-action@v3`.
- Improve runtime compatibility in Python code (NumPy percentile API, Pandas Excel/DF APIs).
- Update CUDA 11.1.1 Dockerfile dependencies and build steps (Go install, temporary Rust install for build).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| superbench/benchmarks/base.py | Makes percentile computation compatible with both newer and older NumPy versions. |
| superbench/analyzer/result_summary.py | Adjusts Pandas API usage for column dropping and Excel output parameters. |
| superbench/analyzer/file_handler.py | Uses keyword args for to_excel sheet naming to match Pandas API expectations. |
| dockerfile/cuda11.1.1.dockerfile | Adds Go tooling and installs Rust temporarily during third_party build. |
| .github/workflows/codeql-analysis.yml | Bumps CodeQL GitHub Action from v2 to v3. |
| add-apt-repository -y ppa:longsleep/golang-backports && \ | ||
| apt-get update && \ | ||
| apt-get install -y golang-1.24-go=1.24* && \ |
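Review bot: The version constraint on the `apt-get install` line, `golang-1.24-go=1.24*`, is a glob rather than a pin, so it accepts whichever 1.24 build the PPA is serving at build time, and two builds of the same Dockerfile can end up with different toolchains. Pin the full package version string and bump it deliberately in a reviewed change; adding `--no-install-recommends` would also keep the set of packages pulled from the PPA to the minimum.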
Copilot
AI
Jan 28, 2026
Adding the third-party PPA ppa:longsleep/golang-backports and installing golang-1.24-go from it introduces a supply-chain risk because the build runs package installation scripts from an external, mutable repository with root privileges. If that PPA or its distribution path is compromised, an attacker could ship a malicious Go toolchain that executes during image build and later inside any container based on this image. Prefer using an official, vendor-maintained source or a pinned, verified artifact (e.g., with a checksum or signature) so the exact bits executed in the build are controlled and auditable.
| ADD third_party third_party | ||
| RUN make -C third_party cuda -o nvbandwidth | ||
| # Install Rust temporarily for wandb build (required by megatron_lm target), then remove | ||
| RUN curl https://sh.rustup.rs -sSf | sh -s -- -y && \ |
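Review bot: On the `RUN curl https://sh.rustup.rs -sSf | sh -s -- -y` line the pipeline's exit status is that of `sh`, not `curl`, so unless the Dockerfile sets a pipefail shell, a failed download (which `-f` turns into a non-zero curl exit) hands `sh` an empty script that exits 0, and the `&&` chain continues without Rust installed. Download to a file with `-o` and run it as a separate `&&` step, and pass `--default-toolchain <version>` so the build does not take whatever stable release is current. The comment above the line says Rust is removed afterwards; the removal is not in the lines shown, so confirm it happens inside this same `RUN`, otherwise the toolchain stays in the image layer.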
Copilot
AI
Jan 28, 2026
Executing curl https://sh.rustup.rs -sSf | sh -s -- -y during the Docker build runs remote code from the network as root without any integrity verification. If the Rust installer endpoint, DNS, or any point on the TLS path is compromised, an attacker can supply arbitrary shell script content, compromising the build container and any artifacts or secrets handled there. Prefer fetching a specific, versioned installer artifact and verifying its checksum or signature before execution, or using a trusted package manager source where possible.
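Both Copilot comments above recommend verifying a pinned artifact before executing it. A sketch of that check as an added example (not code from this PR or the project): `sha256_of`, `run_if_pinned` and the `<PINNED_...>` placeholders are hypothetical names, and the installer used in `demo` is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not the project's code): run a downloaded installer only if
# its SHA-256 matches a value pinned in the Dockerfile.
#
# Intended Dockerfile use, with placeholders for values the page does not give:
#   curl --proto '=https' --tlsv1.2 -sSf -o /tmp/init.sh <PINNED_INSTALLER_URL>
#   run_if_pinned /tmp/init.sh <PINNED_SHA256> -y

# sha256_of FILE: print the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing or empty (a failed download), 3 on digest
# mismatch, otherwise the installer's own exit status.
run_if_pinned() {
    file=$1; expected=$2; shift 2
    if [ ! -s "$file" ]; then
        echo "refusing: $file is missing or empty" >&2
        return 2
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing: $file digest $actual != pinned $expected" >&2
        return 3
    fi
    sh "$file" "$@"
}

# Constructed demo: a stand-in installer is written locally so this runs offline.
demo() {
    d=$(mktemp -d)
    printf 'echo "installer ran with: $*"\n' > "$d/init.sh"
    pin=$(sha256_of "$d/init.sh")   # real use: a constant reviewed into the repo
    ok=0;  run_if_pinned "$d/init.sh" "$pin" -y || ok=$?
    echo 'echo "injected line"' >> "$d/init.sh"   # simulate a changed upstream script
    bad=0; run_if_pinned "$d/init.sh" "$pin" -y || bad=$?
    rm -rf "$d"
    echo "untampered=$ok tampered=$bad"
}
demo
```

Because the download and the execution are separate steps, a failed or truncated fetch stops the build at the check instead of being masked by the pipe.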
Test done and close this PR.
Description
Test CodeQL pipeline.