diff --git a/.github/workflows/test-mlc-script-features.yml b/.github/workflows/test-mlc-script-features.yml index 88708f577..8280cdf53 100644 --- a/.github/workflows/test-mlc-script-features.yml +++ b/.github/workflows/test-mlc-script-features.yml @@ -148,17 +148,18 @@ jobs: Write-Host "run_step=false" | Out-File -FilePath $Env:GITHUB_ENV -Append } - - name: Retrieve secrets from Keeper + - name: Load secret if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master + id: op-load-secret + uses: 1password/load-secrets-action@v2 with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.op-load-secret.outputs.PAT }} if: github.repository_owner == 'mlcommons' && env.run_step == 'true' run: | git config --global user.name "mlcommons-bot" diff --git a/.github/workflows/test-mlperf-inference-bert-deepsparse-tf-onnxruntime-pytorch.yml b/.github/workflows/test-mlperf-inference-bert-deepsparse-tf-onnxruntime-pytorch.yml index 73f0d4adb..bec131ac9 100644 --- a/.github/workflows/test-mlperf-inference-bert-deepsparse-tf-onnxruntime-pytorch.yml +++ b/.github/workflows/test-mlperf-inference-bert-deepsparse-tf-onnxruntime-pytorch.yml 
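Review bot: The new `Load secret` step references `1password/load-secrets-action@v2`, a mutable tag, in a step that is handed `OP_SERVICE_ACCOUNT_TOKEN`. Code published under that tag later would run with the service-account token and the resolved PAT. Pin the action to a full commit SHA and keep the tag as a trailing comment, `uses: 1password/load-secrets-action@<full-commit-sha>  # v2`, with an updater such as Dependabot proposing bumps. The same reference appears in every `Load secret` step this commit adds: the `fetch-secret` jobs and the rgat and tvm-resnet50 workflows.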
@@ -9,8 +9,34 @@ on: - '!**.md' jobs: + fetch-secret: + runs-on: ubuntu-latest + outputs: + encrypted_secret: ${{ steps.encrypt-secret.outputs.encrypted_secret }} + steps: + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v2 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential + + - name: Encrypt secret + id: encrypt-secret + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + run: | + # AES-256 encrypt + encrypted=$(echo "${{ steps.op-load-secret.outputs.pat }}" | \ + openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + echo "encrypted_secret=$encrypted" >> $GITHUB_OUTPUT + build: name: MLPerf Inference Bert ${{ matrix.backend }} on ${{ matrix.os }} + needs: [fetch-secret] runs-on: ${{ matrix.os }} strategy: fail-fast: false 
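Review bot: In the `Encrypt secret` step the PAT is pasted into the script text through `${{ steps.op-load-secret.outputs.pat }}`, so the token is written into the generated shell file and any `"`, `$` or backtick in it is interpreted by bash. Pass it through the step's `env:` as `PAT: ${{ steps.op-load-secret.outputs.PAT }}` and pipe `echo "$PAT"` instead. On the same command, `-pass pass:"$ENCRYPTION_KEY"` puts the key in openssl's argument list, and `-base64` without `-A` wraps output at 64 characters, so a longer ciphertext no longer fits the single-line `name=value` form appended to `$GITHUB_OUTPUT`. Ending the command with `-pass env:ENCRYPTION_KEY -base64 -A` addresses both, provided the `Decrypt secret` step in `build` gets the same `-A`. The identical `fetch-secret` job is added in the cpp-resnet50, resnet50-closed-division, resnet50 and retinanet workflows.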
@@ -58,17 +84,25 @@ jobs: else echo "run_step=false" >> $GITHUB_ENV fi - - name: Retrieve secrets from Keeper - if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master - with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + - name: Decrypt secret + id: decrypt-secret + shell: bash + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + encrypted_secret: ${{ needs.fetch-secret.outputs.encrypted_secret }} + run: | + echo "Running on OS: ${{ matrix.os }}" + + # Decrypt + decrypted=$(echo "$encrypted_secret" | \ + openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + + echo "::add-mask::$decrypted" + echo "DECRYPTED_SECRET=$decrypted" >> $GITHUB_OUTPUT - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.decrypt-secret.outputs.decrypted_secret }} if: github.repository_owner == 'mlcommons' && env.run_step == 'true' run: | git config --global user.name "mlcommons-bot" diff --git a/.github/workflows/test-mlperf-inference-mlcommons-cpp-resnet50.yml b/.github/workflows/test-mlperf-inference-mlcommons-cpp-resnet50.yml index 737132572..ebfdc6863 100644 --- a/.github/workflows/test-mlperf-inference-mlcommons-cpp-resnet50.yml +++ b/.github/workflows/test-mlperf-inference-mlcommons-cpp-resnet50.yml 
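Review bot: The `Decrypt secret` step drops the gate the Keeper step had, `if: github.repository_owner == 'mlcommons' && env.run_step == 'true'`, and the `fetch-secret` job that `build` now `needs` is also unconditional. Where the repository secrets are unavailable (forks, presumably) the load step is likely to fail, and `build` would then be skipped entirely rather than only skipping the push. Restore the `if:` on this step and let `build` proceed without the secret, for instance with a job-level `if: ${{ !cancelled() }}`. The output is written as `DECRYPTED_SECRET` but read as `steps.decrypt-secret.outputs.decrypted_secret`, so use one spelling rather than depend on case-insensitive lookup. The same step is added in the cpp-resnet50, resnet50-closed-division, resnet50 and retinanet workflows, and the step list starts outside the hunk.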
@@ -9,8 +9,34 @@ on: - '!**.md' jobs: + fetch-secret: + runs-on: ubuntu-latest + outputs: + encrypted_secret: ${{ steps.encrypt-secret.outputs.encrypted_secret }} + steps: + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v2 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential + + - name: Encrypt secret + id: encrypt-secret + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + run: | + # AES-256 encrypt + encrypted=$(echo "${{ steps.op-load-secret.outputs.pat }}" | \ + openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + echo "encrypted_secret=$encrypted" >> $GITHUB_OUTPUT + build: name: MLPerf inference MLCommons C++ ResNet50 + needs: [fetch-secret] runs-on: ${{ matrix.os }} strategy: fail-fast: false 
@@ -56,17 +82,25 @@ jobs: else echo "run_step=false" >> $GITHUB_ENV fi - - name: Retrieve secrets from Keeper - if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master - with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + - name: Decrypt secret + id: decrypt-secret + shell: bash + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + encrypted_secret: ${{ needs.fetch-secret.outputs.encrypted_secret }} + run: | + echo "Running on OS: ${{ matrix.os }}" + + # Decrypt + decrypted=$(echo "$encrypted_secret" | \ + openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + + echo "::add-mask::$decrypted" + echo "DECRYPTED_SECRET=$decrypted" >> $GITHUB_OUTPUT - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.decrypt-secret.outputs.decrypted_secret }} USER: mlcommons-bot EMAIL: mlcommons-bot@users.noreply.github.com if: github.repository_owner == 'mlcommons' && env.run_step == 'true' diff --git a/.github/workflows/test-mlperf-inference-resnet50-closed-division.yml b/.github/workflows/test-mlperf-inference-resnet50-closed-division.yml index 586317439..fcc33736e 100644 --- a/.github/workflows/test-mlperf-inference-resnet50-closed-division.yml +++ b/.github/workflows/test-mlperf-inference-resnet50-closed-division.yml 
@@ -5,8 +5,34 @@ on: - cron: '0 0 * * 0' # Runs once a week on Sunday at 00:00 UTC workflow_dispatch: {} # Allows manual triggering of the workflow jobs: + fetch-secret: + runs-on: ubuntu-latest + outputs: + encrypted_secret: ${{ steps.encrypt-secret.outputs.encrypted_secret }} + steps: + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v2 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential + + - name: Encrypt secret + id: encrypt-secret + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + run: | + # AES-256 encrypt + encrypted=$(echo "${{ steps.op-load-secret.outputs.pat }}" | \ + openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + echo "encrypted_secret=$encrypted" >> $GITHUB_OUTPUT + build: name: MLPerf inference MLCommons ResNet50 Closed Division + needs: [fetch-secret] runs-on: ${{ matrix.os }} env: MLC_INDEX: "on" 
@@ -81,17 +107,25 @@ jobs: Write-Host "run_step=false" | Out-File -FilePath $Env:GITHUB_ENV -Append } - - name: Retrieve secrets from Keeper - if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master - with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + - name: Decrypt secret + id: decrypt-secret + shell: bash + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + encrypted_secret: ${{ needs.fetch-secret.outputs.encrypted_secret }} + run: | + echo "Running on OS: ${{ matrix.os }}" + + # Decrypt + decrypted=$(echo "$encrypted_secret" | \ + openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + + echo "::add-mask::$decrypted" + echo "DECRYPTED_SECRET=$decrypted" >> $GITHUB_OUTPUT - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.decrypt-secret.outputs.decrypted_secret }} if: github.repository_owner == 'mlcommons' && env.run_step == 'true' run: | git config --global user.name "mlcommons-bot" diff --git a/.github/workflows/test-mlperf-inference-resnet50.yml b/.github/workflows/test-mlperf-inference-resnet50.yml index 9bc5db424..fc727062f 100644 --- a/.github/workflows/test-mlperf-inference-resnet50.yml +++ b/.github/workflows/test-mlperf-inference-resnet50.yml 
@@ -9,7 +9,33 @@ on: - '!**.md' jobs: + fetch-secret: + runs-on: ubuntu-latest + outputs: + encrypted_secret: ${{ steps.encrypt-secret.outputs.encrypted_secret }} + steps: + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v2 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential + + - name: Encrypt secret + id: encrypt-secret + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + run: | + # AES-256 encrypt + encrypted=$(echo "${{ steps.op-load-secret.outputs.pat }}" | \ + openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + echo "encrypted_secret=$encrypted" >> $GITHUB_OUTPUT + mlc-run-with-results-upload: + needs: [fetch-secret] runs-on: ${{ matrix.os }} env: MLC_INDEX: "on" 
@@ -82,17 +108,25 @@ jobs: Write-Host "run_step=false" | Out-File -FilePath $Env:GITHUB_ENV -Append } - - name: Retrieve secrets from Keeper - if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master - with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + - name: Decrypt secret + id: decrypt-secret + shell: bash + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + encrypted_secret: ${{ needs.fetch-secret.outputs.encrypted_secret }} + run: | + echo "Running on OS: ${{ matrix.os }}" + + # Decrypt + decrypted=$(echo "$encrypted_secret" | \ + openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + + echo "::add-mask::$decrypted" + echo "DECRYPTED_SECRET=$decrypted" >> $GITHUB_OUTPUT - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.decrypt-secret.outputs.decrypted_secret }} if: github.repository_owner == 'mlcommons' && env.run_step == 'true' run: | git config --global user.name "mlcommons-bot" diff --git a/.github/workflows/test-mlperf-inference-retinanet.yml b/.github/workflows/test-mlperf-inference-retinanet.yml index 40e749831..b6136a7ce 100644 --- a/.github/workflows/test-mlperf-inference-retinanet.yml +++ b/.github/workflows/test-mlperf-inference-retinanet.yml 
@@ -9,7 +9,33 @@ on: - '!**.md' jobs: + fetch-secret: + runs-on: ubuntu-latest + outputs: + encrypted_secret: ${{ steps.encrypt-secret.outputs.encrypted_secret }} + steps: + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v2 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential + + - name: Encrypt secret + id: encrypt-secret + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + run: | + # AES-256 encrypt + encrypted=$(echo "${{ steps.op-load-secret.outputs.pat }}" | \ + openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + echo "encrypted_secret=$encrypted" >> $GITHUB_OUTPUT + mlc-run: + needs: [fetch-secret] runs-on: ${{ matrix.os }} strategy: fail-fast: false 
@@ -77,17 +103,25 @@ jobs: Write-Host "run_step=false" | Out-File -FilePath $Env:GITHUB_ENV -Append } - - name: Retrieve secrets from Keeper - if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master - with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + - name: Decrypt secret + id: decrypt-secret + shell: bash + env: + ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }} + encrypted_secret: ${{ needs.fetch-secret.outputs.encrypted_secret }} + run: | + echo "Running on OS: ${{ matrix.os }}" + + # Decrypt + decrypted=$(echo "$encrypted_secret" | \ + openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 \ + -pass pass:"$ENCRYPTION_KEY" -base64) + + echo "::add-mask::$decrypted" + echo "DECRYPTED_SECRET=$decrypted" >> $GITHUB_OUTPUT - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.decrypt-secret.outputs.decrypted_secret }} if: github.repository_owner == 'mlcommons' && env.run_step == 'true' run: | git config --global user.name "mlcommons-bot" diff --git a/.github/workflows/test-mlperf-inference-rgat.yml b/.github/workflows/test-mlperf-inference-rgat.yml index f8b0e6116..948b5e802 100644 --- a/.github/workflows/test-mlperf-inference-rgat.yml +++ b/.github/workflows/test-mlperf-inference-rgat.yml @@ -11,6 +11,7 @@ on: jobs: rgat-inference-run: name: ${{ matrix.os }} - ${{ matrix.backend }} - ${{ matrix.implementation }} + needs: [fetch-secret] runs-on: ${{ matrix.os }} strategy: fail-fast: false 
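Review bot: `needs: [fetch-secret]` is added to `rgat-inference-run` in test-mlperf-inference-rgat.yml, but neither hunk for that file adds a `fetch-secret` job. The second hunk loads the PAT in-job through `op-load-secret` instead. Unless such a job already exists in a part of the file not shown, GitHub will reject the workflow because the dependency cannot be resolved. Drop the `needs:` line here, or add the same `fetch-secret` job the other workflows received and consume its output.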
@@ -37,17 +38,19 @@ jobs: run: | mlcr run,mlperf,inference,generate-run-cmds,_submission,_short --adr.inference-src.tags=_branch.dev --pull_changes=yes --pull_inference_changes=yes --submitter="MLCommons" --hw_name=gh_${{ matrix.os }}_x86 --model=rgat --implementation=${{ matrix.implementation }} --backend=${{ matrix.backend }} --device=cpu --scenario=Offline --test_query_count=500 --adr.compiler.tags=gcc --category=datacenter --quiet -v --target_qps=1 - - name: Retrieve secrets from Keeper - id: ksecrets - uses: Keeper-Security/ksm-action@master + - name: Load secret + if: github.repository_owner == 'mlcommons' && env.run_step == 'true' + id: op-load-secret + uses: 1password/load-secrets-action@v2 with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.op-load-secret.outputs.PAT }} run: | git config --global user.name "mlcommons-bot" git config --global user.email "mlcommons-bot@users.noreply.github.com" diff --git a/.github/workflows/test-mlperf-inference-tvm-resnet50.yml b/.github/workflows/test-mlperf-inference-tvm-resnet50.yml index b2ae35d04..393d1c5cd 100644 --- a/.github/workflows/test-mlperf-inference-tvm-resnet50.yml +++ b/.github/workflows/test-mlperf-inference-tvm-resnet50.yml 
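Review bot: The `if:` added to `Load secret` tests `env.run_step`, yet nothing in this hunk shows `run_step` being written to `$GITHUB_ENV` in the rgat workflow, and `Push Results` has no condition at all. If `run_step` is unset, the load step is skipped and `Push Results` still runs with an empty `GITHUB_TOKEN`. Give `Push Results` the same `if: github.repository_owner == 'mlcommons' && env.run_step == 'true'`, or remove the `env.run_step` clause if this workflow never sets it. The steps before the hunk are not visible, so check the earlier part of the job before choosing.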
@@ -46,17 +46,18 @@ jobs: else echo "run_step=false" >> $GITHUB_ENV fi - - name: Retrieve secrets from Keeper + - name: Load secret if: github.repository_owner == 'mlcommons' && env.run_step == 'true' - id: ksecrets - uses: Keeper-Security/ksm-action@master + id: op-load-secret + uses: 1password/load-secrets-action@v2 with: - keeper-secret-config: ${{ secrets.KSM_CONFIG }} - secrets: |- - ubwkjh-Ii8UJDpG2EoU6GQ/field/Access Token > env:PAT + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + PAT: op://7basd2jirojjckncf6qnq3azai/bzbaco3uxoqs2rcyu42rvuccga/credential - name: Push Results env: - GITHUB_TOKEN: ${{ env.PAT }} + GITHUB_TOKEN: ${{ steps.op-load-secret.outputs.PAT }} USER: mlcommons-bot EMAIL: mlcommons-bot@users.noreply.github.com if: github.repository_owner == 'mlcommons' && env.run_step == 'true'