diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ede6eac74..d7f22fa75 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,19 +1,14 @@ name: Tests on: - workflow_run: - # DO NOT CHANGE THIS TO pull_request_target as it will leak secrets to external contributors before maintainer approves the CI run. - # DO NOT CHANGE THIS to pull_request as it will prevent us from running CI on PRs from external contributors with secrets *after* approval. - # Learn more: - # - https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/ - # - https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ - # - https://dvc.org/blog/testing-external-contributions-using-github-actions-secrets/ - # - https://github.com/orgs/community/discussions/179107 - workflows: - - "Ensure Contributor Is Trusted to Run CI" # filename: ensure-contributor-is-trusted-to-run-ci.yml + pull_request: types: - - completed - + - opened + - synchronize + - labeled + - unlabeled + paths-ignore: + - "packages/docs/**" permissions: contents: read 
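Review bot: The new `pull_request` trigger lists `opened`, `synchronize`, `labeled` and `unlabeled` but drops `reopened`, which the deleted gate workflow (`ensure-contributor-is-trusted-to-run-ci.yml`) did include; a PR that is closed and reopened without a new push now gets no CI run until its next commit, so add `- reopened` under `types:`. The removed block comments were the only place this repository recorded why the trigger must not be `pull_request_target`, and that reasoning still applies, so keep a short comment above `pull_request:` such as `# pull_request (not pull_request_target): fork PRs run without repository secrets; jobs that need secrets are further gated on head.repo.full_name == github.repository`. One consequence of `paths-ignore` on a `pull_request` trigger is that a docs-only PR produces no run at all; if any job in this workflow is configured as a required status check (not visible here), such PRs would wait indefinitely on a check that never reports.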
@@ -37,44 +32,20 @@ env: TURBO_TELEMETRY_DISABLED: "1" concurrency: - group: ${{ github.workflow }}-pr-${{ github.event.workflow_run.pull_requests[0].number || github.run_id }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: determine-changes: - if: > - github.event.workflow_run.conclusion == 'success' && - github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.pull_requests[0].number != null runs-on: ubuntu-latest outputs: core: ${{ steps.filter.outputs.core }} evals: ${{ steps.filter.outputs.evals }} server: ${{ steps.filter.outputs.server }} docs-only: ${{ steps.filter.outputs.docs-only }} - labels: ${{ steps.pr.outputs.labels }} steps: - - name: Resolve PR labels - id: pr - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - pr_number=$(jq -r '.workflow_run.pull_requests[0].number // empty' "$GITHUB_EVENT_PATH") - if [ -z "$pr_number" ]; then - echo "No associated pull request found." - exit 1 - fi - pr=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${pr_number}") - labels=$(jq -cr '[.labels[].name]' <<< "$pr") - base_sha=$(jq -r '.base.sha' <<< "$pr") - echo "labels=${labels}" >> "$GITHUB_OUTPUT" - echo "base-sha=${base_sha}" >> "$GITHUB_OUTPUT" - - name: Check out repository code uses: actions/checkout@v4 - with: - fetch-depth: 0 - ref: "${{ github.event.workflow_run.head_sha }}" - name: Log GitHub API rate limit env: @@ -105,8 +76,6 @@ jobs: - uses: dorny/paths-filter@v3 id: filter with: - base: ${{ steps.pr.outputs.base-sha }} - ref: ${{ github.event.workflow_run.head_sha }} filters: | core: - '.github/workflows/ci.yml' 
@@ -160,7 +129,7 @@ jobs: } # Check if skip-evals label is present - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'skip-evals') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'skip-evals') }}" == "true" ]]; then echo "skip-evals label found - skipping all evals" echo "skip-all-evals=true" >> $GITHUB_OUTPUT emit_categories @@ -176,7 +145,7 @@ jobs: fi # Check for skip-regression-evals label - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'skip-regression-evals') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'skip-regression-evals') }}" == "true" ]]; then echo "skip-regression-evals label found - regression evals will be skipped" else echo "Regression evals will run by default" 
@@ -185,22 +154,22 @@ jobs: # Check for specific labels echo "skip-all-evals=false" >> $GITHUB_OUTPUT - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'combination') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'combination') }}" == "true" ]]; then add_category "combination" fi - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'extract') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'extract') }}" == "true" ]]; then add_category "extract" fi - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'act') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'act') }}" == "true" ]]; then add_category "act" fi - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'observe') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'observe') }}" == "true" ]]; then add_category "observe" fi - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'targeted-extract') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'targeted-extract') }}" == "true" ]]; then add_category "targeted_extract" fi - if [[ "${{ contains(fromJson(needs.determine-changes.outputs.labels), 'agent') }}" == "true" ]]; then + if [[ "${{ contains(github.event.pull_request.labels.*.name, 'agent') }}" == "true" ]]; then add_category "agent" fi emit_categories @@ -212,8 +181,6 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - with: - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -247,8 +214,6 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - with: - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: 
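Review bot: The six label checks in the `@@ -185` hunk are the same three-line `if [[ "${{ contains(github.event.pull_request.labels.*.name, '…') }}" == "true" ]]` block repeated with only the label name changed, and each one interpolates a workflow expression into the shell script; the list of label names is the only varying part, so a shell loop over it reads more easily and adding a category no longer means copying a block. Passing the label array through the step's `env:` (that key is outside the hunk) as `PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}` and testing membership with `jq` keeps all data out of expression-to-shell interpolation, and `${label//-/_}` reproduces the single `targeted-extract` to `targeted_extract` mapping without a special case. The same approach fits the `skip-evals` and `skip-regression-evals` checks in the two preceding hunks; `jq` is already relied on by this workflow, as the removed label-resolution step shows.
```yaml
        env:
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        run: |
          # … unchanged: add_category / emit_categories helpers, skip-evals checks …
          echo "skip-all-evals=false" >> $GITHUB_OUTPUT
          for label in combination extract act observe targeted-extract agent; do
            if jq -e --arg l "$label" 'index($l) != null' <<< "$PR_LABELS" >/dev/null; then
              add_category "${label//-/_}"
            fi
          done
          emit_categories
```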
@@ -294,7 +259,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -334,7 +298,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -367,7 +330,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -412,7 +374,9 @@ jobs: name: server/integration/${{ matrix.test.name }} runs-on: ubuntu-latest needs: [build-server-sea, discover-server-tests, run-build] - if: needs.discover-server-tests.outputs.has-integration-tests == 'true' + if: > + needs.discover-server-tests.outputs.has-integration-tests == 'true' && + github.event.pull_request.head.repo.full_name == github.repository strategy: fail-fast: false @@ -435,7 +399,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -483,7 +446,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -510,7 +472,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 50 if: > - needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' + needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' && + github.event.pull_request.head.repo.full_name == github.repository env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -528,8 +491,6 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - with: - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: 
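Review bot: The new guard `github.event.pull_request.head.repo.full_name == github.repository` in the `@@ -412` and `@@ -510` hunks (and again at `@@ -558` and `@@ -614`) treats every same-repository PR as one that has secrets, but a `pull_request` run opened by Dependabot is also denied repository secrets even though its branch lives in this repository, so if Dependabot is enabled here these jobs would run with empty `OPENAI_API_KEY`/`ANTHROPIC_API_KEY` and fail rather than skip; extend the condition with `github.actor != 'dependabot[bot]'`. This is also a policy change relative to the deleted gate workflow — fork PRs no longer get these jobs after maintainer approval, they are skipped outright — and the `if: >` form carries no explanation, so a comment such as `# fork PRs have no repository secrets under pull_request; skip rather than run without credentials` would record the intent. Because the guard is copied into four jobs, a job added later that consumes a secret and omits it will silently run with empty values; computing it once as an output of `determine-changes` (e.g. `has-secrets`) and testing `needs.determine-changes.outputs.has-secrets == 'true'` in each job keeps it in one place.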
@@ -558,7 +519,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 50 if: > - needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' + needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' && + github.event.pull_request.head.repo.full_name == github.repository env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -576,8 +538,6 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - with: - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -614,7 +574,8 @@ jobs: needs.run-e2e-bb-tests.result != 'failure' && needs.run-e2e-bb-tests.result != 'cancelled' && needs.determine-evals.outputs.skip-all-evals != 'true' && - needs.determine-evals.outputs.eval-categories != '[]' + needs.determine-evals.outputs.eval-categories != '[]' && + github.event.pull_request.head.repo.full_name == github.repository }} runs-on: ubuntu-latest timeout-minutes: 90 @@ -634,8 +595,6 @@ jobs: steps: - name: Check out repository code uses: actions/checkout@v4 - with: - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -725,7 +684,6 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 1 - ref: "${{ github.event.workflow_run.head_sha }}" - uses: ./.github/actions/setup-node-pnpm-turbo with: @@ -832,7 +790,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RUN_ID: ${{ github.run_id }} - PULL_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number || '' }} + PULL_NUMBER: ${{ github.event.pull_request.number }} TESTS_FAILED: ${{ steps.coverage-status.outputs.tests_failed }} TOTAL_COVERAGE: ${{ steps.coverage-status.outputs.total_coverage }} run: | diff --git a/.github/workflows/ensure-contributor-is-trusted-to-run-ci.yml b/.github/workflows/ensure-contributor-is-trusted-to-run-ci.yml deleted file mode 100644 index 5ac9b7047..000000000 
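Review bot: In the `@@ -832` hunk, `PULL_NUMBER: ${{ github.event.pull_request.number }}` next to `GITHUB_TOKEN` in the same `env:` suggests this step writes to the pull request (its `run:` body is outside the hunk); under `pull_request` a run from a fork receives a read-only `GITHUB_TOKEN`, and the workflow-level `permissions: contents: read` grants no `pull-requests: write` either, so a comment or check post would fail for fork PRs unless a job-level permission is declared. If that is what the step does, either guard it with `if: github.event.pull_request.head.repo.full_name == github.repository` or mark it `continue-on-error: true` so a permissions error does not mask the real test outcome. Dropping the old `|| ''` fallback is correct here, since every event that reaches this workflow now carries a PR number.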
--- a/.github/workflows/ensure-contributor-is-trusted-to-run-ci.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Ensure Contributor Is Trusted to Run CI
-# Used as a gate to prevent untrusted contributors from exfiltrating our github secrets via malicious PR.
-# This workflow will be blocked until a maintainer clicks the "Approve workflow runs" button.
-# Then the ci.yml workflow will be allowed to run with secrets (it waits for this workflow to run).
-# It needs to be two steps, do not attempt to use pull_request_target in ci.yml as
-# that mode does not wait for "Approve workflow runs" to be clicked, secrets are leaked immediately.
-
-# Learn more:
-# - https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
-# - https://dvc.org/blog/testing-external-contributions-using-github-actions-secrets/
-# - https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets
-# - https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/
-# - https://github.com/orgs/community/discussions/179107
-
-on:
- pull_request:
- types:
- - opened
- - reopened
- - synchronize
- - labeled
- - unlabeled
- paths-ignore:
- - "packages/docs/**"
-
-permissions:
- contents: read
-
-jobs:
- gate:
- runs-on: ubuntu-latest
- steps:
- # no-op
- - run: "true"