diff --git a/.github/workflows/build_and_push_release.yaml b/.github/workflows/build_and_push_release.yaml index 7583b5a79..e43ba13db 100644 --- a/.github/workflows/build_and_push_release.yaml +++ b/.github/workflows/build_and_push_release.yaml @@ -27,7 +27,7 @@ jobs: # qemu is required for arm64 builds sudo apt install -y buildah qemu-user-static - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: # Fetch submodules (required for lightspeed-providers) submodules: 'recursive' diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml index 228a71946..ec7095630 100644 --- a/.github/workflows/e2e_tests.yaml +++ b/.github/workflows/e2e_tests.yaml @@ -21,7 +21,7 @@ jobs: FAISS_VECTOR_STORE_ID: ${{ vars.FAISS_VECTOR_STORE_ID }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -31,6 +31,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_lightspeed_evaluation.yaml b/.github/workflows/e2e_tests_lightspeed_evaluation.yaml index 366e414d0..03ed6d456 100644 --- a/.github/workflows/e2e_tests_lightspeed_evaluation.yaml +++ b/.github/workflows/e2e_tests_lightspeed_evaluation.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -30,6 +30,14 @@ jobs: # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + + # Fetch submodules (required for lightspeed-providers) + submodules: 'recursive' + - name: Verify actual git checkout result run: | echo "=== Git Status After Checkout ===" @@ -44,7 +52,7 @@ jobs: git log --oneline -5 - name: Checkout lightspeed-Evaluation - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: repository: lightspeed-core/lightspeed-evaluation path: lightspeed-evaluation diff --git a/.github/workflows/e2e_tests_providers.yaml b/.github/workflows/e2e_tests_providers.yaml index c26d27a75..8c825f72b 100644 --- a/.github/workflows/e2e_tests_providers.yaml +++ b/.github/workflows/e2e_tests_providers.yaml @@ -27,7 +27,7 @@ jobs: FAISS_VECTOR_STORE_ID: ${{ vars.FAISS_VECTOR_STORE_ID }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -37,6 +37,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_rhaiis.yaml b/.github/workflows/e2e_tests_rhaiis.yaml index 2381733bf..e270c3c5b 100644 --- a/.github/workflows/e2e_tests_rhaiis.yaml +++ b/.github/workflows/e2e_tests_rhaiis.yaml @@ -30,7 +30,7 @@ jobs: E2E_DEFAULT_PROVIDER_OVERRIDE: vllm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -40,6 +40,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/radon.yaml b/.github/workflows/radon.yaml index f21e9e873..68bbe8696 100644 --- a/.github/workflows/radon.yaml +++ b/.github/workflows/radon.yaml @@ -12,7 +12,7 @@ jobs: pull-requests: read name: "radon" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v7 - uses: davidslusser/actions_python_radon@v1.0.0 with: src: "src"