From 11c7d2eb4dbd56029d0007f9d9aeeb3375d81cf9 Mon Sep 17 00:00:00 2001 From: Sam Doran Date: Mon, 13 Jul 2026 16:25:32 -0400 Subject: [PATCH 1/2] Update action to v7 This addresses a bug where a test run triggered by a tag would fail. (cherry picked from commit 1937a1f1a29e276fb6ae4863e034b58f237cb612) --- .github/workflows/build_and_push_release.yaml | 2 +- .github/workflows/e2e_tests.yaml | 2 +- .github/workflows/e2e_tests_rhaiis.yaml | 2 +- .github/workflows/radon.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_and_push_release.yaml b/.github/workflows/build_and_push_release.yaml index 7583b5a79..e43ba13db 100644 --- a/.github/workflows/build_and_push_release.yaml +++ b/.github/workflows/build_and_push_release.yaml @@ -27,7 +27,7 @@ jobs: # qemu is required for arm64 builds sudo apt install -y buildah qemu-user-static - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: # Fetch submodules (required for lightspeed-providers) submodules: 'recursive' diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml index 228a71946..e47948bdb 100644 --- a/.github/workflows/e2e_tests.yaml +++ b/.github/workflows/e2e_tests.yaml @@ -21,7 +21,7 @@ jobs: FAISS_VECTOR_STORE_ID: ${{ vars.FAISS_VECTOR_STORE_ID }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. diff --git a/.github/workflows/e2e_tests_rhaiis.yaml b/.github/workflows/e2e_tests_rhaiis.yaml index 54a0080e2..e4437f36d 100644 --- a/.github/workflows/e2e_tests_rhaiis.yaml +++ b/.github/workflows/e2e_tests_rhaiis.yaml @@ -28,7 +28,7 @@ jobs: FAISS_VECTOR_STORE_ID: ${{ vars.FAISS_VECTOR_STORE_ID }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. diff --git a/.github/workflows/radon.yaml b/.github/workflows/radon.yaml index f21e9e873..68bbe8696 100644 --- a/.github/workflows/radon.yaml +++ b/.github/workflows/radon.yaml @@ -12,7 +12,7 @@ jobs: pull-requests: read name: "radon" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v7 - uses: davidslusser/actions_python_radon@v1.0.0 with: src: "src" From 5db0e3ae8c49dd1322fbfbed283833b7146911ac Mon Sep 17 00:00:00 2001 From: Sam Doran Date: Mon, 13 Jul 2026 19:59:53 -0400 Subject: [PATCH 2/2] Allow unsafe This is not ideal but is equivalent to what is happening with the v4 version of the action today. Explicit opt-it is required in v7. Actions using pull_request_target that are running code from PRs from forks should be reevaluated so that tests can run without the risk of compromising the repository. (cherry picked from commit 18bb2406ae070ab762d4c953f265ffd93c1b5e42) --- .github/workflows/e2e_tests.yaml | 5 +++++ .github/workflows/e2e_tests_providers.yaml | 7 ++++++- .github/workflows/e2e_tests_rhaiis.yaml | 5 +++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml index e47948bdb..ec7095630 100644 --- a/.github/workflows/e2e_tests.yaml +++ b/.github/workflows/e2e_tests.yaml @@ -31,6 +31,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_providers.yaml b/.github/workflows/e2e_tests_providers.yaml index 82886d6a2..9bb82f8b2 100644 --- a/.github/workflows/e2e_tests_providers.yaml +++ b/.github/workflows/e2e_tests_providers.yaml @@ -27,7 +27,7 @@ jobs: FAISS_VECTOR_STORE_ID: ${{ vars.FAISS_VECTOR_STORE_ID }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -37,6 +37,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_rhaiis.yaml b/.github/workflows/e2e_tests_rhaiis.yaml index e4437f36d..347c5b968 100644 --- a/.github/workflows/e2e_tests_rhaiis.yaml +++ b/.github/workflows/e2e_tests_rhaiis.yaml @@ -38,6 +38,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }}