diff --git a/.github/workflows/build_and_push_release.yaml b/.github/workflows/build_and_push_release.yaml index 6ae185943..3adadb288 100644 --- a/.github/workflows/build_and_push_release.yaml +++ b/.github/workflows/build_and_push_release.yaml @@ -27,7 +27,7 @@ jobs: # qemu is required for arm64 builds sudo apt install -y buildah qemu-user-static - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: # Fetch submodules (required for lightspeed-providers) submodules: 'recursive' diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml index 0531d605e..fd1ceeba9 100644 --- a/.github/workflows/e2e_tests.yaml +++ b/.github/workflows/e2e_tests.yaml @@ -24,7 +24,7 @@ jobs: E2E_LLAMA_HOSTNAME: ${{ vars.E2E_LLAMA_HOSTNAME || 'llama-stack' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -34,6 +34,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_lightspeed_evaluation.yaml b/.github/workflows/e2e_tests_lightspeed_evaluation.yaml index f1d036f77..03ed6d456 100644 --- a/.github/workflows/e2e_tests_lightspeed_evaluation.yaml +++ b/.github/workflows/e2e_tests_lightspeed_evaluation.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -30,6 +30,11 @@ jobs: # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Fetch submodules (required for lightspeed-providers) submodules: 'recursive' @@ -47,7 +52,7 @@ jobs: git log --oneline -5 - name: Checkout lightspeed-Evaluation - uses: actions/checkout@v4 + uses: actions/checkout@v7 with: repository: lightspeed-core/lightspeed-evaluation path: lightspeed-evaluation diff --git a/.github/workflows/e2e_tests_providers.yaml b/.github/workflows/e2e_tests_providers.yaml index 7329b468d..b4ffc5d89 100644 --- a/.github/workflows/e2e_tests_providers.yaml +++ b/.github/workflows/e2e_tests_providers.yaml @@ -49,7 +49,7 @@ jobs: E2E_DEFAULT_PROVIDER_OVERRIDE: ${{ matrix.e2e_default_provider }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -59,6 +59,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/e2e_tests_rhaiis.yaml b/.github/workflows/e2e_tests_rhaiis.yaml index 483af8875..3ff805565 100644 --- a/.github/workflows/e2e_tests_rhaiis.yaml +++ b/.github/workflows/e2e_tests_rhaiis.yaml @@ -38,7 +38,7 @@ jobs: E2E_DEFAULT_PROVIDER_OVERRIDE: vllm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 with: # On PR_TARGET → the fork (or same repo) that opened the PR. # On push → falls back to the current repository. @@ -48,6 +48,11 @@ jobs: # On push → the pushed commit that triggered the workflow. ref: ${{ github.event.pull_request.head.ref || github.sha }} + # Tests need access to secrets. + # This should be refactored if possible to mitigate the risk. + # https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target + allow-unsafe-pr-checkout: true + # Don’t keep credentials when running untrusted PR code under PR_TARGET. persist-credentials: ${{ github.event_name != 'pull_request_target' }} diff --git a/.github/workflows/radon.yaml b/.github/workflows/radon.yaml index f21e9e873..68bbe8696 100644 --- a/.github/workflows/radon.yaml +++ b/.github/workflows/radon.yaml @@ -12,7 +12,7 @@ jobs: pull-requests: read name: "radon" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v7 - uses: davidslusser/actions_python_radon@v1.0.0 with: src: "src"