[Workflows] add a more secure way to run tests from a PR. #7969
Conversation
| ref: ${{ github.event.inputs.branch }} | ||
| repository: ${{ github.event.pull_request.head.repo.full_name }} |
There was a problem hiding this comment.
Does this also work if the PR is created from a fork? I thought it would not, which is why I liked the gh approach.
There was a problem hiding this comment.
I think so, yes. Cc: @glegendre01
Actually |
|
cc @DN6 |
|
|
||
| - name: Run tests | ||
| env: | ||
| PY_TEST: ${{ github.event.inputs.test }} |
There was a problem hiding this comment.
Not sure we want to allow arbitrary string inputs. e.g. This string --collect-only; whoami will run the command after ;
I suppose only users in the HF org can dispatch this workflow right? Just feels a bit risky. cc: @glegendre01 to confirm.
There was a problem hiding this comment.
There's a validation step in the workflow which looks for things like that.
|
@DN6 addressed your comments. Let's wait for @glegendre01's comments on #7969 (comment). |
What does this PR do?
Apologies for not giving enough consideration to it before. So, with the help of @glegendre01, we devised a more secure way to achieve what we did in #7942.
We tested it on a dummy repo, too, and it works perfectly fine: https://github.com/huggingface/check-pr-test-workflows/actions/runs/9126813322/job/25095821575.
It also eliminates the
ghinstallation. Shoutout to @glegendre01 for the massive help.