diff --git a/.github/workflows/codeflash-optimize.yaml b/.github/workflows/codeflash-optimize.yaml index d04b1e884..2e619dd4d 100644 --- a/.github/workflows/codeflash-optimize.yaml +++ b/.github/workflows/codeflash-optimize.yaml @@ -1,7 +1,7 @@ name: CodeFlash on: - pull_request: + pull_request_target: paths: - "**" workflow_dispatch: @@ -13,6 +13,7 @@ concurrency: jobs: optimize: name: Optimize new Python code + environment: external-trusted-contributors if: ${{ github.actor != 'codeflash-ai[bot]' }} runs-on: ubuntu-latest env: @@ -26,6 +27,21 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: 🐍 Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -43,4 +59,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run codeflash \ No newline at end of file + poetry run codeflash diff --git a/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml b/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml index 793c07860..e8fb9947e 100644 --- a/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml +++ b/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml @@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: bubble-sort-optimization-pytest-no-git: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod 
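Review bot: Switching the trigger to `pull_request_target` makes this workflow run on fork PRs with access to the repository's secrets and a GITHUB_TOKEN at the repository's default permission level, while the job later executes `poetry run codeflash` (hunk @@ -43,4 +59,4) — the `environment: external-trusted-contributors` added in @@ -13,6 +13,7 is the only gate, and it only holds if that environment has required reviewers configured, which the diff cannot show. Under this event `github.sha` and the default checkout ref are the base branch, and no `ref:` is visible in the checkout hunk, so the run appears to exercise base-branch code rather than the PR; if PR code is the intent, the checkout needs `ref: ${{ github.event.pull_request.head.sha }}`, and then the environment approval is what stands between an external PR and the secrets. Add a `permissions:` block (e.g. `permissions:` / `  contents: read`) so the token is least-privilege either way. The same trigger change is made in the first hunk of the other seven workflow files on lines 1 through 6.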
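Review bot: The `Validate PR` step diffs `github.event.pull_request.base.sha` against `github.sha`, but on `pull_request_target` `github.sha` is the base-branch commit, so the range never contains the PR's commits and the workflow-file check cannot fire (it fails open: a `git diff` that errors inside the `if` pipeline just makes `grep -q` report no match). The PR side is `${{ github.event.pull_request.head.sha }}` and must be fetched first, e.g. `git fetch origin "refs/pull/${{ github.event.pull_request.number }}/head"` followed by `git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}" | grep -q "^.github/workflows/"`. Even corrected, the check guards the wrong surface: under `pull_request_target` the workflow definition comes from the base branch, so PR edits to `.github/workflows/` never run here, whereas the test scripts, `pyproject.toml` and source that later steps execute are not inspected — the environment's protection rules, not this step, are the effective control and the comment `# Checking for any workflow changes for security risks` should say so. The two hard-coded logins are now repeated in eight files; `github.event.pull_request.author_association` (OWNER/MEMBER/COLLABORATOR) or a repository variable would be easier to keep consistent. The identical step is added in the hunks on lines 2 (both files), 3, 4, 5, 6 and 7.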
@@ -21,6 +22,21 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 diff --git a/.github/workflows/end-to-end-test-bubblesort-unittest.yaml b/.github/workflows/end-to-end-test-bubblesort-unittest.yaml index 9fcf04f7d..d0fd8a8e6 100644 --- a/.github/workflows/end-to-end-test-bubblesort-unittest.yaml +++ b/.github/workflows/end-to-end-test-bubblesort-unittest.yaml @@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: bubble-sort-optimization-unittest: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod @@ -21,6 +22,21 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 
@@ -38,4 +54,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py diff --git a/.github/workflows/end-to-end-test-coverage.yaml b/.github/workflows/end-to-end-test-coverage.yaml index 91a3faf2d..aeb62787b 100644 --- a/.github/workflows/end-to-end-test-coverage.yaml +++ b/.github/workflows/end-to-end-test-coverage.yaml @@ -1,11 +1,12 @@ name: Coverage E2E on: - pull_request: + pull_request_target: workflow_dispatch: jobs: end-to-end-test-coverage: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod @@ -19,6 +20,21 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -37,4 +53,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_coverage.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_coverage.py diff --git a/.github/workflows/end-to-end-test-futurehouse.yaml b/.github/workflows/end-to-end-test-futurehouse.yaml index f0c3ae409..7fb7ea2bc 100644 --- a/.github/workflows/end-to-end-test-futurehouse.yaml +++ b/.github/workflows/end-to-end-test-futurehouse.yaml 
@@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: futurehouse-structure: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod @@ -21,6 +22,21 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -38,4 +54,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_futurehouse.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_futurehouse.py diff --git a/.github/workflows/end-to-end-test-init-optim.yaml b/.github/workflows/end-to-end-test-init-optim.yaml index 5d6bded10..24f563840 100644 --- a/.github/workflows/end-to-end-test-init-optim.yaml +++ b/.github/workflows/end-to-end-test-init-optim.yaml @@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: init-optimization: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod 
@@ -21,6 +22,21 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -38,4 +54,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_init_optimization.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_init_optimization.py diff --git a/.github/workflows/end-to-end-test-tracer-replay.yaml b/.github/workflows/end-to-end-test-tracer-replay.yaml index 2902575b1..853e73341 100644 --- a/.github/workflows/end-to-end-test-tracer-replay.yaml +++ b/.github/workflows/end-to-end-test-tracer-replay.yaml @@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: tracer-replay: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod 
@@ -21,6 +22,22 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fi + - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -38,4 +55,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_tracer_replay.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_tracer_replay.py diff --git a/.github/workflows/end-to-end-topological-sort-test.yaml b/.github/workflows/end-to-end-topological-sort-test.yaml index 76d28b858..6ead46031 100644 --- a/.github/workflows/end-to-end-topological-sort-test.yaml +++ b/.github/workflows/end-to-end-topological-sort-test.yaml @@ -1,11 +1,12 @@ name: end-to-end-test on: - pull_request: + pull_request_target: workflow_dispatch: jobs: topological-sort-optimization: + environment: external-trusted-contributors runs-on: ubuntu-latest env: CODEFLASH_AIS_SERVER: prod 
@@ -21,6 +22,24 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Validate PR + run: | + # Checking for any workflow changes for security risks + if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then + echo "Workflow changes detected." + + # Check if the PR author is allowed + AUTHOR="${{ github.event.pull_request.user.login }}" + if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then + echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting." + exit 1 + else + echo "Authorized user ($AUTHOR). Proceeding." + fi + fiif git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "end-to-end-topological-sort-test.yaml"; then + echo "This workflow file has been modified. Exiting for security." + exit 1 + fi - name: Set up Python 3.11 for CLI uses: astral-sh/setup-uv@v5 @@ -38,4 +57,4 @@ jobs: id: optimize_code run: | source .venv/bin/activate - poetry run python tests/scripts/end_to_end_test_topological_sort.py \ No newline at end of file + poetry run python tests/scripts/end_to_end_test_topological_sort.py
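Review bot: In the topological-sort `Validate PR` step the closing `fi` of the author check and the start of the next check are fused into one line, `fiif git diff --name-only ... | grep -q "end-to-end-topological-sort-test.yaml"; then`, which bash rejects (`fiif` is an unknown command and the `then` has no matching `if`), so this step — and therefore the job — always fails. Split it into `fi` and `if git diff --name-only ... | grep -q "end-to-end-topological-sort-test.yaml"; then` on separate lines. The second check also uses `${{ github.sha }}`, which on `pull_request_target` is the base-branch commit rather than the PR head, so even once it parses it will not see the PR's changes; it is also redundant with the `^.github/workflows/` check directly above, which already matches this file. The job's `steps:` list begins before this hunk.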