diff --git a/.github/workflows/alembic-validation.yml b/.github/workflows/alembic-validation.yml
index e5db6758..32b01398 100644
--- a/.github/workflows/alembic-validation.yml
+++ b/.github/workflows/alembic-validation.yml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 fetch-depth: 0
 - name: Get changed files
 id: changed-files
@@ -40,6 +42,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 - name: Install dependencies
 shell: bash
@@ -81,6 +86,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 - name: Install dependencies
 shell: bash
diff --git a/.github/workflows/core-integration-tests.yml b/.github/workflows/core-integration-tests.yml
index 32d36ef0..0d748658 100644
--- a/.github/workflows/core-integration-tests.yml
+++ b/.github/workflows/core-integration-tests.yml
@@ -21,6 +21,7 @@ jobs:
 with:
 test-type: 'integration'
 use-redis: true
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 changed-files-pattern: |
 **
 .github/workflows/reusable-test-workflow.yml
diff --git a/.github/workflows/core-unit-test.yml b/.github/workflows/core-unit-test.yml
index e1f0c5de..7a11eed0 100644
--- a/.github/workflows/core-unit-test.yml
+++ b/.github/workflows/core-unit-test.yml
@@ -21,6 +21,7 @@ jobs:
 with:
 test-type: 'unit'
 use-redis: true
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 changed-files-pattern: |
 **
 .github/workflows/reusable-test-workflow.yml
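Review bot: The added `ref: ${{ github.event.pull_request.head.ref }}` in the first checkout of alembic-validation.yml follows a branch name, which the PR author can move after a maintainer has looked at the code; `ref: ${{ github.event.pull_request.head.sha }}` ties the run to the commit in the triggering event. Because these steps now fetch fork-controlled code, I would also set `persist-credentials: false` on the checkouts in jobs that go on to install or run that code, so the job token is not left in `.git/config` for it to read. The same two added lines recur in every checkout this commit touches: the other two hunks in this file, fern-docs-preview.yml, fern-sdk-python-preview.yml and the three checkouts in reusable-test-workflow.yml. The `on:` trigger and any `permissions:` block are outside the hunks, so what the token can do is not visible here.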
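Review bot: None of the hunks in alembic-validation.yml adds a 'safe to test' condition, so after this checkout (hunk at -40,6) the `Install dependencies` step in the context below runs against the fork's head for any PR. If this workflow is triggered by `pull_request_target` (the `on:` block is outside the diff), that is fork-controlled code running in a job that has the base repository's token and secrets available. I would gate the job itself with the expression the fern workflows use, `if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')`. The hunk at -81,6 has the same shape, and both jobs continue outside their hunks.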
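Review bot: The `is-external-pr` expression added in core-integration-tests.yml treats the 'safe to test' label as a standing approval: once applied it stays on the PR, so commits pushed afterwards would run with secrets unless something removes the label on new pushes. Nothing in this diff does that; if it is not handled elsewhere, clearing the label on `synchronize` or moving the approval to a protected environment would close the gap. The name also says "external PR" while the expression is true for any unlabeled `pull_request_target` run, so a comment above it such as `# true = unlabeled pull_request_target run; secret-using steps are skipped` would help the next reader. The identical line is added in core-unit-test.yml, send-message-integration-tests.yml, test-lmstudio.yml, test-ollama.yml and test-vllm.yml.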
diff --git a/.github/workflows/fern-docs-preview.yml b/.github/workflows/fern-docs-preview.yml
index b15b4c04..dfc44fe2 100644
--- a/.github/workflows/fern-docs-preview.yml
+++ b/.github/workflows/fern-docs-preview.yml
@@ -22,10 +22,13 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 submodules: true
 - name: Generate preview URL
 id: generate-docs
+ if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')
 working-directory: fern
 env:
 FERN_TOKEN: ${{ secrets.FERN_TOKEN }}
diff --git a/.github/workflows/fern-sdk-python-preview.yml b/.github/workflows/fern-sdk-python-preview.yml
index 3ab669ea..4b5c8d8f 100644
--- a/.github/workflows/fern-sdk-python-preview.yml
+++ b/.github/workflows/fern-sdk-python-preview.yml
@@ -31,6 +31,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 submodules: true
 fetch-depth: 0
 - name: Get changed files
@@ -67,6 +69,8 @@ jobs:
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 submodules: true
 - name: Generate cache key
@@ -83,6 +87,7 @@ jobs:
 key: ${{ steps.cache-key.outputs.key }}
 - name: Inject env vars into environment
+ if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')
 working-directory: .
 run: |
 while IFS= read -r line || [[ -n "$line" ]]; do
@@ -129,6 +134,7 @@ jobs:
 uv run alembic upgrade head
 - name: Run letta server
+ if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')
 working-directory: .
 env:
 LETTA_PG_DB: postgres
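Review bot: The `uv run alembic upgrade head` command in the context just above the newly gated `Run letta server` step (fern-sdk-python-preview.yml, hunk at -129,6) gets no label condition in this hunk, and it executes migration code from the checked-out PR head. Gating step by step leaves gaps like this one; a single job-level `if:` with the same expression would cover every step that touches the fork's code. The step containing the alembic command starts outside the hunk, so it may already carry a condition that is not visible here. The hunk at -292,6 in reusable-test-workflow.yml has the same ordering, with `uv run alembic upgrade head` ahead of the gated `Inject env vars into environment` step.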
@@ -145,7 +151,7 @@ jobs:
 timeout 60 bash -c 'until curl -s http://localhost:8283/health; do sleep 1; done'
 - name: Generate Python SDK Preview
- if: steps.restore-cache.outputs.cache-hit != 'true'
+ if: (github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')) && steps.restore-cache.outputs.cache-hit != 'true'
 working-directory: .
 env:
 FERN_TOKEN: ${{ secrets.FERN_TOKEN }}
diff --git a/.github/workflows/reusable-test-workflow.yml b/.github/workflows/reusable-test-workflow.yml
index 2dcfb785..c940499b 100644
--- a/.github/workflows/reusable-test-workflow.yml
+++ b/.github/workflows/reusable-test-workflow.yml
@@ -68,6 +68,11 @@ on:
 required: false
 type: boolean
 default: false
+ is-external-pr:
+ description: 'Whether this is an external PR that needs protection'
+ required: false
+ type: boolean
+ default: false
 jobs:
 changed-files:
@@ -79,6 +84,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 fetch-depth: 0
 - name: Get changed files
 id: changed-files
@@ -96,6 +103,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 - name: Generate cache key
 if: inputs.skip-fern-generation != true || (!contains(needs.changed-files.outputs.all_changed_files, 'fern/openapi.json') && !contains(needs.changed-files.outputs.all_changed_files, 'fern/openapi-overrides.yml'))
@@ -218,6 +228,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ ref: ${{ github.event.pull_request.head.ref }}
 - name: Install uv
 uses: astral-sh/setup-uv@v6
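Review bot: The new `is-external-pr` input in reusable-test-workflow.yml (hunk at -68,6) defaults to `false`, so the protection is opt-in: a caller that omits the input, or a caller added later, runs every secret-using step for unlabeled fork PRs. In a called workflow the `github` context is the caller's, so the reusable workflow could evaluate `github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test')` itself and not depend on six callers passing it correctly. If the input stays, its description should say what it switches off, for example `description: 'True for an unlabeled pull_request_target run; skips the steps that read secrets or run tests'`.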
@@ -292,6 +305,7 @@ jobs:
 psql -h localhost -U postgres -d postgres -c 'CREATE EXTENSION vector'
 uv run alembic upgrade head
 - name: Inject env vars into environment
+ if: inputs.is-external-pr != true
 working-directory: .
 run: |
 # Get secrets and mask them before adding to environment
@@ -311,7 +325,7 @@ jobs:
 chmod -R 755 /home/ci-runner/.letta/logs
 - name: Build and run docker dev server
- if: inputs.use-docker
+ if: inputs.use-docker && inputs.is-external-pr != true
 env:
 LETTA_PG_DB: letta
 LETTA_PG_USER: letta
@@ -329,6 +343,7 @@ jobs:
 bash scripts/wait_for_service.sh localhost:8083 -- echo "Service is ready"
 - name: Run tests
+ if: inputs.is-external-pr != true
 working-directory: ${{ steps.detect-core-dir.outputs.dir }}
 env:
 # Database configuration (shared, but values depend on Docker usage)
diff --git a/.github/workflows/send-message-integration-tests.yml b/.github/workflows/send-message-integration-tests.yml
index a2a6ab82..fbee82e7 100644
--- a/.github/workflows/send-message-integration-tests.yml
+++ b/.github/workflows/send-message-integration-tests.yml
@@ -20,6 +20,7 @@ jobs:
 uses: ./.github/workflows/reusable-test-workflow.yml
 with:
 test-type: 'send-message'
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 changed-files-pattern: |
 **
 .github/workflows/reusable-test-workflow.yml
diff --git a/.github/workflows/test-lmstudio.yml b/.github/workflows/test-lmstudio.yml
index 83e76914..dc1c07b2 100644
--- a/.github/workflows/test-lmstudio.yml
+++ b/.github/workflows/test-lmstudio.yml
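Review bot: The `chmod -R 755 /home/ci-runner/.letta/logs` line in the context of the hunk at -311,7 suggests this job runs on a self-hosted runner, and the steps ahead of the gated ones (the checkout of the fork head and `uv run alembic upgrade head`) still run for unlabeled PRs. On a runner that is reused between jobs, untrusted code can leave files or processes behind that later trusted runs pick up. `runs-on` is outside the hunk, so this is an inference; if it holds, I would skip the whole job for unlabeled runs instead of adding `inputs.is-external-pr != true` to individual steps.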
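Review bot: With `if: inputs.is-external-pr != true` on `Run tests` (hunk at -329,6), an unlabeled fork PR skips the step and the job still finishes green, so the check reads as passed when no test ran. If these checks are required for merge, that weakens them; a closing step with `if: inputs.is-external-pr == true` and `run: exit 1`, plus a message asking for the 'safe to test' label, would make the state explicit. The `Run tests` step continues outside the hunk.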
@@ -31,6 +31,7 @@ jobs:
 uses: ./.github/workflows/reusable-test-workflow.yml
 with:
 test-type: "integration"
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 install-args: "--extra postgres --extra external-tools --extra dev --extra cloud-tool-sandbox --extra google"
 test-command: "uv run pytest -svv tests/"
 timeout-minutes: 60
diff --git a/.github/workflows/test-ollama.yml b/.github/workflows/test-ollama.yml
index 20bcc414..81f9dad6 100644
--- a/.github/workflows/test-ollama.yml
+++ b/.github/workflows/test-ollama.yml
@@ -31,6 +31,7 @@ jobs:
 uses: ./.github/workflows/reusable-test-workflow.yml
 with:
 test-type: "integration"
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 install-args: "--extra postgres --extra external-tools --extra dev --extra cloud-tool-sandbox --extra google"
 test-command: "uv run --frozen pytest -svv tests/"
 timeout-minutes: 60
diff --git a/.github/workflows/test-vllm.yml b/.github/workflows/test-vllm.yml
index ee8448a3..dfed86e5 100644
--- a/.github/workflows/test-vllm.yml
+++ b/.github/workflows/test-vllm.yml
@@ -27,6 +27,7 @@ jobs:
 uses: ./.github/workflows/reusable-test-workflow.yml
 with:
 test-type: "integration"
+ is-external-pr: ${{ github.event_name == 'pull_request_target' && !contains(github.event.pull_request.labels.*.name, 'safe to test') }}
 install-args: "--extra postgres --extra external-tools --extra dev --extra cloud-tool-sandbox --extra google"
 test-command: "uv run --frozen pytest -svv tests/"
 timeout-minutes: 60