From 3cfddb66feebe3ad51121d6f7ec947de7273e5ff Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Test=C3=A9?= Date: Thu, 19 Dec 2024 12:49:05 +0100 Subject: [PATCH 1/2] chore(ci): use limited access token to checkout repositories This approach allows checkout public and private repository, like Slab, without to worry too much about secret leakage under certain circumstances (e.g. under pull request from forks). The token has just read access on selected repositories. --- .github/workflows/aws_tfhe_backward_compat_tests.yml | 2 +- .github/workflows/aws_tfhe_fast_tests.yml | 1 + .github/workflows/aws_tfhe_integer_tests.yml | 6 +++--- .github/workflows/aws_tfhe_signed_integer_tests.yml | 6 +++--- .github/workflows/aws_tfhe_tests.yml | 5 +++-- .github/workflows/aws_tfhe_wasm_tests.yml | 2 +- .github/workflows/benchmark_boolean.yml | 6 ++++-- .github/workflows/benchmark_core_crypto.yml | 6 ++++-- .github/workflows/benchmark_erc20.yml | 6 ++++-- .github/workflows/benchmark_gpu_4090.yml | 12 ++++++++---- .github/workflows/benchmark_gpu_core_crypto.yml | 6 ++++-- .github/workflows/benchmark_gpu_erc20_common.yml | 8 +++++--- .github/workflows/benchmark_gpu_integer_common.yml | 8 +++++--- .github/workflows/benchmark_integer.yml | 6 ++++-- .github/workflows/benchmark_shortint.yml | 6 ++++-- .github/workflows/benchmark_signed_integer.yml | 6 ++++-- .github/workflows/benchmark_tfhe_fft.yml | 3 ++- .github/workflows/benchmark_tfhe_ntt.yml | 3 ++- .github/workflows/benchmark_tfhe_zk_pok.yml | 9 ++++++--- .github/workflows/benchmark_wasm_client.yml | 9 ++++++--- .github/workflows/benchmark_zk_pke.yml | 12 ++++++++---- .github/workflows/csprng_randomness_tests.yml | 2 +- .github/workflows/gpu_4090_tests.yml | 2 +- .github/workflows/gpu_fast_h100_tests.yml | 5 +++-- .github/workflows/gpu_fast_tests.yml | 5 +++-- .github/workflows/gpu_full_h100_tests.yml | 2 +- .github/workflows/gpu_full_multi_gpu_tests.yml | 5 +++-- .github/workflows/gpu_pcc.yml | 2 +- .../workflows/gpu_signed_integer_classic_tests.yml | 3 ++- 
.github/workflows/gpu_signed_integer_h100_tests.yml | 3 ++- .github/workflows/gpu_signed_integer_tests.yml | 5 +++-- .../workflows/gpu_unsigned_integer_classic_tests.yml | 3 ++- .../workflows/gpu_unsigned_integer_h100_tests.yml | 3 ++- .github/workflows/gpu_unsigned_integer_tests.yml | 3 ++- .github/workflows/integer_long_run_tests.yml | 2 +- .github/workflows/make_release.yml | 6 ++++-- .github/workflows/make_release_cuda.yml | 3 ++- .github/workflows/make_release_tfhe_versionable.yml | 2 ++ .github/workflows/make_release_zk_pok.yml | 3 ++- .github/workflows/sync_on_push.yml | 3 ++- 40 files changed, 121 insertions(+), 69 deletions(-) diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml index 0909b5c4b5..93313443d8 100644 --- a/.github/workflows/aws_tfhe_backward_compat_tests.yml +++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml @@ -47,7 +47,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml index b0a19be417..8b2b6dfbbf 100644 --- a/.github/workflows/aws_tfhe_fast_tests.yml +++ b/.github/workflows/aws_tfhe_fast_tests.yml @@ -69,6 +69,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 + persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} ref: ${{ env.REF }} diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml index 8f9afb17da..a2ff73d7c7 100644 --- a/.github/workflows/aws_tfhe_integer_tests.yml +++ b/.github/workflows/aws_tfhe_integer_tests.yml 
@@ -42,8 +42,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} - persist-credentials: "false" + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -96,7 +96,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: "false" - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml index 86e0138f2d..8fadafa45d 100644 --- a/.github/workflows/aws_tfhe_signed_integer_tests.yml +++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml @@ -42,8 +42,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} - persist-credentials: "false" + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -96,7 +96,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: "false" - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml index 32fff6da75..9aca6dfa49 100644 --- a/.github/workflows/aws_tfhe_tests.yml +++ b/.github/workflows/aws_tfhe_tests.yml @@ -63,7 +63,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files 
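Review bot: The `-42` hunk of aws_tfhe_integer_tests.yml rewrites `persist-credentials: "false"` as `'false'` and swaps the key order, while the `-96` hunk of the same file leaves `persist-credentials: "false"` untouched, so the file ends up with both quoting styles; the same pair of hunks appears in aws_tfhe_signed_integer_tests.yml. Both spellings are equivalent for actions/checkout, which receives every input as a string, so this is only a consistency point. Either drop the reordering churn in the first hunk or also normalize the second to `persist-credentials: 'false'`, which is the form the rest of the patch uses.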
@@ -165,7 +166,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml index 6d43dc3c8f..ee185e4ac1 100644 --- a/.github/workflows/aws_tfhe_wasm_tests.yml +++ b/.github/workflows/aws_tfhe_wasm_tests.yml @@ -48,7 +48,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/benchmark_boolean.yml b/.github/workflows/benchmark_boolean.yml index 3bd97aa194..592e7aa207 100644 --- a/.github/workflows/benchmark_boolean.yml +++ b/.github/workflows/benchmark_boolean.yml @@ -51,7 +51,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -103,7 +104,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_core_crypto.yml b/.github/workflows/benchmark_core_crypto.yml index f0fd631ef9..cb35006f08 100644 --- a/.github/workflows/benchmark_core_crypto.yml +++ b/.github/workflows/benchmark_core_crypto.yml 
@@ -50,7 +50,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -94,7 +95,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_erc20.yml b/.github/workflows/benchmark_erc20.yml index 812ca1aecb..916ef10dfc 100644 --- a/.github/workflows/benchmark_erc20.yml +++ b/.github/workflows/benchmark_erc20.yml @@ -52,7 +52,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -72,7 +73,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run benchmarks run: | diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml index 53e2291a83..17d137b3e7 100644 --- a/.github/workflows/benchmark_gpu_4090.yml +++ b/.github/workflows/benchmark_gpu_4090.yml @@ -42,7 +42,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -63,7 +64,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run integer benchmarks run: | 
@@ -116,7 +118,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -136,7 +139,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run core crypto benchmarks run: | diff --git a/.github/workflows/benchmark_gpu_core_crypto.yml b/.github/workflows/benchmark_gpu_core_crypto.yml index fc31da8a63..cd776bb1c2 100644 --- a/.github/workflows/benchmark_gpu_core_crypto.yml +++ b/.github/workflows/benchmark_gpu_core_crypto.yml @@ -53,7 +53,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -108,7 +109,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_gpu_erc20_common.yml b/.github/workflows/benchmark_gpu_erc20_common.yml index d9dad71e1e..8f0bf060dd 100644 --- a/.github/workflows/benchmark_gpu_erc20_common.yml +++ b/.github/workflows/benchmark_gpu_erc20_common.yml @@ -14,7 +14,7 @@ on: type: string required: true secrets: - FHE_ACTIONS_TOKEN: + REPO_CHECKOUT_TOKEN: required: true SLAB_ACTION_TOKEN: required: true @@ -80,7 +80,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
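Review bot: Renaming the declared `workflow_call` secret from `FHE_ACTIONS_TOKEN` to `REPO_CHECKOUT_TOKEN` in the `on:` block of benchmark_gpu_erc20_common.yml changes this reusable workflow's interface, and no caller workflow appears in the diffstat. A caller that passes the secret explicitly under `secrets:` by its old name will now fail validation, since that name is no longer declared and the new one is `required: true`; callers using `secrets: inherit` are unaffected, but which case applies cannot be seen from this patch. The same applies to the `-26` hunk of benchmark_gpu_integer_common.yml. Worth checking every `uses: ./.github/workflows/benchmark_gpu_erc20_common.yml` and `..._integer_common.yml` caller before merging.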
@@ -134,7 +135,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_gpu_integer_common.yml b/.github/workflows/benchmark_gpu_integer_common.yml index 164a550059..a5dab4a2e6 100644 --- a/.github/workflows/benchmark_gpu_integer_common.yml +++ b/.github/workflows/benchmark_gpu_integer_common.yml @@ -26,7 +26,7 @@ on: type: boolean default: false secrets: - FHE_ACTIONS_TOKEN: + REPO_CHECKOUT_TOKEN: required: true SLAB_ACTION_TOKEN: required: true @@ -150,7 +150,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -210,7 +211,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_integer.yml b/.github/workflows/benchmark_integer.yml index a68d70c887..02ebe1a006 100644 --- a/.github/workflows/benchmark_integer.yml +++ b/.github/workflows/benchmark_integer.yml @@ -119,7 +119,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -139,7 +140,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Should run benchmarks with all precisions if: inputs.all_precisions 
diff --git a/.github/workflows/benchmark_shortint.yml b/.github/workflows/benchmark_shortint.yml index a68af819aa..5e5e9ab8fb 100644 --- a/.github/workflows/benchmark_shortint.yml +++ b/.github/workflows/benchmark_shortint.yml @@ -82,7 +82,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -102,7 +103,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run benchmarks with AVX512 run: | diff --git a/.github/workflows/benchmark_signed_integer.yml b/.github/workflows/benchmark_signed_integer.yml index bbb10fc52e..31548c7a31 100644 --- a/.github/workflows/benchmark_signed_integer.yml +++ b/.github/workflows/benchmark_signed_integer.yml @@ -119,7 +119,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -139,7 +140,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Should run benchmarks with all precisions if: inputs.all_precisions diff --git a/.github/workflows/benchmark_tfhe_fft.yml b/.github/workflows/benchmark_tfhe_fft.yml index 1a7d3dff0a..4d68c93695 100644 --- a/.github/workflows/benchmark_tfhe_fft.yml +++ b/.github/workflows/benchmark_tfhe_fft.yml @@ -94,7 +94,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash 
diff --git a/.github/workflows/benchmark_tfhe_ntt.yml b/.github/workflows/benchmark_tfhe_ntt.yml index c0749695de..2fec42d7eb 100644 --- a/.github/workflows/benchmark_tfhe_ntt.yml +++ b/.github/workflows/benchmark_tfhe_ntt.yml @@ -94,7 +94,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_tfhe_zk_pok.yml b/.github/workflows/benchmark_tfhe_zk_pok.yml index 0ff2f5922d..049b422624 100644 --- a/.github/workflows/benchmark_tfhe_zk_pok.yml +++ b/.github/workflows/benchmark_tfhe_zk_pok.yml @@ -80,7 +80,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -100,7 +101,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run benchmarks run: | @@ -131,7 +133,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_wasm_client.yml b/.github/workflows/benchmark_wasm_client.yml index 18a6acc6f6..490e59b2c2 100644 --- a/.github/workflows/benchmark_wasm_client.yml +++ b/.github/workflows/benchmark_wasm_client.yml @@ -36,7 +36,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files 
@@ -88,7 +89,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -176,7 +178,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/benchmark_zk_pke.yml b/.github/workflows/benchmark_zk_pke.yml index aaed0c5efe..9805c4efbc 100644 --- a/.github/workflows/benchmark_zk_pke.yml +++ b/.github/workflows/benchmark_zk_pke.yml @@ -43,7 +43,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -130,7 +131,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get benchmark details run: | @@ -150,7 +152,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Run benchmarks with AVX512 run: | @@ -187,7 +190,8 @@ jobs: with: repository: zama-ai/slab path: slab - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Send data to Slab shell: bash diff --git a/.github/workflows/csprng_randomness_tests.yml b/.github/workflows/csprng_randomness_tests.yml index 9f2e7bfc7a..f910742a8f 100644 --- a/.github/workflows/csprng_randomness_tests.yml +++ b/.github/workflows/csprng_randomness_tests.yml 
@@ -48,7 +48,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/gpu_4090_tests.yml b/.github/workflows/gpu_4090_tests.yml index 1115acad88..736e21fc09 100644 --- a/.github/workflows/gpu_4090_tests.yml +++ b/.github/workflows/gpu_4090_tests.yml @@ -37,7 +37,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/gpu_fast_h100_tests.yml b/.github/workflows/gpu_fast_h100_tests.yml index d53a4209b4..cd6e6812f0 100644 --- a/.github/workflows/gpu_fast_h100_tests.yml +++ b/.github/workflows/gpu_fast_h100_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -99,7 +100,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup diff --git a/.github/workflows/gpu_fast_tests.yml b/.github/workflows/gpu_fast_tests.yml index b1ea00b632..6cde0102d0 100644 --- a/.github/workflows/gpu_fast_tests.yml +++ b/.github/workflows/gpu_fast_tests.yml 
@@ -30,7 +30,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -97,7 +98,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup diff --git a/.github/workflows/gpu_full_h100_tests.yml b/.github/workflows/gpu_full_h100_tests.yml index 59e3a47adf..347ad3bd49 100644 --- a/.github/workflows/gpu_full_h100_tests.yml +++ b/.github/workflows/gpu_full_h100_tests.yml @@ -66,7 +66,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup diff --git a/.github/workflows/gpu_full_multi_gpu_tests.yml b/.github/workflows/gpu_full_multi_gpu_tests.yml index 8aeacd9f5c..430591e022 100644 --- a/.github/workflows/gpu_full_multi_gpu_tests.yml +++ b/.github/workflows/gpu_full_multi_gpu_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -99,7 +100,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
diff --git a/.github/workflows/gpu_pcc.yml b/.github/workflows/gpu_pcc.yml index cfae0efc88..52570b6eed 100644 --- a/.github/workflows/gpu_pcc.yml +++ b/.github/workflows/gpu_pcc.yml @@ -56,7 +56,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Set up home run: | diff --git a/.github/workflows/gpu_signed_integer_classic_tests.yml b/.github/workflows/gpu_signed_integer_classic_tests.yml index c367649ed8..9034dc22f6 100644 --- a/.github/workflows/gpu_signed_integer_classic_tests.yml +++ b/.github/workflows/gpu_signed_integer_classic_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files diff --git a/.github/workflows/gpu_signed_integer_h100_tests.yml b/.github/workflows/gpu_signed_integer_h100_tests.yml index 7f7ab4d456..91a6f64d10 100644 --- a/.github/workflows/gpu_signed_integer_h100_tests.yml +++ b/.github/workflows/gpu_signed_integer_h100_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files diff --git a/.github/workflows/gpu_signed_integer_tests.yml b/.github/workflows/gpu_signed_integer_tests.yml index aacfcc3f79..909354e1b6 100644 --- a/.github/workflows/gpu_signed_integer_tests.yml +++ b/.github/workflows/gpu_signed_integer_tests.yml 
@@ -38,7 +38,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files @@ -106,7 +107,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup diff --git a/.github/workflows/gpu_unsigned_integer_classic_tests.yml b/.github/workflows/gpu_unsigned_integer_classic_tests.yml index ee19d69466..c546551457 100644 --- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files diff --git a/.github/workflows/gpu_unsigned_integer_h100_tests.yml b/.github/workflows/gpu_unsigned_integer_h100_tests.yml index 1e2bd3656e..8157d9f010 100644 --- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml @@ -31,7 +31,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files diff --git a/.github/workflows/gpu_unsigned_integer_tests.yml b/.github/workflows/gpu_unsigned_integer_tests.yml index 7e4bbaaf3b..7fe26491aa 100644 --- a/.github/workflows/gpu_unsigned_integer_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_tests.yml 
@@ -37,7 +37,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Check for file changes id: changed-files diff --git a/.github/workflows/integer_long_run_tests.yml b/.github/workflows/integer_long_run_tests.yml index 134cef3f6e..01058c5f18 100644 --- a/.github/workflows/integer_long_run_tests.yml +++ b/.github/workflows/integer_long_run_tests.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: 'false' - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml index bca94c4e32..9ac0a737cf 100644 --- a/.github/workflows/make_release.yml +++ b/.github/workflows/make_release.yml @@ -46,7 +46,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Prepare package run: | cargo package -p tfhe @@ -82,7 +83,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Create NPM version tag if: ${{ inputs.npm_latest_tag }} run: | diff --git a/.github/workflows/make_release_cuda.yml b/.github/workflows/make_release_cuda.yml index 4700fb8083..df6396ae39 100644 --- a/.github/workflows/make_release_cuda.yml +++ b/.github/workflows/make_release_cuda.yml 
@@ -61,7 +61,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Set up home run: | diff --git a/.github/workflows/make_release_tfhe_versionable.yml b/.github/workflows/make_release_tfhe_versionable.yml index df0be32be9..8317036f65 100644 --- a/.github/workflows/make_release_tfhe_versionable.yml +++ b/.github/workflows/make_release_tfhe_versionable.yml @@ -61,6 +61,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Download artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: diff --git a/.github/workflows/make_release_zk_pok.yml b/.github/workflows/make_release_zk_pok.yml index c448b528b3..e88275920f 100644 --- a/.github/workflows/make_release_zk_pok.yml +++ b/.github/workflows/make_release_zk_pok.yml @@ -61,7 +61,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Download artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: diff --git a/.github/workflows/sync_on_push.yml b/.github/workflows/sync_on_push.yml index 0a550462aa..304d8d2758 100644 --- a/.github/workflows/sync_on_push.yml +++ b/.github/workflows/sync_on_push.yml @@ -16,7 +16,8 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - token: ${{ secrets.FHE_ACTIONS_TOKEN }} + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: git-sync uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83 with: 
From 2f807828e6372ceb1b0541c0155895061c5a83ab Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Test=C3=A9?= Date: Wed, 22 Jan 2025 18:49:31 +0100 Subject: [PATCH 2/2] chore(ci): extend external contribution to all pr workflows User permission checking is done after the should-run step, when there is one, rather than before it. This way, only workflows that should run will fail if the triggering actor is not allowed to launch them. Thus a repository maintainer only has to re-run the handful of jobs that would actually run afterward (i.e. relevant code has changed and setup-instance would be called). --- .../aws_tfhe_backward_compat_tests.yml | 39 ++++++++++++- .github/workflows/aws_tfhe_fast_tests.yml | 20 ++++--- .github/workflows/aws_tfhe_integer_tests.yml | 53 +++++++++++++---- .../aws_tfhe_signed_integer_tests.yml | 52 ++++++++++++++--- .github/workflows/aws_tfhe_tests.yml | 52 ++++++++++++++--- .github/workflows/aws_tfhe_wasm_tests.yml | 40 ++++++++++++- .github/workflows/benchmark_gpu_4090.yml | 46 ++++++++++++--- .github/workflows/benchmark_wasm_client.yml | 2 +- .github/workflows/check_actor_permissions.yml | 39 +++++++++++++ .github/workflows/check_ci_files_change.yml | 41 +++++++++++++ .github/workflows/check_commit.yml | 1 + .github/workflows/check_external_pr.yml | 32 +++++++++++ .github/workflows/check_triggering_actor.yml | 29 ---------- .github/workflows/ci_lint.yml | 4 ++ .github/workflows/csprng_randomness_tests.yml | 40 ++++++++++++- .github/workflows/data_pr_close.yml | 4 ++ .github/workflows/gpu_4090_tests.yml | 40 ++++++++++++- .github/workflows/gpu_fast_h100_tests.yml | 54 ++++++++++++++---- .github/workflows/gpu_fast_tests.yml | 51 ++++++++++++++--- .github/workflows/gpu_full_h100_tests.yml | 5 +- .../workflows/gpu_full_multi_gpu_tests.yml | 52 ++++++++++++++--- .github/workflows/gpu_pcc.yml | 39 ++++++++++++- .../gpu_signed_integer_classic_tests.yml | 57 +++++++++++++++---- .../gpu_signed_integer_h100_tests.yml | 57 +++++++++++++++---- .../workflows/gpu_signed_integer_tests.yml | 52 +++++++++++++---- 
.../gpu_unsigned_integer_classic_tests.yml | 57 +++++++++++++++---- .../gpu_unsigned_integer_h100_tests.yml | 57 +++++++++++++++---- .../workflows/gpu_unsigned_integer_tests.yml | 55 ++++++++++++++---- .github/workflows/m1_tests.yml | 47 +++++++++++++-- 29 files changed, 930 insertions(+), 187 deletions(-) create mode 100644 .github/workflows/check_actor_permissions.yml create mode 100644 .github/workflows/check_ci_files_change.yml create mode 100644 .github/workflows/check_external_pr.yml delete mode 100644 .github/workflows/check_triggering_actor.yml diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml index 93313443d8..f711e3f6ab 100644 --- a/.github/workflows/aws_tfhe_backward_compat_tests.yml +++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml 
@@ -11,15 +11,47 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (backward-compat-tests) + needs: check-user-permission runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} 
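Review bot: The comment above `check-user-permission` says the job fails when the actor is not part of the Zama organization, but the reusable `check_actor_permissions.yml` it calls tests for write permission on this repository, which is a different set of accounts. Since this job is what keeps fork-supplied code away from the secrets a `pull_request_target` run carries (the later jobs check out `env.REF`, the PR head), the comment should state the real criterion and the rule that follows from it: `# Fail if the triggering actor has no write access to this repository. pull_request_target runs with repository secrets, so every job that checks out env.REF must depend (transitively) on this job.` The same comment is introduced in aws_tfhe_fast_tests.yml, aws_tfhe_integer_tests.yml, aws_tfhe_signed_integer_tests.yml, aws_tfhe_tests.yml, aws_tfhe_wasm_tests.yml, benchmark_gpu_4090.yml and check_external_pr.yml. Unlike those files, the `pull_request_target` trigger here has no `types` filter, so every push to an external PR starts a run that fails at this job for the fork author; if that red check is not wanted, `types: [ labeled ]` as in the sibling workflows keeps the hard fail for labelled PRs only.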
@@ -39,7 +71,7 @@ jobs: name: Backward compatibility tests needs: [ setup-instance ] concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -48,6 +80,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -90,7 +123,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Backward compatibility tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Backward compatibility tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (backward-compat-tests) @@ -114,4 +147,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (backward-compat-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (backward-compat-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml index 8b2b6dfbbf..a69f540636 100644 --- a/.github/workflows/aws_tfhe_fast_tests.yml +++ b/.github/workflows/aws_tfhe_fast_tests.yml @@ -36,7 +36,7 @@ jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: csprng_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.csprng_any_changed }} zk_pok_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.zk_pok_any_changed }} 
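Review bot: `group: ${{ github.workflow }}_${{ github.head_ref || github.ref }}` keys the concurrency group on the bare source branch name, so two pull requests from different forks that happen to use the same branch name (both `main`, for example) share one group and, with `cancel-in-progress: true`, cancel each other's runs. Keying on the PR number avoids the collision while keeping the push/dispatch case unchanged: `group: ${{ github.workflow }}_${{ github.event.pull_request.number || github.ref }}`. The same expression is introduced in this patch in aws_tfhe_integer_tests.yml, aws_tfhe_signed_integer_tests.yml, aws_tfhe_tests.yml and aws_tfhe_wasm_tests.yml.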
@@ -62,7 +62,6 @@ jobs: user_docs_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.user_docs_any_changed || steps.changed-files.outputs.dependencies_any_changed }} - ci_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.ci_any_changed }} any_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.aggregated-changes.outputs.any_changed }} steps: - name: Checkout tfhe-rs @@ -122,13 +121,9 @@ jobs: - '!tfhe/src/c_api/**' - 'tfhe/docs/**/**.md' - README.md - ci: - - .github/** - - ci/** - name: Aggregate file changes id: aggregated-changes - # CI files are not included in this aggregator. if: ( steps.changed-files.outputs.dependencies_any_changed == 'true' || steps.changed-files.outputs.csprng_any_changed == 'true' || steps.changed-files.outputs.zk_pok_any_changed == 'true' || @@ -143,13 +138,20 @@ jobs: run: | echo "any_changed=true" >> "$GITHUB_OUTPUT" + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + # Fail if the triggering actor is not part of Zama organization. # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. check-user-permission: - needs: should-run + needs: check-ci-files if: github.event_name != 'pull_request_target' || - (github.event_name == 'pull_request_target' && needs.should-run.outputs.ci_file_changed == 'false') - uses: ./.github/workflows/check_triggering_actor.yml + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml secrets: TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml index a2ff73d7c7..ef17a1d0fc 100644 --- a/.github/workflows/aws_tfhe_integer_tests.yml 
+++ b/.github/workflows/aws_tfhe_integer_tests.yml @@ -10,16 +10,31 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" NO_BIG_PARAMS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' push: branches: - main @@ -28,12 +43,11 @@ jobs: should-run: if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event_name == 'pull_request_target' && contains(github.event.label.name, 'approved')) || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: integer_test: ${{ github.event_name == 'workflow_dispatch' || steps.changed-files.outputs.integer_any_changed }} @@ -44,6 +58,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
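Review bot: `should-run`'s `if` admits labelled events only for `pull_request_target` (`(github.event_name == 'pull_request_target' && contains(github.event.label.name, 'approved'))`), yet the first hunk of this file adds a `pull_request` trigger for `.github/**` and `ci/**` changes; on that event `should-run` is skipped and, as far as the next hunk shows, `setup-instance` (which `needs` it without `always()`) is skipped too, so the CI-file change the trigger was added to test never reaches the tests. The sibling aws_tfhe_signed_integer_tests.yml appears to try to cover both event names in the same expression, which suggests the omission here is accidental. If CI-file PRs are meant to run, the term would read `((github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved')) ||`.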
@@ -61,13 +76,30 @@ jobs: - tfhe/src/integer/** - .github/workflows/aws_tfhe_integer_tests.yml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest outputs: @@ -88,7 +120,7 @@ jobs: name: Unsigned integer tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
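Review bot: `setup-instance`'s `if` keeps `(github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')` although the previous hunk removes the same term from `should-run` and the file declares no `schedule` trigger, so the branch is dead and the two conditions now disagree about which events exist; drop it here as well. The new labelled term tests `github.event.label.name == 'approved'` exactly while `should-run` uses `contains(github.event.label.name, 'approved')`, so a label that merely contains the word passes the first gate and stops at the second — harmless, but one form should be used in both places. For readers of the gate, `needs: [ should-run, check-user-permission ]` with a plain `if` (no `always()`) is what makes a failed or skipped permission check skip this job and, through `needs`, the test and teardown jobs; a one-line comment makes that visible where it matters, e.g. `# Skipped (and so are the jobs below) when check-user-permission fails or is skipped.`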
@@ -97,6 +129,7 @@ jobs: with: persist-credentials: "false" token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -104,7 +137,7 @@ jobs: toolchain: stable - name: Should skip big parameters set - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' run: | echo "NO_BIG_PARAMS=TRUE" >> "${GITHUB_ENV}" @@ -130,7 +163,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Unsigned Integer tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned Integer tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (unsigned-integer-tests) @@ -154,4 +187,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (unsigned-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (unsigned-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml index 8fadafa45d..981e99804a 100644 --- a/.github/workflows/aws_tfhe_signed_integer_tests.yml +++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml 
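Review bot: `Should skip big parameters set` now fires only for `pull_request_target`, so a `pull_request` run (the CI-file path added in the first hunk of this file) executes the big parameter sets that were previously skipped for every pull request; `if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'` restores the old behaviour for both events. aws_tfhe_signed_integer_tests.yml makes the same change to its corresponding step. aws_tfhe_tests.yml already defines `IS_PULL_REQUEST` over both event names in this patch, which is the pattern to follow here.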
@@ -10,16 +10,31 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" NO_BIG_PARAMS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' push: branches: - main @@ -29,11 +44,11 @@ jobs: if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + ((github.event_name == 'pull_request_target' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved')) || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: integer_test: ${{ github.event_name == 'workflow_dispatch' || steps.changed-files.outputs.integer_any_changed }} @@ -44,6 +59,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
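Review bot: `((github.event_name == 'pull_request_target' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved'))` in `should-run`'s `if` compares the same literal twice; presumably one side was meant to be `'pull_request'`, since the same hunk adds a `pull_request` trigger for CI-file changes. As written the `pull_request` event never passes `should-run` — the same situation as in aws_tfhe_integer_tests.yml — and the redundant term hides it. Suggested: `((github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && contains(github.event.label.name, 'approved')) ||`.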
@@ -61,13 +77,30 @@ jobs: - tfhe/src/integer/** - .github/workflows/aws_tfhe_signed_integer_tests.yml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || - (github.event_name == 'pull_request' && contains(github.event.label.name, 'approved')) || + (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest outputs: @@ -88,7 +121,7 @@ jobs: name: Signed integer tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
@@ -97,6 +130,7 @@ jobs: with: persist-credentials: "false" token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -104,7 +138,7 @@ jobs: toolchain: stable - name: Should skip big parameters set - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' run: | echo "NO_BIG_PARAMS=TRUE" >> "${GITHUB_ENV}" @@ -134,7 +168,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Signed Integer tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Signed Integer tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (signed-integer-tests) @@ -158,4 +192,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (signed-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (signed-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml index 9aca6dfa49..6dbbd215d3 100644 --- a/.github/workflows/aws_tfhe_tests.yml +++ b/.github/workflows/aws_tfhe_tests.yml 
@@ -10,13 +10,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -27,7 +42,7 @@ jobs: if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') permissions: - pull-requests: write + pull-requests: read outputs: csprng_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.csprng_any_changed }} zk_pok_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.zk_pok_any_changed }} @@ -65,6 +80,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -132,11 +148,28 @@ jobs: run: | echo "any_changed=true" >> "$GITHUB_OUTPUT" + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cpu-tests) - if: github.event_name != 'pull_request' || + if: github.event_name != 'pull_request_target' || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.any_file_changed == 'true') - needs: should-run + needs: [ should-run, check-user-permission ] runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} @@ -154,11 +187,11 @@ jobs: cpu-tests: name: CPU tests - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') needs: [ should-run, setup-instance ] concurrency: - group: ${{ github.workflow }}_${{github.event_name}}_${{ github.ref }} + group: ${{ github.workflow }}_${{github.event_name}}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: 
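Review bot: `setup-instance`'s `if` now provisions an instance for any `pull_request` event, because its first term `github.event_name != 'pull_request_target'` is true for that event and the `labeled`/`approved`/`any_file_changed` conditions apply only to `pull_request_target`; with this file's `pull_request` trigger being `types: [ labeled ]`, any label placed on a CI-file PR starts a runner without the approval check that applied before the patch. Replacing the first term with `(github.event_name != 'pull_request' && github.event_name != 'pull_request_target')` keeps the pre-patch behaviour for both events. `cpu-tests`' `if` in the same hunk has the same shape and should get the same change for consistency, although there the `needs` on `setup-instance` already limits the effect.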
@@ -167,6 +200,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -241,7 +275,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CPU tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CPU tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cpu-tests) @@ -265,4 +299,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cpu-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cpu-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml index ee185e4ac1..6292d8ab8c 100644 --- a/.github/workflows/aws_tfhe_wasm_tests.yml +++ b/.github/workflows/aws_tfhe_wasm_tests.yml 
@@ -10,16 +10,49 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (wasm-tests) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }} runs-on: ubuntu-latest outputs: 
@@ -40,7 +73,7 @@ jobs: name: WASM tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -49,6 +82,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -109,7 +143,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "WASM tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "WASM tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (wasm-tests) @@ -133,4 +167,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (wasm-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (wasm-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml index 17d137b3e7..b97a0f2676 100644 --- a/.github/workflows/benchmark_gpu_4090.yml +++ b/.github/workflows/benchmark_gpu_4090.yml 
@@ -11,20 +11,53 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_BENCH: TRUE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Weekly benchmarks will be triggered each Friday at 9p.m. - cron: "0 21 * * 5" jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. 
+ check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cuda-integer-benchmarks: name: Cuda integer benchmarks (RTX 4090) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs' || contains(github.event.label.name, '4090_bench') }} @@ -33,10 +66,6 @@ jobs: cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ["self-hosted", "4090-desktop"] timeout-minutes: 1440 # 24 hours - strategy: - fail-fast: false - max-parallel: 1 - steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 @@ -44,6 +73,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Get benchmark details run: | @@ -101,7 +131,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Integer RTX 4090 full benchmarks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer RTX 4090 full benchmarks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" cuda-core-crypto-benchmarks: name: Cuda core crypto benchmarks (RTX 4090) 
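Review bot: Only `cuda-integer-benchmarks` gains `needs: check-user-permission` and `ref: ${{ env.REF }}` in these hunks; `cuda-core-crypto-benchmarks`, which begins in the trailing context and runs on the same self-hosted `4090-desktop` runner, does not appear in any hunk of this file. If that job checks out the PR head it would run fork-supplied code on a self-hosted runner without the permission gate; if it keeps the default checkout it benchmarks the base branch rather than the labelled PR. Either way its body lies outside the hunk and is worth confirming, and the gating comment copied above `check-user-permission` would be a good place to record that both benchmark jobs are expected to depend on it.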
@@ -186,11 +216,11 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Core crypto RTX 4090 full benchmarks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Core crypto RTX 4090 full benchmarks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" remove_github_label: name: Remove 4090 bench label - if: ${{ always() && github.event_name == 'pull_request' }} + if: ${{ always() && github.event_name == 'pull_request_target' }} needs: [cuda-integer-benchmarks, cuda-core-crypto-benchmarks] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/benchmark_wasm_client.yml b/.github/workflows/benchmark_wasm_client.yml index 490e59b2c2..3cf984d607 100644 --- a/.github/workflows/benchmark_wasm_client.yml +++ b/.github/workflows/benchmark_wasm_client.yml @@ -28,7 +28,7 @@ jobs: (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') permissions: - pull-requests: write + pull-requests: read outputs: wasm_bench: ${{ steps.changed-files.outputs.wasm_bench_any_changed }} steps: diff --git a/.github/workflows/check_actor_permissions.yml b/.github/workflows/check_actor_permissions.yml new file mode 100644 index 0000000000..4538da5a35 --- /dev/null +++ b/.github/workflows/check_actor_permissions.yml 
@@ -0,0 +1,39 @@
+# Check if an actor is a collaborator and has write access
+name: Check Actor Permissions
+
+on:
+ workflow_call:
+ inputs:
+ username:
+ type: string
+ default: ${{ github.triggering_actor }}
+ outputs:
+ is_authorized:
+ value: ${{ jobs.check-actor-permission.outputs.actor_authorized }}
+ secrets:
+ TOKEN:
+ required: true
+
+jobs:
+ check-actor-permission:
+ runs-on: ubuntu-latest
+ outputs:
+ actor_authorized: ${{ steps.check-access.outputs.require-result }}
+ steps:
+ - name: Get User Permission
+ id: check-access
+ uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103 # v2.3.0
+ with:
+ require: write
+ username: ${{ inputs.username }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.TOKEN }}
+
+ - name: Check User Permission
+ if: (inputs.username != 'dependabot' || inputs.username != 'cla-bot') &&
+ steps.check-access.outputs.require-result == 'false'
+ run: |
+ echo "${{ inputs.username }} does not have permissions on this repo."
+ echo "Current permission level is ${{ steps.check-access.outputs.user-permission }}"
+ echo "Job originally triggered by ${{ github.actor }}"
+ exit 1
diff --git a/.github/workflows/check_ci_files_change.yml b/.github/workflows/check_ci_files_change.yml
new file mode 100644
index 0000000000..2ad56cb65f
--- /dev/null
+++ b/.github/workflows/check_ci_files_change.yml
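Review bot: The exemption in the `Check User Permission` step's `if` never applies: `inputs.username != 'dependabot' || inputs.username != 'cla-bot'` is true for every username, so the step fails for any actor without write access, bots included. If those bots are meant to be exempt the operator has to be `&&`, and the actual actor logins should be confirmed first (Dependabot's is commonly `dependabot[bot]`, not `dependabot`, so the exemption would still not match). Note also that an exempted bot would still be reported as `'false'` through the `actor_authorized` output while the job succeeds, so callers reading `is_authorized` would disagree with the job status; the output should be derived from the same decision as the step. As a smaller point, the `run` script interpolates `${{ inputs.username }}` into the script text; passing it through `env:` and expanding `"$USERNAME"` is the conventional way to keep caller-supplied values out of the shell source.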
@@ -0,0 +1,41 @@
+# Check if there is any change in CI files since last commit
+name: Check changes in CI files
+
+on:
+ workflow_call:
+ inputs:
+ checkout_ref:
+ type: string
+ required: true
+ outputs:
+ ci_file_changed:
+ value: ${{ jobs.check-changes.outputs.ci_file_changed }}
+ secrets:
+ REPO_CHECKOUT_TOKEN:
+ required: true
+
+jobs:
+ check-changes:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ outputs:
+ ci_file_changed: ${{ steps.changed-files.outputs.ci_any_changed }}
+ steps:
+ - name: Checkout tfhe-rs
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ with:
+ fetch-depth: 0
+ persist-credentials: 'false'
+ token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+ ref: ${{ inputs.checkout_ref }}
+
+ - name: Check for file changes
+ id: changed-files
+ uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f
+ with:
+ since_last_remote_commit: true
+ files_yaml: |
+ ci:
+ - .github/**
+ - ci/**
diff --git a/.github/workflows/check_commit.yml b/.github/workflows/check_commit.yml
index d871c7320b..d21cac7eda 100644
--- a/.github/workflows/check_commit.yml
+++ b/.github/workflows/check_commit.yml
@@ -2,6 +2,7 @@ name: Check commit and PR compliance
 on:
 pull_request:
+
 jobs:
 check-commit-pr:
 name: Check commit and PR
diff --git a/.github/workflows/check_external_pr.yml b/.github/workflows/check_external_pr.yml
new file mode 100644
index 0000000000..4dc7b569ee
--- /dev/null
+++ b/.github/workflows/check_external_pr.yml
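Review bot: `since_last_remote_commit: true` on the `Check for file changes` step limits the comparison to the previous remote commit rather than the pull request's base, if the option behaves as its name suggests; CI files modified in an earlier push of the same PR would then not be reported on a later run, and on a `labeled` event with no new push it is not clear what the previous remote commit would even be. Because every caller uses `ci_file_changed == 'false'` to decide whether `check-user-permission` and, behind it, the jobs that check out `env.REF` may run, a missed `ci/**` change means fork-supplied scripts can execute with repository secrets once a maintainer applies the label. Comparing against the PR base (for example passing `github.event.pull_request.base.sha` as a second input and using it as `base_sha`) is the conservative choice. The header comment should then say what the comparison point is, e.g. `# Report whether any file under .github/ or ci/ differs between the PR base and the checked-out ref`, so callers do not assume a whole-PR diff when it is not one.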
@@ -0,0 +1,32 @@ +# Check if a pull request fulfill pre-conditions to be accepted +name: Check PR from fork + +on: + pull_request_target: + paths: + - '.github/**' + - 'ci/**' + +jobs: + # Fail if the triggering actor is not part of Zama organization. + check-user-permission: + name: Check event user permissions + uses: ./.github/workflows/check_actor_permissions.yml + with: + username: ${{ github.event.pull_request.user.login }} + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + + write-comment: + name: Write PR comment + if: ${{ always() && needs.check-user-permission.outputs.is_authorized == 'false' }} + needs: check-user-permission + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Write warning + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b + with: + message: | + CI files have changed. Only Zama organization members are authorized to modify these files. diff --git a/.github/workflows/check_triggering_actor.yml b/.github/workflows/check_triggering_actor.yml deleted file mode 100644 index 0596647428..0000000000 --- a/.github/workflows/check_triggering_actor.yml +++ /dev/null 
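Review bot: The comment posted by `write-comment` tells contributors that only Zama organization members may modify CI files, but `check_actor_permissions.yml` verifies `require: write` on this repository, not organization membership; reword it (and the `# Fail if the triggering actor is not part of Zama organization.` job comment) to `Only collaborators with write access to this repository are authorized to modify these files.` so the stated criterion matches the one enforced. With the default `pull_request_target` activity types this workflow runs on every push to the PR, so an unauthorized author receives a fresh comment per push; if the pinned `thollander/actions-comment-pull-request` supports a comment tag / update-in-place mode, use it. The pin here also lacks the `# vX.Y.Z` annotation used on `check-user-permission`.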
@@ -1,29 +0,0 @@ -# Check if triggering actor is a collaborator and has write access -name: Check Triggering Actor - -on: - workflow_call: - secrets: - TOKEN: - required: true - -jobs: - check-actor-permission: - runs-on: ubuntu-latest - steps: - - name: Get User Permission - id: check-access - uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103 # v2.3.0 - with: - require: write - username: ${{ github.triggering_actor }} - env: - GITHUB_TOKEN: ${{ secrets.TOKEN }} - - - name: Check User Permission - if: steps.check-access.outputs.require-result == 'false' - run: | - echo "${{ github.triggering_actor }} does not have permissions on this repo." - echo "Current permission level is ${{ steps.check-access.outputs.user-permission }}" - echo "Job originally triggered by ${{ github.actor }}" - exit 1 diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml index 0cd3b54aa0..5063a16635 100644 --- a/.github/workflows/ci_lint.yml +++ b/.github/workflows/ci_lint.yml @@ -14,6 +14,9 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} - name: Get actionlint run: | @@ -31,3 +34,4 @@ jobs: with: allowlist: | slsa-framework/slsa-github-generator + ./ diff --git a/.github/workflows/csprng_randomness_tests.yml b/.github/workflows/csprng_randomness_tests.yml index f910742a8f..9f03fced26 100644 --- a/.github/workflows/csprng_randomness_tests.yml +++ b/.github/workflows/csprng_randomness_tests.yml 
@@ -10,16 +10,49 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (csprng-randomness-tests) + needs: check-user-permission if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }} runs-on: ubuntu-latest outputs: 
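Review bot: `check-user-permission` is invoked without a `username`, so the reusable workflow falls back to `github.triggering_actor`; for the `labeled` activity type that is the person applying the `approved` label rather than the PR author, which makes the label itself the trust decision that releases the `REPO_CHECKOUT_TOKEN`-backed checkout of `${{ env.REF }}` under `pull_request_target` in the later hunk. That is a defensible design, but the job comment `# Fail if the triggering actor is not part of Zama organization.` names neither the actor being checked nor the criterion (`require: write` on the repository); replace it with something like `# Gate: the actor who triggered the run (the labeler for 'labeled' events) must have write access on this repo. Skipped, together with every dependent job, when a pull_request_target run touched CI files.` The same comment is copied into the gpu_4090, gpu_fast_h100, gpu_fast, gpu_full_multi_gpu, gpu_pcc and gpu_signed_integer_classic hunks below. The `check-ci-files` + `check-user-permission` pair is also duplicated verbatim across those files; folding both into a single reusable gate workflow would keep the condition from drifting between them.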
@@ -40,7 +73,7 @@ jobs: name: CSPRNG randomness tests needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} steps: @@ -49,6 +82,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -65,7 +99,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (csprng-randomness-tests) @@ -89,4 +123,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (csprng-randomness-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (csprng-randomness-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/data_pr_close.yml b/.github/workflows/data_pr_close.yml index 7e323f7170..35aefb85cd 100644 --- a/.github/workflows/data_pr_close.yml +++ b/.github/workflows/data_pr_close.yml 
@@ -8,6 +8,8 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} PR_BRANCH: ${{ github.head_ref || github.ref_name }} CLOSE_TYPE: ${{ github.event.pull_request.merged && 'merge' || 'close' }} @@ -15,6 +17,8 @@ env: on: pull_request: types: [ closed ] + pull_request_target: + types: [ closed ] # The same pattern is used for jobs that use the github api: # - save the result of the API call in the env var "GH_API_RES". Since the var is multiline diff --git a/.github/workflows/gpu_4090_tests.yml b/.github/workflows/gpu_4090_tests.yml index 736e21fc09..f3ef61c03f 100644 --- a/.github/workflows/gpu_4090_tests.yml +++ b/.github/workflows/gpu_4090_tests.yml 
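Review bot: Adding `pull_request_target: types: [ closed ]` next to the existing `pull_request: types: [ closed ]` means a closed PR from this repository now fires both events, so every job in this workflow runs twice unless a condition outside this hunk distinguishes them — duplicated Slack notifications and GitHub API calls. Since `pull_request_target` also fires for fork PRs with secrets available, keeping only that trigger covers both cases; otherwise add a job-level guard that skips one of the two runs. If, as the visible hunk suggests, the workflow only calls the GitHub API and never checks out or executes PR content, say so in a comment next to the trigger; if it does check out PR content, this trigger needs the same gate as the test workflows.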
@@ -11,24 +11,57 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. 
+ check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cuda-tests-linux: name: CUDA tests (RTX 4090) + needs: check-user-permission if: github.event_name == 'workflow_dispatch' || contains(github.event.label.name, '4090_test') || (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ["self-hosted", "4090-desktop"] @@ -38,6 +71,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 @@ -69,7 +103,7 @@ jobs: make test_high_level_api_gpu - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 - if: ${{ always() && github.event_name == 'pull_request' }} + if: ${{ always() && github.event_name == 'pull_request_target' }} with: labels: 4090_test github_token: ${{ secrets.GITHUB_TOKEN }} @@ -80,4 +114,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CUDA RTX 4090 tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CUDA RTX 4090 tests finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_fast_h100_tests.yml b/.github/workflows/gpu_fast_h100_tests.yml index cd6e6812f0..6dfcd08a0c 100644 --- a/.github/workflows/gpu_fast_h100_tests.yml +++ b/.github/workflows/gpu_fast_h100_tests.yml 
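Review bot: The label-removal step is now conditioned on `github.event_name == 'pull_request_target'` only, yet the file keeps a `pull_request: types: [ labeled ]` trigger for CI-file changes, so a `4090_test` label applied to such a PR is never removed after the run and re-labelling cannot retrigger it. Use `if: ${{ always() && (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') }}`, matching how the sibling workflows' `IS_PULL_REQUEST` env treats both events. Separately, `cuda-tests-linux` now runs PR head code (`ref: ${{ env.REF }}`) on the persistent `4090-desktop` self-hosted runner under `pull_request_target`; a short comment on the job stating that the `needs: check-user-permission` edge is the only barrier would help a future edit not weaken it.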
@@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
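Review bot: Rewriting `setup-instance`'s condition from `github.event_name != 'pull_request'` to `github.event_name != 'pull_request_target'` lets the `pull_request` trigger (CI-file changes, `types: [ labeled ]`) short-circuit the whole expression, so any label on such a PR appears to start an H100 instance without the `approved` label or `should-run.outputs.gpu_test` being consulted; the `cuda-tests-linux` condition in the next hunk has the same shape. Treat both PR events alike: `if: (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') ||` followed by the existing two lines (`env.IS_PULL_REQUEST` cannot be reused here because the `env` context is not available in a job-level `if`). The same rewrite appears in the gpu_full_multi_gpu_tests and gpu_signed_integer_classic_tests hunks below.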
@@ -101,6 +134,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -146,7 +180,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Fast H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Fast H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -170,4 +204,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_fast_tests.yml b/.github/workflows/gpu_fast_tests.yml index 6cde0102d0..c17bb45ada 100644 --- a/.github/workflows/gpu_fast_tests.yml +++ b/.github/workflows/gpu_fast_tests.yml 
@@ -11,18 +11,32 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -32,6 +46,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -56,10 +71,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' runs-on: ubuntu-latest outputs: @@ -79,10 +111,10 @@ jobs: cuda-tests-linux: name: CUDA tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: @@ -99,6 +131,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
@@ -144,7 +177,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -168,4 +201,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_full_h100_tests.yml b/.github/workflows/gpu_full_h100_tests.yml index 347ad3bd49..c33cdbe4c3 100644 --- a/.github/workflows/gpu_full_h100_tests.yml +++ b/.github/workflows/gpu_full_h100_tests.yml @@ -11,7 +11,6 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} on: workflow_dispatch: @@ -110,7 +109,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Full H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Full H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) 
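Review bot: The Slack messages in gpu_full_h100_tests.yml now interpolate `${{ env.BRANCH }}`, but the env hunk for this file only removes `IS_PULL_REQUEST` and, unlike every other workflow in this commit, does not add `BRANCH` (or `MSG_MINIMAL`); unless `BRANCH` is defined elsewhere in the file, both notifications will read `on ''`. Add `BRANCH: ${{ github.head_ref || github.ref }}` to the `env` block so the message matches its siblings.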
@@ -133,4 +132,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_full_multi_gpu_tests.yml b/.github/workflows/gpu_full_multi_gpu_tests.yml index 430591e022..853267555c 100644 --- a/.github/workflows/gpu_full_multi_gpu_tests.yml +++ b/.github/workflows/gpu_full_multi_gpu_tests.yml @@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: 
@@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files @@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-tests-multi-gpu) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest 
@@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA multi-GPU tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: @@ -101,6 +134,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -149,7 +183,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Multi-GPU tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Multi-GPU tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests-multi-gpu) @@ -173,4 +207,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-tests-multi-gpu) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-tests-multi-gpu) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_pcc.yml b/.github/workflows/gpu_pcc.yml index 52570b6eed..0b35cea9ab 100644 --- a/.github/workflows/gpu_pcc.yml +++ b/.github/workflows/gpu_pcc.yml 
@@ -11,13 +11,45 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-pcc) + needs: check-user-permission runs-on: ubuntu-latest outputs: runner-name: ${{ steps.start-instance.outputs.label }} @@ -37,7 +69,7 @@ jobs: name: CUDA post-commit checks needs: setup-instance concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
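Review bot: With `pull_request_target` declared without `types`, `check-user-permission` now runs on every push to any PR, and for a contributor without write access it ends in `exit 1`, so each fork PR shows a failed run of this workflow that is indistinguishable from a genuine post-commit-check failure. Consider letting the gate succeed and publish its result, with `setup-instance` carrying `if: needs.check-user-permission.outputs.is_authorized == 'true'` (the reusable workflow already exposes that output), so unauthorized runs are reported as skipped rather than failed. gpu_fast_tests, which also triggers on all PR activity, has the same effect.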
@@ -57,6 +89,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Set up home run: | @@ -100,7 +133,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "CUDA AWS post-commit checks finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "CUDA AWS post-commit checks finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-pcc) @@ -124,4 +157,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-pcc) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-pcc) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_classic_tests.yml b/.github/workflows/gpu_signed_integer_classic_tests.yml index 9034dc22f6..c9a2f4d0f8 100644 --- a/.github/workflows/gpu_signed_integer_classic_tests.yml +++ b/.github/workflows/gpu_signed_integer_classic_tests.yml 
@@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-signed-classic-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA signed integer tests with classical PBS needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Integer GPU signed integer tests with classical PBS finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer GPU signed integer tests with classical PBS finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-signed-classic-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-signed-classic-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-signed-classic-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_h100_tests.yml b/.github/workflows/gpu_signed_integer_h100_tests.yml index 91a6f64d10..4b9ad2a9d4 100644 --- a/.github/workflows/gpu_signed_integer_h100_tests.yml +++ b/.github/workflows/gpu_signed_integer_h100_tests.yml 
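Review bot: The checkout added to `cuda-tests-linux` pins `ref` to `REF`, which is the PR head SHA captured when the `labeled` event fired, and nothing in the hunk says why that matters; this is the only thing that ties the `approved` label to the exact revision a maintainer looked at, since a later push to the fork does not re-trigger a `labeled`-only workflow. It also means the instance builds the contributor's commit as pushed rather than the merge with `main`, so a stale base can pass here and still break after merge. I would put that next to the step: `# REF is the PR head SHA at label time (not refs/pull/N/merge): the approved label applies to exactly this revision, and the build is not merged with main.` The steps that actually run the fork's code are outside this hunk, so I cannot see whether anything downstream re-persists credentials; `persist-credentials: 'false'` here is correct.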
@@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name != 'pull_request_target' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 signed integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
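Review bot: Same problem as in the signed-classic workflow: `setup-instance` here opens with `github.event_name != 'pull_request_target' ||`, which short-circuits to true on every `pull_request` event and so skips the `gpu_test` and `approved`-label checks for internal PRs that touch CI files. The H100 and classic unsigned workflows in this same patch use `github.event_name == 'workflow_dispatch' ||` for that slot, so the six GPU workflows currently disagree on who may start an instance. Change the first clause to `if: github.event_name == 'workflow_dispatch' ||` to match them.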
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_signed_integer_tests.yml b/.github/workflows/gpu_signed_integer_tests.yml index 909354e1b6..3f8de5ab62 100644 --- a/.github/workflows/gpu_signed_integer_tests.yml +++ b/.github/workflows/gpu_signed_integer_tests.yml 
@@ -11,17 +11,28 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_TESTS: TRUE NIGHTLY_TESTS: FALSE - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: - - opened - - synchronize + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -30,7 +41,7 @@ jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -40,6 +51,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
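Review bot: This workflow keeps `pull_request_target` without a `types` filter, so it fires on `opened`, `synchronize` and `reopened` for every push to a fork, and the `should-run` job checks out that untrusted head with `REPO_CHECKOUT_TOKEN` before `check-user-permission` has run. That is acceptable only while `should-run` and `check-ci-files` never execute repository content — `changed-files` just diffs, as far as the visible step shows — so the constraint should be written down where the next person will add a step: `# Runs before the actor check on untrusted PR heads: only diff the tree here, never build or run it.` `persist-credentials: 'false'` and `pull-requests: read` in this job are the right settings for that position in the pipeline.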
@@ -64,10 +76,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-signed-integer-tests) runs-on: ubuntu-latest - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' @@ -88,10 +117,10 @@ jobs: cuda-signed-integer-tests: name: CUDA signed integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: @@ -108,6 +137,7 @@ jobs: with: persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup 
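Review bot: Unlike the `labeled` variants, this `setup-instance` has no label path, so a PR from a fork whose author is not an org member is simply skipped by `check-user-permission` and there is no way for a maintainer to approve that run short of `workflow_dispatch`, which checks out `github.sha` of the dispatched branch rather than the PR head. If that is intended (external contributions are only tested by the labeled workflows) it deserves a comment on the job: `# No approval path for non-member PRs here; use the labeled GPU workflows for external contributions.` If not, adding `labeled` to both `pull_request` triggers and the `approved` clause used by the sibling workflows would give the same gate here. The `if` also relies on `check-user-permission` being skipped to skip this job, which holds only while no `always()` is added.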
@@ -147,7 +177,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-signed-integer-tests.result }} - SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-signed-integer-tests.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Base GPU tests finished with status: ${{ needs.cuda-signed-integer-tests.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -171,4 +201,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-signed-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-signed-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_classic_tests.yml b/.github/workflows/gpu_unsigned_integer_classic_tests.yml index c546551457..b01f7e9905 100644 --- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml 
@@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-unsigned-classic-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA unsigned integer tests with classical PBS needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Unsigned integer GPU classic tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU classic tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-unsigned-classic-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-unsigned-classic-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-unsigned-classic-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_h100_tests.yml b/.github/workflows/gpu_unsigned_integer_h100_tests.yml index 8157d9f010..c009878f6a 100644 --- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml 
@@ -11,19 +11,34 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} + IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }} + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [ labeled ] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -33,6 +48,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
@@ -57,10 +73,27 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-h100-tests) - needs: should-run - if: github.event_name != 'pull_request' || + needs: [ should-run, check-user-permission ] + if: github.event_name == 'workflow_dispatch' || (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') || (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') runs-on: ubuntu-latest @@ -81,10 +114,10 @@ jobs: cuda-tests-linux: name: CUDA H100 unsigned integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
@@ -98,6 +131,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -129,7 +166,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-tests-linux.result }} - SLACK_MESSAGE: "Unsigned integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU H100 tests finished with status: ${{ needs.cuda-tests-linux.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-h100-tests) @@ -153,4 +190,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/gpu_unsigned_integer_tests.yml b/.github/workflows/gpu_unsigned_integer_tests.yml index 7fe26491aa..958974cf81 100644 --- a/.github/workflows/gpu_unsigned_integer_tests.yml +++ b/.github/workflows/gpu_unsigned_integer_tests.yml 
@@ -11,16 +11,29 @@ env: SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }} FAST_TESTS: TRUE NIGHTLY_TESTS: FALSE + REF: ${{ github.event.pull_request.head.sha || github.sha }} on: # Allows you to run this workflow manually from the Actions tab as an alternative. workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: - - opened - - synchronize + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' schedule: # Nightly tests @ 1AM after each work day - cron: "0 1 * * MON-FRI" @@ -29,7 +42,7 @@ jobs: should-run: runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: read outputs: gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }} steps: @@ -39,6 +52,7 @@ jobs: fetch-depth: 0 persist-credentials: 'false' token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Check for file changes id: changed-files 
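Review bot: The `should-run` output still reads `env.IS_PULL_REQUEST == 'false'`, but the visible `env:` block of this file gains `MSG_MINIMAL`, `BRANCH` and `REF` without defining `IS_PULL_REQUEST`, whereas the signed counterpart defines it right after `NIGHTLY_TESTS`; if it is not set above line 11, the comparison is `'' == 'false'`, which is false, and `gpu_test` then depends solely on the changed-files result even for `schedule` and `workflow_dispatch`. Add `IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}` next to `REF` unless it is already defined earlier. The signed and unsigned integer workflows also now diverge on `types`: this one fires on `labeled` only, the signed one on every push to the PR, and the hunk does not say why.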
@@ -63,9 +77,26 @@ jobs: - scripts/integer-tests.sh - ci/slab.toml + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + setup-instance: name: Setup instance (cuda-unsigned-integer-tests) - needs: should-run + needs: [ should-run, check-user-permission ] if: (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || needs.should-run.outputs.gpu_test == 'true' @@ -87,10 +118,10 @@ jobs: cuda-unsigned-integer-tests: name: CUDA unsigned integer tests needs: [ should-run, setup-instance ] - if: github.event_name != 'pull_request' || - (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped') + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.setup-instance.result != 'skipped') concurrency: - group: ${{ github.workflow }}_${{ github.ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} runs-on: ${{ needs.setup-instance.outputs.runner-name }} strategy: 
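Review bot: With the trigger narrowed to `types: [ labeled ]` in this file, `setup-instance` has no check on `github.event.label.name`, so any label a member applies to a fork PR — `needs-docs`, a triage label — starts a GPU instance and runs the fork's head; the classic and H100 workflows in this patch require `approved`. Add the same guard to the condition, e.g. `(github.event.action != 'labeled' || github.event.label.name == 'approved') &&` in front of `needs.should-run.outputs.gpu_test == 'true'`. The actor check does verify that the labeler is an org member, so this is about accidental rather than malicious triggering, but it still burns instance time on every label.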
@@ -104,6 +135,10 @@ jobs: steps: - name: Checkout tfhe-rs uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: 'false' + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Setup Hyperstack dependencies uses: ./.github/actions/hyperstack_setup @@ -143,7 +178,7 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ needs.cuda-unsigned-integer-tests.result }} - SLACK_MESSAGE: "Unsigned integer GPU tests finished with status: ${{ needs.cuda-unsigned-integer-tests.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Unsigned integer GPU tests finished with status: ${{ needs.cuda-unsigned-integer-tests.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" teardown-instance: name: Teardown instance (cuda-tests) @@ -167,4 +202,4 @@ jobs: uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 env: SLACK_COLOR: ${{ job.status }} - SLACK_MESSAGE: "Instance teardown (cuda-unsigned-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "Instance teardown (cuda-unsigned-integer-tests) finished with status: ${{ job.status }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" diff --git a/.github/workflows/m1_tests.yml b/.github/workflows/m1_tests.yml index 88138dd452..07c48ba382 100644 --- a/.github/workflows/m1_tests.yml +++ b/.github/workflows/m1_tests.yml 
@@ -2,8 +2,20 @@ name: Tests on M1 CPU on: workflow_dispatch: + # Trigger pull_request event on CI files to be able to test changes before merging to main branch. + # Workflow would fail if changes come from a forked repository since secrets are not available with this event. pull_request: - types: [labeled] + types: [ labeled ] + paths: + - '.github/**' + - 'ci/**' + # General entry point for Zama's pull request as well as contribution from forks. + pull_request_target: + types: [ labeled ] + paths: + - '**' + - '!.github/**' + - '!ci/**' # Have a nightly build for M1 tests schedule: # * is a special character in YAML so you have to quote this string 
@@ -21,14 +33,35 @@ env: # We clear the cache to reduce memory pressure because of the numerous processes of cargo # nextest TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1" + REF: ${{ github.event.pull_request.head.sha || github.sha }} concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} + group: ${{ github.workflow }}_${{ github.head_ref || github.ref }} cancel-in-progress: true jobs: + check-ci-files: + uses: ./.github/workflows/check_ci_files_change.yml + with: + checkout_ref: ${{ github.event.pull_request.head.sha || github.sha }} + secrets: + REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }} + + # Fail if the triggering actor is not part of Zama organization. + # If pull_request_target is emitted and CI files have changed, skip this job. This would skip following jobs. + check-user-permission: + needs: check-ci-files + if: github.event_name != 'pull_request_target' || + (github.event_name == 'pull_request_target' && needs.check-ci-files.outputs.ci_file_changed == 'false') + uses: ./.github/workflows/check_actor_permissions.yml + secrets: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + cargo-builds-m1: - if: ${{ (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'm1_test') }} + needs: check-user-permission + if: ${{ (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') || + github.event_name == 'workflow_dispatch' || + contains(github.event.label.name, 'm1_test') }} runs-on: ["self-hosted", "m1mac"] # 12 hours, default is 6 hours, hopefully this is more than enough timeout-minutes: 720 @@ -37,6 +70,8 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: "false" + token: ${{ secrets.REPO_CHECKOUT_TOKEN }} + ref: ${{ env.REF }} - name: Install latest stable uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 
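Review bot: `cargo-builds-m1` runs on a persistent self-hosted runner (`["self-hosted", "m1mac"]`) and now checks out a fork's head SHA under `pull_request_target`; unless that runner is ephemeral, anything a contributor's build leaves behind (toolchain caches, `~/.cargo`, launch agents) survives into later jobs, which is a stronger consequence than on the throwaway Hyperstack instances. The gate is `check-user-permission` plus the `m1_test` label, and it is only effective because the job's `if` does not use `always()`; a comment on the job stating both would help: `# Self-hosted, non-ephemeral runner: only member-labeled PR heads may reach this job (see check-user-permission).` This hunk also adds `REF` to the workflow `env` but not `BRANCH`, while the GPU workflows add both there, which matters for the Slack step further down.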
@@ -178,7 +213,7 @@ jobs: if: ${{ always() }} steps: - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 - if: ${{ github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request_target' }} with: labels: m1_test github_token: ${{ secrets.GITHUB_TOKEN }} @@ -191,6 +226,8 @@ jobs: SLACK_COLOR: ${{ needs.cargo-builds-m1.result }} SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png - SLACK_MESSAGE: "M1 tests finished with status: ${{ needs.cargo-builds-m1.result }}. (${{ env.ACTION_RUN_URL }})" + SLACK_MESSAGE: "M1 tests finished with status: ${{ needs.cargo-builds-m1.result }} on '${{ env.BRANCH }}'. (${{ env.ACTION_RUN_URL }})" SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + MSG_MINIMAL: event,action url,commit + BRANCH: ${{ github.head_ref || github.ref }}
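Review bot: `SLACK_MESSAGE` references `${{ env.BRANCH }}`, but `BRANCH` is defined in the same step-level `env:` block as the message; as far as I know a step's own `env` entries are not visible to expressions in that same block, so the message would render with an empty branch name. The other workflows in this patch define `BRANCH` and `MSG_MINIMAL` at workflow level next to `REF`; moving the two lines there (`BRANCH: ${{ github.head_ref || github.ref }}` and `MSG_MINIMAL: event,action url,commit`) makes this file consistent and resolves the reference. Separately, the label-removal step now runs only on `pull_request_target`, so an internal PR that touched CI files and was triggered through `pull_request` keeps its `m1_test` label and cannot be re-run by re-labeling; `if: ${{ startsWith(github.event_name, 'pull_request') }}` covers both events.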