Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI/Build] Give PR cleanup job PR write access #10139

Merged
merged 1 commit into from
Nov 8, 2024
Merged

[CI/Build] Give PR cleanup job PR write access #10139

merged 1 commit into from
Nov 8, 2024

Conversation

russellb
Copy link
Collaborator

@russellb russellb commented Nov 8, 2024

When I ran this job on my own fork, it had the necessary permissions
to edit my own PR. Here, we need to explicitly grant the workflow PR
write access.

Since we are giving the GITHUB_TOKEN some level of elevated access, it
is safer to use pull_request_event instead of pull_request. The
difference is that pull_request_event runs in the context of main
instead of the PR. In other words, a PR will not run this workflow
using changes from the PR itself. This prevents a malicious PR from
editing this workflow, or a script that it executes, to do something
malicious with the github token.

Signed-off-by: Russell Bryant rbryant@redhat.com

@russellb russellb mentioned this pull request Nov 8, 2024
Merged
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 8, 2024

👋 Hi! Thank you for contributing to the vLLM project.
Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can do one of these:

  • Add ready label to the PR
  • Enable auto-merge.

🚀

@mergify mergify bot added the ci/build label Nov 8, 2024
xuechendi
xuechendi approved these changes Nov 8, 2024
View reviewed changes
Copy link
Contributor

@xuechendi xuechendi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@russellb
[CI/Build] Give PR cleanup job PR write access
a0c0c43 
When I ran this job on my own fork, it had the necessary permissions
to edit my own PR. Here, we need to explicitly grant the workflow PR
write access.

Since we are giving the GITHUB_TOKEN some level of elevated access, it
is safer to use `pull_request_event` instead of `pull_request`. The
difference is that `pull_request_event` runs in the context of `main`
instead of the PR. In other words, a PR will not run this workflow
using changes from the PR itself. This prevents a malicious PR from
editing this workflow, or a script that it executes, to do something
malicious with the github token.

Finally, run this on the reopened event, but not synchronize. It's not
relevant for sync (new commits being pushed).

Signed-off-by: Russell Bryant <rbryant@redhat.com>
njhill
njhill approved these changes Nov 8, 2024
View reviewed changes
Copy link
Member

@njhill njhill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @russellb

@njhill njhill added the ready ONLY add when PR is ready to merge/full CI is needed label Nov 8, 2024
@DarkLight1337 DarkLight1337 merged commit 6bb52b0 into vllm-project:main Nov 8, 2024
40 checks passed
Isotr0py pushed a commit to Isotr0py/vllm that referenced this pull request Nov 8, 2024
@russellb @Isotr0py
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
c783237 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Isotr0py <2037008807@qq.com>
omer-dayan pushed a commit to omer-dayan/vllm that referenced this pull request Nov 10, 2024
@russellb @omer-dayan
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
c972bb0 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: OmerD <omer@run.ai>
JC1DA pushed a commit to JC1DA/vllm that referenced this pull request Nov 11, 2024
@russellb @JC1DA
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
d4e7cd2 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Loc Huynh <jc1da.3011@gmail.com>
jeejeelee pushed a commit to jeejeelee/vllm that referenced this pull request Nov 11, 2024
@russellb @jeejeelee
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
7c71496 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Jee Jee Li <pandaleefree@gmail.com>
rickyyx pushed a commit to rickyyx/vllm that referenced this pull request Nov 13, 2024
@russellb @rickyyx
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
8f48b3c 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
sumitd2 pushed a commit to sumitd2/vllm that referenced this pull request Nov 14, 2024
@russellb @sumitd2
[CI/Build] Give PR cleanup job PR write access (vllm-project#10139)
d299195 
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Signed-off-by: Sumit Dubey <sumit.dubey2@ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@njhill njhill njhill approved these changes

@xuechendi xuechendi xuechendi approved these changes

Assignees
No one assigned
Labels
ci/build ready ONLY add when PR is ready to merge/full CI is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@russellb @xuechendi @njhill @DarkLight1337