CI tweaks + further security hardening (#9055)

* tweaks * more fix
2025-03-31 12:20:26 +08:00 · 2024-08-07 18:27:01 +01:00 · 2024-08-07 18:27:01 +01:00 · a58b6ac1af
commit a58b6ac1af
parent 8b33393586
17 changed files with 252 additions and 54 deletions
--- a/.github/workflows/delete-stale-spaces.yml
+++ b/.github/workflows/delete-stale-spaces.yml
@ -12,8 +12,13 @@ on:
        required: true
        default: "7"

+permissions: {}
+
 jobs:
  delete-old-spaces:
+    permissions:
+      contents: read
+    environment: deploy_spaces
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/generate-changeset.yml
+++ b/.github/workflows/generate-changeset.yml
@ -13,10 +13,14 @@ concurrency:
  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  get-pr:
    runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: read
    if: github.event.workflow_run.conclusion == 'success'
    outputs:
      found_pr: ${{ steps.pr_details.outputs.found_pr }}
@ -38,6 +42,8 @@ jobs:
      pr_number: ${{ needs.get-pr.outputs.pr_number }}
      message: changes~pending~null
  version:
+    permissions:
+      contents: read
    environment: changeset
    name: version
    needs: get-pr
--- a/.github/workflows/previews-build.yml
+++ b/.github/workflows/previews-build.yml
@ -13,10 +13,15 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
    name: "changes"
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
      should_run: ${{ steps.changes.outputs.should_run }}
      sha: ${{ steps.changes.outputs.sha }}
@ -29,6 +34,8 @@ jobs:
          filter: "visual"
          token: ${{ secrets.GITHUB_TOKEN }}
  build:
+    permissions:
+      contents: read
    name: "previews-build"
    runs-on: ubuntu-22.04
    needs: changes
--- a/.github/workflows/previews-deploy.yml
+++ b/.github/workflows/previews-deploy.yml
@ -41,7 +41,7 @@ jobs:
  comment-spaces-start:
    needs: changes
    uses: "./.github/workflows/comment-queue.yml"
-    if: ${{github.event.workflow_run.conclusion == 'success' && needs.changes.outputs.should_run == 'true' }}
+    if: ${{ needs.changes.outputs.should_run == 'true' }}
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
@ -150,7 +150,7 @@ jobs:
  comment-spaces-failure:
    uses: "./.github/workflows/comment-queue.yml"
    needs: [deploy, changes]
-    if: always() && github.event.workflow_run.conclusion == 'success' && needs.deploy.result == 'failure' && needs.changes.outputs.should_run == 'true'
+    if: always() &&  needs.deploy.result == 'failure' && needs.changes.outputs.should_run == 'true'
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
--- a/.github/workflows/storybook-build.yml
+++ b/.github/workflows/storybook-build.yml
@ -16,8 +16,13 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
+    permissions:
+      contents: read
+      pull-requests: read
    name: "changes"
    runs-on: ubuntu-latest
    outputs:
@ -33,6 +38,8 @@ jobs:
          filter: "visual"
          token: ${{ secrets.GITHUB_TOKEN }}
  build:
+    permissions:
+      contents: read
    name: :storybook-build
    runs-on: ubuntu-22.04
    needs: changes
--- a/.github/workflows/storybook-deploy.yml
+++ b/.github/workflows/storybook-deploy.yml
@ -10,6 +10,8 @@ concurrency:
  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
    name: "changes"
@ -47,9 +49,12 @@ jobs:
      message: |
        storybook~pending~null
  update-status:
+    permissions:
+      actions: read
+      statuses: write
    runs-on: ubuntu-latest
    needs: changes
-    if: ${{ github.event.workflow_run.conclusion == 'success' && (needs.changes.outputs.should_run == 'false' || contains(needs.changes.outputs.labels, 'no-visual-update')) }}
+    if: ${{  (needs.changes.outputs.should_run == 'false' || contains(needs.changes.outputs.labels, 'no-visual-update')) }}
    steps:
      - name: update status
        uses: gradio-app/github/actions/set-commit-status@main
@ -59,18 +64,19 @@ jobs:
          name: "UI Tests"
          run_id: ${{ needs.changes.outputs.run_id }}
  deploy:
+    permissions:
+      actions: read
+      contents: read
    environment: storybook
    name: "storybook-deploy"
    needs: changes
-    if: ${{ github.event.workflow_run.conclusion == 'success' && needs.changes.outputs.should_run == 'true' && github.repository == 'gradio-app/gradio' && !contains(needs.changes.outputs.labels, 'no-visual-update') }}
+    if: ${{  needs.changes.outputs.should_run == 'true' && github.repository == 'gradio-app/gradio' && !contains(needs.changes.outputs.labels, 'no-visual-update') }}
    runs-on: ubuntu-latest
    outputs:
      changes: ${{ steps.publish-chromatic.outputs.changeCount }}
      errors: ${{ steps.publish-chromatic.outputs.errorCount }}
      storybook_url: ${{ steps.publish-chromatic.outputs.storybookUrl }}
      build_url: ${{ steps.publish-chromatic.outputs.buildUrl }}
-    permissions:
-      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
@ -104,14 +110,14 @@ jobs:
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
-      pr_number: ${{ github.event.workflow_run.conclusion == 'success' && needs.changes.outputs.pr_number }}
+      pr_number: ${{ needs.changes.outputs.pr_number }}
      message: |
        storybook~success~${{ needs.deploy.outputs.storybook_url }}

  comment-chromatic-fail:
    uses: "./.github/workflows/comment-queue.yml"
    needs: [deploy, changes]
-    if: always() && github.event.workflow_run.conclusion == 'success' && needs.deploy.result == 'failure'
+    if: always() && needs.deploy.result == 'failure'
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
--- a/.github/workflows/test-functional-lite.yml
+++ b/.github/workflows/test-functional-lite.yml
@ -11,8 +11,13 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
+    permissions:
+      contents: read
+      pull-requests: read
    name: "changes"
    runs-on: ubuntu-latest
    outputs:
@ -29,6 +34,8 @@ jobs:
          filter: "functional"
          token: ${{ secrets.GITHUB_TOKEN }}
  test:
+    permissions:
+      contents: read
    name: "functional-test-lite"
    runs-on: ubuntu-latest
    needs: changes
--- a/.github/workflows/test-functional.yml
+++ b/.github/workflows/test-functional.yml
@ -11,8 +11,13 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
+    permissions:
+      contents: read
+      pull-requests: read
    name: "changes"
    runs-on: ubuntu-latest
    outputs:
@ -29,6 +34,8 @@ jobs:
          filter: "functional"
          token: ${{ secrets.GITHUB_TOKEN }}
  test:
+    permissions:
+      contents: read
    name: "functional-test"
    runs-on: ubuntu-latest
    needs: changes
--- a/.github/workflows/test-hygiene.yml
+++ b/.github/workflows/test-hygiene.yml
@ -11,8 +11,12 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  test:
+    permissions:
+      contents: read
    name: "hygiene-test"
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@ -15,8 +15,13 @@ env:
  NODE_OPTIONS: "--max-old-space-size=4096"
  HF_TOKEN: ${{ vars.HF_TOKEN }}

+permissions: {}
+
 jobs:
  changes:
+    permissions:
+      contents: read
+      pull-requests: read
    name: "changes"
    runs-on: ubuntu-latest
    outputs:
@ -33,6 +38,8 @@ jobs:
          filter: "gradio"
          token: ${{ secrets.GITHUB_TOKEN }}
  test:
+    permissions:
+      contents: read
    name: "test-${{ matrix.os }}-${{ matrix.test-type == 'flaky' && 'flaky' || 'not-flaky'}}"
    needs: changes
    if: needs.changes.outputs.should_run == 'true'
--- a/.github/workflows/tests-js.yml
+++ b/.github/workflows/tests-js.yml
@ -16,8 +16,13 @@ concurrency:
  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
+    permissions:
+      contents: read
+      pull-requests: read
    name: "changes"
    runs-on: ubuntu-latest
    outputs:
@ -34,6 +39,8 @@ jobs:
          filter: "js"
          token: ${{ secrets.GITHUB_TOKEN }}
  test:
+    permissions:
+      contents: read
    name: js-test
    runs-on: ubuntu-22.04
    needs: changes
--- a/.github/workflows/trigger-changeset.yml
+++ b/.github/workflows/trigger-changeset.yml
@ -7,9 +7,10 @@ on:
  issue_comment:
    types: [edited]

+permissions: {}
+
 jobs:
  changeset:
-    permissions: write-all
    runs-on: ubuntu-22.04
    if: github.event.sender.login != 'gradio-pr-bot'
    steps:
--- a/.github/workflows/update-checks.yml
+++ b/.github/workflows/update-checks.yml
@ -10,6 +10,8 @@ concurrency:
  group: "${{ github.event.workflow_run.id}}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
    name: "changes"
@ -36,6 +38,10 @@ jobs:
        with:
          path: output.json
  update-status:
+    permissions:
+      actions: read
+      statuses: write
+      contents: read
    environment: commit_status
    runs-on: ubuntu-latest
    needs: changes
--- a/.github/workflows/website-build.yml
+++ b/.github/workflows/website-build.yml
@ -1,11 +1,10 @@
 name: "website-build"

 on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - 5.0-dev
+  workflow_run:
+    workflows: ["docs-deploy"]
+    types:
+      - completed

 env:
  CI: true
@ -13,7 +12,7 @@ env:
  NODE_OPTIONS: "--max-old-space-size=4096"

 concurrency:
-  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
+  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
  cancel-in-progress: true

 jobs:
@ -24,6 +23,8 @@ jobs:
      should_run: ${{ steps.changes.outputs.should_run }}
      sha: ${{ steps.changes.outputs.sha }}
      gradio_version: ${{ steps.changes.outputs.gradio_version }}
+      source_repo: ${{ steps.changes.outputs.source_repo }}
+      source_branch: ${{ steps.changes.outputs.source_branch }}
    steps:
      - uses: actions/checkout@v4
      - uses: "gradio-app/gradio/.github/actions/changes@main"
@ -31,6 +32,10 @@ jobs:
        with:
          filter: "website"
          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/upload-artifact@v4
+        with:
+          path: output.json
+          name: changes
  build:
    name: "website-build"
    runs-on: ubuntu-22.04
@ -38,6 +43,9 @@ jobs:
    if: needs.changes.outputs.should_run == 'true' || (github.ref_name == 'main' && github.repository == 'gradio-app/gradio')
    steps:
      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.changes.outputs.source_branch }}
+          repository: ${{ needs.changes.outputs.source_repo }}
      - name: install dependencies
        uses: "gradio-app/gradio/.github/actions/install-all-deps@main"
        with:
@ -54,14 +62,3 @@ jobs:
        with:
          name: website
          path: js/_website/.vercel
-
-      - name: upload website json artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: website-json
-          path: js/_website/src/lib/json
-      - name: upload website json templates
-        uses: actions/upload-artifact@v4
-        with:
-          name: website-templates
-          path: js/_website/src/lib/templates
--- a/.github/workflows/website-deploy.yml
+++ b/.github/workflows/website-deploy.yml
@ -10,8 +10,11 @@ concurrency:
  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  changes:
+    if: github.event.workflow_run.conclusion == 'success'
    name: "changes"
    runs-on: ubuntu-latest
    permissions:
@ -38,7 +41,7 @@ jobs:
  comment-deploy-start:
    needs: changes
    uses: "./.github/workflows/comment-queue.yml"
-    if: github.event.workflow_run.conclusion == 'success' && needs.changes.outputs.should_run == 'true'
+    if: needs.changes.outputs.should_run == 'true'
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
@ -49,7 +52,7 @@ jobs:
    name: "website-deploy"
    runs-on: ubuntu-latest
    needs: changes
-    if: github.event.workflow_run.conclusion == 'success' && (needs.changes.outputs.should_run == 'true' || github.event.workflow_run.event == 'push')
+    if: needs.changes.outputs.should_run == 'true' || github.event.workflow_run.event == 'push'
    permissions:
      actions: read
    outputs:
@ -58,18 +61,6 @@ jobs:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          name: website-json
-          path: js/_website/lib/json
-          run-id: ${{ github.event.workflow_run.id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/download-artifact@v4
-        with:
-          name: website-templates
-          path: js/_website/lib/templates
-          run-id: ${{ github.event.workflow_run.id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: download website artifacts
        uses: actions/download-artifact@v4
        with:
@ -80,17 +71,6 @@ jobs:
      - name: list files
        run: ls -R .

-      - name: deploy json to aws
-        if: startsWith(needs.changes.outputs.source_branch, 'changeset-release/') && needs.changes.outputs.source_repo == 'gradio-app/gradio'
-        run: |
-          export AWS_ACCESS_KEY_ID=${{ secrets.DOCS_JSON_AWS_S3_ACCESS_KEY }}
-          export AWS_SECRET_ACCESS_KEY=${{ secrets.DOCS_JSON_AWS_S3_SECRET_ACCESS_KEY }}
-          export AWS_DEFAULT_REGION=us-west-2
-          version=$(jq -r .version js/_website/lib/json/version.json)
-          aws s3 cp ./js/_website/lib/json/ s3://gradio-docs-json/$version/ --recursive
-          aws s3 cp ./js/_website/lib/templates/ s3://gradio-docs-json/$version/templates/ --recursive
-
-      # preview
      - name: Pull Vercel Environment Information
        shell: bash
        if: needs.changes.outputs.pr_number != 'false'
@ -116,7 +96,7 @@ jobs:
  comment-deploy-success:
    uses: "./.github/workflows/comment-queue.yml"
    needs: [deploy, changes]
-    if: github.event.workflow_run.conclusion == 'success' && needs.deploy.result == 'success' && needs.changes.outputs.pr_number != 'false'
+    if: needs.deploy.result == 'success' && needs.changes.outputs.pr_number != 'false'
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
@ -125,7 +105,7 @@ jobs:
  comment-deploy-failure:
    uses: "./.github/workflows/comment-queue.yml"
    needs: [deploy, changes]
-    if: always() && github.event.workflow_run.conclusion == 'success' && needs.deploy.result == 'failure' && needs.changes.outputs.pr_number != 'false'
+    if: always() &&  needs.deploy.result == 'failure' && needs.changes.outputs.pr_number != 'false'
    secrets:
      gh_token: ${{ secrets.COMMENT_TOKEN }}
    with:
--- a/.github/workflows/website-docs-build.yml
+++ b/.github/workflows/website-docs-build.yml
@ -0,0 +1,58 @@
+name: "docs-build"
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - 5.0-dev
+
+env:
+  CI: true
+  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
+  NODE_OPTIONS: "--max-old-space-size=4096"
+
+concurrency:
+  group: "${{ github.event.pull_request.number }}-${{ github.ref_name }}-${{ github.workflow }}"
+  cancel-in-progress: true
+
+jobs:
+  changes:
+    name: "changes"
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.changes.outputs.should_run }}
+      sha: ${{ steps.changes.outputs.sha }}
+      gradio_version: ${{ steps.changes.outputs.gradio_version }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: "gradio-app/gradio/.github/actions/changes@main"
+        id: changes
+        with:
+          filter: "website"
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  build:
+    name: "docs-build"
+    runs-on: ubuntu-22.04
+    needs: changes
+    if: needs.changes.outputs.should_run == 'true' || (github.ref_name == 'main' && github.repository == 'gradio-app/gradio')
+    steps:
+      - uses: actions/checkout@v4
+      - name: install dependencies
+        uses: "gradio-app/gradio/.github/actions/install-all-deps@main"
+        with:
+          skip_build: true
+      - name: generate docs
+        run: pip install boto3 && python js/_website/generate_jsons/generate.py
+
+      - name: upload website json artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: website-json
+          path: js/_website/src/lib/json
+      - name: upload website json templates
+        uses: actions/upload-artifact@v4
+        with:
+          name: website-templates
+          path: js/_website/src/lib/templates
--- a/.github/workflows/website-docs-deploy.yml
+++ b/.github/workflows/website-docs-deploy.yml
@ -0,0 +1,93 @@
+name: "docs-deploy"
+
+on:
+  workflow_run:
+    workflows: ["docs-build"]
+    types:
+      - completed
+
+concurrency:
+  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  changes:
+    if: github.event.workflow_run.conclusion == 'success'
+    name: "changes"
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+    outputs:
+      should_run: ${{ steps.json.outputs.should_run }}
+      sha: ${{ steps.json.outputs.sha }}
+      pr_number: ${{ steps.json.outputs.pr_number }}
+      source_branch: ${{ steps.json.outputs.source_branch }}
+      source_repo: ${{ steps.json.outputs.source_repo }}
+      labels: ${{ steps.json.outputs.labels }}
+      run_id: ${{ steps.json.outputs.run_id }}
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: changes
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+      - uses: gradio-app/github/actions/json-to-output@main
+        id: json
+        with:
+          path: output.json
+      - uses: actions/upload-artifact@v4
+        with:
+          path: output.json
+          name: changes
+  comment-deploy-start:
+    needs: changes
+    uses: "./.github/workflows/comment-queue.yml"
+    if: needs.changes.outputs.should_run == 'true'
+    secrets:
+      gh_token: ${{ secrets.COMMENT_TOKEN }}
+    with:
+      pr_number: ${{ needs.changes.outputs.pr_number }}
+      message: website~pending~null
+  deploy:
+    environment: deploy_website
+    name: "website-deploy"
+    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.should_run == 'true' || github.event.workflow_run.event == 'push'
+    permissions:
+      actions: read
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: website-json
+          path: js/_website/lib/json
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: website-templates
+          path: js/_website/lib/templates
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: deploy json to aws
+        if: startsWith(needs.changes.outputs.source_branch, 'changeset-release/') && needs.changes.outputs.source_repo == 'gradio-app/gradio'
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.DOCS_JSON_AWS_S3_ACCESS_KEY }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.DOCS_JSON_AWS_S3_SECRET_ACCESS_KEY }}
+          export AWS_DEFAULT_REGION=us-west-2
+          version=$(jq -r .version js/_website/lib/json/version.json)
+          aws s3 cp ./js/_website/lib/json/ s3://gradio-docs-json/$version/ --recursive
+          aws s3 cp ./js/_website/lib/templates/ s3://gradio-docs-json/$version/templates/ --recursive
+  comment-deploy-failure:
+    uses: "./.github/workflows/comment-queue.yml"
+    needs: [deploy, changes]
+    if: always() && needs.deploy.result == 'failure' && needs.changes.outputs.pr_number != 'false'
+    secrets:
+      gh_token: ${{ secrets.COMMENT_TOKEN }}
+    with:
+      pr_number: ${{ needs.changes.outputs.pr_number }}
+      message: website~failure~https://github.com/gradio-app/gradio/actions/runs/${{github.run_id}}/