Skip to content

ci: Enable GH Actions testing for forked PRs #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vishal-bala wants to merge 6 commits into
base: main
Choose a base branch
from
Open

ci: Enable GH Actions testing for forked PRs #462

vishal-bala wants to merge 6 commits into from

Conversation

@vishal-bala
Copy link
Collaborator

@vishal-bala vishal-bala commented Jan 12, 2026
edited
Loading

Changes

  • Adds smoke test to ensure all modules are importable with only required dependencies
  • Updates workflows to use latest versions of actions
  • Updates testing workflow to only test on latest versions of Redis images
  • Tests notebooks only on redis-py==7.x
  • Adds process for supporting testing workflows on PRs from forked repos
    • Adds .github/workflows/test-fork-pr.yml - Manual workflow for testing fork PRs with secrets
    • Adds .github/actions/run-service-tests/action.yml - Reusable composite action for service tests
    • Updates .github/workflows/test.yml to use the composite action and skip service tests on fork PRs

Fork PR Testing

GitHub does not provide repository secrets to workflows triggered by pull_request events from forks, even when maintainers approve the workflow run. This prevents our service tests from running on fork PRs since they require API keys for OpenAI, Cohere, Mistral, Voyage, Azure OpenAI, AWS, Google Cloud, and HuggingFace.

This PR adds a new Test Fork PR workflow that maintainers can manually trigger after reviewing fork PR code. The workflow accepts a PR number as input, validates that it's from a fork, checks out the fork's code at the exact commit SHA, runs the full test suite with secrets, and posts results as a "Service Tests" check on the PR using the GitHub Checks API. This satisfies branch protection requirements while maintaining security through explicit maintainer review and SHA pinning to prevent race conditions.

The service test logic has been extracted into a composite action (.github/actions/run-service-tests/action.yml) to avoid duplication between the regular and fork PR workflows.

Security Considerations

Important: The fork PR workflow runs untrusted code from external contributors with full access to repository secrets. Maintainers must carefully review fork PR code before triggering the workflow to ensure:

  • No malicious code that could exfiltrate secrets (e.g., logging secrets, sending them to external endpoints)
  • No code that modifies workflow files or test infrastructure to expose secrets
  • No attempts to access or modify cloud resources using the provided credentials
  • Test code changes are legitimate and don't introduce backdoors

The workflow pins to the exact commit SHA at trigger time, preventing attackers from pushing malicious commits after approval. However, the initial review is critical since the workflow executes arbitrary Python code with access to production API keys and cloud credentials.

Maintainer Workflow for Fork PRs

When a PR is opened from an external fork, the regular test workflow runs but skips the service tests. To run the full test suite:

  1. Review the fork PR code for security issues
  2. Navigate to ActionsTest Fork PR workflow
  3. Click Run workflow, enter the PR number, and click Run workflow again
  4. Test results will appear as a "Service Tests" check on the PR

If the contributor pushes new commits, review the changes and re-trigger the workflow. Same-repository PRs continue to work as before with no manual intervention required.

@vishal-bala vishal-bala self-assigned this Jan 12, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 16, 2026
View reviewed changes
@vishal-bala
Copy link
Collaborator Author

vishal-bala commented Jan 16, 2026

@claude

@claude
Copy link
Contributor

claude bot commented Jan 16, 2026
edited
Loading

Claude finished @vishal-bala's task —— View job

Code Review: CI Workflow Optimizations

Todo List:

  • Read repository guidelines from CLAUDE.md
  • Analyze new smoke test file
  • Review workflow changes and updates
  • Check security concerns from GitHub Advanced Security
  • Provide comprehensive code review feedback

✅ Overall Assessment

This PR introduces sensible CI optimizations that reduce resource usage while maintaining comprehensive test coverage. The changes are well-structured and follow GitHub Actions best practices.

🎯 Key Improvements

1. Smart Import Testing
The new tests/test_imports.py is excellent - it validates that all modules can be imported with minimal dependencies, catching import issues early in the CI pipeline.

# tests/test_imports.py:47-50
def sanity_check_imports(package_name: str) -> int:
    # Clean implementation that walks all modules and reports failures clearly

2. Efficient Resource Usage

  • Testing only on latest Redis images (redis/redis-stack-server:latest, redis:latest) reduces CI time
  • Notebook testing restricted to redis-py==7.x with python==3.11 is a pragmatic optimization
  • Updated to latest action versions for better performance and security

3. Enhanced Fork PR Support
The new .github/workflows/test-fork-pr.yml provides a secure way to test fork PRs manually, properly handling:

  • ✅ Explicit permissions declaration
  • ✅ PR validation logic
  • ✅ Check run status updates

🔒 Security Review

ADDRESSED: The GitHub Advanced Security warning about missing permissions is correctly handled in the new fork PR workflow:

# .github/workflows/test-fork-pr.yml:11-14
permissions:
  contents: read
  checks: write
  pull-requests: read

RECOMMENDATION: Consider adding explicit permissions to other workflows for consistency:

# Missing from .github/workflows/test.yml
permissions:
  contents: read

🛠️ Technical Details

Workflow Structure:

  • ✅ Service tests run first with all API keys, only on main repo PRs
  • ✅ Matrix testing covers Python 3.9-3.13 with redis-py 5.x, 6.x, 7.x
  • ✅ Proper conditional execution prevents secret exposure in forks

Import Testing Integration:
The smoke test runs in the service-tests action before full dependency installation:

# .github/actions/run-service-tests/action.yml:47-50
- name: Test module imports
  shell: bash
  run: |
    uv run python -m tests.test_imports redisvl

📝 Minor Suggestions

  1. Action Version Consistency: All actions updated to latest versions - good practice
  2. Error Handling: The import test provides excellent error reporting with full tracebacks
  3. Documentation: Consider adding a comment in test.yml explaining why only latest Redis images are tested

✨ Code Quality

  • Style: Follows repository conventions and GitHub Actions best practices
  • Logic: Sound conditional execution and dependency management
  • Security: Proper secret handling and fork PR isolation
  • Testing: Comprehensive smoke testing before full test suite

Verdict:Approve - This is a well-implemented optimization that improves CI efficiency while maintaining test coverage and security.

@vishal-bala vishal-bala changed the title ci: Minor optimizations to GH Actions test workflow ci: Enable GH Actions testing for forked PRs Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@vishal-bala vishal-bala

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vishal-bala