Merge branch 'main' into main

Author: misrasaurabh1

.github/workflows/codeflash-optimize.yaml

@@ -1,7 +1,7 @@
 name: CodeFlash
 
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - "**"
   workflow_dispatch:
@@ -13,6 +13,7 @@ concurrency:
 jobs:
   optimize:
     name: Optimize new Python code
+    environment: external-trusted-contributors
     if: ${{ github.actor != 'codeflash-ai[bot]' }}
     runs-on: ubuntu-latest
     env:
@@ -26,6 +27,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: 🐍 Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -43,4 +59,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run codeflash
+          poetry run codeflash

.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-pytest-no-git:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5

.github/workflows/end-to-end-test-bubblesort-unittest.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-unittest:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py
+          poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py

.github/workflows/end-to-end-test-coverage.yaml

@@ -1,11 +1,12 @@
 name: Coverage E2E
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   end-to-end-test-coverage:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -19,6 +20,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -37,4 +53,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_coverage.py
+          poetry run python tests/scripts/end_to_end_test_coverage.py

.github/workflows/end-to-end-test-futurehouse.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   futurehouse-structure:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_futurehouse.py
+          poetry run python tests/scripts/end_to_end_test_futurehouse.py

.github/workflows/end-to-end-test-init-optim.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   init-optimization:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_init_optimization.py
+          poetry run python tests/scripts/end_to_end_test_init_optimization.py

.github/workflows/end-to-end-test-tracer-replay.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   tracer-replay:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,22 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
+
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +55,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_tracer_replay.py
+          poetry run python tests/scripts/end_to_end_test_tracer_replay.py

.github/workflows/end-to-end-topological-sort-test.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   topological-sort-optimization:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,24 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fiif git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "end-to-end-topological-sort-test.yaml"; then
+            echo "This workflow file has been modified. Exiting for security."
+            exit 1
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +57,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_topological_sort.py
+          poetry run python tests/scripts/end_to_end_test_topological_sort.py