Merge branch 'main' into catch-a-logging-exception

Author: misrasaurabh1

.github/workflows/codeflash-optimize.yaml

@@ -1,7 +1,7 @@
 name: CodeFlash
 
 on:
-  pull_request:
+  pull_request_target:
     paths:
       - "**"
   workflow_dispatch:
@@ -13,6 +13,7 @@ concurrency:
 jobs:
   optimize:
     name: Optimize new Python code
+    environment: external-trusted-contributors
     if: ${{ github.actor != 'codeflash-ai[bot]' }}
     runs-on: ubuntu-latest
     env:
@@ -26,6 +27,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: 🐍 Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -43,4 +59,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run codeflash
+          poetry run codeflash

.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-pytest-no-git:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5

.github/workflows/end-to-end-test-bubblesort-unittest.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-unittest:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py
+          poetry run python tests/scripts/end_to_end_test_bubblesort_unittest.py

.github/workflows/end-to-end-test-coverage.yaml

@@ -1,11 +1,12 @@
 name: Coverage E2E
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   end-to-end-test-coverage:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -19,6 +20,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -37,4 +53,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_coverage.py
+          poetry run python tests/scripts/end_to_end_test_coverage.py

.github/workflows/end-to-end-test-futurehouse.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   futurehouse-structure:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_futurehouse.py
+          poetry run python tests/scripts/end_to_end_test_futurehouse.py

.github/workflows/end-to-end-test-init-optim.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   init-optimization:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,21 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +54,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_init_optimization.py
+          poetry run python tests/scripts/end_to_end_test_init_optimization.py

.github/workflows/end-to-end-test-tracer-replay.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   tracer-replay:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,22 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fi
+
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +55,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_tracer_replay.py
+          poetry run python tests/scripts/end_to_end_test_tracer_replay.py

.github/workflows/end-to-end-topological-sort-test.yaml

@@ -1,11 +1,12 @@
 name: end-to-end-test
 
 on:
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
 
 jobs:
   topological-sort-optimization:
+    environment: external-trusted-contributors
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -21,6 +22,24 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Validate PR
+        run: |
+          # Checking for any workflow changes for security risks
+          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
+            echo "Workflow changes detected."
+
+            # Check if the PR author is allowed
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
+              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
+            else
+              echo "Authorized user ($AUTHOR). Proceeding."
+            fi
+          fiif git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "end-to-end-topological-sort-test.yaml"; then
+            echo "This workflow file has been modified. Exiting for security."
+            exit 1
+          fi
 
       - name: Set up Python 3.11 for CLI
         uses: astral-sh/setup-uv@v5
@@ -38,4 +57,4 @@ jobs:
         id: optimize_code
         run: |
           source .venv/bin/activate
-          poetry run python tests/scripts/end_to_end_test_topological_sort.py
+          poetry run python tests/scripts/end_to_end_test_topological_sort.py

.github/workflows/label-workflow-changes.yml

@@ -0,0 +1,55 @@
+name: PR Labeler
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+    types: [opened, synchronize, reopened]
+
+jobs:
+  label-workflow-changes:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Label PR with workflow changes
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const labelName = 'workflow-modified';
+
+            // Check if the label exists
+            try {
+              const labels = await github.rest.issues.listLabelsForRepo({
+                owner: context.repo.owner,
+                repo: context.repo.repo
+              });
+              
+              const labelExists = labels.data.some(label => label.name === labelName);
+              
+              if (!labelExists) {
+                // Create the label if it doesn't exist
+                await github.rest.issues.createLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name: labelName,
+                  color: 'f9d0c4',
+                  description: 'This PR modifies GitHub Actions workflows'
+                });
+                console.log(`Label "${labelName}" created`);
+              } else {
+                console.log(`Label "${labelName}" already exists`);
+              }
+            } catch (error) {
+              console.error(`Failed to check or create label: ${error.message}`);
+              throw error;
+            }
+
+            // Add the label to the PR
+            await github.rest.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: [labelName]
+            });
+            console.log(`Label "${labelName}" added to the PR.`);