Merge remote-tracking branch 'origin/main' into cf-600

Author: aseembits93

.github/workflows/codeflash-optimize.yaml

@@ -3,7 +3,8 @@ name: CodeFlash
 on:
   pull_request_target:
     paths:
-      - "**"
+      - '**'  # Trigger for all paths
+
   workflow_dispatch:
 
 concurrency:
@@ -13,7 +14,14 @@ concurrency:
 jobs:
   optimize:
     name: Optimize new Python code
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+      github.event_name == 'workflow_dispatch' ||
+      contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+      github.event.pull_request.user.login != 'misrasaurabh1' &&
+      github.event.pull_request.user.login != 'KRRT7'
+      ? 'external-trusted-contributors' : ''
+    }}
     if: ${{ github.actor != 'codeflash-ai[bot]' }}
     runs-on: ubuntu-latest
     env:
@@ -29,18 +37,25 @@ jobs:
           fetch-depth: 0
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [[ "${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR is open. Proceeding with appropriate protections."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: 🐍 Set up Python 3.11 for CLI

.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml

@@ -1,12 +1,23 @@
 name: end-to-end-test
 
 on:
+  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
+    paths:
+      - '**'  # Trigger for all paths
+
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-pytest-no-git:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -24,18 +35,25 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [[ "${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: Set up Python 3.11 for CLI

.github/workflows/end-to-end-test-bubblesort-unittest.yaml

@@ -1,12 +1,23 @@
 name: end-to-end-test
 
 on:
+  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
+    paths:
+      - '**'  # Trigger for all paths
+
   workflow_dispatch:
 
 jobs:
   bubble-sort-optimization-unittest:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -24,18 +35,25 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: Set up Python 3.11 for CLI

.github/workflows/end-to-end-test-coverage.yaml

@@ -1,12 +1,23 @@
 name: Coverage E2E
 
 on:
+  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
+    paths:
+      - '**'  # Trigger for all paths
+
   workflow_dispatch:
 
 jobs:
   end-to-end-test-coverage:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -22,18 +33,25 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: Set up Python 3.11 for CLI

.github/workflows/end-to-end-test-futurehouse.yaml

@@ -1,12 +1,23 @@
 name: end-to-end-test
 
 on:
+  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
+    paths:
+      - '**'  # Trigger for all paths
+
   workflow_dispatch:
 
 jobs:
   futurehouse-structure:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -24,18 +35,25 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: Set up Python 3.11 for CLI

.github/workflows/end-to-end-test-init-optim.yaml

@@ -1,12 +1,22 @@
 name: end-to-end-test
 
 on:
+  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
+    paths:
+      - '**'  # Trigger for all paths
   workflow_dispatch:
 
 jobs:
   init-optimization:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -24,18 +34,25 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Validate PR
         run: |
-          # Checking for any workflow changes for security risks
-          if git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep -q "^.github/workflows/"; then
-            echo "Workflow changes detected."
+          # Check for any workflow changes
+          if git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}" | grep -q "^.github/workflows/"; then
+            echo "⚠️ Workflow changes detected."
 
-            # Check if the PR author is allowed
+            # Get the PR author
             AUTHOR="${{ github.event.pull_request.user.login }}"
-            if [[ "$AUTHOR" != "misrasaurabh1" && "$AUTHOR" != "KRRT7" ]]; then
-              echo "Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
-              exit 1
+            echo "PR Author: $AUTHOR"
+
+            # Allowlist check
+            if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
+              echo "✅ Authorized user ($AUTHOR). Proceeding."
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
-              echo "Authorized user ($AUTHOR). Proceeding."
+              echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
+              exit 1
             fi
+          else
+            echo "✅ No workflow file changes detected. Proceeding."
           fi
 
       - name: Set up Python 3.11 for CLI