Merge pull request #423 from instructlab/mergify/bp/release-v0.7/pr-421

ci: Don't require secrets in medium e2e test (backport #421)

Author: danmcp

.github/workflows/e2e-nvidia-l4-x1.yml

@@ -149,8 +149,6 @@ jobs:
 
       - name: Run e2e test
         working-directory: ./instructlab
-        env:
-          HF_TOKEN: ${{ secrets.HF_TOKEN }}
         run: |
           . venv/bin/activate
           # set preserve to true so we can retain the logs

…hub/workflows/unittesting-ci-nvidia.yaml .github/workflows/unit-tests.yaml.github/workflows/unittesting-ci-nvidia.yaml renamed to .github/workflows/unit-tests.yaml .github/workflows/unittesting-ci-nvidia.yaml renamed to .github/workflows/unit-tests.yaml

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
-name: "Run 'fast' marked unit tests via Tox::pytest"
+name: "Run unit tests via Tox::pytest"
 # This tests should run only those tests that are marked as 'fast.'
 # The opposite are those that would require the mark 'slow,' which would
 # include longer-running integration and smoke tests.
@@ -10,12 +10,33 @@ name: "Run 'fast' marked unit tests via Tox::pytest"
 # to verify integration correctness.
 
 on:
-  pull_request:
-    types: [opened, reopened, synchronize]
+  # run against every merge commit to 'main' and release branches
   push:
     branches:
-      - "main"
-      - "release-**"
+      - main
+      - release-*
+  # only run on PRs that touch certain regex paths
+  pull_request_target:
+    branches:
+      - main
+      - release-*
+    paths:
+      # note this should match the merging criteria in 'mergify.yml'
+      - "**.py"
+      - "pyproject.toml"
+      - "requirements**.txt"
+      - ".github/workflows/unit-tests.yaml" # This workflow
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
 
 env:
   pytest_mark: "fast"
@@ -26,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       label: ${{ steps.start-ec2-runner.outputs.label }}
-      ec2-instance-id: ${{ steps.start-ec2-runner.outputs.label }}
+      ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id}}
 
     steps:
       - name: "Harden runner"
@@ -48,13 +69,13 @@ jobs:
           mode: start
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           ec2-image-id: ${{ vars.AWS_EC2_AMI }}
-          ec2-instance-type: ${{ vars.AWS_REGION }}
+          ec2-instance-type: ${{ env.ec2_runner_variant }}
           subnet-id: subnet-024298cefa3bedd61
           security-group-id: sg-06300447c4a5fbef3
           iam-role-name: instructlab-ci-runner
           aws-resource-tags: >
             [
-            {"Key": "Name", "Value": "instructlab-ci-github-large-runner"},
+            {"Key": "Name", "Value": "instructlab-ci-github-unittest-runner"},
             {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
             {"Key": "GitHubRef", "Value": "${{ github.ref }}"},
             {"Key": "GitHubPR", "Value": "${{ github.event.number }}"}
@@ -64,9 +85,10 @@ jobs:
     needs:
       - start-ec2-runner
     runs-on: ${{needs.start-ec2-runner.outputs.label}}
-    # This job MUST HAVE NO PERMISSIONS and no access to any secrets
-    # because it'll run incoming user code without discretion.
-    permissions: {} # this syntax disables permissions for all available options.
+    # It is important that this job has no write permissions and has
+    # no access to any secrets. This part is where we are running
+    # untrusted code from PRs.
+    permissions: {}
     steps:
       - name: "Harden runner"
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.1
@@ -83,13 +105,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: "Verify environment variables are setup correctly"
-        run: |
-          export CUDA_HOME="/usr/local/cuda"
-          export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64"
-          export PATH="$PATH:$CUDA_HOME/bin"
-          nvidia-smi
-
       # installs in $GITHUB_WORKSPACE/venv.
       # only has to install Tox because Tox will do the other virtual environment management.
       - name: "Setup Python virtual environment"
@@ -104,6 +119,7 @@ jobs:
 
       - name: "Run unit tests with Tox and Pytest"
         run: |
+          source venv/bin/activate
           tox -e py3-unit -- -m ${{env.pytest_mark}}
 
       - name: "Show disk utilization AFTER tests"
@@ -115,11 +131,13 @@ jobs:
       - start-ec2-runner
       - run-unit-tests
     runs-on: ubuntu-latest
+    if: ${{ always() }}
     steps:
       - name: "Harden runner"
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.1
         with:
           egress-policy: audit
+
       - name: "Configure AWS credentials"
         uses: "aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502" # v4.0.2
         with:
@@ -128,10 +146,9 @@ jobs:
           aws-region: ${{ vars.AWS_REGION }}
 
       - name: "Stop EC2 runner"
-        id: start-ec2-runner
         uses: machulav/ec2-github-runner@1827d6ca7544d7044ddbd2e9360564651b463da2 # v2.3.7
         with:
           mode: stop
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           label: ${{ needs.start-ec2-runner.outputs.label }}
-          ec2-instance-type: ${{ env.ec2_runner_variant }}
+          ec2-instance-id: ${{ needs.start-ec2-runner.outputs.ec2-instance-id }}