ci: Enable GH Actions testing for forked PRs (#462)

# Changes

- Adds smoke test to ensure all modules are importable with only
required dependencies
- Updates workflows to use latest versions of actions
- Updates testing workflow to only test on latest versions of Redis
images
- Tests notebooks only on `redis-py==7.x`
- Adds process for supporting testing workflows on PRs from forked repos
- Adds `.github/workflows/test-fork-pr.yml` - Manual workflow for
testing fork PRs with secrets
- Adds `.github/actions/run-service-tests/action.yml` - Reusable
composite action for service tests
- Updates `.github/workflows/test.yml` to use the composite action and
skip service tests on fork PRs

# Fork PR Testing

GitHub does not provide repository secrets to workflows triggered by
`pull_request` events from forks, even when maintainers approve the
workflow run. This prevents our service tests from running on fork PRs
since they require API keys for OpenAI, Cohere, Mistral, Voyage, Azure
OpenAI, AWS, Google Cloud, and HuggingFace.

This PR adds a new `Test Fork PR` workflow that maintainers can manually
trigger after reviewing fork PR code. The workflow accepts a PR number
as input, validates that it's from a fork, checks out the fork's code at
the exact commit SHA, runs the full test suite with secrets, and posts
results as a "Service Tests" check on the PR using the GitHub Checks
API. This satisfies branch protection requirements while maintaining
security through explicit maintainer review and SHA pinning to prevent
race conditions.

The service test logic has been extracted into a composite action
(`.github/actions/run-service-tests/action.yml`) to avoid duplication
between the regular and fork PR workflows.

### Security Considerations

**Important**: The fork PR workflow runs untrusted code from external
contributors with full access to repository secrets. Maintainers must
carefully review fork PR code before triggering the workflow to ensure:

- No malicious code that could exfiltrate secrets (e.g., logging
secrets, sending them to external endpoints)
- No code that modifies workflow files or test infrastructure to expose
secrets
- No attempts to access or modify cloud resources using the provided
credentials
- Test code changes are legitimate and don't introduce backdoors

The workflow pins to the exact commit SHA at trigger time, preventing
attackers from pushing malicious commits after approval. However, the
initial review is critical since the workflow executes arbitrary Python
code with access to production API keys and cloud credentials.

### Maintainer Workflow for Fork PRs

When a PR is opened from an external fork, the regular test workflow
runs but skips the service tests. To run the full test suite:

1. Review the fork PR code for security issues
2. Navigate to **Actions** → **Test Fork PR** workflow
3. Click **Run workflow**, enter the PR number, and click **Run
workflow** again
4. Test results will appear as a "Service Tests" check on the PR

If the contributor pushes new commits, review the changes and re-trigger
the workflow. Same-repository PRs continue to work as before with no
manual intervention required.

Author: vishal-bala

.github/actions/run-service-tests/action.yml

@@ -0,0 +1,65 @@
+name: 'Run Service Tests'
+description: 'Run the full RedisVL service test suite with all API integrations'
+
+inputs:
+  python-version:
+    description: 'Python version to use'
+    required: true
+  uv-version:
+    description: 'uv version to use'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Cache HuggingFace Models
+      uses: actions/cache@v5
+      with:
+        path: hf_cache
+        key: ${{ runner.os }}-hf-cache
+
+    - name: Set HuggingFace token
+      shell: bash
+      run: |
+        mkdir -p ~/.huggingface
+        echo '{"token":"$HF_TOKEN"}' > ~/.huggingface/token
+
+    - name: Install Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v6
+      with:
+        version: ${{ inputs.uv-version }}
+        enable-cache: true
+        python-version: ${{ inputs.python-version }}
+        cache-dependency-glob: |
+          pyproject.toml
+          uv.lock
+
+    - name: Install required dependencies
+      shell: bash
+      run: |
+        uv sync
+
+    - name: Test module imports
+      shell: bash
+      run: |
+        uv run python -m tests.test_imports redisvl
+
+    - name: Install all dependencies
+      shell: bash
+      run: |
+        uv sync --all-extras
+
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v1
+      with:
+        credentials_json: ${{ env.GOOGLE_CREDENTIALS }}
+
+    - name: Run full test suite
+      shell: bash
+      run: |
+        make test-all

.github/workflows/claude.yml

@@ -25,7 +25,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 

.github/workflows/lint.yml

@@ -31,10 +31,10 @@ jobs:
 
     steps:
     - name: Check out repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Install Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: ${{ matrix.python-version }}
 

.github/workflows/release.yml

@@ -14,10 +14,10 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -50,10 +50,10 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 

.github/workflows/test-fork-pr.yml

@@ -0,0 +1,136 @@
+name: Test Fork PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Pull Request number to test'
+        required: true
+        type: number
+
+permissions:
+  contents: read
+  checks: write
+  pull-requests: read
+
+env:
+  PYTHON_VERSION: "3.11"
+  UV_VERSION: "0.7.13"
+
+jobs:
+  setup:
+    name: Validate PR
+    runs-on: ubuntu-latest
+    outputs:
+      head_sha: ${{ steps.pr-info.outputs.head_sha }}
+      head_repo: ${{ steps.pr-info.outputs.head_repo }}
+    steps:
+      - name: Get PR information
+        id: pr-info
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: ${{ inputs.pr_number }}
+            });
+
+            if (pr.data.state !== 'open') {
+              core.setFailed(`PR #${{ inputs.pr_number }} is not open`);
+              return;
+            }
+
+            if (pr.data.head.repo.full_name === `${context.repo.owner}/${context.repo.repo}`) {
+              core.setFailed(`PR #${{ inputs.pr_number }} is not from a fork. Use the regular workflow.`);
+              return;
+            }
+
+            core.setOutput('head_sha', pr.data.head.sha);
+            core.setOutput('head_repo', pr.data.head.repo.full_name);
+
+            console.log(`Testing PR #${{ inputs.pr_number }}`);
+            console.log(`  Head SHA: ${pr.data.head.sha}`);
+            console.log(`  Head Repo: ${pr.data.head.repo.full_name}`);
+
+  service-tests:
+    name: Service Tests
+    runs-on: ubuntu-latest
+    needs: setup
+    steps:
+      - name: Create check run
+        id: check
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const check = await github.rest.checks.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: 'Service Tests',
+              head_sha: '${{ needs.setup.outputs.head_sha }}',
+              status: 'in_progress',
+              started_at: new Date().toISOString()
+            });
+            core.setOutput('check_id', check.data.id);
+
+      - name: Check out fork PR code
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ needs.setup.outputs.head_repo }}
+          ref: ${{ needs.setup.outputs.head_sha }}
+
+      - name: Run service tests
+        uses: ./.github/actions/run-service-tests
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          uv-version: ${{ env.UV_VERSION }}
+        env:
+          HF_HOME: ${{ github.workspace }}/hf_cache
+          HF_TOKEN: ${{ secrets.HF_TOKEN }}
+          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          GCP_LOCATION: ${{ secrets.GCP_LOCATION }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          COHERE_API_KEY: ${{ secrets.COHERE_API_KEY }}
+          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
+          VOYAGE_API_KEY: ${{ secrets.VOYAGE_API_KEY }}
+          AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
+          AZURE_OPENAI_ENDPOINT: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
+          AZURE_OPENAI_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_DEPLOYMENT_NAME }}
+          OPENAI_API_VERSION: ${{ secrets.OPENAI_API_VERSION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          LANGCACHE_WITH_ATTRIBUTES_API_KEY: ${{ secrets.LANGCACHE_WITH_ATTRIBUTES_API_KEY }}
+          LANGCACHE_WITH_ATTRIBUTES_CACHE_ID: ${{ secrets.LANGCACHE_WITH_ATTRIBUTES_CACHE_ID }}
+          LANGCACHE_WITH_ATTRIBUTES_URL: ${{ secrets.LANGCACHE_WITH_ATTRIBUTES_URL }}
+          LANGCACHE_NO_ATTRIBUTES_API_KEY: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_API_KEY }}
+          LANGCACHE_NO_ATTRIBUTES_CACHE_ID: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_CACHE_ID }}
+          LANGCACHE_NO_ATTRIBUTES_URL: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_URL }}
+
+      - name: Update check run (success)
+        if: success()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.checks.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              check_run_id: ${{ steps.check.outputs.check_id }},
+              status: 'completed',
+              conclusion: 'success',
+              completed_at: new Date().toISOString()
+            });
+
+      - name: Update check run (failure)
+        if: failure()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.checks.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              check_run_id: ${{ steps.check.outputs.check_id }},
+              status: 'completed',
+              conclusion: 'failure',
+              completed_at: new Date().toISOString()
+            });

.github/workflows/test.yml

@@ -20,50 +20,20 @@ jobs:
   service-tests:
     name: Service Tests
     runs-on: ubuntu-latest
-    env:
-      HF_HOME: ${{ github.workspace }}/hf_cache
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
-
-      - name: Cache HuggingFace Models
-        uses: actions/cache@v4
-        with:
-          path: hf_cache
-          key: ${{ runner.os }}-hf-cache
-
-      - name: Set HuggingFace token
-        run: |
-          mkdir -p ~/.huggingface
-          echo '{"token":"${{ secrets.HF_TOKEN }}"}' > ~/.huggingface/token
+        uses: actions/checkout@v6
 
-      - name: Install Python
-        uses: actions/setup-python@v5
+      - name: Run service tests
+        uses: ./.github/actions/run-service-tests
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          version: ${{ env.UV_VERSION }}
-          enable-cache: true
-          python-version: ${{ env.PYTHON_VERSION }}   # sets UV_PYTHON
-          cache-dependency-glob: |
-            pyproject.toml
-            uv.lock
-
-      - name: Install dependencies
-        run: |
-          uv sync --all-extras
-
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v1
-        with:
-          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
-
-      - name: Run full test suite and prime the HF cache
+          uv-version: ${{ env.UV_VERSION }}
         env:
+          HF_HOME: ${{ github.workspace }}/hf_cache
           HF_TOKEN: ${{ secrets.HF_TOKEN }}
+          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           GCP_LOCATION: ${{ secrets.GCP_LOCATION }}
           GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
@@ -82,25 +52,22 @@ jobs:
           LANGCACHE_NO_ATTRIBUTES_API_KEY: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_API_KEY }}
           LANGCACHE_NO_ATTRIBUTES_CACHE_ID: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_CACHE_ID }}
           LANGCACHE_NO_ATTRIBUTES_URL: ${{ secrets.LANGCACHE_NO_ATTRIBUTES_URL }}
-        run: |
-          make test-all
 
   test:
-    name: Python ${{ matrix.python-version }} - redis-py ${{ matrix.redis-py-version }} [redis ${{ matrix.redis-version }}]
+    name: Python ${{ matrix.python-version }} - redis-py ${{ matrix.redis-py-version }} [${{ matrix.redis-image }}]
     runs-on: ubuntu-latest
     needs: service-tests
     env:
       HF_HOME: ${{ github.workspace }}/hf_cache
     strategy:
       fail-fast: false
       matrix:
-        # 3.11 tests are run in the service-tests job
-        python-version: ["3.9", "3.10", "3.12", "3.13"] 
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         redis-py-version: ["5.x", "6.x", "7.x"]
-        redis-version: ["6.2.6-v9", "latest", "8.4.0"]
+        redis-image: ["redis/redis-stack-server:latest", "redis:latest"]
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Cache HuggingFace Models
         uses: actions/cache@v4
@@ -138,16 +105,7 @@ jobs:
 
       - name: Set Redis image name
         run: |
-          if [[ "${{ matrix.redis-version }}" == "8.4.0" ]]; then
-            echo "REDIS_IMAGE=redis:${{ matrix.redis-version }}" >> $GITHUB_ENV
-          else
-            echo "REDIS_IMAGE=redis/redis-stack-server:${{ matrix.redis-version }}" >> $GITHUB_ENV
-          fi
-
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v1
-        with:
-          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
+          echo "REDIS_IMAGE=${{ matrix.redis-image }}" >> $GITHUB_ENV
 
       - name: Run tests
         env:
@@ -156,8 +114,24 @@ jobs:
         run: |
           make test
 
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        if: (
+            matrix.redis-py-version == '7.x' &&
+            matrix.redis-image == 'redis/redis-stack-server:latest' &&
+            matrix.python-version == '3.11' &&
+            (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+          )
+        with:
+          credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
+
       - name: Run notebooks
-        if: matrix.redis-py-version == '6.x' && matrix.redis-version == 'latest'
+        if: (
+            matrix.redis-py-version == '7.x' &&
+            matrix.redis-image == 'redis/redis-stack-server:latest' &&
+            matrix.python-version == '3.11' &&
+            (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+          )
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           GCP_LOCATION: ${{ secrets.GCP_LOCATION }}
@@ -180,7 +154,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Install Python
         uses: actions/setup-python@v5