Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion .github/actions/setup-python-env/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,9 @@ runs:
- name: Install extra packages
if: inputs.extra-packages != ''
shell: bash
run: pip install ${{ inputs.extra-packages }}
env:
EXTRA_PACKAGES: ${{ inputs.extra-packages }}
# Pass packages via env var to prevent shell-injection from the input value.
# Word-splitting on $EXTRA_PACKAGES is intentional (space-separated list).
# shellcheck disable=SC2086
run: pip install $EXTRA_PACKAGES
2 changes: 1 addition & 1 deletion .github/workflows/actionlint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
run: sudo apt-get update && sudo apt-get install -y shellcheck

- name: Run actionlint
uses: reviewdog/action-actionlint@v1
uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
with:
fail_level: failure
reporter: github-check
3 changes: 3 additions & 0 deletions .github/workflows/aria-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@ on:
- '.github/workflows/aria-tests.yml'
workflow_dispatch: # Manual trigger

permissions:
contents: read

concurrency:
group: aria-tests-${{ github.ref }}
cancel-in-progress: true
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/auto-validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:

permissions:
contents: read

concurrency: auto-validation

jobs:
Expand Down
15 changes: 11 additions & 4 deletions .github/workflows/azureml-train.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,12 +55,19 @@ jobs:
with:
inlineScript: |
az extension add -n ml -y
az account set --subscription "${{ github.event.inputs.subscriptionId }}"
az configure --defaults group="${{ github.event.inputs.resourceGroup }}" workspace="${{ github.event.inputs.workspaceName }}"
az account set --subscription "$SUBSCRIPTION_ID"
az configure --defaults group="$RESOURCE_GROUP" workspace="$WORKSPACE_NAME"
env:
SUBSCRIPTION_ID: ${{ github.event.inputs.subscriptionId }}
RESOURCE_GROUP: ${{ github.event.inputs.resourceGroup }}
WORKSPACE_NAME: ${{ github.event.inputs.workspaceName }}

- name: Submit Azure ML job
uses: azure/cli@v2
with:
inlineScript: |
echo "Submitting job from ${{ github.event.inputs.jobFile }} ..."
az ml job create -f "${{ github.event.inputs.jobFile }}" --set compute="${{ github.event.inputs.compute }}" --stream
echo "Submitting job from $JOB_FILE ..."
az ml job create -f "$JOB_FILE" --set compute="$COMPUTE_TARGET" --stream
env:
JOB_FILE: ${{ github.event.inputs.jobFile }}
COMPUTE_TARGET: ${{ github.event.inputs.compute }}
2 changes: 1 addition & 1 deletion .github/workflows/broken-links.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
uses: actions/checkout@v4

- name: Check links in docs and markdown
uses: lycheeverse/lychee-action@v2
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
with:
fail: true
args: >-
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ci-pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ on:
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTC

permissions:
contents: read

concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/code-quality.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
branches: [ main, dev ]
workflow_dispatch:

permissions:
contents: read

concurrency:
group: quality-${{ github.ref }}
cancel-in-progress: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/coverage-report.yml
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ jobs:
- name: Download main baseline
if: github.event_name == 'pull_request'
id: dl-base
uses: dawidd6/action-download-artifact@v6
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
with:
name: coverage-main-baseline
workflow: coverage-report.yml
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-automerge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/devcontainer-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
build-and-test:
runs-on: ubuntu-latest
Expand All @@ -14,6 +17,6 @@ jobs:
uses: actions/checkout@v4

- name: Build and test devcontainer
uses: devcontainers/ci@v0.2
uses: devcontainers/ci@b63b30de439b47a52267f241112c5b453b673db5 # v0.3
with:
runCmd: python -m pytest tests -q --maxfail=1
3 changes: 3 additions & 0 deletions .github/workflows/e2e-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ on:
pull_request:
branches: [ main ]

permissions:
contents: read

concurrency:
group: e2e-${{ github.ref }}
cancel-in-progress: true
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/llm-maker-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- 'ai-projects/llm-maker/**'
workflow_dispatch:

permissions:
contents: read

jobs:
test-llm-maker:
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/markdown-quality.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@v4

- name: Lint Markdown files
uses: DavidAnson/markdownlint-cli2-action@v20
uses: DavidAnson/markdownlint-cli2-action@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
with:
globs: |
**/*.md
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/nightly-regression.yml
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ jobs:

- name: Download previous baseline artifact
id: download-prev
uses: dawidd6/action-download-artifact@v6
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
workflow: nightly-regression.yml
Expand Down
17 changes: 9 additions & 8 deletions .github/workflows/pr-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,20 +63,21 @@ jobs:
fetch-depth: 0

- name: Check PR size
id: size
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
BASE_SHA=${{ github.event.pull_request.base.sha }}
HEAD_SHA=${{ github.event.pull_request.head.sha }}

ADDITIONS=$(git diff $BASE_SHA...$HEAD_SHA --numstat | awk '{sum+=$1} END {print sum}')
DELETIONS=$(git diff $BASE_SHA...$HEAD_SHA --numstat | awk '{sum+=$2} END {print sum}')
FILES_CHANGED=$(git diff $BASE_SHA...$HEAD_SHA --name-only | wc -l)
ADDITIONS=$(git diff "$BASE_SHA"..."$HEAD_SHA" --numstat | awk '{sum+=$1} END {print sum}')
DELETIONS=$(git diff "$BASE_SHA"..."$HEAD_SHA" --numstat | awk '{sum+=$2} END {print sum}')
FILES_CHANGED=$(git diff "$BASE_SHA"..."$HEAD_SHA" --name-only | wc -l)

echo "Files changed: $FILES_CHANGED"
echo "Lines added: $ADDITIONS"
echo "Lines deleted: $DELETIONS"

# Warn if PR is very large
if [ $FILES_CHANGED -gt 50 ] || [ $ADDITIONS -gt 1000 ]; then
if [ "$FILES_CHANGED" -gt 50 ] || [ "$ADDITIONS" -gt 1000 ]; then
echo "⚠️ Warning: This is a large PR. Consider breaking it into smaller PRs for easier review."
echo "pr_size=large" >> $GITHUB_OUTPUT
else
Expand All @@ -95,7 +96,7 @@ jobs:
uses: actions/checkout@v4

- name: Label PR based on files changed
uses: actions/labeler@v5
uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/labeler.yml
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pr-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ on:
required: false
default: '10'

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/quantum-ai-smoke.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
- '.github/workflows/quantum-ai-smoke.yml'
workflow_dispatch:

permissions:
contents: read

jobs:
smoke-quantum-ai:
name: Smoke Quantum Code LLM
Expand Down
14 changes: 8 additions & 6 deletions .github/workflows/quantum-orchestration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,26 +15,28 @@ on:
branches: [ main ]
workflow_dispatch:
inputs:
AZURE_CREDENTIALS:
description: "Service principal JSON for azure/login (optional; recommended via GitHub Secret)"
required: false
type: string
LOGIC_APP_URL:
description: "Logic App URL for optional notifications"
required: false
type: string

# Credentials must come exclusively from the AZURE_CREDENTIALS repository secret.
# Never pass service principal JSON as a workflow_dispatch input — it would be
# visible in the GitHub Actions UI and potentially captured in runner logs.
permissions:
contents: read

jobs:
run-quantum:
runs-on: windows-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- name: Azure Login
if: ${{ inputs.AZURE_CREDENTIALS != '' }}
if: ${{ secrets.AZURE_CREDENTIALS != '' }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Move secret guard out of step if

This condition uses secrets.AZURE_CREDENTIALS directly in if, which GitHub Actions does not support for conditionals (the docs require mapping the secret to an env var first and checking that env var). As written, the Azure Login step can be skipped even when the secret exists, so the subsequent orchestration script runs unauthenticated and fails against Azure resources.

Useful? React with 👍 / 👎.

uses: azure/login@v2
with:
creds: ${{ inputs.AZURE_CREDENTIALS }}
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Run Orchestration
Comment on lines 35 to 40

Copilot AI Apr 30, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Azure Login step is now conditional on secrets.AZURE_CREDENTIALS being non-empty, but the orchestration step always runs afterward. If the secret is missing/misconfigured, the workflow will skip login and likely fail later inside the PowerShell scripts with less actionable errors. Consider removing the if: so the login step fails fast when creds are required, or add an explicit guard step that checks the secret and exits with a clear message before running orchestration.

Copilot uses AI. Check for mistakes.
shell: pwsh
run: |
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ jobs:
cat CHANGELOG.md

- name: Create GitHub Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
with:
tag_name: ${{ steps.version.outputs.version }}
name: Release ${{ steps.version.outputs.version }}
Expand All @@ -85,7 +85,7 @@ jobs:
git archive --format=zip --prefix=aria-${{ steps.version.outputs.version_number }}/ HEAD > release-artifacts/aria-${{ steps.version.outputs.version_number }}.zip

- name: Upload release artifacts
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
with:
tag_name: ${{ steps.version.outputs.version }}
files: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Mark stale issues and PRs
uses: actions/stale@v9
uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
Loading