pytorch / test-infra

This repository hosts code that supports the testing infrastructure for the main PyTorch repo. For example, this repo hosts the logic to track disabled tests and slow tests, as well as our continuous integration jobs HUD/dashboard.
https://hud.pytorch.org/

Nova jobs couldn't get secrets from the caller's environment #5550

Open huydhn opened 1 month ago

huydhn commented 1 month ago

GitHub secrets can be accessible from an environment (best practice) or be available repo-wide. The latter is not secure with self-hosted runners as we have learnt in the past. However, AFAICT, trying to pass secrets from the caller's environment to Nova jobs is not possible atm as there is no way to set the environment variable with Nova.

Here is what I try to do (and fail):

jobs:
  test-passing-secrets-not-working:
    uses: ./.github/workflows/linux_job.yml
    environment: test-passing-secrets  # <--- invalid GH syntax
    secrets: inherit
    with:
      runner: linux.2xlarge
      script: |
        # Try to access SECRET_FOOBAR here

This limits the usefulness of Nova jobs, for example it cannot be used to access HuggingFace, upload to pypi or conda where secret tokens are needed.

This is more like an issue with the way GitHub handles reusable workflows where it currently doesn't allow environment to be set. However, maybe there is a workaround that folks know.

cc @seemethere @ZainRizvi

Ref

https://docs.github.com/en/actions/sharing-automations/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow

clee2000 commented 3 weeks ago

Notes: this isn't specific to NOVA, it's all reusable actions. We should bring this up to GH during the next meeting
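
Added example, not part of the thread and not the test-infra project's own code: GitHub's reusable-workflow documentation (linked above) notes that `environment` is not accepted on the calling job, but a job inside the called workflow may declare it, and the environment's secrets are then resolved there. The file name `reusable_env_job.yml` and the `environment` input are hypothetical; `SECRET_FOOBAR`, `test-passing-secrets` and `linux.2xlarge` are taken from the issue.

```yaml
# --- .github/workflows/reusable_env_job.yml (hypothetical reusable workflow) ---
name: reusable-env-job
on:
  workflow_call:
    inputs:
      environment:
        description: Name of the GitHub environment that holds the secret
        required: true
        type: string
      runner:
        required: true
        type: string

jobs:
  run:
    runs-on: ${{ inputs.runner }}
    # `environment` is valid here because this is a regular job inside the
    # called workflow. The environment's protection rules gate this job, and
    # its secrets are resolved here rather than passed down by the caller.
    environment: ${{ inputs.environment }}
    steps:
      - name: Use the environment secret
        env:
          SECRET_FOOBAR: ${{ secrets.SECRET_FOOBAR }}
        run: |
          # Check presence only; never echo the secret value.
          test -n "$SECRET_FOOBAR"

# --- caller workflow (separate file), using only keywords allowed with `uses` ---
# jobs:
#   test-passing-secrets:
#     uses: ./.github/workflows/reusable_env_job.yml
#     with:
#       environment: test-passing-secrets
#       runner: linux.2xlarge
```

With this layout the secret stays scoped to the environment instead of being stored repo-wide, so any required reviewers or branch restrictions configured on `test-passing-secrets` still apply to the job that reads it.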