
fix: re-subscribe and re-home workers on node re-register #489



Workflow file for this run

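# Security scanning workflow: workflow audit (zizmor), secrets scan (gitleaks),
# Python source audit (bandit) and dependency CVE scan (pip-audit).
name: security

# NOTE(review): paths-ignore applies to every job below, including gitleaks —
# a secret committed in a Markdown or docs/ file is not scanned on that
# push/PR and is only picked up by the next run that touches other paths.
on:
  pull_request:
    paths-ignore:
      - '**.md'
      - 'docs/**'
  push:
    branches: [main]
    paths-ignore:
      - '**.md'
      - 'docs/**'

# Read-only token for every job; nothing here writes back to the repo.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  zizmor:
    name: Zizmor (workflow audit)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run zizmor
        # Persona is ``auditor`` — the strictest level.
        run: uvx --from zizmor==1.26.1 zizmor --persona auditor --format github .github/workflows

  gitleaks:
    name: Gitleaks (secrets scan)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # gitleaks scans the full git history for secrets; needs the
          # repo's commit graph, not just the tip.
          fetch-depth: 0
          persist-credentials: false
      - name: Run gitleaks
        # Binary, not gitleaks-action — the action gates on a paid license for org repos.
        # bash is named explicitly so the step runs with `-o pipefail`: a curl
        # failure in the pipeline below then fails the step regardless of tar's
        # exit status. `-f` makes curl fail on HTTP errors instead of piping an
        # error page into tar.
        shell: bash
        # TODO(review): verify the tarball against its published sha256
        # (<sha256 from the gitleaks v8.30.1 release assets>) before extracting,
        # so a tampered release asset fails closed.
        run: |
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_linux_x64.tar.gz" \
            | tar xz -C /tmp gitleaks
          # --redact keeps the matched secret value itself out of the job log.
          /tmp/gitleaks detect --source . --no-banner --redact

  bandit:
    name: Bandit (Python source audit)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run bandit
        # Rule configuration comes from pyproject.toml; only src/ is audited.
        run: uvx bandit==1.9.4 -c pyproject.toml -r src/

  pip-audit:
    name: pip-audit (dependency CVE scan)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run pip-audit (server)
        # Drop ``@ git+`` deps before auditing — not on PyPI, no CVE feed.
        run: |
          grep -v '@ git+' src/server/requirements.txt > /tmp/requirements-server-audit.txt
          uvx pip-audit==2.10.1 --strict \
            -r /tmp/requirements-server-audit.txt
      - name: Run pip-audit (worker CPU)
        # Drop ``@ git+`` deps before auditing — not on PyPI, no CVE feed.
        # TODO(review): record next to each --ignore-vuln why the advisory does
        # not apply here and when it should be re-checked, so the ignore list
        # does not outlive its justification.
        run: |
          grep -v '@ git+' src/worker/requirements/requirements.txt > /tmp/requirements-worker-cpu-audit.txt
          uvx pip-audit==2.10.1 --strict \
            --ignore-vuln GHSA-rrmf-rvhw-rf47 \
            --ignore-vuln PYSEC-2026-87 \
            --ignore-vuln PYSEC-2026-597 \
            -r /tmp/requirements-worker-cpu-audit.txt
      - name: Run pip-audit (worker GPU delta)
        # No --strict: flashinfer-jit-cache and the vllm +cu129 wheel are
        # unauditable on PyPI.
        # TODO(review): as above, document the reason for each ignored advisory.
        run: |
          uvx pip-audit==2.10.1 \
            --ignore-vuln GHSA-rrmf-rvhw-rf47 \
            --ignore-vuln GHSA-w8v5-vhqr-4h9v \
            -r src/worker/requirements/requirements.gpu.txt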