fix: re-subscribe and re-home workers on node re-register #489
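name: security

on:
  pull_request:
    paths-ignore:
      - '**.md'
      - 'docs/**'
  push:
    branches: [main]
    paths-ignore:
      - '**.md'
      - 'docs/**'

# Least privilege: every job only reads the repo. No job writes checks,
# PR comments or security-events, so nothing more is granted.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel superseded runs on pull requests only. On main, let every push
  # finish so each commit keeps its own scan result — a cancelled scan
  # reports nothing for that commit.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  zizmor:
    name: Zizmor (workflow audit)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Don't leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run zizmor
        # Persona ``auditor`` — the strictest level.
        run: uvx --from zizmor==1.26.1 zizmor --persona auditor --format github .github/workflows

  gitleaks:
    name: Gitleaks (secrets scan)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # gitleaks scans the full git history for secrets; needs the
          # repo's commit graph, not just the tip.
          fetch-depth: 0
          persist-credentials: false
      - name: Run gitleaks
        # Binary, not gitleaks-action — the action gates on a paid license for org repos.
        #
        # The tarball is checked against the release's checksums file before
        # it is unpacked. That file is served from the same origin as the
        # tarball, so this catches a corrupted or swapped download, not a
        # compromised release; pinning the archive's sha256 directly in this
        # workflow would be the stronger check.
        env:
          GITLEAKS_VERSION: "8.30.1"
        run: |
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          sums="gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          cd /tmp
          # -f: fail on HTTP errors instead of saving an error page as the archive.
          curl -fsSLO "${base}/${archive}"
          curl -fsSLO "${base}/${sums}"
          # --ignore-missing: only the archive is present locally; sha256sum
          # still exits non-zero if the archive is not listed or its hash differs.
          sha256sum --check --ignore-missing "${sums}"
          tar xzf "${archive}" gitleaks
          cd "${GITHUB_WORKSPACE}"
          # --redact keeps matched secret values out of the job log, which is
          # readable by anyone who can see the run.
          /tmp/gitleaks detect --source . --no-banner --redact

  bandit:
    name: Bandit (Python source audit)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run bandit
        # Config (skips, excludes) lives under [tool.bandit] in pyproject.toml.
        run: uvx bandit==1.9.4 -c pyproject.toml -r src/

  pip-audit:
    name: pip-audit (dependency CVE scan)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.11.26"
      - name: Run pip-audit (server)
        # Drop ``@ git+`` deps before auditing — not on PyPI, no CVE feed.
        # Note this means those pins get no advisory coverage at all here.
        run: |
          grep -v '@ git+' src/server/requirements.txt > /tmp/requirements-server-audit.txt
          uvx pip-audit==2.10.1 --strict \
            -r /tmp/requirements-server-audit.txt
      - name: Run pip-audit (worker CPU)
        # Drop ``@ git+`` deps before auditing — not on PyPI, no CVE feed.
        # Each --ignore-vuln below silences an advisory for every package in
        # this file, not just the one it was added for. The reason for each
        # ignore is not recorded here — TODO(review): note why each is
        # accepted and re-check them on the next dependency bump.
        run: |
          grep -v '@ git+' src/worker/requirements/requirements.txt > /tmp/requirements-worker-cpu-audit.txt
          uvx pip-audit==2.10.1 --strict \
            --ignore-vuln GHSA-rrmf-rvhw-rf47 \
            --ignore-vuln PYSEC-2026-87 \
            --ignore-vuln PYSEC-2026-597 \
            -r /tmp/requirements-worker-cpu-audit.txt
      - name: Run pip-audit (worker GPU delta)
        # No --strict: flashinfer-jit-cache and the vllm +cu129 wheel are
        # unauditable on PyPI. Without --strict, pip-audit skips packages it
        # cannot resolve instead of failing, so this step can pass with part of
        # the GPU dependency set unaudited. The ignores carry no recorded
        # reason — TODO(review): document and re-check them on the next bump.
        run: |
          uvx pip-audit==2.10.1 \
            --ignore-vuln GHSA-rrmf-rvhw-rf47 \
            --ignore-vuln GHSA-w8v5-vhqr-4h9v \
            -r src/worker/requirements/requirements.gpu.txt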