From fd198a4a28847cb082bdf3eb9daa8abad2c6ae3b Mon Sep 17 00:00:00 2001 From: "Arman C. Kizilkale" Date: Tue, 5 May 2026 18:02:21 -0400 Subject: [PATCH 1/3] Add explicit GITHUB_TOKEN permissions to workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes the five `actions/missing-workflow-permissions` CodeQL alerts. - publish.yml: workflow-level `contents: read`; the `publish-github-release` job overrides with `contents: write` (needed by softprops/action-gh-release to create the GitHub Release). PyPI upload uses TWINE_USERNAME/PASSWORD, not GITHUB_TOKEN, so no extra scope needed there. - run_tests.yml: `contents: read` + `pull-requests: write` (for marocchino/sticky-pull-request-comment posting coverage results). - run_tests_staging.yml / run_tests_prod.yml: `contents: read` only — these are scheduled callers that delegate to run_tests.yml, and the PR-comment step has `if: github.event_name == 'pull_request'` so it never fires on cron runs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish.yml | 5 +++++ .github/workflows/run_tests.yml | 4 ++++ .github/workflows/run_tests_prod.yml | 3 +++ .github/workflows/run_tests_staging.yml | 3 +++ 4 files changed, 15 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3f81a785..db25c54b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,6 +8,9 @@ on: tags: - '[0-9]+.[0-9]+.[0-9a-zA-Z]+' # Matches 1.2.3, 1.2.3alpha1 etc. +permissions: + contents: read + jobs: publish-pypi: runs-on: ubuntu-latest @@ -32,6 +35,8 @@ jobs: needs: publish-pypi name: Create Release runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v4 - name: Create Release diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml index f2bc0370..a8a48ebf 100644 --- a/.github/workflows/run_tests.yml +++ b/.github/workflows/run_tests.yml @@ -22,6 +22,10 @@ on: required: true type: string +permissions: + contents: read + pull-requests: write # for sticky-pull-request-comment posting coverage results + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/run_tests_prod.yml b/.github/workflows/run_tests_prod.yml index 81d8192f..689a5210 100644 --- a/.github/workflows/run_tests_prod.yml +++ b/.github/workflows/run_tests_prod.yml @@ -5,6 +5,9 @@ on: schedule: - cron: '0 6,18 * * *' +permissions: + contents: read + jobs: sdk-python-tests-prod: uses: Clarifai/clarifai-python/.github/workflows/run_tests.yml@master diff --git a/.github/workflows/run_tests_staging.yml b/.github/workflows/run_tests_staging.yml index 5587cdc0..db9da94e 100644 --- a/.github/workflows/run_tests_staging.yml +++ b/.github/workflows/run_tests_staging.yml @@ -5,6 +5,9 @@ on: schedule: - cron: '0 6,18 * * *' +permissions: + contents: read + jobs: sdk-python-tests-staging: uses: Clarifai/clarifai-python/.github/workflows/run_tests.yml@master From 8f5714d9b377ab55dde29142c5ce5bd57fa3be93 Mon Sep 17 00:00:00 2001 From: "Arman C. Kizilkale" Date: Tue, 5 May 2026 18:02:44 -0400 Subject: [PATCH 2/3] Bump torch to 2.8.0 in test runner fixtures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes Dependabot alerts #35, #37, #45, #46: - CVE-2025-2953 (low) "PyTorch susceptible to local Denial of Service" — patched in 2.7.1-rc1 - CVE-2025-3730 (medium) "PyTorch Improper Resource Shutdown or Release" — patched in 2.8.0 These are dummy fixtures used by the SDK's runner-protocol tests, not production SDK code. Bumping to 2.8.0 covers both CVEs. Co-Authored-By: Claude Opus 4.7 (1M context) --- tests/runners/dummy_vllm_models/requirements.txt | 2 +- tests/runners/hf_mbart_model/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/runners/dummy_vllm_models/requirements.txt b/tests/runners/dummy_vllm_models/requirements.txt index 7d543f6a..f83e0f2e 100644 --- a/tests/runners/dummy_vllm_models/requirements.txt +++ b/tests/runners/dummy_vllm_models/requirements.txt @@ -4,6 +4,6 @@ optimum==1.23.3 openai clarifai>=11.5.2 psutil -torch==2.6.0 +torch==2.8.0 vllm>=0.8.0 transformers>=4.50.1 diff --git a/tests/runners/hf_mbart_model/requirements.txt b/tests/runners/hf_mbart_model/requirements.txt index 51efb6d4..58782dec 100644 --- a/tests/runners/hf_mbart_model/requirements.txt +++ b/tests/runners/hf_mbart_model/requirements.txt @@ -5,5 +5,5 @@ requests sentencepiece>=0.2.0 tiktoken>=0.9.0 tokenizers>=0.21.1 -torch==2.6.0 +torch==2.8.0 transformers>=4.51.3 From 3e11ae625e2474da6bedd98acaff924395d429be Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 6 May 2026 10:58:45 +0000 Subject: [PATCH 3/3] Refactor run_tests.yml: move pull-requests:write to dedicated PR-only coverage-comment job Agent-Logs-Url: https://github.com/Clarifai/clarifai-python/sessions/5d065865-0235-4e06-add6-90ef405f2466 Co-authored-by: sanjaychelliah <65780631+sanjaychelliah@users.noreply.github.com> --- .github/workflows/run_tests.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml index a8a48ebf..a009491a 100644 --- a/.github/workflows/run_tests.yml +++ b/.github/workflows/run_tests.yml @@ -24,7 +24,6 @@ on: permissions: contents: read - pull-requests: write # for sticky-pull-request-comment posting coverage results jobs: build: @@ -116,9 +115,26 @@ jobs: indicators: true output: both thresholds: '50 80' + - name: Upload coverage report artifact + uses: actions/upload-artifact@v4 + if: runner.os == 'Linux' && matrix.python-version == '3.11' + with: + name: coverage-report + path: code-coverage-results.md + + coverage-comment: + needs: build + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + permissions: + pull-requests: write # for sticky-pull-request-comment posting coverage results + steps: + - name: Download coverage report + uses: actions/download-artifact@v4 + with: + name: coverage-report - name: Add Coverage PR Comment uses: marocchino/sticky-pull-request-comment@v2 - if: github.event_name == 'pull_request' && runner.os == 'Linux' && matrix.python-version == '3.11' with: - recreate: true - path: code-coverage-results.md + recreate: true + path: code-coverage-results.md