
Commit fd823e8

fix untrusted fork secret mixing (#13970)
1 parent 3d3eedf commit fd823e8

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

.github/workflows/pr_comment_gpu_tests.yml

@@ -147,7 +147,9 @@ jobs:
147147

148148
- name: Run pytest
149149
env:
150-
HF_TOKEN: ${{ secrets.DIFFUSERS_HF_HUB_READ_TOKEN }}
150+
# No secrets here: this step runs untrusted fork code (pytest imports the PR's
151+
# conftest.py/plugins), so exposing a token would let a malicious PR exfiltrate
152+
# it. Public Hub models download without auth; gated-repo tests are unsupported.
151153
# https://pytorch.org/docs/stable/notes/randomness.html#avoiding-nondeterministic-algorithms
152154
CUBLAS_WORKSPACE_CONFIG: :16:8
153155
# Forwarded via env (not interpolated into the script) to avoid breakage on
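Review bot: The "No secrets here" comment on the added lines only covers this step's `env:` block; the hunk does not show whether the checkout that produced the fork's conftest.py persists credentials in the working tree, or whether a job-level `env:` still passes a token into the same process, so code imported by pytest could still reach a credential by another route. Consider extending the comment with a pointer to where the job guarantees no token reaches the runner (for example the checkout step's credential settings), or confirm that in the PR description. Separately, the comment states that "gated-repo tests are unsupported", but the hunk removes `HF_TOKEN` without showing any skip for tests that require authentication; if such tests exist they will now fail rather than be skipped, so they should be guarded on `HF_TOKEN` being unset.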
