Commit Graph
512 Commits
Author SHA1 Message Date
shin-berriandGitHub 8e652d129d Merge pull request #26356 from BerriAI/litellm_cci_gha_dedup_and_shard
[Infra] Remove CCI/GHA test duplication and semantically shard proxy DB tests
2026-04-23 18:17:56 -07:00
Yuneng Jiang 66bf890226 [Infra] Stop attaching push-only postgres workflows to a GHA environment
The `_test-unit-services-base.yml` reusable workflow attached every job
to the `integration-postgres` GHA environment to read three "secrets":
DATABASE_URL, POSTGRES_USER, POSTGRES_PASSWORD. These are not secrets —
the postgres service container is spawned per-job on localhost and
destroyed with the job, so the user/password are bootstrap values for a
throwaway container and the URL is always `postgresql://…@localhost:…`.

Each environment attachment produces a "temporarily deployed to
integration-postgres" deployment record, which the PR timeline renders
as a message per matrix shard per push. With 14 proxy-db shards that's
~14 notifications per push, drowning the PR conversation.

Changes:
* Hardcode POSTGRES_USER/POSTGRES_PASSWORD/POSTGRES_DB and the derived
  DATABASE_URL in `_test-unit-services-base.yml`.
* Delete the `environment: integration-postgres` attachment.
* Delete the `secrets:` declarations on the reusable workflow and on
  the two callers (test-unit-proxy-db.yml, test-unit-security.yml).
* The `services:` container still starts a fresh postgres per job;
  the connection string now matches what the container boots up with.

Security review: no regression. The environment wasn't gating anything
real — no protection rules configured, no approval gates, and the
branch restriction is already enforced by `on: push: branches: [...]`
on both caller workflows. Zizmor pedantic-mode findings are identical
before and after (same 6 pre-existing findings, zero new ones).

The `integration-postgres` environment and its three "secrets" in repo
settings are now unreferenced and can be deleted from repo admin.
2026-04-23 16:32:18 -07:00
Yuneng Jiang 21e08b0bb5 [Infra] Run schema-migration shard serially (workers: 0)
test_db_schema_migration.py has exactly one test, and that test is mostly
waiting on prisma subprocesses (~170s: prisma migrate deploy + prisma
migrate diff). No CPU-bound Python work inside the test body, and only
one test in the file means xdist's parallelism is unused regardless.

Previous run on commit 5df9f397e6: 10.0m wall-clock for the shard, of
which 4:56 was silence between step start and pytest banner — the cost
of 4 xdist workers each cold-starting (pytest plugin load + litellm
import + pytest-cov instrumentation) so that exactly one of them could
pick up the single test.

Switching to workers: 0 takes the serial pytest branch in the base
workflow, which already handles this case correctly (no -n, no --dist).
Single-process startup instead of 4. Expected wall-clock: ~6m.
2026-04-23 16:24:40 -07:00
Yuneng Jiang 5df9f397e6 [Infra] Match xdist workers to runner cores; revert test_proxy_utils -k split
Two changes:

1. workers: 8 -> 4 on every non-serial proxy-db shard. ubuntu-latest is a
   4-core runner; -n 8 oversubscribes 2x and workers block each other
   during their cold-start imports (pytest-cov instruments every litellm
   module per worker). Measured ~441% CPU locally with -n 8 on 8 cores
   (i.e. ~55% effective). Matching -n to physical cores should give
   ~2x faster worker startup, which is where most of the ~9m wall-clock
   per shard goes (7+ minutes is plugin load + xdist imports before any
   test runs).

2. Revert the -k split on test_proxy_utils.py. It was split into
   proxy-utils-a-h / proxy-utils-i-z as a semantic-adjacent hack; merge
   back to a single proxy-utils shard. Still uses --dist=worksteal so
   xdist can balance the 188 parametrized cases across workers.

Also drops the now-unused `keyword` input from _test-unit-services-base.yml
and its matching matrix field across all proxy-db entries.

Shard count: 14 -> 13 (+ the assert-shard-coverage guard).
2026-04-23 15:56:27 -07:00
Yuneng Jiang 584a7cd40f [Infra] Clean up proxy-db matrix job display names
Default GHA matrix job names join every matrix field, producing unreadable
check labels like:
  'proxy-db (logging-misc, tests/proxy_unit_tests/test_proxy_reject_logging.py
   tests/proxy_unit_tests/test_audit_logs_proxy.py ..., 8, loadscope, "", 15)'

Set the job's display name to '${{ matrix.test-group }}' so each check
shows just 'logging-misc', 'proxy-utils-a-h', etc.
2026-04-23 15:29:42 -07:00
Yuneng Jiang e0201ece1e [Infra] Split slow proxy-db shards to hit 7m wall-clock target
Previous run (13.8m total) was bottlenecked by shards with 9-12m wall-clock.
Setup + xdist spawn + coverage teardown is ~3m per shard, so each shard's
pytest runtime must stay under ~4m to fit inside 7m total.

Observed per-shard pytest times (before split):
  db-and-spend            9:08   (170s outlier: test_aaaasschema_migration_check)
  proxy-server            7:15
  logging-and-callbacks   6:45
  guardrails-budget-hooks 6:37
  proxy-utils             6:23
  auth-and-jwt            6:54

Split 6 shards into 12, keeping key-generation and endpoints-and-responses
(already <7m). Adds a `keyword` input to _test-unit-services-base.yml so
test_proxy_utils.py can be split by -k expression (same file, two runners).
New matrix entries:

  auth-and-jwt           -> auth-checks + jwt-and-keys
  proxy-server           -> proxy-server-core + proxy-runtime
  logging-and-callbacks  -> custom-logging + logging-misc
  db-and-spend           -> schema-migration (isolated 170s test) + db-and-spend
  guardrails-budget-hooks-> guardrails-hooks + budgets
  proxy-utils            -> proxy-utils-a-h + proxy-utils-i-z (-k split)

The -k expression split is verified to cover every one of the 64 test
functions in test_proxy_utils.py exactly once. The assert-shard-coverage
guard still catches any file not in any shard.
2026-04-23 15:25:37 -07:00
Yuneng Jiang 4a2deae92c [Fix] Infra: grant contents:write to create-release-branch caller job
The create-branch job in create-release.yml calls the reusable
create-release-branch.yml workflow, which requires contents: write.
The top-level permissions: {} blocks the inherited default, and only
the release job overrode it, so the nested call failed with:

  The nested job 'create-branch' is requesting 'contents: write',
  but is only allowed 'contents: none'.

Add the permission at the calling job level so the reusable
workflow is granted what it needs.
2026-04-23 15:11:12 -07:00
Yuneng Jiang 32c390a0f6 fix(tests): restore proxy_server.master_key in realtime fixture; add shard-coverage guard
Two fixes to proxy-db CI:

1. test_realtime_webrtc_endpoints.py's `proxy_app` fixture mutated the
   module-global `proxy_server.master_key` without restoring it, leaking
   state into any test that shared the same xdist worker. Under
   --dist=loadscope with 2 workers (GHA proxy-endpoints), this caused the
   google_endpoints tests to fail with "No api key passed in." because
   user_api_key_auth saw a set master_key and a missing API key on the
   test request. The fixture now saves and restores the original value.

2. Address the Greptile note that the semantic shard design has no
   catch-all, so a new test file added to tests/proxy_unit_tests/ without
   a matrix entry would silently skip CI. Adds an assert-shard-coverage
   job that enumerates test_*.py files and fails the workflow if any are
   not referenced by a matrix entry, with a clear message telling the
   author which semantic shard to place it in. All proxy-db shards now
   depend on this guard.
2026-04-23 15:01:25 -07:00
Yuneng Jiang c2f40e89d5 [Infra] Remove CCI/GHA test duplication and semantically shard proxy DB tests
Split into two related cleanups:

1. Delete CCI jobs that duplicate GHA coverage:
   - mcp_testing (tests/mcp_tests) — already run by test-mcp.yml
   - litellm_mapped_tests_proxy_part1/part2 (tests/test_litellm/proxy) —
     already run across test-unit-proxy-auth.yml, test-unit-proxy-endpoints.yml,
     and test-unit-proxy-infra.yml
   Add rag_endpoints and realtime_endpoints to test-unit-proxy-endpoints.yml
   (they were only covered by the deleted CCI part2 job).
   Remove the corresponding workflow wiring, coverage combine entries, and
   upload-coverage dependencies in .circleci/config.yml.

2. Re-shard test-unit-proxy-db.yml from 4 alphabetic buckets to 8 semantic
   ones (auth-and-jwt, proxy-server, logging-and-callbacks, db-and-spend,
   guardrails-budget-hooks, endpoints-and-responses, plus the existing
   serial key-generation and test_proxy_utils.py shards). New test files are
   placed in whichever group they belong to instead of reshuffling slices.
   Add a dist input to _test-unit-services-base.yml so the test_proxy_utils.py
   shard can use --dist=worksteal to spread its ~64 (many parametrized)
   functions across workers; the default --dist=loadscope pins a single file
   to a single worker, which was the root cause of that shard running 10m+.
2026-04-23 14:48:38 -07:00
Yuneng Jiang daf29d6a4a [Infra] Add standalone create-release-branch workflow
Extracts release branch creation into a separate reusable workflow
(create-release-branch.yml) that can be triggered independently via
workflow_dispatch or called from other workflows via workflow_call.

create-release.yml now dispatches it as a dependent job after the
release publishes, keeping both workflows decoupled.
2026-04-23 12:02:25 -07:00
Yuneng Jiang a12a2190d7 [Infra] Flip remaining CI jobs to Python 3.12
Stragglers from the 2026-04-21 Python 3.12 standardization:
- .github/workflows/check_duplicate_issues.yml (was 3.11)
- .github/workflows/llm-translation-testing.yml (was 3.11)
- .github/workflows/scan_duplicate_issues.yml (was 3.13)
- .circleci proxy_build_from_pip_tests (was 3.13)

The only intentional non-3.12 CI job is installing_litellm_on_python_3_13,
which exists as an explicit "latest supported Python" smoke matrix.
2026-04-22 21:26:19 -07:00
Yuneng Jiang 1b74c35b89 [Infra] Move non-API-key CCI jobs to GitHub Actions
Principle: GHA handles work that doesn't need external API keys; CCI
stays for integration tests that hit real API endpoints.

Four CCI jobs moved to new or extended GHA workflows:

1. check_code_and_doc_quality (was 25 runs: ruff + import-safety +
   21 code_coverage_tests + 3 documentation_tests + circular-imports).
   - The 21 tests/code_coverage_tests/*.py scripts and the 3
     tests/documentation_tests/*.py scripts run in the new
     .github/workflows/test-code-quality.yml workflow.
   - ruff, import-safety, and circular-imports were already run by
     .github/workflows/test-linting.yml — no new migration needed.
   - The 3 documentation_tests scripts read
     docs/my-website/docs/proxy/config_settings.md. Since docs have
     moved to BerriAI/litellm-docs, the GHA workflow checks out that
     repo and symlinks docs/my-website -> the checkout so the
     existing hardcoded paths resolve without touching the scripts.
     The stale local docs/my-website/ copy in this repo will be
     removed in a separate PR.

2. semgrep (custom-rule SAST against .semgrep/rules).
   - New .github/workflows/test-semgrep.yml.

3. installing_litellm_on_python + installing_litellm_on_python_3_13
   (pip install compat checks on Python 3.12 and 3.13).
   - New .github/workflows/test-install-litellm.yml as a matrix job.
   - 3.12 run also verifies litellm_enterprise import; 3.13 run
     skips that check (matches previous CCI behavior).
   - installing_litellm_on_python_v2_migration_resolver stays in CCI
     because it requires a postgres service.

CCI .circleci/config.yml: -112 lines, 4 jobs and their workflow refs
removed.
2026-04-22 13:38:00 -07:00
Yuneng Jiang 7b43f5981f [Fix] CI: split test_proxy_utils.py into its own proxy-db matrix entry
The "remaining" proxy-db job was consistently timing out at ~98% because
--dist=loadscope pins every test in test_proxy_utils.py (168+ parametrized
tests) to a single xdist worker. 7 workers finished their files in ~15
minutes, then one worker ran alone for another 8+ minutes and hit the
30-minute job cap.

Give test_proxy_utils.py its own matrix entry so its tests spread across
all 8 workers, and add it to the "remaining" ignore list.
2026-04-20 16:56:31 -07:00
Yuneng Jiang aff4717494 [Infra] Expand CI branch filters for non-main PR targets
Required test-unit-* and related workflows only triggered on PRs targeting
main, so feature PRs routed through litellm_internal_staging or
litellm_oss_branch never dispatched the full suite. Branch protection
reported BLOCKED even when CircleCI was green.

Expand pull_request and push branch filters to also match
litellm_internal_staging, litellm_oss_branch, and "litellm_**" (using **
so branch names containing "/" also match).
2026-04-15 15:39:57 -07:00
yuneng-jiangandGitHub 72a461ba4a Merge pull request #25733 from BerriAI/litellm_guardMainBranch
[Infra] Guard main to only accept PRs from staging and hotfix branches
2026-04-14 20:54:29 -07:00
joereyna ccbdaa9187 fix(ci): increase test-server-root-path timeout to 30m 2026-04-14 19:42:10 -07:00
Yuneng Jiang 38f8d7a008 Point contributors toward litellm_oss_branch in guard error messages 2026-04-14 18:41:59 -07:00
Yuneng Jiang ab71d3d700 Also reject PRs from forks, not just non-allowlisted branches 2026-04-14 18:39:54 -07:00
Yuneng Jiang 45d1e1b341 [Infra] Guard main branch with PR source-branch check
Adds a GHA that fails PRs to main unless the head branch is
'litellm_internal_staging' or 'litellm_hotfix_*'. Also fails merge_group
events since merge queue is not in use.
2026-04-14 18:19:14 -07:00
Yuneng Jiang 83c459225c [Fix] CI: fix GHA timeouts and uv lock --check failures
1. exclude-newer: change from absolute "2026-04-10" to relative "3 days".
   All pinned deps were published before the 3-day cutoff. Re-locked so
   uv lock --check passes in test-mcp.yml and test-linting.yml.

2. test_eager_tiktoken_load: run all 10 env var values in a single
   subprocess instead of spawning 10 separate processes. Each cold
   import litellm takes ~78s on CI, so the old loop took ~13 min on a
   single xdist worker. Now takes ~78s total.

3. proxy-db remaining timeout: increase from 20 to 30 minutes. The
   remaining group has 51 test files and was consistently timing out at
   71% across all branches (pre-existing issue, not migration-related).
2026-04-11 09:04:49 -07:00
a6c30b30bf build: migrate packaging, CI, and Docker from Poetry to uv (#25007)
* build: migrate packaging metadata to uv

* ci: move automation and local tooling to uv

* docker: migrate image builds and runtime setup to uv

* docs: update install and deployment guidance for uv

* chore: align auxiliary scripts and tests with uv

* test: harden test_litellm isolation

* fix: keep release and health check images self-contained

* build: pin uv tooling and health check deps

* test: isolate bedrock image request formatting from suite state

* test: cover sandbox executor requirements flow

* ci: fix circleci no-op command steps

* ci: fix circleci publish workflow parsing

* fix: stabilize remaining uv migration CI checks

* ci: increase matrix test timeout headroom

* fix: restore published docker and license coverage

* fix: restore proxy runtime build parity

* fix: restore proxy extras parity and venv migrations

* ci: persist uv path across circleci steps

* fix: keep psycopg binary in default test env

* docker: preserve prisma cache across stages

* test: run local proxy checks through uv python

* build: restore runtime deps moved into ci

* build: refresh uv lock after upstream merge

* fix: restore module import in test_check_migration after merge

The conflict resolution imported only the function but the test body
references check_migration as a module throughout.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: revert dependency promotions, remove nodejs-wheel-binaries, fix Docker layer caching

- Move google-generativeai, Pillow, tenacity back to ci group (they are
  lazily imported and bloat the base SDK install needlessly)
- Remove nodejs-wheel-binaries from extra_proxy and proxy-dev (redundant
  in Docker where system Node.js is already installed via apk)
- Remove all nodejs-wheel node replacement and venv npm patching blocks
  from Dockerfiles since the wheel is no longer installed
- Add --no-default-groups to CodSpeed benchmark workflow so the benchmark
  environment matches the old minimal pip install footprint
- Apply standard uv two-phase Docker pattern: copy metadata first, install
  deps (cached layer), then copy source and install project
- Replace CircleCI enterprise no-op with proper uv sync command

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: regenerate uv.lock after removing nodejs-wheel-binaries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): use cache/restore instead of cache to prevent cache poisoning

The old workflow used actions/cache/restore (read-only). The uv migration
changed it to actions/cache (read-write), which zizmor flags as a cache
poisoning risk. Restore the safer read-only variant.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): disable setup-uv built-in cache to silence cache-poisoning alert

The setup-uv action enables caching by default, which zizmor flags as a
cache poisoning risk. Disable it since we already use a read-only
cache/restore step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): disable setup-uv cache in publish workflow

Silences zizmor cache-poisoning alert. Publishing workflow runs
infrequently on protected branches so caching adds no real benefit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(test): remove duplicate verbose_logger mock in test_check_migration

The logger was patched twice — first via mocker.patch() then via
mocker.patch.object(autospec=True). The second call fails because
autospec cannot inspect an already-mocked attribute. Remove the
redundant first patch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): free disk space before Docker build in test-server-root-path

The Dockerfile.non_root build ran out of disk on the CI runner. Remove
Android SDK, .NET, Boost, and GHC toolchains (~12GB) to free space.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 11:46:23 -07:00
Yuneng Jiang 3a02c0ac6b [Infra] Migrate Redis caching tests from GHA to CircleCI
Redis caching unit tests (test_dual_cache, test_redis_batch_optimizations,
test_router_utils) required Redis secrets that should live in CircleCI.

- Add redis_caching_unit_tests job to CircleCI config
- Delete test-unit-caching-redis.yml GHA workflow
- Remove all Redis plumbing (inputs, secrets, env vars) from
  _test-unit-services-base.yml and its callers
2026-04-08 09:07:12 -07:00
Yuneng JiangandClaude Opus 4.6 30565581be [Infra] Pin cosign.pub verification to initial commit hash
Pin all cosign public key references to the immutable commit hash
(0112e53) that first introduced the key, instead of fetching it from
the release tag. This addresses the concern that an attacker with push
access could replace the key on main/tags and re-sign tampered images.

Docs now show two verification methods: commit hash (recommended) and
release tag (convenience), with explanation of why the hash is stronger.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 22:53:23 -07:00
d132b1bf51 [Infra] Remove Redundant Matrix Unit Test Workflow (#25251)
* Remove redundant matrix unit test workflow

All test paths in test-litellm-matrix.yml are fully covered by the
newer semantic unit test workflows (test-unit-*.yml), making the
matrix workflow redundant CI spend.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add Codecov coverage reporting to semantic unit test workflows

Add coverage collection (--cov) and Codecov OIDC upload to both
reusable base workflows and all 12 caller workflows, replacing the
coverage reporting that was previously only in the matrix workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Move id-token/pull-requests permissions to job level for multi-job workflows

For workflows with multiple jobs (llm-providers, proxy-db), move
id-token: write and pull-requests: write from workflow level to job
level so permissions are scoped to only the jobs that need them.
Removes zizmor inline suppressions that were masking the issue.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 16:52:38 -07:00
a60e19aeb8 Remove flaky proxy_e2e_azure_batches_tests CI workflow (#25247)
The proxy_e2e_azure_batches_tests workflow is consistently flaky and
does not provide reliable signal on whether changes break anything.
Remove the workflow from both CircleCI and GitHub Actions, along with
the test directory it exclusively used.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 16:49:14 -07:00
yuneng-jiangGitHubClaude Opus 4.6Krrish Dholakiagreptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
39c1042258 [Docs] Add cosign Docker image verification steps to security blog posts (#25122)
* docs(blog): add cosign Docker image verification instructions

Add steps for verifying Docker images with cosign to three security blog posts:
CI/CD v2, Security Townhall, and Security Update.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(proxy): add cosign verification to Docker/Helm/Terraform deploy page

Add image signature verification steps to the main deployment doc so
users pulling Docker images know how to verify them with cosign.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: fixes

* Update index.md

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* [Docs] Scope cosign signing docs to GHCR and specify starting version

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [Docs] Add starting version callout to ci_cd_v2 blog post

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Krrish Dholakia <krrish+github@berri.ai>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-04-06 09:59:27 -07:00
joereyna 6cc56f58fd Fix broken codeql-action SHA in scorecard workflow 2026-04-03 11:36:02 -07:00
yuneng-jiangandGitHub 0f88968da9 Merge pull request #24804 from joereyna/feat/add-codecov-to-ci
Re-add Codecov coverage reporting to GHA matrix workflow
2026-04-01 09:46:55 -07:00
joereyna c903845266 Use unique filenames per matrix job to preserve all coverage reports 2026-03-31 16:44:13 -07:00
joereyna 98a51e088d Remove debug step from upload-coverage job 2026-03-31 16:44:13 -07:00
joereyna 695d726352 Revert to --cov=litellm, add checkout and root_dir to upload job 2026-03-31 16:44:13 -07:00
joereyna b8eac3059a Measure coverage from repo root so filenames include litellm/ prefix 2026-03-31 16:44:13 -07:00
joereyna fdfd0e58ed Force coverage path remapping via explicit coverage xml step 2026-03-31 16:44:13 -07:00
joereyna 57c22d3a41 Add debug step to inspect coverage XML paths 2026-03-31 16:44:13 -07:00
joereyna e7e0637f53 Fix coverage source paths for Codecov 2026-03-31 16:44:13 -07:00
joereyna 13660572ca Add pull-requests write permission for Codecov PR comments 2026-03-31 16:44:13 -07:00
joereyna aaa5973b88 Use OIDC for Codecov upload instead of static token 2026-03-31 16:44:13 -07:00
joereyna 8358650660 Isolate Codecov upload into separate job to protect CODECOV_TOKEN 2026-03-31 16:44:13 -07:00
joereyna b3eee71084 Pin codecov-action to immutable SHA (v5.5.4) 2026-03-31 16:44:12 -07:00
joereyna d38498c3ef Re-add Codecov coverage upload to GHA matrix workflow 2026-03-31 16:44:12 -07:00
Yuneng JiangandClaude Opus 4.6 8071691ffc [Fix] Address review feedback on release workflow
- Use nullish coalescing for potentially null response body
- Create release as draft first, then publish atomically to avoid partial-release state
- Pin cosign.pub URL to release tag instead of main branch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 16:26:20 -07:00
Yuneng JiangandClaude Opus 4.6 05368d9b1a [Infra] Add cosign verification section to release notes
Prepend Docker image signature verification instructions to auto-generated
release notes, using the cosign public key committed to the repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 15:46:34 -07:00
Yuneng JiangandClaude Opus 4.6 0112e53046 [Infra] Add release workflow and cosign public key
Add create-release.yml workflow triggered via workflow_dispatch to create
GitHub releases with auto-generated notes. Add cosign public key for
container image signature verification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 14:30:27 -07:00
7066c895f6 chore: harden npm supply chain — pin overrides, enforce npm ci, add ignore-scripts (#24838)
* chore: harden npm supply chain — pin overrides, enforce npm ci, add ignore-scripts

Replace open-ended >= version overrides with exact pins matching lockfile
versions across all 6 package.json files. Remove dead overrides for packages
not present in lockfiles. Switch CI and devcontainer from npm install to
npm ci for deterministic lockfile-based installs.

Add .npmrc to all 7 JS project directories with ignore-scripts=true (blocks
postinstall RAT vectors like the axios@1.14.1 supply chain attack) and
min-release-age=3d (refuses packages published <3 days ago, requires npm
>=11.10). Remove Yarn-only resolutions field from docs/my-website.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: bump sharp to 0.33.5 in docs, add docs .npmrc

sharp 0.32.x uses postinstall to download native binaries, which breaks
with ignore-scripts=true. sharp 0.33+ distributes via optionalDependencies
instead, making it compatible with the new .npmrc hardening.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: remove docs .npmrc to fix Vercel deploy

Vercel's build for docs/my-website uses npm install which needs
sharp 0.32.6's postinstall script. Since we don't control Vercel's
build process, remove the .npmrc from docs rather than fight it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: Dockerfile npm ci + nvm checksum verification

- Replace npm install with npm ci in Dockerfile.non_root,
  Dockerfile.custom_ui, and spend-logs/Dockerfile for deterministic
  lockfile-based installs
- Replace curl-pipe-bash nvm install with download-then-verify pattern
  in build_admin_ui.sh, build_ui.sh, and build_ui_custom_path.sh
- Update nvm from v0.38.0 (2021) to v0.40.4 (Jan 2026) with SHA256
  checksum verification before execution

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: macOS sha256sum compat + clarify min-release-age scope

- Use shasum -a 256 fallback on macOS where sha256sum is unavailable
- Clarify in .npmrc comments that min-release-age only protects local
  npm install, not npm ci (used in CI)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 13:41:37 -07:00
Krrish DholakiaandGitHub 05134fc70b Create scorecard.yml 2026-03-30 07:47:06 -07:00
Yuneng JiangandClaude Opus 4.6 3b5b98327e [Fix] Use integration-redis-postgres env for Redis workflows since Postgres always starts
GHA doesn't support conditional service containers, so the Postgres container
always starts even for Redis-only jobs. Use integration-redis-postgres
environment for any workflow with enable-redis so the Postgres container gets
valid credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 14:25:29 -07:00
Yuneng JiangandClaude Opus 4.6 3ae80407dd [Fix] Move Postgres username and password to environment secrets
Move POSTGRES_USER and POSTGRES_PASSWORD from hardcoded values to
environment secrets so no credentials appear in workflow files at all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:31:58 -07:00
Yuneng JiangandClaude Opus 4.6 d42e2f6429 [Fix] Move Postgres DATABASE_URL to environment secret to avoid credential leak warnings
The hardcoded postgresql://postgres:postgres@localhost connection string was
being flagged by secret scanners. Move DATABASE_URL to a GHA environment
secret (integration-postgres) so the password is never in the workflow file.

Changes:
- _test-unit-services-base.yml: DATABASE_URL now comes from secrets, environment
  is derived from enable-* flags (integration-postgres, integration-redis, or
  integration-redis-postgres)
- test-unit-proxy-db.yml: switched to push-only trigger (uses secrets now)
- test-unit-security.yml: switched to push-only trigger (uses secrets now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:28:41 -07:00
Yuneng JiangandClaude Opus 4.6 6549f3eb1a [Infra] Add unit test workflows for Postgres, Redis, and security test suites
Add three new GHA workflows for tests requiring service containers, plus a
reusable base workflow that provides Postgres and cloud Redis support.

New workflows:
- test-unit-proxy-db.yml: proxy DB tests (key generation, auth checks,
  remaining) using a local Postgres container with a 3-way descriptive matrix
- test-unit-caching-redis.yml: caching tests that need Redis but no provider
  API keys, using cloud Redis via the integration-redis environment
- test-unit-security.yml: proxy security tests using a local Postgres container

Reusable base (_test-unit-services-base.yml):
- Local Postgres pinned by digest (postgres@sha256:705a5d5b...)
- Cloud Redis credentials scoped to the integration-redis GHA environment
- Environment binding is derived from enable-redis flag inside the base
  (not caller-controllable) to prevent secret scope bypass
- Supports workers=0 for tests that cannot run in parallel

Security hardening:
- All actions pinned to commit SHAs
- persist-credentials: false on all checkouts
- permissions: contents: read only
- Postgres-only workflows (proxy-db, security) use zero secrets and trigger on
  both pull_request and push to main/litellm_*
- Redis workflow triggers on push only (not pull_request) to prevent external
  PRs from accessing Redis Cloud credentials
- Added ${TEST_PATH:?} guard to both _test-unit-base.yml and
  _test-unit-services-base.yml to fail fast on empty test paths
- All files pass zizmor --pedantic with zero findings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 12:06:45 -07:00
Yuneng JiangandClaude Opus 4.6 7851567091 [Fix] Scope documentation workflow to match CircleCI and add missing router settings
Revert path fixes for documentation tests that CircleCI never ran
(test_exception_types, test_general_setting_keys, test_readme_providers,
test_standard_logging_payload). Update the GHA workflow to run only the
4 tests CircleCI actually executed: test_env_keys, test_router_settings,
test_api_docs, test_circular_imports.

Add 2 missing router_settings keys (enable_health_check_routing,
health_check_staleness_threshold) and 27 missing general_settings keys
to config_settings.md so test_router_settings passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 11:23:53 -07:00