Commit Graph

3 Commits

Author SHA1 Message Date
Yuneng Jiang 3ae80407dd [Fix] Move Postgres username and password to environment secrets
Move POSTGRES_USER and POSTGRES_PASSWORD from hardcoded values to
environment secrets so no credentials appear in workflow files at all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:31:58 -07:00
Yuneng Jiang d42e2f6429 [Fix] Move Postgres DATABASE_URL to environment secret to avoid credential leak warnings
The hardcoded postgresql://postgres:postgres@localhost connection string was
being flagged by secret scanners. Move DATABASE_URL to a GHA environment
secret (integration-postgres) so the password is never in the workflow file.

Changes:
- _test-unit-services-base.yml: DATABASE_URL now comes from secrets, environment
  is derived from enable-* flags (integration-postgres, integration-redis, or
  integration-redis-postgres)
- test-unit-proxy-db.yml: switched to push-only trigger (uses secrets now)
- test-unit-security.yml: switched to push-only trigger (uses secrets now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:28:41 -07:00
Yuneng Jiang 6549f3eb1a [Infra] Add unit test workflows for Postgres, Redis, and security test suites
Add three new GHA workflows for tests requiring service containers, plus a
reusable base workflow that provides Postgres and cloud Redis support.

New workflows:
- test-unit-proxy-db.yml: proxy DB tests (key generation, auth checks,
  remaining) using a local Postgres container with a 3-way descriptive matrix
- test-unit-caching-redis.yml: caching tests that need Redis but no provider
  API keys, using cloud Redis via the integration-redis environment
- test-unit-security.yml: proxy security tests using a local Postgres container

Reusable base (_test-unit-services-base.yml):
- Local Postgres pinned by digest (postgres@sha256:705a5d5b...)
- Cloud Redis credentials scoped to the integration-redis GHA environment
- Environment binding is derived from enable-redis flag inside the base
  (not caller-controllable) to prevent secret scope bypass
- Supports workers=0 for tests that cannot run in parallel

Security hardening:
- All actions pinned to commit SHAs
- persist-credentials: false on all checkouts
- permissions: contents: read only
- Postgres-only workflows (proxy-db, security) use zero secrets and trigger on
  both pull_request and push to main/litellm_*
- Redis workflow triggers on push only (not pull_request) to prevent external
  PRs from accessing Redis Cloud credentials
- Added ${TEST_PATH:?} guard to both _test-unit-base.yml and
  _test-unit-services-base.yml to fail fast on empty test paths
- All files pass zizmor --pedantic with zero findings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 12:06:45 -07:00
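The three commits above describe the same pattern from different angles: a reusable base workflow that owns the service containers and decides the GHA environment itself, plus thin callers that only flip boolean flags. The following pair of workflows is an added illustration of that pattern and is not the project's own `_test-unit-services-base.yml` or `test-unit-caching-redis.yml`. It follows the second commit's shape (DATABASE_URL always from an environment secret, environment name derived from `enable-redis`) and the third commit's hardening list. The names `REDIS_HOST`, `REDIS_PASSWORD`, the input names, the `tests/caching` path, and the `<full-commit-sha>` / `<digest>` placeholders are assumptions; the real pins must be full 40-hex commit SHAs and a full image digest. It also assumes that a job in a called workflow may set `environment:` and read that environment's secrets when the caller passes `secrets: inherit`.

```yaml
# .github/workflows/_test-unit-services-base.yml  (illustrative, not the project's file)
name: _test-unit-services-base

on:
  workflow_call:
    inputs:
      test-path:
        description: Path handed to pytest; must be non-empty
        required: true
        type: string
      enable-redis:
        description: Bind the job to the cloud Redis environment
        required: false
        type: boolean
        default: false
      workers:
        description: pytest-xdist worker count; 0 runs the suite serially
        required: false
        type: number
        default: 4
    secrets:
      DATABASE_URL:
        required: true
      REDIS_HOST:           # assumed name
        required: false
      REDIS_PASSWORD:       # assumed name
        required: false

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # The environment is computed here from a boolean, never taken from the caller
    # as a string, so a caller cannot name an environment whose secrets it should
    # not have (the "secret scope bypass" the third commit guards against).
    environment: ${{ inputs.enable-redis && 'integration-redis' || 'integration-postgres' }}
    services:
      postgres:
        # Pin the service image by digest, not tag; <digest> is a placeholder.
        image: postgres@sha256:<digest>
        env:
          POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 5s --health-timeout 5s --health-retries 10
    steps:
      # Pinned to a commit SHA (placeholder here), tag kept only as a comment.
      - uses: actions/checkout@<full-commit-sha> # v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@<full-commit-sha> # v5
        with:
          python-version: "3.12"
      - name: Run tests
        env:
          # Inputs reach the shell through env, never by interpolating ${{ }} into run:
          TEST_PATH: ${{ inputs.test-path }}
          WORKERS: ${{ inputs.workers }}
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
        run: |
          # ${TEST_PATH:?} makes the step fail before pytest can silently collect
          # the whole repository when a caller passes an empty path.
          if [ "${WORKERS}" = "0" ]; then
            python -m pytest "${TEST_PATH:?TEST_PATH must not be empty}"
          else
            python -m pytest -n "${WORKERS}" "${TEST_PATH:?TEST_PATH must not be empty}"
          fi
---
# .github/workflows/test-unit-caching-redis.yml  (illustrative caller)
name: test-unit-caching-redis

on:
  push:
    # push only, no pull_request: a fork PR must never run with Redis Cloud secrets
    branches: [main, 'litellm_*']

permissions:
  contents: read

jobs:
  redis:
    uses: ./.github/workflows/_test-unit-services-base.yml
    with:
      test-path: tests/caching   # assumed path
      enable-redis: true
      workers: 0
    secrets: inherit
```

The caller's only levers are `test-path`, `enable-redis`, and `workers`; it cannot pass an environment name, and because its trigger is `push` rather than `pull_request`, code from a fork never executes inside the `integration-redis` environment. A Postgres-only caller would look the same with `enable-redis: false` and may keep `pull_request` in its triggers, since the only secrets it needs live in the `integration-postgres` environment. After editing, run `zizmor --pedantic .github/workflows/` as the commits do; unpinned `uses:` references, a missing `persist-credentials: false`, or an input interpolated directly into a `run:` block are the findings it reports.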