mirror of
https://github.com/tiennm99/litellm.git
synced 2026-06-30 01:03:03 +00:00
Yuneng Jiang
66bf890226
The `_test-unit-services-base.yml` reusable workflow attached every job to the `integration-postgres` GHA environment to read three "secrets": DATABASE_URL, POSTGRES_USER, POSTGRES_PASSWORD. These are not secrets — the postgres service container is spawned per-job on localhost and destroyed with the job, so the user/password are bootstrap values for a throwaway container and the URL is always `postgresql://…@localhost:…`. Each environment attachment produces a "temporarily deployed to integration-postgres" deployment record, which the PR timeline renders as a message per matrix shard per push. With 14 proxy-db shards that's ~14 notifications per push, drowning the PR conversation. Changes: * Hardcode POSTGRES_USER/POSTGRES_PASSWORD/POSTGRES_DB and the derived DATABASE_URL in `_test-unit-services-base.yml`. * Delete the `environment: integration-postgres` attachment. * Delete the `secrets:` declarations on the reusable workflow and on the two callers (test-unit-proxy-db.yml, test-unit-security.yml). * The `services:` container still starts a fresh postgres per job; the connection string now matches what the container boots up with. Security review: no regression. The environment wasn't gating anything real — no protection rules configured, no approval gates, and the branch restriction is already enforced by `on: push: branches: [...]` on both caller workflows. Zizmor pedantic-mode findings are identical before and after (same 6 pre-existing findings, zero new ones). The `integration-postgres` environment and its three "secrets" in repo settings are now unreferenced and can be deleted from repo admin.
190 lines
6.1 KiB
YAML
190 lines
6.1 KiB
YAML
name: _Unit Test Services Base (Reusable)
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
test-path:
|
|
description: "Pytest path(s) to run"
|
|
required: true
|
|
type: string
|
|
workers:
|
|
description: "Number of pytest-xdist workers (0 = no parallelism)"
|
|
required: false
|
|
type: number
|
|
default: 2
|
|
reruns:
|
|
description: "Number of reruns for flaky tests"
|
|
required: false
|
|
type: number
|
|
default: 2
|
|
timeout-minutes:
|
|
description: "Job timeout in minutes"
|
|
required: false
|
|
type: number
|
|
default: 20
|
|
max-failures:
|
|
description: "Stop after this many failures"
|
|
required: false
|
|
type: number
|
|
default: 10
|
|
enable-postgres:
|
|
description: "Start a local Postgres service container and run Prisma migrations"
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
dist:
|
|
description: "pytest-xdist distribution mode (loadscope|load|worksteal|loadfile|no)"
|
|
required: false
|
|
type: string
|
|
default: "loadscope"
|
|
artifact-name:
|
|
description: "Unique name for the coverage artifact (must be unique per run)"
|
|
required: false
|
|
type: string
|
|
default: "run"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
# The postgres service container below is spawned per-job on localhost and
|
|
# destroyed with the job. Nothing outside the runner can reach it. The
|
|
# user/password/database here are not secrets — they're bootstrap values
|
|
# for a throwaway container — so we hardcode them instead of attaching
|
|
# every matrix shard to a GHA environment just to read three "secrets"
|
|
# (which also produces a "temporarily deployed to …" notification on the
|
|
# PR timeline per shard per push).
|
|
jobs:
|
|
run:
|
|
name: Run tests
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: ${{ inputs.timeout-minutes }}
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres@sha256:705a5d5b5836f3fcba0d02c4d281e6a7dd9ed2dd4078640f08a1e1e9896e097d # postgres:14
|
|
env:
|
|
POSTGRES_USER: litellm
|
|
POSTGRES_PASSWORD: litellm
|
|
POSTGRES_DB: litellm_test
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd "pg_isready"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
|
|
steps:
|
|
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
|
|
with:
|
|
python-version: "3.12"
|
|
|
|
- name: Set up uv
|
|
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
|
|
with:
|
|
version: "0.10.9"
|
|
|
|
- name: Cache uv dependencies
|
|
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
|
|
with:
|
|
path: |
|
|
~/.cache/uv
|
|
.venv
|
|
key: ${{ runner.os }}-uv-services-${{ hashFiles('uv.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-uv-services-
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
uv sync --frozen --group ci --group proxy-dev --extra google --extra proxy --extra semantic-router
|
|
|
|
- name: Generate Prisma client
|
|
env:
|
|
PRISMA_BINARY_CACHE_DIR: ${{ runner.temp }}/prisma-cache
|
|
run: |
|
|
uv run --no-sync prisma generate --schema litellm/proxy/schema.prisma
|
|
|
|
- name: Run Prisma migrations
|
|
if: ${{ inputs.enable-postgres }}
|
|
env:
|
|
DATABASE_URL: "postgresql://litellm:litellm@localhost:5432/litellm_test"
|
|
run: |
|
|
uv run --no-sync prisma db push --schema litellm/proxy/schema.prisma --accept-data-loss
|
|
|
|
- name: Run tests
|
|
env:
|
|
TEST_PATH: ${{ inputs.test-path }}
|
|
MAX_FAILURES: ${{ inputs.max-failures }}
|
|
WORKERS: ${{ inputs.workers }}
|
|
RERUNS: ${{ inputs.reruns }}
|
|
DIST: ${{ inputs.dist }}
|
|
DATABASE_URL: ${{ inputs.enable-postgres && 'postgresql://litellm:litellm@localhost:5432/litellm_test' || '' }}
|
|
run: |
|
|
if [ "${WORKERS}" = "0" ]; then
|
|
uv run --no-sync pytest ${TEST_PATH:?} \
|
|
--tb=short -vv \
|
|
--maxfail="${MAX_FAILURES}" \
|
|
--reruns "${RERUNS}" \
|
|
--reruns-delay 1 \
|
|
--durations=20 \
|
|
--cov=litellm \
|
|
--cov-report=xml:coverage.xml \
|
|
--cov-config=pyproject.toml
|
|
else
|
|
uv run --no-sync pytest ${TEST_PATH:?} \
|
|
--tb=short -vv \
|
|
--maxfail="${MAX_FAILURES}" \
|
|
-n "${WORKERS}" \
|
|
--reruns "${RERUNS}" \
|
|
--reruns-delay 1 \
|
|
--dist="${DIST}" \
|
|
--durations=20 \
|
|
--cov=litellm \
|
|
--cov-report=xml:coverage.xml \
|
|
--cov-config=pyproject.toml
|
|
fi
|
|
|
|
- name: Save coverage report
|
|
if: always()
|
|
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
|
|
with:
|
|
name: coverage-${{ inputs.artifact-name }}-${{ github.run_id }}-${{ github.run_attempt }}
|
|
path: coverage.xml
|
|
retention-days: 1
|
|
|
|
upload-coverage:
|
|
name: Upload coverage to Codecov
|
|
needs: run
|
|
if: always()
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Download coverage report
|
|
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
|
|
with:
|
|
pattern: coverage-${{ inputs.artifact-name }}-${{ github.run_id }}-${{ github.run_attempt }}
|
|
path: coverage-reports
|
|
merge-multiple: true
|
|
|
|
- name: Upload to Codecov
|
|
uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
|
|
with:
|
|
use_oidc: true
|
|
directory: coverage-reports
|
|
root_dir: ${{ github.workspace }}
|
|
fail_ci_if_error: false
|