src.custom_exceptions.ExposedSecretsError: Detected one or more exposed secrets. Please review the findings below, and if you feel they have been made in error, please file a GitHub issue and link to this job URL. Findings: {'filename': '/home/runner/work/instructlab/instructlab/pull-request-changes/.github/workflows/e2e-nvidia-t4-x1.yml', 'job_name': 'e2e-small-test', 'exposed_secrets': {'GH_TOKEN': '${{ secrets.GITHUB_TOKEN }}'}}

WAT? I just copied from other jobs verbatim. Bug in the action? @courtneypacheco @ktdreyer advice?

@ktdreyer ignoring the security check, any idea how this can be tested, considering that there's no Run workflow button for these jobs? (because the workflow_dispatch setting is not added to them)

I believe it's a mistake in the ci action that it targets workflows of pull_request_target type, fix here: instructlab/ci-actions#14

One idea to make landing this less risky is:

• first, merge just bare "workflow_dispatch" addition (without inputs) - this should be relatively safe.
• then on second stage, we can add inputs - at this point we should be able to test pre-merge with the Run button.

@ktdreyer @courtneypacheco thoughts?

This pull request has merge conflicts that must be resolved before it can be merged. @booxter please rebase it. https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

Skipping yamllint long lines failure here: #3360 since I don't think we should split the lines for these files. The long lines are for gh comment steps.

@Mergifyio rebase

rebase

✅ Branch has been successfully rebased

To pass gate, we'll need to disable enforcement of security-check, as I explain in: #3353

Testing new functionality on this PR: #3101

So it's impossible to use gh without a token in CI, even for checkouts (I was hoping we could stay token-less by removing Slack / Discord / PR commenting functionality). We can use a regular checkout action to access a particular PR, probably. But this escalates into a territory where I'd like DevOps folks to step in and advise.

tl;dr we need a way to Run workflow for small and medium jobs that are ALSO triggered on pull_request_target - which makes security-lint job fail if we try to pull a secret like GH_TOKEN. This is not a problem for large jobs that are not pull_request_target and hence the linter rule is not executed on these other workflow files.

I don't have capacity to complete it.