From d42e2f64291136b4853908a534db8579da9edd2a Mon Sep 17 00:00:00 2001
From: Yuneng Jiang
Date: Sat, 28 Mar 2026 13:28:41 -0700
Subject: [PATCH] [Fix] Move Postgres DATABASE_URL to environment secret to avoid credential leak warnings

The hardcoded postgresql://postgres:postgres@localhost connection string was being flagged by secret scanners. Move DATABASE_URL to a GHA environment secret (integration-postgres) so the password is never in the workflow file.

Changes:
- _test-unit-services-base.yml: DATABASE_URL now comes from secrets, environment is derived from enable-* flags (integration-postgres, integration-redis, or integration-redis-postgres)
- test-unit-proxy-db.yml: switched to push-only trigger (uses secrets now)
- test-unit-security.yml: switched to push-only trigger (uses secrets now)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/_test-unit-services-base.yml | 16 ++++++++++++----
 .github/workflows/test-unit-proxy-db.yml | 7 ++++---
 .github/workflows/test-unit-security.yml | 7 ++++---
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/_test-unit-services-base.yml b/.github/workflows/_test-unit-services-base.yml
index 86f51173be..042008f24a 100644
--- a/.github/workflows/_test-unit-services-base.yml
+++ b/.github/workflows/_test-unit-services-base.yml
@@ -44,6 +44,8 @@ on:
 required: false
 REDIS_PASSWORD:
 required: false
+ DATABASE_URL:
+ required: false
 permissions:
 contents: read
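Review bot: Declaring `DATABASE_URL` as `required: false` means a caller that sets `enable-postgres: true` but omits the `secrets:` mapping, or runs where the environment secret is unset, gets an empty connection string and the failure only surfaces later as an opaque Prisma error instead of a configuration error. Consider a fail-fast step guarded by `if: ${{ inputs.enable-postgres }}` that checks the value through `env:`, e.g. `run: test -n "$DATABASE_URL" || { echo "::error::DATABASE_URL secret is required when enable-postgres is true"; exit 1; }`, since the `secrets` context is, as far as I recall, not available in a step-level `if`. A `description:` on the new secret naming which environment is expected to provide it would also help callers. The `on.workflow_call.secrets` block this hunk extends starts outside the hunk.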
@@ -53,9 +55,15 @@ jobs:
 name: Run tests
 runs-on: ubuntu-latest
 timeout-minutes: ${{ inputs.timeout-minutes }}
- # Environment is derived from enable-redis, not caller-controllable.
+ # Environment is derived from the enable-* flags, not caller-controllable.
 # This prevents callers from passing arbitrary environment names to bypass secret scoping.
- environment: ${{ inputs.enable-redis && 'integration-redis' || '' }}
+ environment: >-
+ ${{
+ (inputs.enable-redis && inputs.enable-postgres) && 'integration-redis-postgres' ||
+ inputs.enable-redis && 'integration-redis' ||
+ inputs.enable-postgres && 'integration-postgres' ||
+ ''
+ }}
 services:
 postgres:
@@ -117,7 +125,7 @@ jobs:
 - name: Run Prisma migrations
 if: ${{ inputs.enable-postgres }}
 env:
- DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/litellm_test"
+ DATABASE_URL: ${{ secrets.DATABASE_URL }}
 run: |
 poetry run prisma db push --schema litellm/proxy/schema.prisma --accept-data-loss
@@ -127,7 +135,7 @@ jobs:
 MAX_FAILURES: ${{ inputs.max-failures }}
 WORKERS: ${{ inputs.workers }}
 RERUNS: ${{ inputs.reruns }}
- DATABASE_URL: ${{ inputs.enable-postgres && 'postgresql://postgres:postgres@localhost:5432/litellm_test' || '' }}
+ DATABASE_URL: ${{ inputs.enable-postgres && secrets.DATABASE_URL || '' }}
 REDIS_HOST: ${{ inputs.enable-redis && secrets.REDIS_HOST || '' }}
 REDIS_PORT: ${{ inputs.enable-redis && secrets.REDIS_PORT || '' }}
 REDIS_PASSWORD: ${{ inputs.enable-redis && secrets.REDIS_PASSWORD || '' }}
diff --git a/.github/workflows/test-unit-proxy-db.yml b/.github/workflows/test-unit-proxy-db.yml
index 0231da3f6e..db0eef1cf6 100644
--- a/.github/workflows/test-unit-proxy-db.yml
+++ b/.github/workflows/test-unit-proxy-db.yml
@@ -1,8 +1,7 @@
 name: "Unit Tests: Proxy DB Operations"
+# Uses DATABASE_URL secret — only runs on trusted branches, not PRs.
 on:
- pull_request:
- branches: [main]
 push:
 branches: [main, "litellm_*"]
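Review bot: The new `integration-redis-postgres` environment must hold both the `REDIS_*` secrets and `DATABASE_URL`; a caller enabling both services now lands there instead of `integration-redis`, and if that environment lacks the Redis secrets the env block further down silently receives empty values. The replacement comment is accurate but it would help to spell out the four outcomes, e.g. `# redis+postgres -> integration-redis-postgres, redis -> integration-redis, postgres -> integration-postgres, neither -> no environment`. Each of these environments should also carry deployment-branch protection rules, since the caller workflows' trigger comments treat "push to main or litellm_*" as trusted and that only holds if the environment itself restricts which refs can read its secrets. Workflow-expression precedence puts `&&` above `||`, so the chain evaluates as intended and the outer parentheses are merely clarifying.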
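Review bot: The migration step now reads `DATABASE_URL` from the secret, but the `services.postgres` container it connects to is configured outside this hunk and presumably still carries a literal `POSTGRES_PASSWORD`; if so, the password remains in the workflow file and the secret must be kept in lockstep with that literal by hand, so the scanner finding is moved rather than resolved. If a clean scan is the goal, either derive a throwaway password per run and feed it to both the service definition and the URL, or allowlist this localhost-only test credential in the scanner configuration, which would also avoid dropping the `pull_request` triggers in the caller workflows. A comment above the env entry such as `# DATABASE_URL is an environment secret; it must match the credentials of the postgres service container above` would make the coupling visible. The same consideration applies to the `DATABASE_URL` line in the test-env hunk that follows.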
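Review bot: Dropping `pull_request` removes the DB and security unit tests from every pull request, including same-repo PRs where the environment secret could have been available, so the tests meant to catch regressions now run only after merge or on `litellm_*` pushes. The added comment equates "push to main or litellm_*" with "trusted", which only holds if branch protection and the environment's deployment branch policy restrict who can push there and which refs can read the secret; please confirm those are in place or reword to `# Uses the DATABASE_URL environment secret; PR triggers removed because fork PRs cannot read it.` so the reason is stated precisely. An alternative that keeps coverage is to retain the `pull_request` trigger and have the reusable workflow fail fast with a clear message when the secret is absent, so fork PRs skip loudly while internal PRs still run. The identical hunk in test-unit-security.yml has the same issue.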
@@ -10,7 +9,7 @@ permissions:
 contents: read
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 jobs:
@@ -40,3 +39,5 @@ jobs:
 timeout-minutes: ${{ matrix.timeout }}
 enable-redis: false
 enable-postgres: true
+ secrets:
+ DATABASE_URL: ${{ secrets.DATABASE_URL }}
diff --git a/.github/workflows/test-unit-security.yml b/.github/workflows/test-unit-security.yml
index 63eed494a7..1a08608740 100644
--- a/.github/workflows/test-unit-security.yml
+++ b/.github/workflows/test-unit-security.yml
@@ -1,8 +1,7 @@
 name: "Unit Tests: Security"
+# Uses DATABASE_URL secret — only runs on trusted branches, not PRs.
 on:
- pull_request:
- branches: [main]
 push:
 branches: [main, "litellm_*"]
@@ -10,7 +9,7 @@ permissions:
 contents: read
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 jobs:
@@ -23,3 +22,5 @@ jobs:
 timeout-minutes: 20
 enable-redis: false
 enable-postgres: true
+ secrets:
+ DATABASE_URL: ${{ secrets.DATABASE_URL }}
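Review bot: The caller forwards `DATABASE_URL: ${{ secrets.DATABASE_URL }}` explicitly, but this caller job declares no `environment`, so the expression appears to be resolved in the caller's own context (repository or organization secrets) rather than in the `integration-postgres` environment that the reusable workflow selects; if an environment-only secret arrives empty here, the job fails only at the Prisma step. If the existing `REDIS_*` secrets reach the base workflow this same way then it works as intended, but please confirm, and if the environment is meant to be the source, `secrets: inherit` combined with the environment selection in the called job is the usual pattern. Either way a one-line comment stating where the secret is defined, e.g. `# DATABASE_URL is defined as an environment secret (integration-postgres); see _test-unit-services-base.yml`, would save the next reader the same investigation. The final hunk in test-unit-security.yml has the same concern.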