Commit Graph

517 Commits

Author SHA1 Message Date
Krrish Dholakia
05134fc70b
Create scorecard.yml 2026-03-30 07:47:06 -07:00
Yuneng Jiang
3b5b98327e
[Fix] Use integration-redis-postgres env for Redis workflows since Postgres always starts
GHA doesn't support conditional service containers, so the Postgres container
always starts even for Redis-only jobs. Use integration-redis-postgres
environment for any workflow with enable-redis so the Postgres container gets
valid credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 14:25:29 -07:00
Yuneng Jiang
3ae80407dd
[Fix] Move Postgres username and password to environment secrets
Move POSTGRES_USER and POSTGRES_PASSWORD from hardcoded values to
environment secrets so no credentials appear in workflow files at all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:31:58 -07:00
Yuneng Jiang
d42e2f6429
[Fix] Move Postgres DATABASE_URL to environment secret to avoid credential leak warnings
The hardcoded postgresql://postgres:postgres@localhost connection string was
being flagged by secret scanners. Move DATABASE_URL to a GHA environment
secret (integration-postgres) so the password is never in the workflow file.

Changes:
- _test-unit-services-base.yml: DATABASE_URL now comes from secrets, environment
  is derived from enable-* flags (integration-postgres, integration-redis, or
  integration-redis-postgres)
- test-unit-proxy-db.yml: switched to push-only trigger (uses secrets now)
- test-unit-security.yml: switched to push-only trigger (uses secrets now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 13:28:41 -07:00
Yuneng Jiang
6549f3eb1a
[Infra] Add unit test workflows for Postgres, Redis, and security test suites
Add three new GHA workflows for tests requiring service containers, plus a
reusable base workflow that provides Postgres and cloud Redis support.

New workflows:
- test-unit-proxy-db.yml: proxy DB tests (key generation, auth checks,
  remaining) using a local Postgres container with a 3-way descriptive matrix
- test-unit-caching-redis.yml: caching tests that need Redis but no provider
  API keys, using cloud Redis via the integration-redis environment
- test-unit-security.yml: proxy security tests using a local Postgres container

Reusable base (_test-unit-services-base.yml):
- Local Postgres pinned by digest (postgres@sha256:705a5d5b...)
- Cloud Redis credentials scoped to the integration-redis GHA environment
- Environment binding is derived from enable-redis flag inside the base
  (not caller-controllable) to prevent secret scope bypass
- Supports workers=0 for tests that cannot run in parallel

Security hardening:
- All actions pinned to commit SHAs
- persist-credentials: false on all checkouts
- permissions: contents: read only
- Postgres-only workflows (proxy-db, security) use zero secrets and trigger on
  both pull_request and push to main/litellm_*
- Redis workflow triggers on push only (not pull_request) to prevent external
  PRs from accessing Redis Cloud credentials
- Added ${TEST_PATH:?} guard to both _test-unit-base.yml and
  _test-unit-services-base.yml to fail fast on empty test paths
- All files pass zizmor --pedantic with zero findings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 12:06:45 -07:00
Yuneng Jiang
7851567091
[Fix] Scope documentation workflow to match CircleCI and add missing router settings
Revert path fixes for documentation tests that CircleCI never ran
(test_exception_types, test_general_setting_keys, test_readme_providers,
test_standard_logging_payload). Update the GHA workflow to run only the
4 tests CircleCI actually executed: test_env_keys, test_router_settings,
test_api_docs, test_circular_imports.

Add 2 missing router_settings keys (enable_health_check_routing,
health_check_staleness_threshold) and 27 missing general_settings keys
to config_settings.md so test_router_settings passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 11:23:53 -07:00
Yuneng Jiang
7100ed5d0a
[Fix] Test isolation for agent health checks and documentation test path resolution
Fix agent health check tests failing with 500 errors in parallel CI by
mocking prisma_client to None. Fix documentation validation tests using
CWD-relative paths that break depending on the working directory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 11:00:22 -07:00
yuneng-jiang
428d837704
Merge pull request #24740 from BerriAI/litellm_unit_test_workflow_isolation
[Infra] Isolate unit test workflows with hardened security posture
2026-03-28 10:30:13 -07:00
Yuneng Jiang
c717189ed2
[Infra] Remove workflows that require API keys or external services
These test suites are not pure unit tests and don't belong in Phase 1:
- litellm_utils_tests: health check tests need OPENAI_API_KEY
- pass_through_unit_tests: tests hit real Anthropic API
- router_unit_tests: tests call real OpenAI moderation endpoints
- proxy_security_tests: requires DATABASE_URL (Postgres)
- documentation_tests: requires docs directory at specific relative path

These will be re-added in later phases with proper secret scoping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 10:16:19 -07:00
Yuneng Jiang
a34ed20901
[Infra] Fix job naming in reusable workflow callers
Rename job keys from generic 'test' to descriptive names (e.g.,
'core-utils', 'proxy-auth', 'router') so GitHub checks display as
'core-utils / run' instead of 'test / test'.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 10:07:32 -07:00
Yuneng Jiang
3d527b722d
[Infra] Add isolated unit test workflows with hardened security posture
Replace monolithic matrix workflow with individual, descriptively-named
workflow files. Each workflow uses a shared reusable base and follows
least-privilege security: zero secrets, read-only permissions, SHA-pinned
actions, persist-credentials: false, and env-var indirection to prevent
template injection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 09:56:58 -07:00
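The posture this commit describes, and that the 6549f3eb1a entry above itemises again (SHA-pinned actions, persist-credentials: false on checkouts, read-only permissions, env-var indirection instead of expanding `${{ }}` inside `run:`), is exactly what a workflow linter such as zizmor looks for. What follows is an added example, not code from the litellm repository or from zizmor: a small line-based Python audit that flags those four properties, run over two constructed workflows, a weak one and its hardened form. It assumes a simple YAML layout (one key per line, block scalars introduced by `|` or `>`), and the 40-hex digest in the hardened sample is a placeholder, not a real actions/checkout commit.

```python
import re

# Added example, not code from the litellm repository or from zizmor: a
# line-based approximation of four hardening properties from the commit
# messages (SHA-pinned actions, persist-credentials: false, read-only
# permissions, no untrusted ${{ }} expressions inside run: steps).

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
# Contexts an outside contributor controls; expanded inside run: they are
# interpolated into the shell script before it executes.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.|github\.head_ref|inputs\.)")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block(lines, start, base):
    """Indexes of the lines below `start` that are indented deeper than `base`."""
    j = start + 1
    while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > base):
        yield j
        j += 1


def _check_permissions(lines, findings):
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S*)", line)
        if m is None:
            continue
        if m.group(1) == "write-all":
            findings.append(("write-permissions", i + 1, line.strip()))
        for j in _block(lines, i, 0):
            if re.search(r":\s*write\b", lines[j]):
                findings.append(("write-permissions", j + 1, lines[j].strip()))
        return
    findings.append(("missing-permissions", 0, "no top-level permissions: block"))


def audit(workflow_text):
    """Return (rule, line_number, offending_text) findings for one workflow."""
    lines = workflow_text.splitlines()
    findings = []
    _check_permissions(lines, findings)
    for i, line in enumerate(lines):
        u = USES.match(line)
        if u:
            ref = u.group(1)
            # Local actions (./path) have no digest; anything else must end in
            # a full 40-hex commit SHA, never a tag or branch name.
            if not ref.startswith("./") and not FULL_SHA.search(ref):
                findings.append(("unpinned-action", i + 1, ref))
            if ref.startswith("actions/checkout@"):
                # The step's "- " column: two to the left if uses: follows name:.
                base = _indent(line) - (0 if line.lstrip().startswith("-") else 2)
                if not any("persist-credentials: false" in lines[j]
                           for j in _block(lines, i, base)):
                    findings.append(("artipacked", i + 1, ref))
            continue
        r = RUN.match(line)
        if r:
            body = r.group(1).strip()
            if body and body[0] in "|>":  # block scalar: script is on the lines below
                for j in _block(lines, i, _indent(line)):
                    if UNTRUSTED.search(lines[j]):
                        findings.append(("template-injection", j + 1, lines[j].strip()))
            elif UNTRUSTED.search(body):
                findings.append(("template-injection", i + 1, body))
    return findings


# Constructed sample workflows (not files from the repository).
VULNERABLE = """\
on: pull_request
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: echo "PR title is ${{ github.event.pull_request.title }}"
"""

# Same job with the posture the commits describe. The 40-hex digest is a
# placeholder, not a real actions/checkout commit.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  check:
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title is $PR_TITLE"
"""
```

`audit(VULNERABLE)` reports missing-permissions, then unpinned-action and artipacked on the checkout step, and template-injection on the `run:` line; `audit(HARDENED)` returns no findings, because the PR title reaches the shell through `$PR_TITLE` as data instead of being pasted into the script text before it runs.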
Yuneng Jiang
e0e0c5e293
[Infra] Fix zizmor artipacked warnings on schema sync workflows
Add persist-credentials: false to check-schema-sync (read-only, no push needed).
Explicitly set persist-credentials: true on sync-schema (required for git push).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 16:14:06 -07:00
Yuneng Jiang
08e29e0a9a
[Infra] Automated schema.prisma sync and drift detection
Sync all 3 schema.prisma copies and add GHA workflows to keep them in sync automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 16:01:20 -07:00
yuneng-jiang
d949085310
Merge pull request #24697 from BerriAI/litellm_codeql_gha
[Infra] Improve CodeQL scanning coverage and schedule
2026-03-27 12:17:39 -07:00
Yuneng Jiang
ec4273ed8b
[Infra] Improve CodeQL scanning coverage and schedule
Switch query suite from security-extended to security-and-quality to
match the default GitHub Advanced Security setup. Run scheduled scans
daily instead of weekly. Remove paths-ignore for _experimental/out so
build artifacts are also scanned.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:04:09 -07:00
Yuneng Jiang
ca3457b091
Pin nodejs-wheel-binaries in CI workflows running prisma generate
prisma generate internally runs `npm install prisma@5.4.2` against the
npm registry at runtime. Without a bundled Node.js, this causes
ECONNRESET failures on flaky GitHub Actions network and leaves the
npm transitive dependency tree unpinned.

Pre-install nodejs-wheel-binaries==24.13.1 (matching the Dockerfiles)
so prisma uses the bundled Node/npm instead of fetching from the
registry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 11:25:03 -07:00
Krrish Dholakia
ff63df25a2
Merge pull request #24663 from BerriAI/litellm_test_branch_03_26_2026_p1
Add zizmor to ci/cd
2026-03-27 08:59:07 -07:00
Krrish Dholakia
a671275f5c ci: add zizmor github action 2026-03-27 05:33:21 -07:00
Krrish Dholakia
dfb543369b fix: address zizmor comments 2026-03-26 21:09:01 -07:00
Yuneng Jiang
ba8455a3be
[Infra] Migrate PyPI publishing from CircleCI to GitHub Actions OIDC
- Add .github/workflows/publish_to_pypi.yml with OIDC trusted publisher
- Remove publish_to_pypi job from .circleci/config.yml
- Zero long-lived tokens, all actions SHA-pinned, build deps version-pinned
2026-03-26 19:02:14 -07:00
Yuneng Jiang
84be6f69ef fix google-cloud-aiplatform pin to be compatible with google-genai==1.22.0
Pin to 1.115.0 (latest version that doesn't require google-genai>=1.59.0).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:37:43 -07:00
Yuneng Jiang
1beb687f54 pin GHA dependencies + remove unused load test files
Pin all pip install commands to exact versions and SHA-pin all GitHub
Actions to prevent supply chain attacks. Remove snok/install-poetry
in favor of direct pip install. Delete orphaned load test scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 22:32:08 -07:00
Krrish Dholakia
df2a36dd27 docs: document new github + gitlab ci scripts 2026-03-25 20:17:10 -07:00
Yuneng Jiang
b90a0af0d7 remove extra @ 2026-03-25 17:46:37 -07:00
Yuneng Jiang
a989587525 re-add helm unit test with checksum pin 2026-03-25 17:38:36 -07:00
Yuneng Jiang
f86b240d7e pin github scripts + remove unused 2026-03-25 17:38:36 -07:00
Ishaan Jaffer
3e8a6f24b7 ci: remove all publish/deploy workflows as part of supply chain incident response 2026-03-24 18:03:04 -07:00
Ishaan Jaffer
3d5b1ecb3b ci: remove publish-migrations and reset_stable workflows 2026-03-24 17:59:07 -07:00
DmitriyAlergant
1310a275d2 ci: narrow codeql guard to schedule-only
Use event_name check so push/PR-triggered CodeQL scans still run on
forks — only the scheduled run is skipped.
2026-03-23 21:39:11 -04:00
DmitriyAlergant
91bc095e18 ci: skip scheduled workflows on forks
Add `if: github.repository == 'BerriAI/litellm'` guard to scheduled
jobs in stale.yml, codeql.yml, and create_daily_staging_branch.yml.

This matches the existing pattern in auto_update_price_and_context_window.yml
and prevents these workflows from running unnecessarily on fork repositories.
2026-03-23 21:29:00 -04:00
joereyna
d118bf4818 chore: add poetry check --lock to lint CI to prevent stale lockfile merges 2026-03-19 14:36:02 -07:00
yuneng-jiang
195c0ee54d
Merge pull request #23917 from BerriAI/litellm_/loving-noyce
[Fix] Add contents:write permission to ghcr_deploy release job
2026-03-17 17:27:36 -07:00
yuneng-jiang
b8ffbba352 [Fix] Add contents:write permission to release job in ghcr_deploy workflow
The release job was failing with "Resource not accessible by integration"
because other jobs explicitly set permissions, causing GitHub to scope the
default token down for all jobs. The release job needs contents:write to
create GitHub releases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 17:23:39 -07:00
codspeed-hq[bot]
be20a8a93d
Add CodSpeed performance benchmarks (#23676)
Co-authored-by: codspeed-hq[bot] <117304815+codspeed-hq[bot]@users.noreply.github.com>
2026-03-14 18:44:36 -07:00
Krrish Dholakia
e0b3fcb34c refactor: update pr template to invite users to slack oss 2026-03-14 15:19:40 -07:00
Chesars
0fc407cfdd ci: exclude enterprise/ from black --check in linting workflow
Contributors don't have local access to enterprise/ files,
so the check would always fail on unformatted enterprise code.
2026-03-12 14:27:00 -03:00
Cesar Garcia
f79744cee2
Merge pull request #18648 from Chesars/fix-black-check-ci
fix: check Black formatting in CI instead of auto-formatting
2026-03-12 14:24:37 -03:00
yuneng-jiang
202b5b29de Add daily internal dev branch creation job
Adds a new job to the existing daily staging branch workflow that creates
a `litellm_internal_dev_MM_DD_YYYY` branch from main twice a day. This
branch serves as a staging area before merging into main to improve
stability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 15:53:42 -07:00
Joe Reyna
cbbd51a5ce
fix(codeql): switch to security-extended to fix OOM failures (#23226)
* fix(codeql): switch to security-extended query suite

The security-and-quality suite produces result sets > 2 GiB on this
codebase, causing fatal OOM failures and blocking CI. Switching to
security-extended reduces query scope to security-only checks, which
still complete successfully. Quality/maintainability checks are
already covered by the existing lint pipeline.

* fix(codeql): exclude OOM queries from security-extended
2026-03-11 07:38:01 -07:00
Joe Reyna
40210ce750
fix(codeql): remove ruby from language matrix (#23227) 2026-03-10 20:45:23 -07:00
Sameer Kankute
0ee4d90d7e Fix enterprise bump yml 2026-03-09 16:43:40 +05:30
Sameer Kankute
4d92c720c7 Fix enterprise bump yml 2026-03-09 16:39:38 +05:30
Sameer Kankute
a52a4fd28a fix(enterprise): create PR for version bump instead of pushing to protected main
Made-with: Cursor
2026-03-09 16:31:27 +05:30
Julio Quinteros Pro
512a5fa3c7
Merge pull request #22788 from BerriAI/fix/azure-batches-add-tenacity-ci
Add tenacity to e2e Azure batch CI and revert importorskip
2026-03-04 11:50:44 -03:00
Julio Quinteros Pro
75b2e40cd3 Remove incompatible openai==1.100.1 pin from linting CI
The linting workflow force-installed openai==1.100.1 which conflicts
with litellm's requirement of openai>=2.8.0, causing pip dependency
resolver errors and CI cancellation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 11:46:31 -03:00
Julio Quinteros Pro
aa62ddaf0a Add tenacity to e2e Azure batch CI and revert importorskip
PR #22785 used pytest.importorskip which causes exit code 5 (all
skipped) in CI. Instead, add tenacity to the CI workflow pip install
and restore direct imports.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 11:45:14 -03:00
Sameer Kankute
213bf11ede
Merge pull request #22763 from BerriAI/litellm_test_e2e_batches_test
feat(tests): add proxy e2e azure batches test
2026-03-04 18:28:52 +05:30
Sameer Kankute
7b6a972fed Add this test in cicd 2026-03-04 17:21:00 +05:30
Sameer Kankute
49738bb3e3 ci: add proxy e2e azure batches workflow
- Run test_e2e_managed_batch with -vv -s for terminal output on failure
- PostgreSQL, Poetry, Prisma setup
- Upload logs as artifact on failure

Made-with: Cursor
2026-03-04 17:15:33 +05:30
Cesar Garcia
fe8fa3abe0
Merge pull request #17308 from Chesars/fix/python-multipart-version-constraint
chore: update python-multipart constraint to >=0.0.18
2026-03-03 15:17:57 -03:00