From b746cd3c610dcee327cb89ed974bdf8953dac853 Mon Sep 17 00:00:00 2001 From: Pepijn Date: Thu, 16 Apr 2026 13:30:13 +0200 Subject: [PATCH] fix(profiling): sort import + move expressions to env vars for zizmor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pre-commit Quality gate flagged two issues: 1. ruff/isort: `from numbers import Real` must sort after `from collections.abc import Callable` (stdlib alphabetical order). 2. zizmor (high): `github.head_ref`, `github.ref_name`, `github.event.inputs.git_ref`, and `github.event.pull_request.head.sha` were expanded directly in `run:` shell blocks, which zizmor flags as attacker-controllable. Move all four into job-level `env:` vars (GIT_REF, PR_NUMBER, HOST_GIT_COMMIT) so the shell only sees env-var references — the same pattern the workflow already uses for PROFILE_MODE, POLICY_FILTER, etc. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/model_profiling.yml | 9 ++++++--- src/lerobot/utils/profiling_utils.py | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/model_profiling.yml b/.github/workflows/model_profiling.yml
index fd0c23eee..1586d7e0b 100644
--- a/.github/workflows/model_profiling.yml
+++ b/.github/workflows/model_profiling.yml
@@ -83,6 +83,9 @@ jobs:
 POLICY_FILTER: ${{ github.event_name == 'pull_request' && 'act' || github.event.inputs.policies || '' }}
 RESULTS_REPO: ${{ github.event.inputs.results_repo || 'model-profiling-history' }}
 SHOULD_PUBLISH: ${{ github.event_name == 'pull_request' || github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_results == 'true') }}
+ GIT_REF: ${{ github.head_ref || github.ref_name || github.event.inputs.git_ref || 'main' }}
+ PR_NUMBER: ${{ github.event.pull_request.number || '' }}
+ HOST_GIT_COMMIT: ${{ github.event.pull_request.head.sha || github.event.inputs.git_commit || github.sha }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -110,7 +113,7 @@ jobs:
 -e UV_PYTHON_PREFERENCE=only-system \
 -e XDG_DATA_HOME=/tmp/xdg-data \
 -e XDG_CACHE_HOME=/tmp/xdg-cache \
- -e HOST_GIT_COMMIT="${{ github.event.pull_request.head.sha || github.event.inputs.git_commit || github.sha }}" \
+ -e HOST_GIT_COMMIT="${HOST_GIT_COMMIT}" \
 -e HF_USER_TOKEN="${HF_USER_TOKEN}" \
 -e HF_TOKEN="${HF_USER_TOKEN}" \
 -e PROFILE_MODE="${PROFILE_MODE}" \
@@ -195,8 +198,8 @@ jobs:
 --results_repo="${RESULTS_REPO}"
 --profile_mode="${PROFILE_MODE}"
 --git_commit="${HOST_GIT_COMMIT}"
- --git_ref="${{ github.head_ref || github.ref_name || github.event.inputs.git_ref || 'main' }}"
- --pr_number="${{ github.event.pull_request.number || '' }}"
+ --git_ref="${GIT_REF}"
+ --pr_number="${PR_NUMBER}"
 )
 if [[ -n "${POLICY_FILTER}" ]]; then
diff --git a/src/lerobot/utils/profiling_utils.py b/src/lerobot/utils/profiling_utils.py
index fabff6156..fd5bd7cec 100644
--- a/src/lerobot/utils/profiling_utils.py
+++ b/src/lerobot/utils/profiling_utils.py
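Review bot: In the added `GIT_REF` line of the `@@ -83` hunk, `github.event.inputs.git_ref` can never be selected, because `github.ref_name` is populated on every event that has a ref (including `workflow_dispatch` and `schedule`) and short-circuits the `||` chain before the input is reached. `HOST_GIT_COMMIT` two lines below does honour its dispatch input, so a manual run can record a commit taken from the input next to a ref taken from the dispatching branch. If the input is meant to win, reorder to `GIT_REF: ${{ github.head_ref || github.event.inputs.git_ref || github.ref_name || 'main' }}`. The expression was carried over unchanged from the `--git_ref` line removed in the `@@ -195` hunk.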
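Review bot: On the `-e HOST_GIT_COMMIT="${HOST_GIT_COMMIT}"` line of the `@@ -110` hunk, the value is still free-form text whenever it comes from `github.event.inputs.git_commit`; the env indirection stops expression injection into the script but does not constrain what is handed to the container. A format check before `docker run` would keep non-SHA input out of the recorded results, for example `[[ "${HOST_GIT_COMMIT}" =~ ^[0-9a-f]{7,40}$ ]] || { echo "invalid git_commit" >&2; exit 1; }`. The `docker run` command starts and ends outside this hunk, so how the container uses the value is not visible here.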
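Review bot: On the `--git_ref="${GIT_REF}"` line of the `@@ -195` hunk, the value is `github.head_ref` on pull requests, a branch name chosen by the PR author, and quoting it only protects this shell. Whatever parses `--git_ref` and publishes to `RESULTS_REPO` (`SHOULD_PUBLISH` is true for pull requests) should treat it as untrusted text and not place it unescaped in file paths, markup or further commands; that code is outside this diff. I would also add a comment above the array, `# Untrusted GitHub context reaches this script only through job-level env vars; do not inline workflow expressions here.`, so the zizmor fix is not undone by a later edit. The array and the step it belongs to start outside the hunk.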
@@ -22,15 +22,16 @@ import io
 import json
 import pstats
 import statistics
-from numbers import Real
 from collections.abc import Callable
 from dataclasses import dataclass, field
+from numbers import Real
 from pathlib import Path
 from typing import Any
 import torch
 from torch.utils.data._utils.collate import default_collate
+
 def ensure_dir(path: Path) -> Path:
 path.mkdir(parents=True, exist_ok=True)
 return path