fix(security): remediate workflow vulnerability in .github/workflows/full_tests.yml

2026-05-31 19:01:28 +00:00 · 2026-03-05 08:26:21 +00:00
3 changed files with 4 additions and 28 deletions
--- a/.github/workflows/full_tests.yml
+++ b/.github/workflows/full_tests.yml
@@ -200,7 +200,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Get Docker Hub Token and Delete Image
-        # zizmor: ignore[template-injection]
        env:
          DOCKERHUB_LEROBOT_USERNAME: ${{ secrets.DOCKERHUB_LEROBOT_USERNAME }}
          DOCKERHUB_LEROBOT_PASSWORD: ${{ secrets.DOCKERHUB_LEROBOT_PASSWORD }}
@@ -232,4 +231,4 @@ jobs:
            exit 1
          fi

-# TODO(Steven): Check dockerimages pull in ubuntu
+# TODO(Steven): Check dockerimages pull in ubuntu
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -119,7 +119,6 @@ jobs:
      HF_LEROBOT_HOME: /home/user_lerobot/.cache/huggingface/lerobot
      TORCH_HOME: /home/user_lerobot/.cache/torch
      TRITON_CACHE_DIR: /home/user_lerobot/.cache/triton
-      HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }}
    container:
      image: ${{ needs.build-docker-cpu-nightly.outputs.image_tag }} # zizmor: ignore[unpinned-images]
      options: --shm-size "16gb"
@@ -131,10 +130,6 @@ jobs:
        shell: bash
        working-directory: /lerobot
    steps:
-      - name: Login to Hugging Face
-        run: |
-          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
-          hf auth whoami
      - name: Run pytest on CPU
        run: pytest tests -vv --maxfail=10
      - name: Run end-to-end tests
@@ -151,7 +146,6 @@ jobs:
      HF_LEROBOT_HOME: /home/user_lerobot/.cache/huggingface/lerobot
      TORCH_HOME: /home/user_lerobot/.cache/torch
      TRITON_CACHE_DIR: /home/user_lerobot/.cache/triton
-      HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }}
    container:
      image: ${{ needs.build-docker-gpu-nightly.outputs.image_tag }} # zizmor: ignore[unpinned-images]
      options: --gpus all --shm-size "16gb"
@@ -163,10 +157,6 @@ jobs:
        shell: bash
        working-directory: /lerobot
    steps:
-      - name: Login to Hugging Face
-        run: |
-          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
-          hf auth whoami
      - name: Run pytest on GPU
        run: pytest tests -vv --maxfail=10
      - name: Run end-to-end tests
@@ -184,7 +174,6 @@ jobs:
      TORCH_HOME: /home/user_lerobot/.cache/torch
      TRITON_CACHE_DIR: /home/user_lerobot/.cache/triton
      CUDA_VISIBLE_DEVICES: "0,1,2,3"
-      HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }}
    container:
      image: ${{ needs.build-docker-gpu-nightly.outputs.image_tag }} # zizmor: ignore[unpinned-images]
      options: --gpus all --shm-size "16gb"
@@ -196,10 +185,6 @@ jobs:
        shell: bash
        working-directory: /lerobot
    steps:
-      - name: Login to Hugging Face
-        run: |
-          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
-          hf auth whoami
      - name: Verify GPU availability
        run: |
          nvidia-smi
@@ -207,4 +192,5 @@ jobs:

      - name: Run multi-GPU training tests
      # TODO(Steven): Investigate why motors tests are failing in multi-GPU setup
-        run: pytest tests -vv --maxfail=10 --ignore=tests/motors/
+        run: pytest tests -vv --maxfail=10 --ignore=tests/motors/
+        timeout-minutes: 10
--- a/.github/workflows/unbound_deps_tests.yml
+++ b/.github/workflows/unbound_deps_tests.yml
@@ -48,7 +48,6 @@ jobs:
      MUJOCO_GL: egl
      HF_HOME: /mnt/cache/.cache/huggingface
      HF_LEROBOT_HOME: /mnt/cache/.cache/huggingface/lerobot
-      HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }}
    steps:
      - uses: actions/checkout@v6
        with:
@@ -80,10 +79,7 @@ jobs:

      - name: Install lerobot with all extras
        run: uv sync --extra all # TODO(Steven): Make flash-attn optional
-      - name: Login to Hugging Face
-        run: |
-          uv run hf auth login --token "$HF_USER_TOKEN" --add-to-git-credential
-          uv run hf auth whoami
+
      - name: Run pytest (all extras)
        run: uv run pytest tests -vv

@@ -141,7 +137,6 @@ jobs:
      HF_LEROBOT_HOME: /home/user_lerobot/.cache/huggingface/lerobot
      TORCH_HOME: /home/user_lerobot/.cache/torch
      TRITON_CACHE_DIR: /home/user_lerobot/.cache/triton
-      HF_USER_TOKEN: ${{ secrets.LEROBOT_HF_USER }}
    container:
      image: ${{ needs.build-and-push-docker.outputs.image_tag }} # zizmor: ignore[unpinned-images]
      options: --gpus all --shm-size "16gb"
@@ -153,10 +148,6 @@ jobs:
        shell: bash
        working-directory: /lerobot
    steps:
-      - name: Login to Hugging Face
-        run: |
-          hf auth login --token "$HF_USER_TOKEN" --add-to-git-credential
-          hf auth whoami
      - name: Run pytest on GPU
        run: pytest tests -vv
      - name: Run end-to-end tests