refactor(ci): workflows improvements (#1535)

* refactor(ci): consolidate documentation workflows * refactor(ci): improve quality workflow * refactor(ci): edit security workflow * refactor(ci): improve testing workflows * fix(ci): several fixes * chore(ci): renaming + permissions * chore(ci): remove now unused dockerfiles * chore(docs): add license headers to dockerfiles * chore(ci): add cache-binary false to setup-buildx actions * fix(ci): several fixes * dgb(ci): explicit env in the workflow * fix(ci): more explicit env vars for writing * fix(ci): nightly gpu tag
2025-07-19 20:09:12 +02:00
parent e6e1f085d4
commit 89f59b0703
19 changed files with 654 additions and 733 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,54 @@
+# Copyright 2025 The HuggingFace Inc. team. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This workflow handles secret scanning using TruffleHog to detect sensitive information in the codebase.
+name: Security
+permissions:
+  contents: read
+
+on:
+  # Allows running this workflow manually from the Actions tab
+  workflow_dispatch:
+
+  # Triggers the workflow on push events to main
+  push:
+    branches:
+      - main
+
+  # Triggers the workflow on pull request events targeting main
+  pull_request:
+    branches:
+      - main
+
+# Ensures that only the latest commit for a PR or branch is built, canceling older runs.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  # This job runs TruffleHog to scan the full history of the repository for secrets.
+  trufflehog:
+    name: Secret Leaks Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4 # zizmor: ignore[unpinned-uses]
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Secret Scanning
+        uses: trufflesecurity/trufflehog@v3.90.0  # zizmor: ignore[unpinned-uses]
+        with:
+          extra_args: --only-verified