prevent secret leakage with pull_request_target

- in this way the action is used from the base repository - also use new secret HUGGINGFACE_TOKEN (username:token) - f.e. `noreply@github.com:hf_lkaugfklagwrjglaslzfgkjzzf` - change pr prompt file to validate_pr_prompt.txt
2024-08-30 20:32:17 +00:00 · 2022-10-28 17:54:50 +02:00 · 2022-10-28 17:54:50 +02:00 · 61013e8eee
commit 61013e8eee
parent 48d4fccd61
1 changed files with 4 additions and 3 deletions
--- a/.github/workflows/test-invoke-conda.yml
+++ b/.github/workflows/test-invoke-conda.yml
@ -4,7 +4,7 @@ on:
    branches:
      - 'main'
      - 'development'
-  pull_request:
+  pull_request_target:
    branches:
      - 'main'
      - 'development'
@ -48,7 +48,7 @@ jobs:

      - name: set test prompt to Pull Request validation
        if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/development' }}
-        run: echo "TEST_PROMPTS=tests/pr_prompt.txt" >> $GITHUB_ENV
+        run: echo "TEST_PROMPTS=tests/validate_pr_prompt.txt" >> $GITHUB_ENV

      - name: set conda environment name
        run: echo "CONDA_ENV_NAME=invokeai" >> $GITHUB_ENV
@ -69,7 +69,8 @@ jobs:
          [[ -d models/ldm/stable-diffusion-v1 ]] \
            || mkdir -p models/ldm/stable-diffusion-v1
          [[ -r models/ldm/stable-diffusion-v1/model.ckpt ]] \
-            || curl -o models/ldm/stable-diffusion-v1/model.ckpt ${{ secrets.SD_V1_4_URL }}
+            || curl --user "${{ secrets.HUGGINGFACE_TOKEN }}" \
+              -O -L https://huggingface.co/CompVis/stable-diffusion-v-1-4-original/resolve/main/sd-v1-4.ckpt

      - name: Activate Conda Env
        uses: conda-incubator/setup-miniconda@v2