codeflash-ai · Saga4 · Apr 11, 2025 · Apr 11, 2025
diff --git a/.github/workflows/codeflash-optimize.yaml b/.github/workflows/codeflash-optimize.yaml
@@ -1,7 +1,6 @@
 name: CodeFlash
 
 on:
-  # Use pull_request_target for everything to ensure access to secrets
   pull_request_target:
     paths:
       - '**'  # Trigger for all paths
@@ -15,7 +14,14 @@ concurrency:
 jobs:
   optimize:
     name: Optimize new Python code
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+      github.event_name == 'workflow_dispatch' ||
+      contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+      github.event.pull_request.user.login != 'misrasaurabh1' &&
+      github.event.pull_request.user.login != 'KRRT7'
+      ? 'external-trusted-contributors' : ''
+    }}
     if: ${{ github.actor != 'codeflash-ai[bot]' }}
     runs-on: ubuntu-latest
     env:
@@ -42,8 +48,8 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
-              echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
+            elif [[ "${{ github.event.pull_request.state }}" == "open" ]]; then
+              echo "✅ PR is open. Proceeding with appropriate protections."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."
               exit 1

diff --git a/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml b/.github/workflows/end-to-end-test-bubblesort-pytest-no-git.yaml
@@ -10,7 +10,14 @@ on:
 
 jobs:
   bubble-sort-optimization-pytest-no-git:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -39,7 +46,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [[ "${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-test-bubblesort-unittest.yaml b/.github/workflows/end-to-end-test-bubblesort-unittest.yaml
@@ -10,7 +10,14 @@ on:
 
 jobs:
   bubble-sort-optimization-unittest:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -39,7 +46,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-test-coverage.yaml b/.github/workflows/end-to-end-test-coverage.yaml
@@ -10,7 +10,14 @@ on:
 
 jobs:
   end-to-end-test-coverage:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -37,7 +44,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-test-futurehouse.yaml b/.github/workflows/end-to-end-test-futurehouse.yaml
@@ -10,7 +10,14 @@ on:
 
 jobs:
   futurehouse-structure:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -39,7 +46,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-test-init-optim.yaml b/.github/workflows/end-to-end-test-init-optim.yaml
@@ -9,7 +9,14 @@ on:
 
 jobs:
   init-optimization:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -38,7 +45,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-test-tracer-replay.yaml b/.github/workflows/end-to-end-test-tracer-replay.yaml
@@ -9,7 +9,14 @@ on:
 
 jobs:
   tracer-replay:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod
@@ -38,7 +45,7 @@ jobs:
             # Allowlist check
             if [[ "$AUTHOR" == "misrasaurabh1" || "$AUTHOR" == "KRRT7" ]]; then
               echo "✅ Authorized user ($AUTHOR). Proceeding."
-            elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.state }}" == "open" ]]; then
+            elif [["${{ github.event.pull_request.state }}" == "open" ]]; then
               echo "✅ PR triggered by 'pull_request_target' and is open. Assuming protection rules are in place. Proceeding."
             else
               echo "⛔ Unauthorized user ($AUTHOR) attempting to modify workflows. Exiting."

diff --git a/.github/workflows/end-to-end-topological-sort-test.yaml b/.github/workflows/end-to-end-topological-sort-test.yaml
@@ -10,7 +10,14 @@ on:
 
 jobs:
   topological-sort-optimization:
-    environment: external-trusted-contributors
+    # Dynamically determine if environment is needed only when workflow files change and contributor is external
+    environment: ${{
+                   github.event_name == 'workflow_dispatch' ||
+                   contains(toJSON(github.event.pull_request.files.*.filename), '.github/workflows/') &&
+                   github.event.pull_request.user.login != 'misrasaurabh1' &&
+                   github.event.pull_request.user.login != 'KRRT7'
+                   ? 'external-trusted-contributors': ''
+    }}
     runs-on: ubuntu-latest
     env:
       CODEFLASH_AIS_SERVER: prod