review fixes

.github/workflows/checks-workflows.yml

@@ -1,4 +1,4 @@
-name: Worflows check
+name: Checks for GitHub workflows
 
 on:
   push:
@@ -13,7 +13,7 @@ env:
   PYTHON_VERSION: "3.11"
 
 jobs:
-  lint-vizro-all:
+  checks-workflows:
     runs-on: ubuntu-latest
 
     steps:
@@ -24,8 +24,6 @@ jobs:
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
-      - name: Workflows check
+      - name: Checks for GitHub workflows
         run: |
-          pip install pyyaml
-          cd .github/workflows
-          python ../../tools/yaml_check.py
+          python tools/scan_yaml_for_risky_text.py.py .github/workflows 

.github/workflows/test-integration-vizro-ai.yml

@@ -102,16 +102,7 @@ jobs:
         with:
           payload: |
             {
-              "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-                  }
-                }
-              ]
+              "text": "Vizro-ai ${{ matrix.hatch-env }} integration tests build result: ${{ job.status }}\nBranch: ${{ github.head_ref }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/vizro-qa-tests-trigger.yml

@@ -1,4 +1,4 @@
-name: Vizro qa tests trigger
+name: Vizro QA tests trigger
 
 on:
   push:
@@ -12,25 +12,35 @@ env:
   FORCE_COLOR: 1
 
 jobs:
-  vizro-qa-trigger-fork:
+  vizro-qa-test-trigger-fork:
     if: ${{ github.event.pull_request.head.repo.fork }}
-    name: Vizro qa tests trigger
+    name: Vizro QA ${{ matrix.label }} trigger
     runs-on: ubuntu-latest
+    matrix:
+      include:
+        - label: integration tests
+        - label: notebooks tests
     steps:
       - name: Passed fork step
         run: echo "Success!"
 
-  vizro-qa-trigger:
+  vizro-qa-tests-trigger:
     if: ${{ ! github.event.pull_request.head.repo.fork }}
-    name: Vizro qa tests trigger
+    name: Vizro QA ${{ matrix.label }} trigger
     runs-on: ubuntu-latest
+    matrix:
+      include:
+        - label: integration tests
+          file: ${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }}
+        - label: notebooks test
+          file: ${{ secrets.VIZRO_QA_NOTEBOOKS_TESTS_WORKFLOW }}
     steps:
       - uses: actions/checkout@v4
       - name: Tests trigger
         run: |
           export INPUT_OWNER=${{ secrets.VIZRO_QA_ORG }}
           export INPUT_REPO=${{ secrets.VIZRO_QA_REPO }}
-          export INPUT_WORKFLOW_FILE_NAME=${{ secrets.VIZRO_QA_INTEGRATION_TESTS_WORKFLOW }}
+          export INPUT_WORKFLOW_FILE_NAME=${{ matrix.label }}
           export INPUT_GITHUB_TOKEN=${{ secrets.VIZRO_SVC_PAT }}
           export INPUT_REF=${{ github.head_ref }}
           tools/trigger-workflow-and-wait.sh

tools/scan_yaml_for_risky_text.py.py

@@ -0,0 +1,16 @@
+import sys
+from pathlib import Path
+
+# according to this article: https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
+# we should avoid using `pull_request_target` for security reasons
+risky_text = "pull_request_target"
+
+
+def find_risky_files(path: str):
+    return {str(file) for file in Path(path).rglob("*.yml") if f"{risky_text}" in file.read_text()}
+
+
+if __name__ == '__main__':
+    risky_files = find_risky_files(sys.argv[1])
+    if risky_files:
+        sys.exit(f"{risky_text} found in files {risky_files}.")