add command to deply a pr

No description provided.
not-lain changed pull request status to open

Following the creation of this PR, an ephemeral Space Wauplin/gradio-space-ci-ci-pr-7 has been started. Any changes pushed to this PR will be synced with the test Space.
Since this PR has not been created by a trusted author, the ephemeral Space has not been configured with the correct hardware, storage, and secrets. An admin must configure it manually.
(This is an automated message.)

thank you AI Wauplin ✨✨

        # TODO:
        # this is limited to the owner only
        # check if it works with organizations

=> what I would do is to rely on the trusted_authors list for that. It works both for users and orgs.

trusted_authors: List[str] = EPHEMERAL_SPACES_CONFIG["trusted_authors"]

if(... and in trusted_authors)

Also important to keep in mind:

  • deploying ephemeral Space always happen (no matter if trusted author or not, no matter if deploy comment or not)
  • configuring ephemeral Space should only happen:
    • if PR opened by trusted author
    • OR if a trusted author write a comment with a command /trust_pr AND that comment is made after the last commit
  • as soon as a new commit is pushed to the PR, the ephemeral Space should be deleted and recreated from scratch to avoid any leaks (i.e. the /trust_pr command should only be valid for the previous commits, not the following ones)

thanks for clarifying things, i'll update this pr shortly to add the necessary utilities.
also can you add me to the list of trusted users on this repo momentarily, i might need an ephemeral space on this one to debug things slowly (if the ephemeral space and the original space slash when writing on the dataset then there is no need, just wanted to highlight that beforehand )


also can you add me to the list of trusted users on this repo momentarily, i might need an ephemeral space on this one to debug things slowly

Can you try duplicating this Space and make a PR on your duplicated Space first? This shouldn't be the normal workflow but it'd be a good way to test if Space CI also works with duplicated Spaces. You can duplicate it going on + set a HF_TOKEN with your user access token. No need to add a space_ci_secret. Thanks in advance for trying it! (and if it doesn't work, I'll add you to trusted authors yes :))

@Wauplin it didn't not work, it says I don't have access to , could you create a temp dataset? or better yet create a temp organization and add me there (I might need to take a look at the space logs), you can make a copy of both the dataset and the space there

i can create the organization and and use my token there, problem is with the dataset, coz i have no idea what data it contains


Arf, true. You need to change this line in your duplicated Space and replace it with "not-lain/gradio-space-ci-report". And you should create this dataset repo first as well (with an empty file report.jsonl in it. Nothing really important , we don't need to share it in an org - a new one is fine.


What I want to check is if the Space CI will work in the duplicated Space. This error is more related to this Space logic itself which I don't care much to solve (it's not meant to be duplicated anyway)

@Wauplin thanks a lot for the feedback, i'll start working on it


cc @Wauplin for review.
if you want to try this out before merging I set up a space at

how this works is that we added 2 functions set_config and unset_config and each one of them is triggered by /trust_pr or untrust_pr
If someone not in the trusted_authors updates a PR, we trigger the unset_config function by default.

the only things i did not setup yet are the recover_after_restart, and maybe an automated message after using either of these commands

ok this breaks down after a commit is made by an untrusted author, i'll fix this in a bit


I think we can update the default trusted list based on the _event parameter after using the get_discussion_details function.



@Wauplin this is ready for a review rn
I have pretty much the same code in if you want to try it out.
I tried my best to try every possible combination i can think of, would suggest you reach out to someone to help you out try all possible combinations (unfortunately I don't have any friends on HF so i did my best so far), and all I can say that it does what it says so far.

  • when a trusted author says : /trust_pr we configure it
  • when a trusted author says : /untrust_pr we reset the ephemeral space configuration
  • when a new commit is uploaded we reset the ephemeral space if a trusted author does not make it

unfortunately I don't have any friends on HF so i did my best so far

My best friend on the Hub is usually me connecting with a fake account 😄💔

What would be the use case to use /untrust_pr exactly? When would a user want to use it? (genuinely asking as I might be missing something).

As I see it, a PR is "not trusted" by default. If a trusted author comment /trust_pr, then the PR is considered as "trusted" and the ephemeral Space can be configured. However, as soon as a new commit is pushed, it shouldn't be trusted anymore. As suggested in this comment I do think we should delete and recreate the ephemeral Space in case of new untrusted commits on the PR. So what I would do:

  1. on each comment or commit, check if the ephemeral PR is in sync. If it's already in sync, then do nothing.
  2. on each comment or commit, check if the PR changes should be considered as trusted. 2 rules apply here: either PR author is trusted (same as now) OR a comment /trust_pr has been added after the last commit on the PR. This can be checked by listing all commits and comments and checking their creation timestamp.
  3. if the PR is trusted, sync it. If secrets/variables/hardware have to be set, set them.
  4. if the PR is not trusted:
    1. if the ephemeral Space has something configured (variables/secrets/hardware), delete it + recreate
    2. if the ephemeral Space is not configured, then sync it normally

Does that make sense to you? Do you see a corner case that would not be handled by the above logic?


What I'm afraid with unsetting configuration is that:

  • it might fail. If the delete_secret or delete_hardware HTTP fail for any reason, then there can be a security breach
  • it might leak cached files. Let's say the Space caches a private model on a persistent storage, reloading the Space -even without secrets- would make the weights accessible in the cache.
  • maybe other cases I'm not thinking about

A delete + recreate is more abrupt but at least it ensures better security. Do you see my point?

@Wauplin yessss, i'll switch to you a delete and recreate approach then🫡


Following the creation of this PR, an ephemeral Space Wauplin/gradio-space-ci-ci-pr-7 has been started. Any changes pushed to this PR will be synced with the test Space.
Since this PR has not been created by a trusted author, the ephemeral Space has not been configured with the correct hardware, storage, and secrets. An admin must configure it manually.
(This is an automated message.)


Hi @not-lain , sorry for response delay. So I reviewed your PR and the logic looks good to me. Two comments though:

  • would it be possible to factorize sync_ci_space and rebuild_space. Both are doing somehow the same thing so duplicating the logic is not needed. You could have a rebuild_space method that would be just a delete_repo + sync_ci_space call.
  • same comment for configure_ephemeral_space and set_config that should be factorized. One is checking the trusted author while the other don't. Maybe better to have a method to configure the ephemeral Space and move the "let's see if it's safe"-logic (i.e. the logic that checks the /trust command in one case or the PR author on the other case) to a upper level. Do you see what I mean?

@Wauplin on it 🫡

just wanted to highlight that we need to revise the way we are updating the repo card too, (doing some revisions on the code rn and will upload a new version soon)


Hi @not-lain , I've spent some time reviewing and trying your PR. To be honest I still think there are some major security flaws in the process. Currently:

  1. If a new commit is pushed by an untrusted author to a trusted PR, it is deployed as if it was trusted (since CI Space is not unconfigured). This is very problematic since a "/trust" command should only be valid on the latest commit before the comment is sent.
  2. Related to 1. and as mentioned in this comment, I don't think a /untrust command is necessary. I don't see a valid use case for it. Since a /trust command only applies to latest commit, I don't think someone will need to /untrust something. If a user trusted a PR by mistake and an actual security problem is found, then it's better to manually delete the CI Space as quickly as possible.
  3. as mentioned in this comment, we cannot just "unconfigure" a Space. If a PR was trusted and is not anymore, we have to delete it entirely. Only "removing the config" is not enough (what if error while doing it? what if someone written in persistent storage?)
  4. related to 1. and 3., if a new commit is pushed to a PR we have to have some logic to determine if the CI Space is synced but also to know if it's configured or not. Hard to tell how to do this is a reliable way, except by deleting+recreating it all the time.

To be honest I think the problems listed above require some deep changes in the code (both in your changes and in the original code on main). I'm picky about this, but since this feature would allow running arbitrary users's code, we have to be extra careful.


All in all, I will push back on implementing this feature. I'm sorry for the time you've invested on it and I hope you understand my concerns. What I don't want is to have a feature to maintain that might have security flaws. The current framework does work properly for most use cases since it deploys configured CI Space on trusted authors and unconfigured CI Space on untrusted author. The logic stays simple which reduces the scope of possible attacks. Also, I don't think that being able to trust PRs is a feature that would make the Gradio Space CI more used. What we miss more is visibility and stability IMO.

If we ever build built-in integration for a proper CI on the Hub, we will for sure think about trusting individual commits. Until then, I don't think we should not add it to the POC. Hope you understand my decision and happy to see you around on other issues/repos 🤗


it's ok here's some extra follow backs :

  • there's a bit of a problem with readme title which can be fixes by using force_download=True when working with snapshot_download
  • In regards to /untrust_pr i added that one so even the space author could reset their ephemeral space hardware instead of keeping it on, it's mostly to avoid people coming back to the ephemeral space and waking it up, probably costing the user more resources.
  • pt 3 : I already implemented the logic we are rebuilding the space from scratch.
  • pt 4 and 1 : thanks for raising this, yes there was indeed something wrong with the logic (if we grant temporarly trust status to untrusted author it indeed stays there after they make a new commit) I didn't notice this because the command required trust status and the pr needed an untrusted author and restarting will trigger another logic for me. but yes this indeed is a security vulnerability (maybe adding it to the readme metadata might solve it, just voicing my ideas).

I also agree with you we need to push this one back, thanks for the feedback @Wauplin , hope this will one day be considered as part of a builtin features, until then, take care ✨

not-lain changed pull request status to closed

