refactor: inline env var lookups to avoid noisy tracebacks (#8045)

Signed-off-by: Dmitry Tokarev <dtokarev@nvidia.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/generate-allure-report.yml

@@ -79,6 +79,28 @@ jobs:
                   json.dump(data, fh)
           " "$WORKFLOW_LABEL" "$RUN_URL"
 
+      - name: Redact secrets from allure results
+        if: steps.check-results.outputs.has_results == 'true'
+        run: |
+          # Defense-in-depth: strip HF tokens that may leak via pytest tracebacks
+          # (--showlocals dumps local variable values into allure statusDetails.trace).
+          # The primary fix is inlining env var lookups in tests/conftest.py; this
+          # catches any tokens that slip through via other code paths or log attachments.
+          # Uses binary mode to safely handle both text and binary attachments.
+          python3 -c "
+          import re, glob
+          pattern = re.compile(rb'hf_[A-Za-z0-9]{20,}')
+          replacement = b'<HF_TOKEN_REDACTED>'
+          for f in glob.glob('allure-results/*-result.json') + glob.glob('allure-results/*-attachment.*'):
+              with open(f, 'rb') as fh:
+                  content = fh.read()
+              sanitized = pattern.sub(replacement, content)
+              if sanitized != content:
+                  with open(f, 'wb') as fh:
+                      fh.write(sanitized)
+                  print(f'Redacted token in {f}')
+          "
+
       - name: Install Allure 2 CLI
         if: steps.check-results.outputs.has_results == 'true'
         run: |

tests/conftest.py

@@ -25,6 +25,7 @@ from tests.utils.test_output import resolve_test_output_path
 
 _logger = logging.getLogger(__name__)
 
+
 # Typed stash keys for GPU-parallel config (avoids setting unknown attrs on Config)
 _gpu_parallel_gpus_key: pytest.StashKey[list[dict]] = pytest.StashKey()
 _gpu_indices_key: pytest.StashKey[list[int] | None] = pytest.StashKey()
@@ -273,9 +274,10 @@ def download_models(model_list=None, ignore_weights=False):
     if model_list is None:
         model_list = TEST_MODELS
 
-    # Check for HF_TOKEN in environment
-    hf_token = os.environ.get("HF_TOKEN", "").strip() or None
-    if hf_token:
+    # Check for HF_TOKEN in environment. snapshot_download() picks it up
+    # automatically via huggingface_hub's token resolution (HF_TOKEN env var →
+    # ~/.cache/huggingface/token), so we don't pass it explicitly.
+    if os.environ.get("HF_TOKEN", "").strip():
         logging.info("HF_TOKEN found in environment")
     else:
         logging.warning(
@@ -311,14 +313,12 @@ def download_models(model_list=None, ignore_weights=False):
                 # Download everything except weight files
                 snapshot_download(
                     repo_id=model_id,
-                    token=hf_token,
                     ignore_patterns=weight_patterns,
                 )
             else:
                 # Download the full model snapshot (includes all files)
                 snapshot_download(
                     repo_id=model_id,
-                    token=hf_token,
                 )
             logging.info(f"Successfully pre-downloaded: {model_id}")