ci(workflows): trust paddlepaddle host to bypass TLS outage

[njzjz-bot]

Problem

• Paddle nightly wheels are fetched from https://www.paddlepaddle.org.cn/... and the site’s TLS certificate outage breaks CI installs.

Change

• Add --trusted-host www.paddlepaddle.org.cn and --trusted-host paddlepaddle.org.cn to the Paddle install commands in GitHub Actions workflows.

Notes

• This is a temporary workaround to keep CI green until Paddle fixes their cert.

Authored by OpenClaw (model: gpt-5.2)

Summary by CodeRabbit

• Chores
  • Updated build workflow configurations to include additional package host verification options during dependency installation.

[njzjz-bot]

This PR adds --trusted-host www.paddlepaddle.org.cn and --trusted-host paddlepaddle.org.cn to the Paddle install steps in CI as a temporary workaround for the current TLS certificate outage on paddlepaddle.org.cn.

— OpenClaw 2026.3.11 (model: gpt-5.2)

[coderabbitai]

📝 Walkthrough

Walkthrough

Modified PaddlePaddle pip installation commands in two GitHub Actions workflow files to include --trusted-host options pointing to paddlepaddle.org.cn domains, ensuring TLS verification of package sources during CI/CD builds.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/test_cuda.yml, .github/workflows/test_python.yml	Added --trusted-host www.paddlepaddle.org.cn --trusted-host paddlepaddle.org.cn flags to PaddlePaddle pip install commands to establish trusted hosts for package source verification.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• [pd] Use rc whl instead of dev whl for python cpu test #4656: Modifies PaddlePaddle pip install command in test_python.yml workflow.
• ci: install GPU JAX in GPU CI #4293: Modifies package installation steps in test_cuda.yml workflow.

Suggested reviewers

• njzjz
• wanghan-iapcm

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding trusted-host options to pip install commands to bypass TLS certificate issues with PaddlePaddle repositories.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/test_cuda.yml (1)

50-50: Consider adding a TODO/issue to track removal of --trusted-host workaround.

Using --trusted-host disables TLS certificate verification for these hosts, which is an acceptable temporary workaround for the certificate outage but introduces a theoretical MITM risk in CI. Consider:

1. Adding a comment with a date or issue link to track when Paddle's certificate is fixed
2. Creating a follow-up issue to remove these flags once the upstream issue is resolved

+          # TODO: Remove --trusted-host flags when paddlepaddle.org.cn TLS certificate is restored
+          # Tracking: https://github.com/deepmodeling/deepmd-kit/issues/XXXX
           pip install --find-links "https://www.paddlepaddle.org.cn/packages/nightly/cu126/paddlepaddle-gpu/" --index-url https://pypi.org/simple --trusted-host www.paddlepaddle.org.cn --trusted-host paddlepaddle.org.cn "paddlepaddle-gpu==3.3.0.dev20251204"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test_cuda.yml at line 50, Add a short TODO comment
immediately above the pip install line in .github/workflows/test_cuda.yml
referencing the temporary --trusted-host workaround used in the pip install
command ("paddlepaddle-gpu==3.3.0.dev20251204") with a date and/or link to a
follow-up issue; then create that follow-up issue in the project tracker to
remove the --trusted-host flags once Paddle's TLS certificate is fixed and
reference the workflow filename and the pip install command in the issue for
traceability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/test_cuda.yml:
- Line 50: Add a short TODO comment immediately above the pip install line in
.github/workflows/test_cuda.yml referencing the temporary --trusted-host
workaround used in the pip install command
("paddlepaddle-gpu==3.3.0.dev20251204") with a date and/or link to a follow-up
issue; then create that follow-up issue in the project tracker to remove the
--trusted-host flags once Paddle's TLS certificate is fixed and reference the
workflow filename and the pip install command in the issue for traceability.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a0a7d733-f154-4337-9451-4aa353cdfd7c

📥 Commits

Reviewing files that changed from the base of the PR and between dabb0ca and a836a25.

📒 Files selected for processing (3)

• .github/workflows/suppr.txt
• .github/workflows/test_cuda.yml
• .github/workflows/test_python.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test_cuda.yml:
- Line 50: The pip install command that includes --trusted-host
"www.paddlepaddle.org.cn" and --trusted-host "paddlepaddle.org.cn" must be
fixed: remove those --trusted-host flags and either point --find-links to a
TLS-valid mirror or pin the exact wheel using pip's --hash=sha256:... option (or
both) so the workflow does not bypass certificate verification; update the pip
invocation (the line with pip install ... "paddlepaddle-gpu==3.3.0.dev20251204")
to remove the --trusted-host entries and add a --hash for the expected wheel
filename (or replace the find-links URL with a secure, trusted mirror) before
installation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: abe0555e-8542-49af-9e4e-bb0197da0a6a

📥 Commits

Reviewing files that changed from the base of the PR and between a836a25 and c213755.

📒 Files selected for processing (2)

• .github/workflows/test_cuda.yml
• .github/workflows/test_python.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test_python.yml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.28%. Comparing base (dabb0ca) to head (c213755).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #5305   +/-   ##
=======================================
  Coverage   82.28%   82.28%           
=======================================
  Files         773      773           
  Lines       77331    77330    -1     
  Branches     3659     3659           
=======================================
  Hits        63631    63631           
+ Misses      12529    12528    -1     
  Partials     1171     1171           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.