From 7f82977bb68cb1327fc41dc9551ed25fe0a685de Mon Sep 17 00:00:00 2001
From: "hf-secutity-analysis[bot]"
 <265538906+hf-secutity-analysis[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 12:23:12 +0000
Subject: [PATCH] fix(security): remediate workflow vulnerability in
 .github/workflows/nightly.yml

---
 .github/workflows/nightly.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 563b5957d..4d74c7fb5 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -133,7 +133,7 @@ jobs:
     steps:
       - name: Login to Hugging Face
         run: |
-          hf auth login --token "$HF_USER_TOKEN" --add-to-git-credential
+          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
           hf auth whoami
       - name: Run pytest on CPU
         run: pytest tests -vv --maxfail=10
@@ -165,7 +165,7 @@ jobs:
     steps:
       - name: Login to Hugging Face
         run: |
-          hf auth login --token "$HF_USER_TOKEN" --add-to-git-credential
+          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
           hf auth whoami
       - name: Run pytest on GPU
         run: pytest tests -vv --maxfail=10
@@ -198,7 +198,7 @@ jobs:
     steps:
       - name: Login to Hugging Face
         run: |
-          hf auth login --token "$HF_USER_TOKEN" --add-to-git-credential
+          echo "$HF_USER_TOKEN" | hf auth login --token --add-to-git-credential
           hf auth whoami
       - name: Verify GPU availability
         run: |
@@ -207,4 +207,4 @@ jobs:
 
       - name: Run multi-GPU training tests
       # TODO(Steven): Investigate why motors tests are failing in multi-GPU setup
-        run: pytest tests -vv --maxfail=10 --ignore=tests/motors/
+        run: pytest tests -vv --maxfail=10 --ignore=tests/motors/
\ No newline at end of file