github/langchain
1
0
Fork 0
mirror of https://github.com/hwchase17/langchain.git synced 2026-06-09 10:17:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci(infra): port four CI governance workflows (#37511)

Browse Source 
Four GitHub Actions workflows ported from the Deep Agents monorepo to
enforce repository hygiene rules that were not previously applied here.

## Changes

- **Fork-main PR guard**: closes PRs from forks whose head is `main` or
`master`, with a sticky comment explaining how to reopen from a feature
branch. Prevents the "Update branch" → admin-override path that lets a
`Merge branch 'master' into master` commit land on the default branch
and bypass squash-only policy. Maintainers can override with a
`bypass-fork-main-check` label.
- **Monthly uv pin bump**: opens a PR on the first of each month to
advance `UV_VERSION` in the composite setup action. Probes
`releases.astral.sh` across four architectures before committing so CI
doesn't race a lagging mirror on fresh-release days — the gap
Dependabot's `github-actions` ecosystem can't cover because it tracks
`uses:` SHA pins, not the inline `UV_VERSION` value.
- **Extras-sync validation**: a Python script (`check_extras_sync.py`)
and companion workflow that detect version-constraint drift between
`[project.dependencies]` and `[project.optional-dependencies]` across
every `libs/**/pyproject.toml`. Runs on PRs touching any
`pyproject.toml` and on pushes to `master`; is a no-op on packages that
declare no extras.
- **Banned-trailer pre-merge lint**: rejects PR descriptions containing
a `Co-authored-by: ... <noreply@anthropic.com>` trailer before the PR
reaches merge, where the org ruleset would reject the squash-push
anyway. Posts a sticky comment with remediation steps; updates it to a
"resolved" state when the trailer is removed, rather than deleting
(which requires elevated token scope on fork PRs).
This commit is contained in:
Mason Daugherty
2026-05-18 15:12:21 -07:00
committed by GitHub
parent 12d5e78c3b
commit 2458a7912e
5 changed files with 717 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
.github/workflows/check_extras_sync.yml vendored Normal file
View File

@@ -0,0 +1,73 @@
# See `.github/scripts/check_extras_sync.py` for the rationale.
name: "🔍 Check Extras Sync"
on:
pull_request:
paths:
- "libs/**/pyproject.toml"
- ".github/scripts/check_extras_sync.py"
- ".github/workflows/check_extras_sync.yml"
push:
branches: [master]
paths:
- "libs/**/pyproject.toml"
- ".github/scripts/check_extras_sync.py"
- ".github/workflows/check_extras_sync.yml"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
check-extras-sync:
if: github.repository_owner == 'langchain-ai'
name: "Verify extras match required deps"
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: "📋 Checkout Code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: "🐍 Set up Python and uv"
uses: "./.github/actions/uv_setup"
with:
python-version: "3.13"
enable-cache: "false"
- name: "🔍 Check extras sync"
# Iterate every package pyproject.toml under libs/. The script
# no-ops on packages without [project.optional-dependencies], so
# this is harmless on packages without extras and automatically
# picks up new partners as they're added. No `-maxdepth` cap so
# deeper future restructures (e.g. `libs/partners/<group>/<pkg>/`)
# are picked up automatically.
run: |
set -euo pipefail
mapfile -t files < <(
find libs -name pyproject.toml \
-not -path "*/.venv/*" \
-not -path "*/node_modules/*" \
-not -path "*/build/*" \
-not -path "*/dist/*" \
-not -path "*/.tox/*" \
| sort
)
if [ ${#files[@]} -eq 0 ]; then
echo "::error::No pyproject.toml files found under libs/"
exit 1
fi
failed=()
for f in "${files[@]}"; do
if ! python .github/scripts/check_extras_sync.py "$f"; then
failed+=("$f")
fi
done
if [ ${#failed[@]} -gt 0 ]; then
echo "::error::Extras-sync check failed for ${#failed[@]} package(s):"
printf '::error:: %s\n' "${failed[@]}"
exit 1
fi