ci(infra): add org guards to workflows and remove dead v0.3 docs workflow (#38665)

Adds `github.repository_owner == 'langchain-ai'` guards to 14 GitHub
Actions workflows that were missing them. Without these guards,
write-capable automation (issue/PR labeling, closing, commenting, PR
reopening, release publishing) and CI jobs fire on forks — causing
unwanted mutations, wasted runner minutes, and failed GitHub App token
generation on repos that don't have the required secrets.

Also removes `v03_api_doc_build.yml`, which pushed built docs to
`langchain-ai/langchain-api-docs-html` via `TOKEN_GITHUB_API_DOCS_HTML`
— a secret that isn't set on this repo. The workflow was dead code with
no consumers.

---

## What changed

**Write-capable workflows now guarded** (8 files):
- `auto-label-by-package` — was adding/removing issue labels on forks
- `close_unchecked_issues` — was closing issues and posting comments on
forks via GitHub App token
- `tag-external-issues` — both `tag-external` and `backfill` jobs were
generating App tokens and labeling issues on forks
- `reopen_on_assignment` — was reopening PRs and re-running workflows on
forks
- `require_issue_link` — was closing PRs, creating labels, posting
comments, and canceling workflow runs on forks
- `remove_waiting_on_author` — was removing labels on fork issues/PRs
- `pr_labeler` — was generating App tokens and adding/removing PR labels
on forks
- `pr_labeler_backfill` — same, on manual trigger from a fork

**Read-only CI workflows now guarded** (5 files):
- `check_diffs` — `build` and `check-release-options` jobs (downstream
jobs inherit the skip)
- `codspeed` — `build` job
- `check_agents_sync`, `check_versions`, `check_release_deps`

**Release workflow guarded** (1 file):
- `_release` — `build` job (all downstream jobs chain via `needs`, so
they inherit the skip). Previously relied only on `environment: Release`
approval and a `github.ref` check.

**Removed**:
- `v03_api_doc_build.yml` — dead workflow depending on unset
`TOKEN_GITHUB_API_DOCS_HTML` secret

## What was already guarded

`block_fork_main_prs`, `bump_uv_pin`, `check_extras_sync`,
`integration_tests`, `pr_lint_trailer`, `refresh_model_profiles` already
had the guard. `pr_lint` (read-only, `pull-requests: read`) and the
`_*.yml` reusable workflows (only run when called by a guarded parent)
were intentionally left unguarded.

## Release note

- GitHub Actions workflows now skip execution on forks via
`repository_owner == 'langchain-ai'` guards, preventing unwanted
issue/PR automation and CI runs outside the canonical repo.
- Removed the dead `v03_api_doc_build` workflow that depended on an
unset secret.

---

🤖 Generated with AI-agent involvement.
This commit is contained in:
Mason Daugherty
2026-07-04 21:30:23 -04:00
committed by GitHub
parent 4d4dab80bb
commit 3246caf831
15 changed files with 15 additions and 171 deletions

View File

@@ -141,7 +141,7 @@ jobs:
# Runs in isolated environment with minimal permissions for security
build:
name: 📦 Build distribution
if: github.ref == 'refs/heads/master' || inputs.dangerous-nonmaster-release
if: github.repository_owner == 'langchain-ai' && (github.ref == 'refs/heads/master' || inputs.dangerous-nonmaster-release)
environment: Release
runs-on: ubuntu-latest
permissions:

View File

@@ -9,6 +9,7 @@ permissions:
jobs:
label-by-package:
if: github.repository_owner == 'langchain-ai'
permissions:
issues: write
runs-on: ubuntu-latest

View File

@@ -23,6 +23,7 @@ permissions:
jobs:
check-sync:
name: "verify files are identical"
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
steps:
- name: "📋 Checkout Code"

View File

@@ -192,6 +192,7 @@ jobs:
# Verify _release.yml dropdown options stay in sync with package directories
check-release-options:
name: "Validate Release Options"
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6

View File

@@ -44,6 +44,7 @@ jobs:
# intra-monorepo pins ahead of a sibling release on purpose. Maintainers can
# acknowledge an unusual coordinated release with the bypass label.
if: >-
github.repository_owner == 'langchain-ai' &&
startsWith(github.event.pull_request.title, 'release') &&
!contains(github.event.pull_request.labels.*.name, 'release-deps: acknowledged')
runs-on: ubuntu-latest

View File

@@ -19,6 +19,7 @@ permissions:
jobs:
check_version_equality:
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
steps:

View File

@@ -29,6 +29,7 @@ concurrency:
jobs:
check-boxes:
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
permissions:
contents: read

View File

@@ -29,7 +29,7 @@ jobs:
build:
name: "Detect Changes"
runs-on: ubuntu-latest
if: ${{ !contains(github.event.pull_request.labels.*.name, 'codspeed-ignore') }}
if: ${{ github.repository_owner == 'langchain-ai' && !contains(github.event.pull_request.labels.*.name, 'codspeed-ignore') }}
steps:
- name: "📋 Checkout Code"
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6

View File

@@ -42,6 +42,7 @@ concurrency:
jobs:
label:
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
permissions:
contents: read

View File

@@ -19,6 +19,7 @@ permissions:
jobs:
backfill:
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
permissions:
contents: read

View File

@@ -20,6 +20,7 @@ permissions:
jobs:
remove-label:
if: >-
github.repository_owner == 'langchain-ai' &&
github.event.issue.state == 'open' &&
contains(github.event.issue.labels.*.name, 'waiting-on-author') &&
github.event.comment.user.type != 'Bot' &&

View File

@@ -19,6 +19,7 @@ permissions:
jobs:
reopen-linked-prs:
if: github.repository_owner == 'langchain-ai'
runs-on: ubuntu-latest
permissions:
actions: write

View File

@@ -35,6 +35,7 @@ jobs:
# Skip entirely when the PR already carries "trusted-contributor" or
# "bypass-issue-check".
if: >-
github.repository_owner == 'langchain-ai' &&
!contains(github.event.pull_request.labels.*.name, 'trusted-contributor') &&
!contains(github.event.pull_request.labels.*.name, 'bypass-issue-check') &&
(

View File

@@ -44,7 +44,7 @@ concurrency:
jobs:
tag-external:
if: github.event_name != 'workflow_dispatch'
if: github.repository_owner == 'langchain-ai' && github.event_name != 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: read
@@ -112,7 +112,7 @@ jobs:
console.log(`Added '${label}' label to issue #${issue_number}`);
backfill:
if: github.event_name == 'workflow_dispatch'
if: github.repository_owner == 'langchain-ai' && github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: read

View File

@@ -1,167 +0,0 @@
# Build the API reference documentation for v0.3 branch.
#
# Manual trigger only.
#
# Built HTML pushed to langchain-ai/langchain-api-docs-html.
#
# Looks for langchain-ai org repos in packages.yml and checks them out.
# Calls prep_api_docs_build.py.
name: "📚 API Docs (v0.3)"
run-name: "Build & Deploy API Reference (v0.3)"
on:
workflow_dispatch:
permissions:
contents: read
env:
PYTHON_VERSION: "3.11"
jobs:
build:
if: github.repository == 'langchain-ai/langchain' || github.event_name != 'schedule'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
ref: v0.3
path: langchain
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
with:
repository: langchain-ai/langchain-api-docs-html
path: langchain-api-docs-html
token: ${{ secrets.TOKEN_GITHUB_API_DOCS_HTML }}
- name: "📋 Extract Repository List with yq"
id: get-unsorted-repos
uses: mikefarah/yq@e2f1d5ccf73239195bf92280cd47596751492449 # master
with:
cmd: |
# Extract repos from packages.yml that are in the langchain-ai org
# (excluding 'langchain' itself)
yq '
.packages[]
| select(
(
(.repo | test("^langchain-ai/"))
and
(.repo != "langchain-ai/langchain")
)
or
(.include_in_api_ref // false)
)
| .repo
' langchain/libs/packages.yml
- name: "📋 Parse YAML & Checkout Repositories"
env:
REPOS_UNSORTED: ${{ steps.get-unsorted-repos.outputs.result }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Get unique repositories
REPOS=$(echo "$REPOS_UNSORTED" | sort -u)
# Checkout each unique repository
for repo in $REPOS; do
# Validate repository format (allow any org with proper format)
if [[ ! "$repo" =~ ^[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+$ ]]; then
echo "Error: Invalid repository format: $repo"
exit 1
fi
REPO_NAME=$(echo $repo | cut -d'/' -f2)
# Additional validation for repo name
if [[ ! "$REPO_NAME" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
echo "Error: Invalid repository name: $REPO_NAME"
exit 1
fi
echo "Checking out $repo to $REPO_NAME"
# Special handling for langchain-tavily: checkout by commit hash
if [[ "$REPO_NAME" == "langchain-tavily" ]]; then
git clone https://github.com/$repo.git $REPO_NAME
cd $REPO_NAME
git checkout f3515654724a9e87bdfe2c2f509d6cdde646e563
cd ..
else
git clone --depth 1 --branch v0.3 https://github.com/$repo.git $REPO_NAME
fi
done
- name: "🐍 Setup Python ${{ env.PYTHON_VERSION }}"
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
id: setup-python
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: "📦 Install Initial Python Dependencies using uv"
working-directory: langchain
run: |
python -m pip install -U uv
python -m uv pip install --upgrade --no-cache-dir pip setuptools pyyaml
- name: "📦 Organize Library Directories"
# Places cloned partner packages into libs/partners structure
run: python langchain/.github/scripts/prep_api_docs_build.py
- name: "🧹 Clear Prior Build"
run:
# Remove artifacts from prior docs build
rm -rf langchain-api-docs-html/api_reference_build/html
- name: "📦 Install Documentation Dependencies using uv"
working-directory: langchain
run: |
# Install all partner packages in editable mode with overrides
python -m uv pip install $(ls ./libs/partners | grep -v azure-ai | xargs -I {} echo "./libs/partners/{}") --overrides ./docs/vercel_overrides.txt --prerelease=allow
# Install langchain-azure-ai with tools extra
python -m uv pip install "./libs/partners/azure-ai[tools]" --overrides ./docs/vercel_overrides.txt --prerelease=allow
# Install core langchain and other main packages
python -m uv pip install libs/core libs/langchain libs/text-splitters libs/community libs/experimental libs/standard-tests
# Install Sphinx and related packages for building docs
python -m uv pip install -r docs/api_reference/requirements.txt
- name: "🔧 Configure Git Settings"
working-directory: langchain
run: |
git config --local user.email "actions@github.com"
git config --local user.name "Github Actions"
- name: "📚 Build API Documentation"
working-directory: langchain
run: |
# Generate the API reference RST files
python docs/api_reference/create_api_rst.py
# Build the HTML documentation using Sphinx
# -T: show full traceback on exception
# -E: don't use cached environment (force rebuild, ignore cached doctrees)
# -b html: build HTML docs (vs PDS, etc.)
# -d: path for the cached environment (parsed document trees / doctrees)
# - Separate from output dir for faster incremental builds
# -c: path to conf.py
# -j auto: parallel build using all available CPU cores
python -m sphinx -T -E -b html -d ../langchain-api-docs-html/_build/doctrees -c docs/api_reference docs/api_reference ../langchain-api-docs-html/api_reference_build/html -j auto
# Post-process the generated HTML
python docs/api_reference/scripts/custom_formatter.py ../langchain-api-docs-html/api_reference_build/html
# Default index page is blank so we copy in the actual home page.
cp ../langchain-api-docs-html/api_reference_build/html/{reference,index}.html
# Removes Sphinx's intermediate build artifacts after the build is complete.
rm -rf ../langchain-api-docs-html/_build/
# Commit and push changes to langchain-api-docs-html repo
- uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
with:
cwd: langchain-api-docs-html
message: "Update API docs build from v0.3 branch"