From 6443612fa3b4ffa23b38e7b1dcc47b3d9b866e73 Mon Sep 17 00:00:00 2001 From: Mason Daugherty Date: Wed, 8 Apr 2026 19:02:58 -0400 Subject: [PATCH] ci: pin all actions to full-length commit SHAs (#36621) Pin all remaining GitHub Actions references to full-length commit SHAs, matching the convention already established by third-party actions in this repo. This is a prerequisite for enabling GitHub's "Require actions to be pinned to a full-length commit SHA" repository ruleset, which mitigates tag-hijacking supply chain attacks. --- .../workflows/_compile_integration_test.yml | 2 +- .github/workflows/_lint.yml | 2 +- .github/workflows/_refresh_model_profiles.yml | 6 ++-- .github/workflows/_release.yml | 32 +++++++++---------- .github/workflows/_test.yml | 2 +- .github/workflows/_test_pydantic.yml | 2 +- .github/workflows/_test_vcr.yml | 2 +- .github/workflows/auto-label-by-package.yml | 2 +- .github/workflows/check_agents_sync.yml | 2 +- .github/workflows/check_core_versions.yml | 2 +- .github/workflows/check_diffs.yml | 10 +++--- .github/workflows/close_unchecked_issues.yml | 6 ++-- .github/workflows/codspeed.yml | 6 ++-- .github/workflows/integration_tests.yml | 10 +++--- .github/workflows/pr_labeler.yml | 12 +++---- .github/workflows/pr_labeler_backfill.yml | 6 ++-- .github/workflows/reopen_on_assignment.yml | 2 +- .github/workflows/require_issue_link.yml | 8 ++--- .github/workflows/tag-external-issues.yml | 16 +++++----- .github/workflows/v03_api_doc_build.yml | 6 ++-- 20 files changed, 68 insertions(+), 68 deletions(-) diff --git a/.github/workflows/_compile_integration_test.yml b/.github/workflows/_compile_integration_test.yml index b725c0fb3b0..90c95be5a5a 100644 --- a/.github/workflows/_compile_integration_test.yml +++ b/.github/workflows/_compile_integration_test.yml 
@@ -35,7 +35,7 @@ jobs: timeout-minutes: 20 name: "Python ${{ inputs.python-version }}" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ inputs.python-version }} + UV" uses: "./.github/actions/uv_setup" diff --git a/.github/workflows/_lint.yml b/.github/workflows/_lint.yml index 492a2f6c01c..426c0b2794e 100644 --- a/.github/workflows/_lint.yml +++ b/.github/workflows/_lint.yml @@ -38,7 +38,7 @@ jobs: timeout-minutes: 20 steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ inputs.python-version }} + UV" uses: "./.github/actions/uv_setup" diff --git a/.github/workflows/_refresh_model_profiles.yml b/.github/workflows/_refresh_model_profiles.yml index 9976b1b73d3..947201711d6 100644 --- a/.github/workflows/_refresh_model_profiles.yml +++ b/.github/workflows/_refresh_model_profiles.yml @@ -91,11 +91,11 @@ jobs: runs-on: ubuntu-latest steps: - name: "📋 Checkout" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "📋 Checkout langchain-profiles CLI" if: inputs.cli-path == '' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: langchain-ai/langchain ref: ${{ inputs.cli-ref }} @@ -169,7 +169,7 @@ jobs: - name: "🔑 Generate GitHub App token" id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.MODEL_PROFILE_BOT_APP_ID }} private-key: ${{ secrets.MODEL_PROFILE_BOT_PRIVATE_KEY }} diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml index 547cd02057c..3ef75cf248f 100644 --- a/.github/workflows/_release.yml +++ b/.github/workflows/_release.yml 
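Review bot: The trailing comment on the pinned `actions/checkout` line in `_compile_integration_test.yml` names only the moving major tag (`# v6`), so the file does not record which release the 40-character hash corresponds to. Recording the exact release tag instead, as in `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; the release is not visible in this patch), lets a reviewer or an update bot confirm that the hash is the commit that tag points to in the action's own repository. It also makes later bumps readable in a diff. The same applies to every pinned `uses:` line in this patch (`upload-artifact`, `download-artifact`, `create-github-app-token`, `github-script`, `setup-python`). The steps list continues outside the hunk.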
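Review bot: The context line `uses: "./.github/actions/uv_setup"` after the pinned checkout in `_lint.yml` points at a local composite action, and the diffstat touches only `.github/workflows/`, so any `uses:` references inside that composite action are not covered by this patch. If it calls other actions by tag, those stay unpinned and may also be rejected once the pinning requirement is enforced. That cannot be determined from this diff, so `.github/actions/` is worth checking before the rule is enabled. The same local action appears in the `_compile_integration_test.yml`, `_release.yml`, `_test.yml`, `_test_pydantic.yml`, `_test_vcr.yml` and `check_diffs.yml` hunks.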
@@ -76,7 +76,7 @@ jobs: version: ${{ steps.check-version.outputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python + uv uses: "./.github/actions/uv_setup" @@ -100,7 +100,7 @@ jobs: working-directory: ${{ inputs.working-directory }} - name: Upload build - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: dist path: ${{ inputs.working-directory }}/dist/ @@ -130,7 +130,7 @@ jobs: outputs: release-body: ${{ steps.generate-release-body.outputs.release-body }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: langchain-ai/langchain path: langchain @@ -233,9 +233,9 @@ jobs: id-token: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: dist path: ${{ inputs.working-directory }}/dist/ @@ -264,7 +264,7 @@ jobs: contents: read timeout-minutes: 20 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # We explicitly *don't* set up caching here. This ensures our tests are # maximally sensitive to catching breakage. @@ -285,7 +285,7 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: dist path: ${{ inputs.working-directory }}/dist/ 
@@ -434,7 +434,7 @@ jobs: AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT_NAME }} LANGCHAIN_TESTS_USER_AGENT: ${{ secrets.LANGCHAIN_TESTS_USER_AGENT }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # We implement this conditional as Github Actions does not have good support # for conditionally needing steps. https://github.com/actions/runner/issues/491 @@ -452,7 +452,7 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 if: startsWith(inputs.working-directory, 'libs/core') with: name: dist @@ -517,11 +517,11 @@ jobs: # No API keys needed for now - deepagents `make test` only runs unit tests steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: path: langchain - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ matrix.package.repo }} path: ${{ matrix.package.name }} @@ -531,7 +531,7 @@ jobs: with: python-version: ${{ matrix.python-version }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: dist path: dist/ @@ -578,14 +578,14 @@ jobs: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python + uv uses: "./.github/actions/uv_setup" with: python-version: ${{ env.PYTHON_VERSION }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: dist path: ${{ inputs.working-directory }}/dist/ 
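Review bot: In the `@@ -517,11` hunk of `_release.yml`, the second checkout pins the action but not what it fetches: `repository: ${{ matrix.package.repo }}` has no `ref:` among the visible lines, so the checked-out code still follows that repository's default branch. Pinning the action fixes the code that performs the checkout, but the release job still consumes content that can change between runs. The `with:` block may continue below the hunk; if it does not, consider adding a `ref:` input that names a reviewed tag or commit. The same pattern is visible in the `integration_tests.yml` hunks (`langchain-ai/langchain-google`, `langchain-ai/langchain-aws`, `${{ matrix.package.repo }}`), where a later step in the same steps list receives `secrets.GOOGLE_CREDENTIALS`.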
@@ -620,14 +620,14 @@ jobs: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Python + uv uses: "./.github/actions/uv_setup" with: python-version: ${{ env.PYTHON_VERSION }} - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: dist path: ${{ inputs.working-directory }}/dist/ diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index bc7ad2705d9..c19878fe9ad 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml @@ -33,7 +33,7 @@ jobs: name: "Python ${{ inputs.python-version }}" steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ inputs.python-version }} + UV" uses: "./.github/actions/uv_setup" diff --git a/.github/workflows/_test_pydantic.yml b/.github/workflows/_test_pydantic.yml index e0ef92363ed..af2919490f4 100644 --- a/.github/workflows/_test_pydantic.yml +++ b/.github/workflows/_test_pydantic.yml @@ -36,7 +36,7 @@ jobs: name: "Pydantic ~=${{ inputs.pydantic-version }}" steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ inputs.python-version }} + UV" uses: "./.github/actions/uv_setup" diff --git a/.github/workflows/_test_vcr.yml b/.github/workflows/_test_vcr.yml index 45520b6b7d7..1a1e56e4663 100644 --- a/.github/workflows/_test_vcr.yml +++ b/.github/workflows/_test_vcr.yml @@ -34,7 +34,7 @@ jobs: timeout-minutes: 20 name: "Python ${{ inputs.python-version }}" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ inputs.python-version }} + UV" uses: "./.github/actions/uv_setup" 
diff --git a/.github/workflows/auto-label-by-package.yml b/.github/workflows/auto-label-by-package.yml index a9dfd651685..a1178f56e8a 100644 --- a/.github/workflows/auto-label-by-package.yml +++ b/.github/workflows/auto-label-by-package.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Sync package labels - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const body = context.payload.issue.body || ""; diff --git a/.github/workflows/check_agents_sync.yml b/.github/workflows/check_agents_sync.yml index 52403e8a471..0a41e08ad59 100644 --- a/.github/workflows/check_agents_sync.yml +++ b/.github/workflows/check_agents_sync.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🔍 Check CLAUDE.md and AGENTS.md are in sync" run: | diff --git a/.github/workflows/check_core_versions.yml b/.github/workflows/check_core_versions.yml index 6f88747d517..4cdbf2a0e1a 100644 --- a/.github/workflows/check_core_versions.yml +++ b/.github/workflows/check_core_versions.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "✅ Verify pyproject.toml & version.py Match" run: | diff --git a/.github/workflows/check_diffs.yml b/.github/workflows/check_diffs.yml index c311575ef62..72ada1acc5e 100644 --- a/.github/workflows/check_diffs.yml +++ b/.github/workflows/check_diffs.yml 
@@ -46,9 +46,9 @@ jobs: if: ${{ !contains(github.event.pull_request.labels.*.name, 'ci-ignore') }} steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Setup Python 3.11" - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" - name: "📂 Get Changed Files" @@ -155,7 +155,7 @@ jobs: run: working-directory: ${{ matrix.job-configs.working-directory }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Set up Python ${{ matrix.job-configs.python-version }} + UV" uses: "./.github/actions/uv_setup" @@ -190,9 +190,9 @@ jobs: name: "Validate Release Options" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Setup Python 3.11" - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" - name: "📦 Install Dependencies" diff --git a/.github/workflows/close_unchecked_issues.yml b/.github/workflows/close_unchecked_issues.yml index c86b00f2b22..be1dfeb8f63 100644 --- a/.github/workflows/close_unchecked_issues.yml +++ b/.github/workflows/close_unchecked_issues.yml 
@@ -32,18 +32,18 @@ jobs: issues: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.ORG_MEMBERSHIP_APP_ID }} private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }} - name: Validate issue checkboxes if: steps.app-token.outcome == 'success' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 16d3f2fb88a..8149791f339 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml @@ -32,9 +32,9 @@ jobs: if: ${{ !contains(github.event.pull_request.labels.*.name, 'codspeed-ignore') }} steps: - name: "📋 Checkout Code" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "🐍 Setup Python 3.11" - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.11" - name: "📂 Get Changed Files" @@ -58,7 +58,7 @@ jobs: job-configs: ${{ fromJson(needs.build.outputs.codspeed) }} fail-fast: false steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "📦 Install UV Package Manager" uses: astral-sh/setup-uv@0ca8f610542aa7f4acaf39e65cf4eb3c35091883 # v7 diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index 0f4277c1545..f2384a3ef80 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml 
@@ -92,12 +92,12 @@ jobs: working-directory: ${{ fromJSON(needs.compute-matrix.outputs.matrix).working-directory }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: path: langchain # These libraries exist outside of the monorepo and need to be checked out separately - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: langchain-ai/langchain-google path: langchain-google @@ -106,7 +106,7 @@ jobs: uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}" - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: langchain-ai/langchain-aws path: langchain-aws @@ -234,11 +234,11 @@ jobs: path: libs/deepagents steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: path: langchain - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: ${{ matrix.package.repo }} path: ${{ matrix.package.name }} diff --git a/.github/workflows/pr_labeler.yml b/.github/workflows/pr_labeler.yml index 0870f1673de..bcdd764ceee 100644 --- a/.github/workflows/pr_labeler.yml +++ b/.github/workflows/pr_labeler.yml @@ -51,12 +51,12 @@ jobs: steps: # Checks out the BASE branch (safe for pull_request_target — never # the PR head). Needed to load .github/scripts/pr-labeler*. - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token if: github.event.action == 'opened' id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.ORG_MEMBERSHIP_APP_ID }} private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }} 
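Review bot: The pinned checkout in the `pr_labeler.yml` hunk has no `with:` block, so it keeps the default of persisting the job token for later git operations, in a workflow its own comment describes as running on `pull_request_target`. The step only loads `.github/scripts/pr-labeler*`, so adding `with:` and `persist-credentials: false` beneath it would avoid leaving the token configured for git on the runner. That should not change behaviour, assuming no later step runs authenticated git commands; the rest of the job is outside the hunk. The checkout steps in the `close_unchecked_issues.yml`, `pr_labeler_backfill.yml` and `tag-external-issues.yml` hunks have the same shape.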
@@ -72,7 +72,7 @@ jobs: - name: Check org membership if: github.event.action == 'opened' id: check-membership - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | @@ -86,7 +86,7 @@ jobs: core.setOutput('is-external', isExternal ? 'true' : 'false'); - name: Apply PR labels - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: IS_EXTERNAL: ${{ steps.check-membership.outputs.is-external }} with: @@ -180,7 +180,7 @@ jobs: # event fires and triggers require_issue_link.yml. - name: Apply contributor tier label if: github.event.action == 'opened' && steps.check-membership.outputs.is-external == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | @@ -192,7 +192,7 @@ jobs: - name: Add external label if: github.event.action == 'opened' && steps.check-membership.outputs.is-external == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: # Use App token so the "labeled" event propagates to downstream # workflows (e.g. require_issue_link.yml). Events created by the diff --git a/.github/workflows/pr_labeler_backfill.yml b/.github/workflows/pr_labeler_backfill.yml index ba75f58257e..93eb2e53f9d 100644 --- a/.github/workflows/pr_labeler_backfill.yml +++ b/.github/workflows/pr_labeler_backfill.yml 
@@ -26,17 +26,17 @@ jobs: issues: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.ORG_MEMBERSHIP_APP_ID }} private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }} - name: Backfill labels on open PRs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | diff --git a/.github/workflows/reopen_on_assignment.yml b/.github/workflows/reopen_on_assignment.yml index 76943488ccd..615682183dd 100644 --- a/.github/workflows/reopen_on_assignment.yml +++ b/.github/workflows/reopen_on_assignment.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Find and reopen matching PRs - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; diff --git a/.github/workflows/require_issue_link.yml b/.github/workflows/require_issue_link.yml index 126fd65c54c..36e2a5bcb95 100644 --- a/.github/workflows/require_issue_link.yml +++ b/.github/workflows/require_issue_link.yml @@ -50,7 +50,7 @@ jobs: steps: - name: Check for issue link and assignee id: check-link - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; @@ -283,7 +283,7 @@ jobs: if: >- env.ENFORCE_ISSUE_LINK == 'true' && (steps.check-link.outputs.has-link != 'true' || steps.check-link.outputs.is-assigned != 'true') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; 
@@ -312,7 +312,7 @@ jobs: if: >- env.ENFORCE_ISSUE_LINK == 'true' && steps.check-link.outputs.has-link == 'true' && steps.check-link.outputs.is-assigned == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; @@ -366,7 +366,7 @@ jobs: if: >- env.ENFORCE_ISSUE_LINK == 'true' && (steps.check-link.outputs.has-link != 'true' || steps.check-link.outputs.is-assigned != 'true') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; diff --git a/.github/workflows/tag-external-issues.yml b/.github/workflows/tag-external-issues.yml index fe32849d539..0ff72a244bd 100644 --- a/.github/workflows/tag-external-issues.yml +++ b/.github/workflows/tag-external-issues.yml @@ -51,11 +51,11 @@ jobs: issues: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.ORG_MEMBERSHIP_APP_ID }} private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }} @@ -63,7 +63,7 @@ jobs: - name: Check if contributor is external if: steps.app-token.outcome == 'success' id: check-membership - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | @@ -78,7 +78,7 @@ jobs: - name: Apply contributor tier label if: steps.check-membership.outputs.is-external == 'true' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: # GITHUB_TOKEN is fine here — no downstream workflow chains # off tier labels on issues (unlike PRs where App token is 
@@ -94,7 +94,7 @@ jobs: - name: Add external/internal label if: steps.check-membership.outputs.is-external != '' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -119,17 +119,17 @@ jobs: issues: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ secrets.ORG_MEMBERSHIP_APP_ID }} private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }} - name: Backfill labels on open issues - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.app-token.outputs.token }} script: | diff --git a/.github/workflows/v03_api_doc_build.yml b/.github/workflows/v03_api_doc_build.yml index 7b3f8f2d6b4..46bd5f3d04d 100644 --- a/.github/workflows/v03_api_doc_build.yml +++ b/.github/workflows/v03_api_doc_build.yml @@ -26,12 +26,12 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: v0.3 path: langchain - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: langchain-ai/langchain-api-docs-html path: langchain-api-docs-html @@ -94,7 +94,7 @@ jobs: done - name: "🐍 Setup Python ${{ env.PYTHON_VERSION }}" - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 id: setup-python with: python-version: ${{ env.PYTHON_VERSION }}