diff --git a/.github/workflows/_compile_integration_test.yml b/.github/workflows/_compile_integration_test.yml
index 2b40762ad2d..d3267d2b138 100644
--- a/.github/workflows/_compile_integration_test.yml
+++ b/.github/workflows/_compile_integration_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
diff --git a/.github/workflows/_integration_test.yml b/.github/workflows/_integration_test.yml
index e64a4a62dff..39a29e6e09b 100644
--- a/.github/workflows/_integration_test.yml
+++ b/.github/workflows/_integration_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
diff --git a/.github/workflows/_lint.yml b/.github/workflows/_lint.yml
index 3f191af6bab..22145ad04c6 100644
--- a/.github/workflows/_lint.yml
+++ b/.github/workflows/_lint.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
+permissions:
+ contents: read
+
 env:
 WORKDIR: ${{ inputs.working-directory == '' && '.' || inputs.working-directory }}
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
index 352d0bcb542..4bc564e4884 100644
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"
diff --git a/.github/workflows/_test_doc_imports.yml b/.github/workflows/_test_doc_imports.yml
index b745ab0232a..b2ce8f445b5 100644
--- a/.github/workflows/_test_doc_imports.yml
+++ b/.github/workflows/_test_doc_imports.yml
@@ -8,6 +8,9 @@ on:
 type: string
 description: "Python version to use"
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
diff --git a/.github/workflows/_test_pydantic.yml b/.github/workflows/_test_pydantic.yml
index 1ee049726ca..b290690dad1 100644
--- a/.github/workflows/_test_pydantic.yml
+++ b/.github/workflows/_test_pydantic.yml
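Review bot: The top-level `permissions:` block added in `_compile_integration_test.yml` has no comment, and because naming one scope sets every unlisted scope to `none`, a reader cannot tell that the narrowing is deliberate; I would put `# Least privilege: GITHUB_TOKEN may only read repository contents; every unlisted scope is none.` above it. The same applies to the other hunks on this page that add the identical block (`_integration_test.yml` through `scheduled_test.yml`). The job definitions sit outside these hunks, so it is worth confirming that no step relies on the default token for anything beyond checkout, such as posting PR comments or requesting an OIDC token. The `_`-prefixed files look like reusable workflows (they declare typed inputs); for those the caller's grant remains the ceiling, so this block can only narrow it.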
@@ -17,6 +17,9 @@ on:
 type: string
 description: "Pydantic version to test."
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"
diff --git a/.github/workflows/check-broken-links.yml b/.github/workflows/check-broken-links.yml
index 4b25ac14e61..52bfb6f21a4 100644
--- a/.github/workflows/check-broken-links.yml
+++ b/.github/workflows/check-broken-links.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 13 * * *'
+permissions:
+ contents: read
+
 jobs:
 check-links:
 if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'
diff --git a/.github/workflows/check_core_versions.yml b/.github/workflows/check_core_versions.yml
index e46abba04e4..5ee0f935828 100644
--- a/.github/workflows/check_core_versions.yml
+++ b/.github/workflows/check_core_versions.yml
@@ -6,6 +6,9 @@ on:
 - 'libs/core/pyproject.toml'
 - 'libs/core/langchain_core/version.py'
+permissions:
+ contents: read
+
 jobs:
 check_version_equality:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check_diffs.yml b/.github/workflows/check_diffs.yml
index 0cb3b9be883..2b726e1b9cd 100644
--- a/.github/workflows/check_diffs.yml
+++ b/.github/workflows/check_diffs.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"
diff --git a/.github/workflows/check_new_docs.yml b/.github/workflows/check_new_docs.yml
index 716013b0877..16ccb42c6bc 100644
--- a/.github/workflows/check_new_docs.yml
+++ b/.github/workflows/check_new_docs.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml
index 2e2ba6bc1e3..c738ae286dc 100644
--- a/.github/workflows/codspeed.yml
+++ b/.github/workflows/codspeed.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 AZURE_OPENAI_CHAT_DEPLOYMENT_NAME: foo
 AZURE_OPENAI_LEGACY_CHAT_DEPLOYMENT_NAME: foo
diff --git a/.github/workflows/people.yml b/.github/workflows/people.yml
index 354edcf1e5a..dd87437ea0b 100644
--- a/.github/workflows/people.yml
+++ b/.github/workflows/people.yml
@@ -11,7 +11,8 @@ jobs:
 langchain-people:
 if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'
 runs-on: ubuntu-latest
- permissions: write-all
+ permissions:
+ contents: write
 steps:
 - name: Dump GitHub context
 env:
@@ -23,4 +24,4 @@ jobs:
 run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig
 - uses: ./.github/actions/people
 with:
- token: ${{ secrets.LANGCHAIN_PEOPLE_GITHUB_TOKEN }}
\ No newline at end of file
+ token: ${{ secrets.LANGCHAIN_PEOPLE_GITHUB_TOKEN }}
diff --git a/.github/workflows/run_notebooks.yml b/.github/workflows/run_notebooks.yml
index 259ece11a22..22454fd58f8 100644
--- a/.github/workflows/run_notebooks.yml
+++ b/.github/workflows/run_notebooks.yml
@@ -14,6 +14,9 @@ on:
 schedule:
 - cron: '0 13 * * *'
+permissions:
+ contents: read
+
 env:
 UV_FROZEN: "true"
diff --git a/.github/workflows/scheduled_test.yml b/.github/workflows/scheduled_test.yml
index 1b5b094818b..cb8359b60f5 100644
--- a/.github/workflows/scheduled_test.yml
+++ b/.github/workflows/scheduled_test.yml
@@ -12,6 +12,9 @@ on:
 schedule:
 - cron: '0 13 * * *'
+permissions:
+ contents: read
+
 env:
 POETRY_VERSION: "1.8.4"
 UV_FROZEN: "true"
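Review bot: The `contents: write` grant on the `langchain-people` job in `people.yml` limits only the automatic `GITHUB_TOKEN`; the `./.github/actions/people` step is still handed `secrets.LANGCHAIN_PEOPLE_GITHUB_TOKEN`, whose scopes this block does not touch. If the action performs all of its writes with that secret (its code is not visible here), the job could drop to `contents: read`, and the secret is best kept as a fine-grained token restricted to this repository. A comment such as `# Applies to GITHUB_TOKEN only; the people action authenticates with LANGCHAIN_PEOPLE_GITHUB_TOKEN.` above the block would make that split explicit. The step list continues outside both hunks, including the body of the "Dump GitHub context" step.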