diff --git a/.github/actions/uv_setup/action.yml b/.github/actions/uv_setup/action.yml
index a1087ed318f..6b2d3cb7b21 100644
--- a/.github/actions/uv_setup/action.yml
+++ b/.github/actions/uv_setup/action.yml
@@ -27,7 +27,7 @@ runs:
 using: composite
 steps:
 - name: Install uv and set the python version
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@0ca8f610542aa7f4acaf39e65cf4eb3c35091883 # v7
 with:
 version: ${{ env.UV_VERSION }}
 python-version: ${{ inputs.python-version }}
diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
index f8125837861..8443cca30bf 100644
--- a/.github/workflows/_release.yml
+++ b/.github/workflows/_release.yml
@@ -218,7 +218,7 @@ jobs:
 path: ${{ inputs.working-directory }}/dist/
 - name: Publish to test PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 packages-dir: ${{ inputs.working-directory }}/dist/
 verbose: true
@@ -576,7 +576,7 @@ jobs:
 path: ${{ inputs.working-directory }}/dist/
 - name: Publish package distributions to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 packages-dir: ${{ inputs.working-directory }}/dist/
 verbose: true
@@ -618,7 +618,7 @@ jobs:
 path: ${{ inputs.working-directory }}/dist/
 - name: Create Tag
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1
 with:
 artifacts: "dist/*"
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/auto-label-by-package.yml b/.github/workflows/auto-label-by-package.yml
index 537d5105073..0a4ed67c0ca 100644
--- a/.github/workflows/auto-label-by-package.yml
+++ b/.github/workflows/auto-label-by-package.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened, edited]
+permissions:
+ contents: read
+
 jobs:
 label-by-package:
 permissions:
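Review bot: The trailing `# v7` on the new `uses:` line in action.yml names a floating major tag, so the line does not record which release the pinned commit belongs to, and a later reviewer cannot check the SHA against the upstream tag list. Put the exact release in the comment, `uses: astral-sh/setup-uv@0ca8f610542aa7f4acaf39e65cf4eb3c35091883 # vX.Y.Z` (`vX.Y.Z` is a placeholder for the tag that commit carries); tools such as Dependabot use that comment when they bump a SHA pin. The same applies to the `# v1`, `# v4`, `# v3`, `# v6`, `# v8` and `# v9` pins in the other workflow hunks of this commit, while the `Ana06/get-changed-files` pin with `# v2.3.0` already does it. The composite action's step list continues outside the hunk.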
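Review bot: `# release/v1` on the "Publish to test PyPI" step is a branch name, not a release, so the SHA was presumably the branch head on the day of the pin and cannot be matched to a tag or to release notes. This step and the "Publish package distributions to PyPI" step in the hunk at line 576 upload the built distributions, so they are the two pins in this commit where provenance matters most. Pin both to the commit of a tagged release and record the tag, `uses: pypa/gh-action-pypi-publish@<sha-of-release-tag> # vX.Y.Z` (both values are placeholders). The publish jobs start and end outside these hunks.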
diff --git a/.github/workflows/check_diffs.yml b/.github/workflows/check_diffs.yml
index d6a8d8e40b7..fafcdd78571 100644
--- a/.github/workflows/check_diffs.yml
+++ b/.github/workflows/check_diffs.yml
@@ -54,7 +54,7 @@ jobs:
 python-version: "3.11"
 - name: "📂 Get Changed Files"
 id: files
- uses: Ana06/get-changed-files@v2.3.0
+ uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
 - name: "🔍 Analyze Changed Files & Generate Build Matrix"
 id: set-matrix
 run: |
@@ -185,7 +185,7 @@ jobs:
 - uses: actions/checkout@v6
 - name: "📦 Install UV Package Manager"
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@0ca8f610542aa7f4acaf39e65cf4eb3c35091883 # v7
 with:
 # Pinned to 3.13.11 to work around CodSpeed walltime segfault on 3.13.12+
 # See: https://github.com/CodSpeedHQ/pytest-codspeed/issues/106
@@ -202,7 +202,7 @@ jobs:
 working-directory: ${{ matrix.job-configs.working-directory }}
 - name: "⚡ Run Benchmarks: ${{ matrix.job-configs.working-directory }}"
- uses: CodSpeedHQ/action@v4
+ uses: CodSpeedHQ/action@a50965600eafa04edcd6717761f55b77e52aafbd # v4
 env:
 ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
 ANTHROPIC_FILES_API_IMAGE_ID: ${{ secrets.ANTHROPIC_FILES_API_IMAGE_ID }}
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 73fdf16777b..15359521e96 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -103,7 +103,7 @@ jobs:
 path: langchain-google
 - name: "🔐 Authenticate to Google Cloud"
 id: "auth"
- uses: google-github-actions/auth@v3
+ uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
 with:
 credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"
 - uses: actions/checkout@v6
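Review bot: `actions/checkout@v6` on the context line directly above the newly pinned `setup-uv` step in check_diffs.yml is still referenced by a mutable tag, and so is the checkout step on the last context line of the integration_tests.yml hunk. Those jobs go on to expose API keys and cloud credentials to later steps, so an unpinned step in the same job weakens the guarantee the other pins give. Either pin it the same way, `- uses: actions/checkout@<full-commit-sha> # vX.Y.Z` (placeholders), or state in a comment or the contributing docs that first-party `actions/*` are deliberately exempt, so the exception is a recorded decision. Both jobs start and end outside the hunks shown.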
@@ -111,7 +111,7 @@ jobs:
 repository: langchain-ai/langchain-aws
 path: langchain-aws
 - name: "🔐 Configure AWS Credentials"
- uses: aws-actions/configure-aws-credentials@v6
+ uses: aws-actions/configure-aws-credentials@fb7eb401298e393da51cdcb2feb1ed0183619014 # v6
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/pr_labeler_file.yml b/.github/workflows/pr_labeler_file.yml
index c7e1f70494a..a23350cb5ca 100644
--- a/.github/workflows/pr_labeler_file.yml
+++ b/.github/workflows/pr_labeler_file.yml
@@ -10,6 +10,9 @@ on:
 pull_request_target:
 types: [opened, synchronize, reopened]
+permissions:
+ contents: read
+
 jobs:
 labeler:
 name: "label"
diff --git a/.github/workflows/pr_labeler_title.yml b/.github/workflows/pr_labeler_title.yml
index a713369e85a..e2448b0663e 100644
--- a/.github/workflows/pr_labeler_title.yml
+++ b/.github/workflows/pr_labeler_title.yml
@@ -11,6 +11,9 @@ on:
 pull_request_target:
 types: [opened, edited]
+permissions:
+ contents: read
+
 jobs:
 pr-title-labeler:
 name: "label"
@@ -22,7 +25,7 @@ jobs:
 steps:
 - name: Label PR based on title
- uses: bcoe/conventional-release-labels@v1
+ uses: bcoe/conventional-release-labels@b503ca473654e07521c051628c5f1f969e7436da # v1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 type_labels: >-
diff --git a/.github/workflows/pr_lint.yml b/.github/workflows/pr_lint.yml
index 7d766caff78..1cd47cbd59c 100644
--- a/.github/workflows/pr_lint.yml
+++ b/.github/workflows/pr_lint.yml
@@ -66,7 +66,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "✅ Validate Conventional Commits Format"
- uses: amannn/action-semantic-pull-request@v6
+ uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/refresh_model_profiles.yml b/.github/workflows/refresh_model_profiles.yml
index 5969da9d271..5c71d5ed60b 100644
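Review bot: The new top-level `permissions:` block in pr_labeler_file.yml sets every scope it does not list to `none` for any job without its own `permissions:` key, and the `labeler` job's body is outside this hunk. A labelling job needs write access to pull requests, so confirm the job declares `pull-requests: write` next to `contents: read`; if it relied on the repository default, it will start failing with permission errors after this change. The same check applies to `tag-external` in tag-external-contributions.yml and to the jobs in v03_api_doc_build.yml, while the auto-label-by-package.yml hunk shows a job-level `permissions:` key in its context. Since three of these workflows run on `pull_request_target`, a comment above the block would help, for example `# Default for all jobs; each job grants only the extra scopes it needs.`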
--- a/.github/workflows/refresh_model_profiles.yml
+++ b/.github/workflows/refresh_model_profiles.yml
@@ -68,7 +68,7 @@ jobs:
 - name: "🔀 Create pull request"
 id: create-pr
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
 with:
 token: ${{ steps.app-token.outputs.token }}
 branch: bot/refresh-model-profiles
diff --git a/.github/workflows/tag-external-contributions.yml b/.github/workflows/tag-external-contributions.yml
index 37b917055d8..59f227bbf1a 100644
--- a/.github/workflows/tag-external-contributions.yml
+++ b/.github/workflows/tag-external-contributions.yml
@@ -22,6 +22,9 @@ on:
 pull_request_target:
 types: [opened]
+permissions:
+ contents: read
+
 jobs:
 tag-external:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/v03_api_doc_build.yml b/.github/workflows/v03_api_doc_build.yml
index 9ccc5e75d73..db682f5fa4e 100644
--- a/.github/workflows/v03_api_doc_build.yml
+++ b/.github/workflows/v03_api_doc_build.yml
@@ -13,6 +13,9 @@ run-name: "Build & Deploy API Reference (v0.3)"
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 PYTHON_VERSION: "3.11"
@@ -36,7 +39,7 @@ jobs:
 - name: "📋 Extract Repository List with yq"
 id: get-unsorted-repos
- uses: mikefarah/yq@master
+ uses: mikefarah/yq@88a31ae8c6b34aad77d2efdecc146113cb3315d0 # master
 with:
 cmd: |
 # Extract repos from packages.yml that are in the langchain-ai org
@@ -158,7 +161,7 @@ jobs:
 rm -rf ../langchain-api-docs-html/_build/
 # Commit and push changes to langchain-api-docs-html repo
- - uses: EndBug/add-and-commit@v9
+ - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
 with:
 cwd: langchain-api-docs-html
 message: "Update API docs build from v0.3 branch"
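Review bot: The `mikefarah/yq` pin in the "Extract Repository List with yq" step freezes a commit taken from the `master` development branch, so the step runs an unreleased snapshot that tag-based update tooling has no version to bump from. Prefer the commit of a tagged release with the tag in the comment, `uses: mikefarah/yq@<sha-of-release-tag> # vX.Y.Z` (both values are placeholders). Also check whether this action's `action.yml` runs a container image referenced by tag. If it does, the commit pin fixes the action metadata but not the image contents, and the image would need its own digest pin. The `cmd:` script continues outside the hunk.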