github/langchain
1
0
Fork 0
mirror of https://github.com/hwchase17/langchain.git synced 2026-03-18 11:07:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
15,454 Commits 1,103 Branches 1,186 Tags
de5d68c3fb09dc0d5acdb9789abfcddcb586a614
Commit Graph

4 Commits

Author SHA1 Message Date
John Kennedy
bb8b057ac3 ci(infra): add top-level permissions and SHA-pin third-party actions [INF-0000] (#35588) 
## Summary

- Adds top-level `permissions: contents: read` to 5 workflows that only
had job-level permissions: `pr_labeler_file`, `pr_labeler_title`,
`tag-external-contributions`, `v03_api_doc_build`,
`auto-label-by-package`
- SHA-pins all 14 third-party actions to full commit SHAs to prevent
supply chain attacks via tag hijacking

## Why

**Missing top-level permissions:** Without an explicit top-level
`permissions` block, workflows inherit the repository/org default token
permissions, which may be overly broad. Adding `contents: read` as the
default restricts the blast radius if a dependency or action step is
compromised.

**SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by
the action maintainer or an attacker who compromises their account.
Pinning to a full 40-character SHA ensures the exact reviewed code
always runs. Tag comments are preserved for readability.

### Actions pinned

| Action | File(s) |
|--------|---------|
| `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) |
| `ncipollo/release-action` | `_release.yml` |
| `Ana06/get-changed-files` | `check_diffs.yml` |
| `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` |
| `CodSpeedHQ/action` | `check_diffs.yml` |
| `google-github-actions/auth` | `integration_tests.yml` |
| `aws-actions/configure-aws-credentials` | `integration_tests.yml` |
| `amannn/action-semantic-pull-request` | `pr_lint.yml` |
| `bcoe/conventional-release-labels` | `pr_labeler_title.yml` |
| `mikefarah/yq` | `v03_api_doc_build.yml` |
| `EndBug/add-and-commit` | `v03_api_doc_build.yml` |
| `peter-evans/create-pull-request` | `refresh_model_profiles.yml` |

## Test plan

- [x] CI passes — all workflows still resolve their actions correctly
- [x] Verify no functional change: SHA refs point to the same code as
the previous tags

---

> This PR was generated with assistance from an AI coding agent as part
of a repository posture check.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-06 07:20:05 +00:00
Mason Daugherty
0081deae96 feat(infra): schedule daily model profile refresh with job summary (#35354) 
- Schedules the `refresh_model_profiles` workflow to run daily at 08:00
UTC (manual trigger available).
- Adds a job summary step that reports whether a PR was created/updated
or skipped because profiles were already up to date.
- Each run supersedes any stale PR from a previous run since the action
force-pushes to a fixed branch (`bot/refresh-model-profiles`).
 2026-02-20 00:43:09 -05:00
Mason Daugherty
e95e869d9e chore(infra): add GitHub App token generation step (#35334) 2026-02-19 22:48:51 -05:00
Mason Daugherty
59be7d734f feat(infra): model profile bump tool (#35331) 2026-02-19 13:03:10 -05:00