mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-18 02:53:16 +00:00
bb8b057ac3
## Summary - Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package` - SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking ## Why **Missing top-level permissions:** Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised. **SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability. ### Actions pinned | Action | File(s) | |--------|---------| | `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) | | `ncipollo/release-action` | `_release.yml` | | `Ana06/get-changed-files` | `check_diffs.yml` | | `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` | | `CodSpeedHQ/action` | `check_diffs.yml` | | `google-github-actions/auth` | `integration_tests.yml` | | `aws-actions/configure-aws-credentials` | `integration_tests.yml` | | `amannn/action-semantic-pull-request` | `pr_lint.yml` | | `bcoe/conventional-release-labels` | `pr_labeler_title.yml` | | `mikefarah/yq` | `v03_api_doc_build.yml` | | `EndBug/add-and-commit` | `v03_api_doc_build.yml` | | `peter-evans/create-pull-request` | `refresh_model_profiles.yml` | ## Test plan - [x] CI passes — all workflows still resolve their actions correctly - [x] Verify no functional change: SHA refs point to the same code as the previous tags --- > This PR was generated with assistance from an AI coding agent as part of a repository posture check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
110 lines
3.9 KiB
YAML
110 lines
3.9 KiB
YAML
name: Auto Label Issues by Package
|
|
|
|
on:
|
|
issues:
|
|
types: [opened, edited]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
label-by-package:
|
|
permissions:
|
|
issues: write
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Sync package labels
|
|
uses: actions/github-script@v8
|
|
with:
|
|
script: |
|
|
const body = context.payload.issue.body || "";
|
|
|
|
// Extract text under "### Package" (handles " (Required)" suffix and being last section)
|
|
const match = body.match(/### Package[^\n]*\n([\s\S]*?)(?:\n###|$)/i);
|
|
if (!match) return;
|
|
|
|
const packageSection = match[1].trim();
|
|
|
|
// Mapping table for package names to labels
|
|
const mapping = {
|
|
"langchain": "langchain",
|
|
"langchain-openai": "openai",
|
|
"langchain-anthropic": "anthropic",
|
|
"langchain-classic": "langchain-classic",
|
|
"langchain-core": "core",
|
|
"langchain-model-profiles": "model-profiles",
|
|
"langchain-tests": "standard-tests",
|
|
"langchain-text-splitters": "text-splitters",
|
|
"langchain-chroma": "chroma",
|
|
"langchain-deepseek": "deepseek",
|
|
"langchain-exa": "exa",
|
|
"langchain-fireworks": "fireworks",
|
|
"langchain-groq": "groq",
|
|
"langchain-huggingface": "huggingface",
|
|
"langchain-mistralai": "mistralai",
|
|
"langchain-nomic": "nomic",
|
|
"langchain-ollama": "ollama",
|
|
"langchain-openrouter": "openrouter",
|
|
"langchain-perplexity": "perplexity",
|
|
"langchain-qdrant": "qdrant",
|
|
"langchain-xai": "xai",
|
|
};
|
|
|
|
// All possible package labels we manage
|
|
const allPackageLabels = Object.values(mapping);
|
|
const selectedLabels = [];
|
|
|
|
// Check if this is checkbox format (multiple selection)
|
|
const checkboxMatches = packageSection.match(/- \[x\]\s+([^\n\r]+)/gi);
|
|
if (checkboxMatches) {
|
|
// Handle checkbox format
|
|
for (const match of checkboxMatches) {
|
|
const packageName = match.replace(/- \[x\]\s+/i, '').trim();
|
|
const label = mapping[packageName];
|
|
if (label && !selectedLabels.includes(label)) {
|
|
selectedLabels.push(label);
|
|
}
|
|
}
|
|
} else {
|
|
// Handle dropdown format (single selection)
|
|
const label = mapping[packageSection];
|
|
if (label) {
|
|
selectedLabels.push(label);
|
|
}
|
|
}
|
|
|
|
// Get current issue labels
|
|
const issue = await github.rest.issues.get({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.issue.number
|
|
});
|
|
|
|
const currentLabels = issue.data.labels.map(label => label.name);
|
|
const currentPackageLabels = currentLabels.filter(label => allPackageLabels.includes(label));
|
|
|
|
// Determine labels to add and remove
|
|
const labelsToAdd = selectedLabels.filter(label => !currentPackageLabels.includes(label));
|
|
const labelsToRemove = currentPackageLabels.filter(label => !selectedLabels.includes(label));
|
|
|
|
// Add new labels
|
|
if (labelsToAdd.length > 0) {
|
|
await github.rest.issues.addLabels({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.issue.number,
|
|
labels: labelsToAdd
|
|
});
|
|
}
|
|
|
|
// Remove old labels
|
|
for (const label of labelsToRemove) {
|
|
await github.rest.issues.removeLabel({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.issue.number,
|
|
name: label
|
|
});
|
|
}
|