mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-18 11:07:36 +00:00
bb8b057ac3
## Summary - Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package` - SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking ## Why **Missing top-level permissions:** Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised. **SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability. ### Actions pinned | Action | File(s) | |--------|---------| | `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) | | `ncipollo/release-action` | `_release.yml` | | `Ana06/get-changed-files` | `check_diffs.yml` | | `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` | | `CodSpeedHQ/action` | `check_diffs.yml` | | `google-github-actions/auth` | `integration_tests.yml` | | `aws-actions/configure-aws-credentials` | `integration_tests.yml` | | `amannn/action-semantic-pull-request` | `pr_lint.yml` | | `bcoe/conventional-release-labels` | `pr_labeler_title.yml` | | `mikefarah/yq` | `v03_api_doc_build.yml` | | `EndBug/add-and-commit` | `v03_api_doc_build.yml` | | `peter-evans/create-pull-request` | `refresh_model_profiles.yml` | ## Test plan - [x] CI passes — all workflows still resolve their actions correctly - [x] Verify no functional change: SHA refs point to the same code as the previous tags --- > This PR was generated with assistance from an AI coding agent as part of a repository posture check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
32 lines
758 B
YAML
32 lines
758 B
YAML
# Label PRs based on changed files.
|
|
#
|
|
# See `.github/pr-file-labeler.yml` to see rules for each label/directory.
|
|
|
|
name: "🏷️ Pull Request Labeler"
|
|
|
|
on:
|
|
# Safe since we're not checking out or running the PR's code
|
|
# Never check out the PR's head in a pull_request_target job
|
|
pull_request_target:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
labeler:
|
|
name: "label"
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
issues: write
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Label Pull Request
|
|
uses: actions/labeler@v6
|
|
with:
|
|
repo-token: "${{ secrets.GITHUB_TOKEN }}"
|
|
configuration-path: .github/pr-file-labeler.yml
|
|
sync-labels: false
|