mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-15 17:42:54 +00:00
bb8b057ac3
## Summary - Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package` - SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking ## Why **Missing top-level permissions:** Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised. **SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability. ### Actions pinned | Action | File(s) | |--------|---------| | `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) | | `ncipollo/release-action` | `_release.yml` | | `Ana06/get-changed-files` | `check_diffs.yml` | | `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` | | `CodSpeedHQ/action` | `check_diffs.yml` | | `google-github-actions/auth` | `integration_tests.yml` | | `aws-actions/configure-aws-credentials` | `integration_tests.yml` | | `amannn/action-semantic-pull-request` | `pr_lint.yml` | | `bcoe/conventional-release-labels` | `pr_labeler_title.yml` | | `mikefarah/yq` | `v03_api_doc_build.yml` | | `EndBug/add-and-commit` | `v03_api_doc_build.yml` | | `peter-evans/create-pull-request` | `refresh_model_profiles.yml` | ## Test plan - [x] CI passes — all workflows still resolve their actions correctly - [x] Verify no functional change: SHA refs point to the same code as the previous tags --- > This PR was generated with assistance from an AI coding agent as part of a repository posture check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>