mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-11 18:18:51 +00:00
Adds `github.repository_owner == 'langchain-ai'` guards to 14 GitHub
Actions workflows that were missing them. Without these guards,
write-capable automation (issue/PR labeling, closing, commenting, PR
reopening, release publishing) and CI jobs fire on forks — causing
unwanted mutations, wasted runner minutes, and failed GitHub App token
generation on repos that don't have the required secrets.
Also removes `v03_api_doc_build.yml`, which pushed built docs to
`langchain-ai/langchain-api-docs-html` via `TOKEN_GITHUB_API_DOCS_HTML`
— a secret that isn't set on this repo. The workflow was dead code with
no consumers.
---
## What changed
**Write-capable workflows now guarded** (8 files):
- `auto-label-by-package` — was adding/removing issue labels on forks
- `close_unchecked_issues` — was closing issues and posting comments on
forks via GitHub App token
- `tag-external-issues` — both `tag-external` and `backfill` jobs were
generating App tokens and labeling issues on forks
- `reopen_on_assignment` — was reopening PRs and re-running workflows on
forks
- `require_issue_link` — was closing PRs, creating labels, posting
comments, and canceling workflow runs on forks
- `remove_waiting_on_author` — was removing labels on fork issues/PRs
- `pr_labeler` — was generating App tokens and adding/removing PR labels
on forks
- `pr_labeler_backfill` — same, on manual trigger from a fork
**Read-only CI workflows now guarded** (5 files):
- `check_diffs` — `build` and `check-release-options` jobs (downstream
jobs inherit the skip)
- `codspeed` — `build` job
- `check_agents_sync`, `check_versions`, `check_release_deps`
**Release workflow guarded** (1 file):
- `_release` — `build` job (all downstream jobs chain via `needs`, so
they inherit the skip). Previously relied only on `environment: Release`
approval and a `github.ref` check.
**Removed**:
- `v03_api_doc_build.yml` — dead workflow depending on unset
`TOKEN_GITHUB_API_DOCS_HTML` secret
## What was already guarded
`block_fork_main_prs`, `bump_uv_pin`, `check_extras_sync`,
`integration_tests`, `pr_lint_trailer`, `refresh_model_profiles` already
had the guard. `pr_lint` (read-only, `pull-requests: read`) and the
`_*.yml` reusable workflows (only run when called by a guarded parent)
were intentionally left unguarded.
## Release note
- GitHub Actions workflows now skip execution on forks via
`repository_owner == 'langchain-ai'` guards, preventing unwanted
issue/PR automation and CI runs outside the canonical repo.
- Removed the dead `v03_api_doc_build` workflow that depended on an
unset secret.
---
🤖 Generated with AI-agent involvement.
86 lines
3.0 KiB
YAML
86 lines
3.0 KiB
YAML
# CodSpeed performance benchmarks.
|
|
#
|
|
# Runs benchmarks on changed packages and uploads results to CodSpeed.
|
|
# Separated from the main CI workflow so that push-to-master baseline runs
|
|
# are never cancelled by subsequent merges (cancel-in-progress is only
|
|
# enabled for pull_request events).
|
|
|
|
name: "⚡ CodSpeed"
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
pull_request:
|
|
|
|
# On PRs, cancel stale runs when new commits are pushed.
|
|
# On push-to-master, never cancel — these runs populate CodSpeed baselines.
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.sha || github.ref }}
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
UV_FROZEN: "true"
|
|
UV_NO_SYNC: "true"
|
|
|
|
jobs:
|
|
build:
|
|
name: "Detect Changes"
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.repository_owner == 'langchain-ai' && !contains(github.event.pull_request.labels.*.name, 'codspeed-ignore') }}
|
|
steps:
|
|
- name: "📋 Checkout Code"
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
- name: "🐍 Setup Python 3.11"
|
|
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
|
|
with:
|
|
python-version: "3.11"
|
|
- name: "📂 Get Changed Files"
|
|
id: files
|
|
uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
|
|
with:
|
|
format: json
|
|
- name: "🔍 Analyze Changed Files"
|
|
id: set-matrix
|
|
env:
|
|
ALL_CHANGED_FILES: ${{ steps.files.outputs.all }}
|
|
run: |
|
|
python -m pip install packaging requests
|
|
python .github/scripts/check_diff.py "$ALL_CHANGED_FILES" >> $GITHUB_OUTPUT
|
|
outputs:
|
|
codspeed: ${{ steps.set-matrix.outputs.codspeed }}
|
|
|
|
benchmarks:
|
|
name: "⚡ CodSpeed Benchmarks"
|
|
needs: [build]
|
|
if: ${{ needs.build.outputs.codspeed != '[]' }}
|
|
runs-on: codspeed-macro
|
|
strategy:
|
|
matrix:
|
|
job-configs: ${{ fromJson(needs.build.outputs.codspeed) }}
|
|
fail-fast: false
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
|
|
- name: "📦 Install UV Package Manager"
|
|
uses: astral-sh/setup-uv@0ca8f610542aa7f4acaf39e65cf4eb3c35091883 # v7
|
|
with:
|
|
# Pinned to 3.13.11 to work around CodSpeed walltime segfault on 3.13.12+
|
|
# See: https://github.com/CodSpeedHQ/pytest-codspeed/issues/106
|
|
python-version: "3.13.11"
|
|
|
|
- name: "📦 Install Test Dependencies"
|
|
run: uv sync --group test
|
|
working-directory: ${{ matrix.job-configs.working-directory }}
|
|
|
|
- name: "⚡ Run Benchmarks: ${{ matrix.job-configs.working-directory }}"
|
|
uses: CodSpeedHQ/action@a50965600eafa04edcd6717761f55b77e52aafbd # v4
|
|
with:
|
|
token: ${{ secrets.CODSPEED_TOKEN }}
|
|
run: |
|
|
cd ${{ matrix.job-configs.working-directory }}
|
|
uv run --no-sync pytest ./tests/benchmarks --codspeed
|
|
mode: ${{ matrix.job-configs.codspeed-mode }}
|