mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-18 11:07:36 +00:00
bb8b057ac3
## Summary - Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package` - SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking ## Why **Missing top-level permissions:** Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised. **SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability. ### Actions pinned | Action | File(s) | |--------|---------| | `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) | | `ncipollo/release-action` | `_release.yml` | | `Ana06/get-changed-files` | `check_diffs.yml` | | `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` | | `CodSpeedHQ/action` | `check_diffs.yml` | | `google-github-actions/auth` | `integration_tests.yml` | | `aws-actions/configure-aws-credentials` | `integration_tests.yml` | | `amannn/action-semantic-pull-request` | `pr_lint.yml` | | `bcoe/conventional-release-labels` | `pr_labeler_title.yml` | | `mikefarah/yq` | `v03_api_doc_build.yml` | | `EndBug/add-and-commit` | `v03_api_doc_build.yml` | | `peter-evans/create-pull-request` | `refresh_model_profiles.yml` | ## Test plan - [x] CI passes — all workflows still resolve their actions correctly - [x] Verify no functional change: SHA refs point to the same code as the previous tags --- > This PR was generated with assistance from an AI coding agent as part of a repository posture check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
272 lines
12 KiB
YAML
272 lines
12 KiB
YAML
# Routine integration tests against partner libraries with live API credentials.
|
|
#
|
|
# Uses `make integration_tests` within each library being tested.
|
|
#
|
|
# Runs daily with the option to trigger manually.
|
|
|
|
name: "⏰ Integration Tests"
|
|
run-name: "Run Integration Tests - ${{ inputs.working-directory-force || 'all libs' }} (Python ${{ inputs.python-version-force || '3.10, 3.13' }})"
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
working-directory-force:
|
|
type: string
|
|
description: "From which folder this pipeline executes - defaults to all in matrix - example value: libs/partners/anthropic"
|
|
python-version-force:
|
|
type: string
|
|
description: "Python version to use - defaults to 3.10 and 3.13 in matrix - example value: 3.11"
|
|
schedule:
|
|
- cron: "0 13 * * *" # Runs daily at 1PM UTC (9AM EDT/6AM PDT)
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
UV_FROZEN: "true"
|
|
DEFAULT_LIBS: >-
|
|
["libs/partners/openai",
|
|
"libs/partners/anthropic",
|
|
"libs/partners/fireworks",
|
|
"libs/partners/groq",
|
|
"libs/partners/mistralai",
|
|
"libs/partners/xai",
|
|
"libs/partners/google-vertexai",
|
|
"libs/partners/google-genai",
|
|
"libs/partners/aws"]
|
|
|
|
jobs:
|
|
# Generate dynamic test matrix based on input parameters or defaults
|
|
# Only runs on the main repo (for scheduled runs) or when manually triggered
|
|
compute-matrix:
|
|
# Defend against forks running scheduled jobs, but allow manual runs from forks
|
|
if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'
|
|
|
|
runs-on: ubuntu-latest
|
|
name: "📋 Compute Test Matrix"
|
|
outputs:
|
|
matrix: ${{ steps.set-matrix.outputs.matrix }}
|
|
python-version-min-3-11: ${{ steps.set-matrix.outputs.python-version-min-3-11 }}
|
|
steps:
|
|
- name: "🔢 Generate Python & Library Matrix"
|
|
id: set-matrix
|
|
env:
|
|
DEFAULT_LIBS: ${{ env.DEFAULT_LIBS }}
|
|
WORKING_DIRECTORY_FORCE: ${{ github.event.inputs.working-directory-force || '' }}
|
|
PYTHON_VERSION_FORCE: ${{ github.event.inputs.python-version-force || '' }}
|
|
run: |
|
|
# echo "matrix=..." where matrix is a json formatted str with keys python-version and working-directory
|
|
# python-version should default to 3.10 and 3.13, but is overridden to [PYTHON_VERSION_FORCE] if set
|
|
# working-directory should default to DEFAULT_LIBS, but is overridden to [WORKING_DIRECTORY_FORCE] if set
|
|
python_version='["3.10", "3.13"]'
|
|
python_version_min_3_11='["3.11", "3.13"]'
|
|
working_directory="$DEFAULT_LIBS"
|
|
if [ -n "$PYTHON_VERSION_FORCE" ]; then
|
|
python_version="[\"$PYTHON_VERSION_FORCE\"]"
|
|
# Bound forced version to >= 3.11 for packages requiring it
|
|
if [ "$(echo "$PYTHON_VERSION_FORCE >= 3.11" | bc -l)" -eq 1 ]; then
|
|
python_version_min_3_11="[\"$PYTHON_VERSION_FORCE\"]"
|
|
else
|
|
python_version_min_3_11='["3.11"]'
|
|
fi
|
|
fi
|
|
if [ -n "$WORKING_DIRECTORY_FORCE" ]; then
|
|
working_directory="[\"$WORKING_DIRECTORY_FORCE\"]"
|
|
fi
|
|
matrix="{\"python-version\": $python_version, \"working-directory\": $working_directory}"
|
|
echo $matrix
|
|
echo "matrix=$matrix" >> $GITHUB_OUTPUT
|
|
echo "python-version-min-3-11=$python_version_min_3_11" >> $GITHUB_OUTPUT
|
|
|
|
# Run integration tests against partner libraries with live API credentials
|
|
integration-tests:
|
|
if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'
|
|
name: "🐍 Python ${{ matrix.python-version }}: ${{ matrix.working-directory }}"
|
|
runs-on: ubuntu-latest
|
|
needs: [compute-matrix]
|
|
timeout-minutes: 30
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
python-version: ${{ fromJSON(needs.compute-matrix.outputs.matrix).python-version }}
|
|
working-directory: ${{ fromJSON(needs.compute-matrix.outputs.matrix).working-directory }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
path: langchain
|
|
|
|
# These libraries exist outside of the monorepo and need to be checked out separately
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
repository: langchain-ai/langchain-google
|
|
path: langchain-google
|
|
- name: "🔐 Authenticate to Google Cloud"
|
|
id: "auth"
|
|
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
|
|
with:
|
|
credentials_json: "${{ secrets.GOOGLE_CREDENTIALS }}"
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
repository: langchain-ai/langchain-aws
|
|
path: langchain-aws
|
|
- name: "🔐 Configure AWS Credentials"
|
|
uses: aws-actions/configure-aws-credentials@fb7eb401298e393da51cdcb2feb1ed0183619014 # v6
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
aws-region: ${{ secrets.AWS_REGION }}
|
|
- name: "📦 Organize External Libraries"
|
|
run: |
|
|
rm -rf \
|
|
langchain/libs/partners/google-genai \
|
|
langchain/libs/partners/google-vertexai
|
|
mv langchain-google/libs/genai langchain/libs/partners/google-genai
|
|
mv langchain-google/libs/vertexai langchain/libs/partners/google-vertexai
|
|
mv langchain-aws/libs/aws langchain/libs/partners/aws
|
|
|
|
- name: "🐍 Set up Python ${{ matrix.python-version }} + UV"
|
|
uses: "./langchain/.github/actions/uv_setup"
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
|
|
- name: "📦 Install Dependencies"
|
|
# Partner packages use [tool.uv.sources] in their pyproject.toml to resolve
|
|
# langchain-core/langchain to local editable installs, so `uv sync` automatically
|
|
# tests against the versions from the current branch (not published releases).
|
|
|
|
# TODO: external google/aws don't have local resolution since they live in
|
|
# separate repos, so they pull `core`/`langchain_v1` from PyPI. We should update
|
|
# their dev groups to use git source dependencies pointing to the current
|
|
# branch's latest commit SHA to fully test against local langchain changes.
|
|
run: |
|
|
echo "Running scheduled tests, installing dependencies with uv..."
|
|
cd langchain/${{ matrix.working-directory }}
|
|
uv sync --group test --group test_integration
|
|
|
|
- name: "🚀 Run Integration Tests"
|
|
# WARNING: All secrets below are available to every matrix job regardless of
|
|
# which package is being tested. This is intentional for simplicity, but means
|
|
# any test file could technically access any key. Only use for trusted code.
|
|
env:
|
|
LANGCHAIN_TESTS_USER_AGENT: ${{ secrets.LANGCHAIN_TESTS_USER_AGENT }}
|
|
|
|
AI21_API_KEY: ${{ secrets.AI21_API_KEY }}
|
|
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
|
ANTHROPIC_FILES_API_IMAGE_ID: ${{ secrets.ANTHROPIC_FILES_API_IMAGE_ID }}
|
|
ANTHROPIC_FILES_API_PDF_ID: ${{ secrets.ANTHROPIC_FILES_API_PDF_ID }}
|
|
ASTRA_DB_API_ENDPOINT: ${{ secrets.ASTRA_DB_API_ENDPOINT }}
|
|
ASTRA_DB_APPLICATION_TOKEN: ${{ secrets.ASTRA_DB_APPLICATION_TOKEN }}
|
|
ASTRA_DB_KEYSPACE: ${{ secrets.ASTRA_DB_KEYSPACE }}
|
|
AZURE_OPENAI_API_VERSION: ${{ secrets.AZURE_OPENAI_API_VERSION }}
|
|
AZURE_OPENAI_API_BASE: ${{ secrets.AZURE_OPENAI_API_BASE }}
|
|
AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
|
|
AZURE_OPENAI_CHAT_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_CHAT_DEPLOYMENT_NAME }}
|
|
AZURE_OPENAI_LEGACY_CHAT_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_LEGACY_CHAT_DEPLOYMENT_NAME }}
|
|
AZURE_OPENAI_LLM_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_LLM_DEPLOYMENT_NAME }}
|
|
AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT_NAME: ${{ secrets.AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT_NAME }}
|
|
COHERE_API_KEY: ${{ secrets.COHERE_API_KEY }}
|
|
DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
|
|
ES_URL: ${{ secrets.ES_URL }}
|
|
ES_CLOUD_ID: ${{ secrets.ES_CLOUD_ID }}
|
|
ES_API_KEY: ${{ secrets.ES_API_KEY }}
|
|
EXA_API_KEY: ${{ secrets.EXA_API_KEY }}
|
|
FIREWORKS_API_KEY: ${{ secrets.FIREWORKS_API_KEY }}
|
|
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
|
|
GOOGLE_SEARCH_API_KEY: ${{ secrets.GOOGLE_SEARCH_API_KEY }}
|
|
GOOGLE_CSE_ID: ${{ secrets.GOOGLE_CSE_ID }}
|
|
GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
|
|
HUGGINGFACEHUB_API_TOKEN: ${{ secrets.HUGGINGFACEHUB_API_TOKEN }}
|
|
MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
|
|
MONGODB_ATLAS_URI: ${{ secrets.MONGODB_ATLAS_URI }}
|
|
NOMIC_API_KEY: ${{ secrets.NOMIC_API_KEY }}
|
|
NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}
|
|
OLLAMA_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
|
|
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
|
|
OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
|
|
PPLX_API_KEY: ${{ secrets.PPLX_API_KEY }}
|
|
TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
|
|
UPSTAGE_API_KEY: ${{ secrets.UPSTAGE_API_KEY }}
|
|
WATSONX_APIKEY: ${{ secrets.WATSONX_APIKEY }}
|
|
WATSONX_PROJECT_ID: ${{ secrets.WATSONX_PROJECT_ID }}
|
|
XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
|
|
run: |
|
|
cd langchain/${{ matrix.working-directory }}
|
|
make integration_tests
|
|
|
|
- name: "🧹 Clean up External Libraries"
|
|
# Clean up external libraries to avoid affecting the following git status check
|
|
run: |
|
|
rm -rf \
|
|
langchain/libs/partners/google-genai \
|
|
langchain/libs/partners/google-vertexai \
|
|
langchain/libs/partners/aws
|
|
|
|
- name: "🧹 Verify Clean Working Directory"
|
|
working-directory: langchain
|
|
run: |
|
|
set -eu
|
|
|
|
STATUS="$(git status)"
|
|
echo "$STATUS"
|
|
|
|
# grep will exit non-zero if the target message isn't found,
|
|
# and `set -e` above will cause the step to fail.
|
|
echo "$STATUS" | grep 'nothing to commit, working tree clean'
|
|
|
|
# Test dependent packages against local packages to catch breaking changes
|
|
test-dependents:
|
|
# Defend against forks running scheduled jobs, but allow manual runs from forks
|
|
if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'
|
|
|
|
name: "🐍 Python ${{ matrix.python-version }}: ${{ matrix.package.path }}"
|
|
runs-on: ubuntu-latest
|
|
needs: [compute-matrix]
|
|
timeout-minutes: 30
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
# deepagents requires Python >= 3.11, use bounded version from compute-matrix
|
|
python-version: ${{ fromJSON(needs.compute-matrix.outputs.python-version-min-3-11) }}
|
|
package:
|
|
- name: deepagents
|
|
repo: langchain-ai/deepagents
|
|
path: libs/deepagents
|
|
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
path: langchain
|
|
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
repository: ${{ matrix.package.repo }}
|
|
path: ${{ matrix.package.name }}
|
|
|
|
- name: "🐍 Set up Python ${{ matrix.python-version }} + UV"
|
|
uses: "./langchain/.github/actions/uv_setup"
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
|
|
- name: "📦 Install ${{ matrix.package.name }} with Local"
|
|
# Unlike partner packages (which use [tool.uv.sources] for local resolution),
|
|
# external dependents live in separate repos and need explicit overrides to
|
|
# test against the langchain versions from the current branch, as their
|
|
# pyproject.toml files point to released versions.
|
|
run: |
|
|
cd ${{ matrix.package.name }}/${{ matrix.package.path }}
|
|
|
|
# Install the package with test dependencies
|
|
uv sync --group test
|
|
|
|
# Override langchain packages with local versions
|
|
uv pip install \
|
|
-e $GITHUB_WORKSPACE/langchain/libs/core \
|
|
-e $GITHUB_WORKSPACE/langchain/libs/langchain_v1
|
|
|
|
# No API keys needed for now - deepagents `make test` only runs unit tests
|
|
- name: "🚀 Run ${{ matrix.package.name }} Tests"
|
|
run: |
|
|
cd ${{ matrix.package.name }}/${{ matrix.package.path }}
|
|
make test
|