mirror of
https://github.com/hwchase17/langchain.git
synced 2026-03-18 02:53:16 +00:00
## Summary

- Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package`
- SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking

## Why

**Missing top-level permissions:** Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised.

**SHA pinning:** Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability.

### Actions pinned

| Action | File(s) |
|--------|---------|
| `pypa/gh-action-pypi-publish` | `_release.yml` (2 uses) |
| `ncipollo/release-action` | `_release.yml` |
| `Ana06/get-changed-files` | `check_diffs.yml` |
| `astral-sh/setup-uv` | `check_diffs.yml`, `uv_setup/action.yml` |
| `CodSpeedHQ/action` | `check_diffs.yml` |
| `google-github-actions/auth` | `integration_tests.yml` |
| `aws-actions/configure-aws-credentials` | `integration_tests.yml` |
| `amannn/action-semantic-pull-request` | `pr_lint.yml` |
| `bcoe/conventional-release-labels` | `pr_labeler_title.yml` |
| `mikefarah/yq` | `v03_api_doc_build.yml` |
| `EndBug/add-and-commit` | `v03_api_doc_build.yml` |
| `peter-evans/create-pull-request` | `refresh_model_profiles.yml` |

## Test plan

- [x] CI passes — all workflows still resolve their actions correctly
- [x] Verify no functional change: SHA refs point to the same code as the previous tags

---

> This PR was generated with assistance from an AI coding agent as part of a repository posture check.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
48 lines
1.3 KiB
YAML
```yaml
# Label PRs based on their titles.
#
# Uses conventional commit types from PR titles to apply labels.
# Note: Scope-based labeling (e.g., integration labels) is handled by pr_labeler_file.yml

name: "🏷️ PR Title Labeler"

on:
  # Safe since we're not checking out or running the PR's code
  # Never check out the PR's head in a pull_request_target job
  pull_request_target:
    types: [opened, edited]

permissions:
  contents: read

jobs:
  pr-title-labeler:
    name: "label"
    permissions:
      contents: read
      pull-requests: write
      issues: write
    runs-on: ubuntu-latest

    steps:
      - name: Label PR based on title
        uses: bcoe/conventional-release-labels@b503ca473654e07521c051628c5f1f969e7436da # v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          type_labels: >-
            {
              "feat": "feature",
              "fix": "fix",
              "docs": "documentation",
              "style": "linting",
              "refactor": "refactor",
              "perf": "performance",
              "test": "tests",
              "build": "infra",
              "ci": "infra",
              "chore": "infra",
              "revert": "revert",
              "release": "release",
              "breaking": "breaking"
            }
          ignored_types: '[]'
```
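As an added example (not code from this PR or the langchain repository), a small audit script that checks a workflow file for the two properties the PR description enforces (a top-level `permissions` block and `uses:` refs pinned to a full 40-hex SHA) plus the PR-head checkout under `pull_request_target` that the workflow's own comment warns against. The sample workflow it scans is constructed from the file shown above; the extra `actions/checkout` step in it is hypothetical and only there to give the audit something to flag.

```python
import re

# Constructed sample (not a file from the repo): a trimmed copy of the page's
# pr_labeler_title.yml with one extra, hypothetical checkout step added so the
# audit has an unpinned, PR-head checkout to flag.
SAMPLE_WORKFLOW = """\
name: "PR Title Labeler"
on:
  pull_request_target:
    types: [opened, edited]
permissions:
  contents: read
jobs:
  pr-title-labeler:
    runs-on: ubuntu-latest
    steps:
      - uses: bcoe/conventional-release-labels@b503ca473654e07521c051628c5f1f969e7436da # v1
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return a list of finding strings for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    # Top-level 'permissions:' must sit at column 0 somewhere before 'jobs:'.
    jobs_at = next((i for i, l in enumerate(lines) if l.startswith("jobs:")), len(lines))
    if not any(l.startswith("permissions:") for l in lines[:jobs_at]):
        findings.append("missing top-level permissions block")
    pr_target = any(l.strip().startswith("pull_request_target:") for l in lines)
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith(("./", "docker://")):
            continue  # local and docker references are outside SHA pinning
        if not FULL_SHA_RE.match(ref):
            findings.append(f"line {n}: {action}@{ref} is not pinned to a full commit SHA")
        # The page's own comment: never check out the PR head under pull_request_target.
        if pr_target and action.startswith("actions/checkout"):
            if "pull_request.head" in "\n".join(lines[n:n + 4]):
                findings.append(f"line {n}: checks out the PR head under pull_request_target")
    return findings
```

Running `audit_workflow` over each file in `.github/workflows/` in CI turns the PR's manual review into a repeatable check.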