diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..a9e3ad862f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,36 @@ +version: 2 + +# Keeps the SHA pins in .github/workflows/*.yml current. Dependabot reads the +# trailing `# v` comment after each pinned SHA and opens PRs that +# bump both the SHA and the comment in lockstep. Without this file, pins go +# stale and we lose the security guarantee they provide. +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: "daily" + groups: + minor-and-patch: + patterns: + - "*" + update-types: + - "minor" + - "patch" + # Workaround for dependabot/dependabot-core#14202: without an explicit + # major group, major updates matching the minor-and-patch pattern are + # silently suppressed. Remove this group when #14202 is fixed to get + # individual (ungrouped) PRs per major bump instead. + major: + patterns: + - "*" + update-types: + - "major" + labels: + - dependencies + - github-actions + commit-message: + prefix: "chore(ci)" + include: scope + open-pull-requests-limit: 10 + cooldown: + default-days: 1 diff --git a/.github/workflows/auto-approve-community.yml b/.github/workflows/auto-approve-community.yml index 11db553dd9..976ae3c23d 100644 --- a/.github/workflows/auto-approve-community.yml +++ b/.github/workflows/auto-approve-community.yml 
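Review bot: `cooldown: default-days: 1` together with `interval: "daily"` and the auto-merge workflow added in this same change means a freshly published upstream release can be SHA-pinned and merged within roughly a day, before anyone has had time to notice a compromised release. Recent compromises of widely used actions were detected on a scale of days, so a longer cooldown for this ecosystem (for example `default-days: 7`) keeps pins current while staying behind the blast radius at almost no cost. The `major` group with `patterns: ["*"]` also bundles every major bump into a single PR; that is worth stating in the header comment, because the downstream analysis workflow has to handle multi-dependency PRs rather than one action per PR.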
@@ -5,24 +5,27 @@ on: types: [opened, synchronize, reopened] permissions: - pull-requests: write contents: read jobs: auto-approve: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 + persist-credentials: false - name: Fetch PR head run: | git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-head - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" diff --git a/.github/workflows/build-python-preview.yml b/.github/workflows/build-python-preview.yml index 9f2ccc1f72..e189b020dd 100644 --- a/.github/workflows/build-python-preview.yml +++ b/.github/workflows/build-python-preview.yml @@ -8,6 +8,9 @@ concurrency: group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -16,10 +19,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" @@ -32,7 +37,9 @@ jobs: echo "Preview version: ${VERSION}" - name: Rewrite pyproject.toml versions - run: uv run python scripts/rewrite-python-preview-versions.py ${{ steps.version.outputs.version }} + run: uv run python scripts/rewrite-python-preview-versions.py ${STEPS_VERSION_OUTPUTS_VERSION} + env: + STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }} - name: Build ag-ui-protocol working-directory: sdks/python 
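Review bot: With `persist-credentials: false` on the checkout, the following `git fetch origin pull/N/head:pr-head` now runs unauthenticated, which only works while the repository is public; if that is not guaranteed, pass the token to that single step rather than re-enabling persistence. The job keeps `pull-requests: write` while it checks out and then fetches the PR head, and the `on:` block is outside this hunk, so if the trigger is `pull_request_target` anything later executed from `pr-head` (Node is set up right after) runs next to a write-scoped token. A comment on the fetch step such as `# pr-head is untrusted: diff/inspect it, never run scripts from it in this job` would make that boundary explicit for the next editor.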
@@ -75,17 +82,19 @@ jobs: run: | mkdir -p pr-metadata echo "${{ github.event.pull_request.number }}" > pr-metadata/pr-number - echo "${{ steps.version.outputs.version }}" > pr-metadata/version + echo "${STEPS_VERSION_OUTPUTS_VERSION}" > pr-metadata/version echo "${{ github.sha }}" > pr-metadata/sha + env: + STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }} - name: Upload dist artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: python-preview-dist path: dist-preview/ - name: Upload PR metadata - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: python-preview-metadata path: pr-metadata/ diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000000..218916149b --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,32 @@ +name: Dependabot Auto-Merge (Minor/Patch) + +on: + pull_request_target: + types: [opened, synchronize] + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge: + runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Auto-approve and merge minor/patch github-actions updates + if: >- + steps.metadata.outputs.package-ecosystem == 'github_actions' && + (steps.metadata.outputs.update-type == 'version-update:semver-minor' || + steps.metadata.outputs.update-type == 'version-update:semver-patch') + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_URL: ${{ github.event.pull_request.html_url }} + run: | + gh pr review "$PR_URL" --approve + gh pr merge "$PR_URL" --auto --merge 
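Review bot: The `pr-number`, `version` and `sha` files written to `pr-metadata/` are produced by a workflow that, if it runs on `pull_request`, is itself taken from the PR head, so a PR author can rewrite this step to emit any values; the `workflow_run` publisher that downloads this artifact must treat them as untrusted input rather than as identity. A comment above the step, `# NOTE: these values are attacker-controlled for the workflow_run consumer; it must cross-check them against its own event payload`, would keep that trust boundary visible in both files. The remaining inline `${{ github.event.pull_request.number }}` and `${{ github.sha }}` in `run:` are numeric/hex and safe as written.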
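Review bot: The `gh pr review --approve` posted with `GITHUB_TOKEN` satisfies a "require one approving review" branch rule, so after this change the only gate on a minor/patch actions bump is whichever status checks branch protection marks as required; confirm the real CI jobs are required checks, otherwise `gh pr merge --auto` completes as soon as this job finishes. The `if:` only checks the PR author, and on `synchronize` a collaborator pushing to the Dependabot branch keeps `dependabot[bot]` as author, so tighten it to `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'`. Note also that merges performed with `GITHUB_TOKEN` do not trigger other `push`-triggered workflows, which matters if anything on `main` is expected to run after these merges.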
diff --git a/.github/workflows/dependabot-major-analysis.yml b/.github/workflows/dependabot-major-analysis.yml new file mode 100644 index 0000000000..8e17192874 --- /dev/null +++ b/.github/workflows/dependabot-major-analysis.yml 
@@ -0,0 +1,144 @@ +name: Dependabot Major Version Analysis + +on: + pull_request_target: + types: [opened] + +permissions: + contents: read + pull-requests: write + +jobs: + analyze-major: + runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Analyze major version bump + if: >- + steps.metadata.outputs.package-ecosystem == 'github_actions' && + steps.metadata.outputs.update-type == 'version-update:semver-major' + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 + env: + DEP_NAME: ${{ steps.metadata.outputs.dependency-names }} + PREV_VERSION: ${{ steps.metadata.outputs.previous-version }} + NEW_VERSION: ${{ steps.metadata.outputs.new-version }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const depName = process.env.DEP_NAME; + const prevVersion = process.env.PREV_VERSION; + const newVersion = process.env.NEW_VERSION; + const parts = depName.split('/'); + const owner = parts[0]; + const repo = parts[1]; + const repoSlug = `${owner}/${repo}`; + + let releases = []; + try { + const { data } = await github.rest.repos.listReleases({ owner, repo, per_page: 50 }); + releases = data; + } catch (err) { + core.warning(`Could not fetch releases for ${repoSlug}: ${err.message}`); + } + + const prevMajor = parseInt(prevVersion.replace(/^v/, ''), 10); + const newMajor = parseInt(newVersion.replace(/^v/, ''), 10); + + const relevantReleases = releases.filter(r => { + const major = parseInt(r.tag_name.replace(/^v/, ''), 10); + return major > prevMajor && major <= newMajor; + }); + + let releaseNotesSummary = ''; + let breakingChanges = ''; + + if (relevantReleases.length === 0) { + releaseNotesSummary = '_No releases found between these versions._'; + breakingChanges = `_Unable to determine 
breaking changes automatically. Please review the [full changelog](https://github.com/${repoSlug}/releases)._`; + } else { + for (const release of relevantReleases.slice(0, 10)) { + const body = release.body || '_No release notes._'; + releaseNotesSummary += `### ${release.tag_name}${release.name && release.name !== release.tag_name ? ' — ' + release.name : ''}\n\n`; + releaseNotesSummary += body.substring(0, 2000); + if (body.length > 2000) releaseNotesSummary += '\n\n_...truncated_'; + releaseNotesSummary += '\n\n---\n\n'; + const lines = body.split('\n'); + for (const line of lines) { + if (/breaking|BREAKING|removed|deprecated|incompatible|migration/i.test(line)) { + breakingChanges += `- ${line.trim()}\n`; + } + } + } + } + + if (!breakingChanges) { + breakingChanges = '_No explicit breaking changes detected in release notes. Manual review recommended._'; + } + + let commentBody = `## :warning: Major Version Update — Manual Review Required + + | Field | Value | + |-------|-------| + | **Action** | [\`${depName}\`](https://github.com/${repoSlug}) | + | **Previous** | \`v${prevVersion}\` | + | **New** | \`v${newVersion}\` | + | **Type** | Major (\`v${prevMajor}\` → \`v${newMajor}\`) | + + ### Breaking Changes + + ${breakingChanges} + + ### Release Notes (v${prevMajor + 1} → v${newMajor}) + + ${releaseNotesSummary} + + ### Next Steps + + 1. Review breaking changes above + 2. Check if workflow inputs/outputs changed + 3. 
Verify compatibility with your CI/CD configuration + + > Full changelog: https://github.com/${repoSlug}/releases + + --- + _Generated automatically for Dependabot major version PRs._`.replace(/^ /gm, ''); + + if (commentBody.length > 64000) { + commentBody = commentBody.substring(0, 63900) + '\n\n_...comment truncated due to size limit._'; + } + + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: commentBody, + }); + + try { + const labelsToAdd = ['major-update', 'needs-review']; + for (const label of labelsToAdd) { + try { + await github.rest.issues.getLabel({ owner: context.repo.owner, repo: context.repo.repo, name: label }); + } catch { + const colors = { 'major-update': 'B60205', 'needs-review': 'FBCA04' }; + await github.rest.issues.createLabel({ + owner: context.repo.owner, repo: context.repo.repo, + name: label, color: colors[label] || 'EDEDED', + }); + } + } + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + labels: labelsToAdd, + }); + } catch (err) { + core.warning(`Could not add labels: ${err.message}`); + } diff --git a/.github/workflows/dojo-e2e.yml b/.github/workflows/dojo-e2e.yml index 4f1173ea3a..38e2a2ddc7 100644 --- a/.github/workflows/dojo-e2e.yml +++ b/.github/workflows/dojo-e2e.yml 
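Review bot: `depName.split('/')` assumes a single dependency, but the `major` group (`patterns: ["*"]`) in the new dependabot.yml bundles every major bump into one PR, and fetch-metadata's `dependency-names` is then a comma-separated list, so `repo` becomes e.g. `checkout,actions`, `listReleases` fails, and the comment links to a non-existent repository; `previous-version`/`new-version` are likewise not per-dependency for grouped PRs, leaving `prevMajor` as `NaN` and the filter empty. Iterate over the names, and when the version outputs are empty fall back to the per-dependency entries in fetch-metadata's `updated-dependencies-json` output (check its shape for the pinned version). The release-body filter also tests `breaking|BREAKING` under the `i` flag, so one alternative is redundant. The whole `script:` body is within the hunk.

```javascript
const depNames = process.env.DEP_NAME.split(',').map(s => s.trim()).filter(Boolean);
// … unchanged: PREV_VERSION / NEW_VERSION parsing, now resolved per dependency …
for (const name of depNames) {
  const [owner, repo] = name.split('/');
  if (!owner || !repo) {
    core.warning(`Skipping dependency with unexpected name: ${name}`);
    continue;
  }
  const repoSlug = `${owner}/${repo}`;
  // … unchanged: listReleases, major-range filter, release-note and breaking-change sections …
}
// … unchanged: comment assembly and labelling, once per PR …
```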
@@ -25,25 +25,29 @@ on: - "sdks/python/**" - "sdks/typescript/**" +permissions: + contents: read + jobs: check-generated-files: name: dojo / check-generated-files runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: lfs: true + persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: 10.13.1 + version: 10.33.4 - name: Validate agentFilesMapper and regenerate files.json working-directory: apps/dojo @@ -167,29 +171,32 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: lfs: true + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: 10.13.1 + version: 10.33.4 # Now that pnpm is available, cache its store to speed installs - name: Resolve pnpm store path 
@@ -197,7 +204,7 @@ jobs: run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - name: Cache pnpm store - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ env.STORE_PATH }} key: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -205,7 +212,7 @@ jobs: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-pnpm-store- - name: Cache Python dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/pip @@ -218,7 +225,7 @@ jobs: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-pydeps- - name: Cache Next.js build - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ github.workspace }}/apps/dojo/.next/cache key: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}-${{ hashFiles('apps/dojo/src/**/*.ts', 'apps/dojo/src/**/*.tsx', 'apps/dojo/src/**/*.js', 'apps/dojo/src/**/*.jsx') }} @@ -226,18 +233,18 @@ jobs: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}- - name: Install Poetry - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: latest virtualenvs-create: true virtualenvs-in-project: true - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 - name: Set up .NET SDK if: ${{ contains(join(matrix.services, ','), 'microsoft-agent-framework-dotnet') }} - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 with: dotnet-version: "9.0.x" 
@@ -250,7 +257,7 @@ jobs: run: node ./scripts/prep-dojo-everything.js --only ${{ join(matrix.services, ',') }} - name: Cache Playwright browsers id: cache-playwright - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.cache/ms-playwright key: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-playwright-${{ hashFiles('apps/dojo/e2e/package.json') }} @@ -284,12 +291,21 @@ jobs: working-directory: integrations/langroid/python/examples env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - if: ${{ contains(join(matrix.services, ','), 'langroid') }} + # Only inject OPENAI_API_KEY for same-repo PRs / push events. + # Fork PRs skip this step (and the langroid suite that depends on it) + # to prevent secret exfiltration via a malicious PR modifying the + # langroid test runner. Tracked for follow-up: move langroid e2e to a + # workflow_run pattern so fork PRs can run with secrets injected in + # the trusted base context. + if: >- + contains(join(matrix.services, ','), 'langroid') + && (github.event_name != 'pull_request' + || github.event.pull_request.head.repo.full_name == github.repository) run: | echo "OPENAI_API_KEY=${OPENAI_API_KEY}" > .env - name: Run dojo+agents - uses: JarvusInnovations/background-action@v1 + uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1.0.7 if: ${{ join(matrix.services, ',') != '' && contains(join(matrix.services, ','), 'dojo') }} with: run: | @@ -308,7 +324,7 @@ jobs: - name: Upload traces – ${{ matrix.suite }} if: always() # Uploads artifacts even if tests fail - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ matrix.suite }}-playwright-traces path: | diff --git a/.github/workflows/lint-release-workflows.yml b/.github/workflows/lint-release-workflows.yml index 67896ec37f..e787f9655a 100644 --- a/.github/workflows/lint-release-workflows.yml 
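Review bot: The rationale in the new comment on the `.env` step is slightly off: the `Detect fork PR` step above assumes this workflow runs on `pull_request`, and on that event GitHub already withholds repository secrets from fork PRs, so without the gate the step would write an empty key rather than leak one; the condition is still useful as a fail-fast, but not as an exfiltration control. The larger residual risk is the file itself, since `echo "OPENAI_API_KEY=${OPENAI_API_KEY}" > .env` leaves the secret on disk for the rest of the job, including the `if: always()` trace upload whose `path:` list is outside this hunk. I would reword the comment to `# Fork PRs receive no secrets on pull_request; skip so the suite fails fast instead of running keyless` and add `# keep .env out of every upload-artifact path below`.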
+++ b/.github/workflows/lint-release-workflows.yml @@ -27,13 +27,18 @@ on: - "scripts/release/**" - "nx.json" +permissions: + contents: read + jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Run actionlint on release workflows - uses: reviewdog/action-actionlint@v1 + uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0 with: reporter: github-check level: error @@ -47,7 +52,9 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install shellcheck run: sudo apt-get update && sudo apt-get install -y shellcheck - name: Run shellcheck on release scripts @@ -68,6 +75,8 @@ jobs: # or silently skip a package (missing from nx.json). runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Verify nx.json and release.config.json are in sync run: bash scripts/release/verify-nx-release-allowlist.sh diff --git a/.github/workflows/pr-check-binaries.yml b/.github/workflows/pr-check-binaries.yml index d3658a9214..8145cd717f 100644 --- a/.github/workflows/pr-check-binaries.yml +++ b/.github/workflows/pr-check-binaries.yml @@ -12,9 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 + persist-credentials: false - name: Check for binary and build artifacts env: 
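Review bot: Now that every `uses:` is SHA-pinned, nothing enforces that it stays that way for hand-edited workflows, and actionlint does not flag tag references; consider adding a check to this lint job (a `grep -nE 'uses:.*@v[0-9]' .github/workflows/*.yml` that must return nothing, or a dedicated tool's unpinned-uses audit). The `paths:` filter visible at the top of the hunk (`scripts/release/**`, `nx.json`) suggests this job only runs for release-related changes, in which case the new `pull_request_target` workflows added in this commit would never be linted here; widening it to `.github/workflows/**` seems warranted.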
@@ -86,7 +87,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Check build config allowlist run: bash .github/scripts/check-config-allowlist.sh diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index dd7a5ce417..111c7b4f03 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -56,8 +56,7 @@ concurrency: cancel-in-progress: false permissions: - contents: write - pull-requests: write + contents: read env: NX_VERBOSE_LOGGING: true @@ -67,10 +66,13 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: write + pull-requests: write steps: - name: Find existing release/next PR (stacking target) id: existing - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -94,24 +96,25 @@ jobs: } - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} ref: main + persist-credentials: false - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: "10.13.1" + version: "10.33.4" - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.12" 
@@ -139,14 +142,18 @@ jobs: - name: Bump versions for scope id: bump + env: + INPUT_SCOPE: ${{ inputs.scope }} + INPUT_BUMP: ${{ inputs.bump }} + INPUT_DRY_RUN: ${{ inputs.dry_run }} run: | EXTRA_ARGS=() - if [ "${{ inputs.dry_run }}" = "true" ]; then + if [ "$INPUT_DRY_RUN" = "true" ]; then EXTRA_ARGS+=(--dry-run) fi RESULT=$(pnpm tsx scripts/release/prepare-release.ts \ - --scope "${{ inputs.scope }}" \ - --bump "${{ inputs.bump }}" \ + --scope "$INPUT_SCOPE" \ + --bump "$INPUT_BUMP" \ "${EXTRA_ARGS[@]}") echo "$RESULT" > /tmp/bump-result.json @@ -161,16 +168,25 @@ jobs: - name: Dry-run summary if: inputs.dry_run == true + env: + INPUT_SCOPE: ${{ inputs.scope }} + INPUT_BUMP: ${{ inputs.bump }} run: | { echo "## Dry Run — release / create-pr" echo "" - echo "**Scope:** \`${{ inputs.scope }}\` | **Bump:** \`${{ inputs.bump }}\`" + echo "**Scope:** \`${INPUT_SCOPE}\` | **Bump:** \`${INPUT_BUMP}\`" echo "" echo "### Would bump" jq -r '.packages[] | "- **\(.name)**: \(.oldVersion) → \(.newVersion)"' /tmp/bump-result.json } >> "$GITHUB_STEP_SUMMARY" + - name: Configure git credentials for push + if: inputs.dry_run != true && steps.bump.outputs.changed_count != '0' + run: git config --global url."https://x-access-token:$GITHUB_TOKEN@github.com/".insteadOf "https://github.com/" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Commit and push version bumps if: inputs.dry_run != true && steps.bump.outputs.changed_count != '0' env: 
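Review bot: `git config --global url."https://x-access-token:$GITHUB_TOKEN@github.com/".insteadOf "https://github.com/"` writes the token in clear text into `~/.gitconfig` for every github.com URL for the remainder of the job, which is broader than the `persist-credentials: true` this change just removed and also rewrites any git-based dependency fetch a later step might perform. Scope it to the push step through the environment instead so nothing lands on disk: in that step's `env:` set `GIT_CONFIG_COUNT: "1"`, `GIT_CONFIG_KEY_0: url.https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/.insteadOf`, `GIT_CONFIG_VALUE_0: https://github.com/` (Git ≥ 2.31). The `Commit and push version bumps` step this feeds continues outside the hunk.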
@@ -187,12 +203,14 @@ jobs: - name: Collect accumulated bumps id: notes if: inputs.dry_run != true && steps.bump.outputs.changed_count != '0' + env: + INPUT_SCOPE: ${{ inputs.scope }} run: | git fetch origin main python3 scripts/release/collect-accumulated-bumps.py origin/main HEAD > /tmp/accumulated.json SCOPES=$(jq -r '[.[].scope] | unique | join(" + ")' /tmp/accumulated.json) - [ -z "$SCOPES" ] || [ "$SCOPES" = "null" ] && SCOPES="${{ inputs.scope }}" + [ -z "$SCOPES" ] || [ "$SCOPES" = "null" ] && SCOPES="$INPUT_SCOPE" echo "title=release: ${SCOPES}" >> "$GITHUB_OUTPUT" - name: Build PR body @@ -234,12 +252,14 @@ jobs: - name: Create or update release PR if: inputs.dry_run != true && steps.bump.outputs.changed_count != '0' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 env: HAS_EXISTING: ${{ steps.existing.outputs.has_existing }} EXISTING_PR: ${{ steps.existing.outputs.pr_number }} PR_TITLE: ${{ steps.notes.outputs.title }} PR_BODY_PATH: ${{ steps.prbody.outputs.body_path }} + INPUT_SCOPE: ${{ inputs.scope }} + INPUT_BUMP: ${{ inputs.bump }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -248,6 +268,8 @@ jobs: const title = process.env.PR_TITLE; const body = fs.readFileSync(process.env.PR_BODY_PATH, "utf8"); const hasExisting = process.env.HAS_EXISTING === "true"; + const scope = process.env.INPUT_SCOPE; + const bump = process.env.INPUT_BUMP; let pr; if (hasExisting) { 
@@ -269,15 +291,17 @@ jobs: await core.summary .addHeading("release / create-pr", 2) - .addRaw(`**Added scope:** \`${{ inputs.scope }}\` (\`${{ inputs.bump }}\`)\n\n`) + .addRaw(`**Added scope:** \`${scope}\` (\`${bump}\`)\n\n`) .addRaw(`**PR:** ${pr.html_url}\n`) .write(); - name: No-op summary if: inputs.dry_run != true && steps.bump.outputs.changed_count == '0' + env: + INPUT_SCOPE: ${{ inputs.scope }} run: | { echo "## release / create-pr" echo "" - echo "Scope \`${{ inputs.scope }}\` is already bumped on \`release/next\` — nothing to add." + echo "Scope \`${INPUT_SCOPE}\` is already bumped on \`release/next\` — nothing to add." } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index b0f2bc014c..7d586f37f2 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -56,6 +56,9 @@ concurrency: env: NX_VERBOSE_LOGGING: true +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest 
@@ -68,31 +71,33 @@ jobs: has_py_packages: ${{ steps.py.outputs.has_packages }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: "10.13.1" + version: "10.33.4" - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: version: "25.x" repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.12" @@ -104,14 +109,17 @@ jobs: - name: Compute prerelease version and bump id: bump + env: + INPUT_SUFFIX: ${{ inputs.suffix }} + INPUT_SCOPE: ${{ inputs.scope }} run: | - SUFFIX="${{ inputs.suffix }}" + SUFFIX="$INPUT_SUFFIX" if [ -z "$SUFFIX" ]; then SUFFIX=$(date +%s) fi RESULT=$(pnpm tsx scripts/release/prepare-release.ts \ - --scope "${{ inputs.scope }}" \ + --scope "$INPUT_SCOPE" \ --bump prerelease \ --preid "canary.${SUFFIX}") 
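Review bot: `INPUT_SUFFIX` flows unchecked into `--preid "canary.${SUFFIX}"` and from there into the published package versions and the `canary` dist-tag, so an unexpected character in the `workflow_dispatch` input yields a malformed or misleading version rather than a failed run. Add a guard right after the default is applied: `[[ "$SUFFIX" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid suffix: $SUFFIX" >&2; exit 1; }`. Moving the inputs into `env:` is the right fix for expression injection; this is about validating the value itself before it becomes part of a release identifier.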
@@ -147,15 +155,19 @@ jobs: - name: Build TypeScript packages in scope if: steps.ts.outputs.count != '0' - run: npx nx run-many -t build --projects="${{ steps.ts.outputs.projects }}" + run: npx nx run-many -t build --projects="${STEPS_TS_OUTPUTS_PROJECTS}" + env: + STEPS_TS_OUTPUTS_PROJECTS: ${{ steps.ts.outputs.projects }} - name: Test TypeScript packages in scope if: steps.ts.outputs.count != '0' - run: npx nx run-many -t test --projects="${{ steps.ts.outputs.projects }}" + run: npx nx run-many -t test --projects="${STEPS_TS_OUTPUTS_PROJECTS}" + env: + STEPS_TS_OUTPUTS_PROJECTS: ${{ steps.ts.outputs.projects }} - name: Upload TypeScript build artifacts if: steps.ts.outputs.count != '0' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ts-canary-artifacts path: | @@ -184,7 +196,7 @@ jobs: - name: Upload Python build artifacts if: steps.py.outputs.has_packages == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: py-canary-artifacts path: | @@ -193,7 +205,7 @@ jobs: retention-days: 1 - name: Upload bump result - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: bump-result path: /tmp/bump-result.json @@ -208,10 +220,12 @@ jobs: contents: read steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Download bump result - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: bump-result path: /tmp/ 
@@ -219,13 +233,13 @@ jobs: # --- TypeScript publish --- - name: Setup pnpm if: needs.build.outputs.ts_count != '0' - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: "10.13.1" + version: "10.33.4" - name: Setup Node if: needs.build.outputs.ts_count != '0' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" registry-url: https://registry.npmjs.org @@ -241,7 +255,7 @@ jobs: - name: Download TypeScript build artifacts if: needs.build.outputs.ts_count != '0' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ts-canary-artifacts @@ -250,20 +264,21 @@ jobs: env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NEEDS_BUILD_OUTPUTS_TS_PROJECTS: ${{ needs.build.outputs.ts_projects }} run: | - echo "Publishing TypeScript canary: ${{ needs.build.outputs.ts_projects }}" - npx nx release publish --projects="${{ needs.build.outputs.ts_projects }}" --tag canary + echo "Publishing TypeScript canary: ${NEEDS_BUILD_OUTPUTS_TS_PROJECTS}" + npx nx release publish --projects="${NEEDS_BUILD_OUTPUTS_TS_PROJECTS}" --tag canary # --- Python publish --- - name: Install uv if: needs.build.outputs.has_py_packages == 'true' - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Download Python build artifacts if: needs.build.outputs.has_py_packages == 'true' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: py-canary-artifacts diff --git a/.github/workflows/publish-commit.yml b/.github/workflows/publish-commit.yml index b47aeff440..8022b5925d 100644 --- a/.github/workflows/publish-commit.yml +++ b/.github/workflows/publish-commit.yml 
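Review bot: `NODE_AUTH_TOKEN`/`NPM_TOKEN` is a long-lived registry credential handed to `npx nx release publish`, which executes whatever `nx` and the project's release plugins are installed in this job; if the publish job still runs a package install before this step (not visible in the hunk), that install also runs with the token in its environment. Since the build/publish split already isolates untrusted code, the remaining improvement is to replace the static token with npm trusted publishing (OIDC via `id-token: write` and `--provenance`) so no long-lived secret exists to leak; failing that, restrict the token to publish-only with a granular scope and short expiry. The same consideration applies to the Python publish step that follows if it uses a static PyPI token, where trusted publishing is likewise available.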
@@ -9,6 +9,9 @@ concurrency: # runs untrusted repo code (pnpm install, pnpm build) without any secrets. # The publish job only runs pkg-pr-new against pre-built artifacts. +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -17,13 +20,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 - run: corepack enable - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version-file: "package.json" @@ -34,7 +39,7 @@ jobs: run: pnpm run build - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pkg-pr-new-build path: | @@ -51,18 +56,20 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 - run: corepack enable - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version-file: "package.json" - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: pkg-pr-new-build diff --git a/.github/workflows/publish-java-sdk.yml b/.github/workflows/publish-java-sdk.yml index 11739e61a5..7c5c903b49 100644 --- a/.github/workflows/publish-java-sdk.yml +++ b/.github/workflows/publish-java-sdk.yml 
@@ -14,6 +14,9 @@ on: # This ensures that build-time code execution (compile, test) happens in a # job that cannot exfiltrate publishing credentials. +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -27,10 +30,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: "21" distribution: "temurin" @@ -52,10 +57,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: "21" distribution: "temurin" diff --git a/.github/workflows/publish-kotlin-sdk.yml b/.github/workflows/publish-kotlin-sdk.yml index 04561b0400..19c090be27 100644 --- a/.github/workflows/publish-kotlin-sdk.yml +++ b/.github/workflows/publish-kotlin-sdk.yml @@ -14,6 +14,9 @@ on: # secrets (Sonatype credentials, GPG keys) are only available in the publish # job, never in the same process tree as build-time code execution. +permissions: + contents: read + jobs: build-and-test: runs-on: macos-latest 
@@ -23,19 +26,21 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: "21" distribution: "temurin" - name: Setup Gradle - uses: gradle/gradle-build-action@v3 + uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0 - name: Install Android SDK - uses: android-actions/setup-android@v3 + uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2 - name: Install Android SDK 36 components run: | @@ -106,7 +111,7 @@ jobs: # JReleaser's publish.sh does a Gradle build internally, so we upload # the Gradle caches to speed up the publish job's rebuild. - name: Upload Gradle build cache - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kotlin-gradle-cache path: | @@ -123,19 +128,21 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: "21" distribution: "temurin" - name: Setup Gradle - uses: gradle/gradle-build-action@v3 + uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0 - name: Install Android SDK - uses: android-actions/setup-android@v3 + uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2 - name: Install Android SDK 36 components run: | 
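Review bot: `gradle/gradle-build-action`, now pinned at `# v3.5.0` in both the build-and-test and publish jobs here, is as far as I know superseded upstream by `gradle/actions/setup-gradle` (v3 of the old action only delegates to it), so pinning a SHA of a frozen action gives Dependabot nothing to bump while no fixes land there. Consider switching both references, and the identical one in unit-kotlin-sdk.yml, to `gradle/actions/setup-gradle@<SHA> # v<VERSION>` (placeholders) in a follow-up, keeping the SHA-plus-comment form so the Dependabot flow still applies. If the deprecation has been checked and the old action is kept on purpose, a comment above the step saying so would save the next reviewer the same detour.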
@@ -147,7 +154,7 @@ jobs: run: yes | sdkmanager --licenses || true - name: Download Gradle build cache - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: kotlin-gradle-cache path: sdks/community/kotlin/library/ @@ -180,7 +187,7 @@ jobs: - name: Upload JReleaser logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jreleaser-logs path: sdks/community/kotlin/library/build/jreleaser/ diff --git a/.github/workflows/publish-python-preview.yml b/.github/workflows/publish-python-preview.yml index 9c314fae3a..cfc95599d3 100644 --- a/.github/workflows/publish-python-preview.yml +++ b/.github/workflows/publish-python-preview.yml @@ -9,6 +9,9 @@ on: workflows: ["Build Python Preview"] types: [completed] +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest @@ -19,7 +22,7 @@ jobs: steps: - name: Download dist artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: python-preview-dist path: dist-preview/ @@ -27,7 +30,7 @@ jobs: github-token: ${{ github.token }} - name: Download PR metadata - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: python-preview-metadata path: pr-metadata/ @@ -42,7 +45,7 @@ jobs: echo "sha=$(cat pr-metadata/sha)" >> "$GITHUB_OUTPUT" - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" @@ -60,7 +63,7 @@ jobs: - name: Find existing preview comment if: always() id: find-comment - uses: peter-evans/find-comment@v4 + uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 with: issue-number: ${{ steps.meta.outputs.pr-number }} comment-author: 'github-actions[bot]' 
@@ -68,7 +71,7 @@ jobs: - name: Post or update install instructions if: success() - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} issue-number: ${{ steps.meta.outputs.pr-number }} @@ -125,7 +128,7 @@ jobs: - name: Post failure comment if: failure() - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: comment-id: ${{ steps.find-comment.outputs.comment-id }} issue-number: ${{ steps.meta.outputs.pr-number }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index bdab83a434..149b91c6da 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -46,6 +46,9 @@ concurrency: env: NX_VERBOSE_LOGGING: true +permissions: + contents: read + jobs: build: # Fires on merged release PRs OR on manual dispatch (retry / forced publish). 
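Review bot: Both `create-or-update-comment` steps are pinned but still take `issue-number: ${{ steps.meta.outputs.pr-number }}` and a `comment-id` resolved from it, and `pr-number` comes from the `python-preview-metadata` artifact that the PR's own build run produces (the `Download PR metadata` and `echo "sha=$(cat pr-metadata/sha)"` steps in the earlier hunks), i.e. from the untrusted side of the `workflow_run` boundary. Unless the `meta` step (outside these hunks) already cross-checks it, a defensive check before the comment steps would compare the artifact's `sha` with the trusted payload, e.g. `test "$(cat pr-metadata/sha)" = "$WORKFLOW_RUN_HEAD_SHA" || exit 1` with `WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}` in `env`, and derive the PR number from that SHA rather than from the artifact (`workflow_run.pull_requests` is not populated for fork PRs, so `head_sha` is the reliable field). Since the commit also adds workflow-level `contents: read`, the job now has to grant `pull-requests: write` itself for these steps; the job's permissions block is outside the hunks, so please confirm it is there.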
@@ -64,34 +67,35 @@ jobs: ts_groups_json: ${{ steps.save_groups.outputs.groups }} steps: - name: Checkout merged main - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 ref: main + persist-credentials: false - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: "10.13.1" + version: "10.33.4" - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: version: "25.x" repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.12" @@ -151,11 +155,15 @@ jobs: - name: Build TypeScript packages in scope if: steps.detect_ts.outputs.count != '0' - run: npx nx run-many -t build --projects="${{ steps.ts_projects.outputs.projects }}" + run: npx nx run-many -t build --projects="${STEPS_TS_PROJECTS_OUTPUTS_PROJECTS}" + env: + STEPS_TS_PROJECTS_OUTPUTS_PROJECTS: ${{ steps.ts_projects.outputs.projects }} - name: Test TypeScript packages in scope if: steps.detect_ts.outputs.count != '0' - run: npx nx run-many -t test --projects="${{ steps.ts_projects.outputs.projects }}" + run: npx nx run-many -t test --projects="${STEPS_TS_PROJECTS_OUTPUTS_PROJECTS}" + env: + STEPS_TS_PROJECTS_OUTPUTS_PROJECTS: ${{ steps.ts_projects.outputs.projects }} - name: Group TypeScript packages by dist-tag if: steps.detect_ts.outputs.count != '0' 
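Review bot: `version: "10.33.4"` on the Setup pnpm step duplicates `"packageManager": "pnpm@10.33.4"` in package.json, which the same commit bumps, and the literal is repeated again in the publish job's Setup pnpm and in unit-typescript-sdk.yml, where it is written unquoted (`version: 10.33.4`). pnpm/action-setup v4 reads `packageManager` from package.json when `version` is omitted and, I believe, errors when the two disagree, so every future bump has to touch four places in lockstep; dropping the `with: version:` lines, or at least using one quoted form everywhere, removes that drift. The env-variable rewrite of `${STEPS_TS_PROJECTS_OUTPUTS_PROJECTS}` in the build and test steps is the right shape for taking a step output out of the template-expansion path.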
@@ -190,7 +198,7 @@ jobs: - name: Upload TypeScript build artifacts if: steps.detect_ts.outputs.count != '0' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ts-build-artifacts path: | @@ -220,7 +228,7 @@ jobs: - name: Upload Python build artifacts if: steps.detect_py.outputs.count != '0' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: py-build-artifacts path: | @@ -240,22 +248,23 @@ jobs: id-token: write steps: - name: Checkout merged main - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 ref: main token: ${{ secrets.GITHUB_TOKEN }} + persist-credentials: false # --- TypeScript publish --- - name: Setup pnpm if: needs.build.outputs.ts_count != '0' - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: "10.13.1" + version: "10.33.4" - name: Setup Node if: needs.build.outputs.ts_count != '0' - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" registry-url: https://registry.npmjs.org @@ -271,7 +280,7 @@ jobs: - name: Download TypeScript build artifacts if: needs.build.outputs.ts_count != '0' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ts-build-artifacts 
@@ -310,13 +319,13 @@ jobs: # --- Python publish --- - name: Install uv if: needs.build.outputs.py_count != '0' - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Download Python build artifacts if: needs.build.outputs.py_count != '0' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: py-build-artifacts @@ -356,6 +365,11 @@ jobs: git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" + - name: Configure git credentials for push + run: git config --global url."https://x-access-token:$GITHUB_TOKEN@github.com/".insteadOf "https://github.com/" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Create and push per-package git tags (TypeScript) if: needs.build.outputs.ts_count != '0' env: diff --git a/.github/workflows/rust-lint-test.yml b/.github/workflows/rust-lint-test.yml index f11acedd80..3e9b147dc2 100644 --- a/.github/workflows/rust-lint-test.yml +++ b/.github/workflows/rust-lint-test.yml @@ -22,6 +22,9 @@ defaults: run: working-directory: ./rust +permissions: + contents: read + jobs: rust: strategy: @@ -36,10 +39,12 @@ jobs: CARGO_TERM_COLOR: always steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false # Built-in cache is fork-safe (fork PRs can't write to base repo cache) - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2.8.1 - name: Build run: cargo build --verbose diff --git a/.github/workflows/security-fork-pr-alert.yml b/.github/workflows/security-fork-pr-alert.yml index be925b4b13..a2d217ba21 100644 --- a/.github/workflows/security-fork-pr-alert.yml +++ b/.github/workflows/security-fork-pr-alert.yml 
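Review bot: The new `Configure git credentials for push` step writes `x-access-token:$GITHUB_TOKEN` in plaintext into `~/.gitconfig` through an `insteadOf` rewrite of every `https://github.com/` URL, which gives back most of what `persist-credentials: false` on this job's checkout took away: from this step to the end of the job every later step, including the npm and PyPI publish tooling and any dependency hook it runs, can read the token from the config, and any git fetch of a github.com-hosted dependency will present it. Prefer attaching the credential only to the push in the tag steps themselves (they are outside the hunk), e.g. `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" --tags`, or at minimum `git remote set-url --push origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` so only pushes to origin carry it, followed by a reset after the last push. The `token: ${{ secrets.GITHUB_TOKEN }}` on the publish job's checkout in the earlier hunk is the default token anyway and can be dropped now that nothing is persisted.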
@@ -5,16 +5,18 @@ on: types: [opened, synchronize, closed, reopened] permissions: - pull-requests: write contents: read jobs: fork-pr-monitor: if: github.event.pull_request.head.repo.full_name != github.repository runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Check for suspicious patterns - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const pr = context.payload.pull_request; diff --git a/.github/workflows/unit-dart-sdk.yml b/.github/workflows/unit-dart-sdk.yml index 3c50705f9c..85e4e85d19 100644 --- a/.github/workflows/unit-dart-sdk.yml +++ b/.github/workflows/unit-dart-sdk.yml @@ -12,6 +12,9 @@ on: - "sdks/community/dart/**" - ".github/workflows/unit-dart-sdk.yml" +permissions: + contents: read + jobs: dart: runs-on: ubuntu-latest @@ -22,12 +25,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: lfs: true + persist-credentials: false - name: Set up Dart - uses: dart-lang/setup-dart@v1 + uses: dart-lang/setup-dart@65eb853c7ba17dde3be364c3d2858773e7144260 # v1.7.2 with: sdk: stable diff --git a/.github/workflows/unit-genkit-go.yml b/.github/workflows/unit-genkit-go.yml index d3db7590f1..c7e72d9276 100644 --- a/.github/workflows/unit-genkit-go.yml +++ b/.github/workflows/unit-genkit-go.yml @@ -12,6 +12,9 @@ on: - "integrations/community/genkit/go/**" - ".github/workflows/unit-genkit-go.yml" +permissions: + contents: read + jobs: go-genkit: name: Go Genkit Integration Tests 
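Review bot: Moving `pull-requests: write` from the workflow to the `fork-pr-monitor` job narrows the default, but that job is gated on `head.repo.full_name != github.repository`, so it only ever runs for fork PRs; if the trigger above the hunk is `pull_request`, GitHub issues a read-only token for fork PRs regardless and the job-level write grant has no effect, so any comment or label call in the `github-script` body (outside the hunk) would presumably fail, while if it is `pull_request_target` the script handles fork-controlled payload fields with a write token and that deserves saying. Either way a one-line comment on the new job-level block, e.g. `# Write scope is only honoured on pull_request_target; fork PRs under pull_request get a read-only token`, would record which case this workflow is in.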
@@ -19,25 +22,29 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25.0" - name: Setup Go module cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/unit-go-sdk.yml b/.github/workflows/unit-go-sdk.yml index a7b4b1e8f5..0e3612a936 100644 --- a/.github/workflows/unit-go-sdk.yml +++ b/.github/workflows/unit-go-sdk.yml 
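Review bot: The rewritten fork check still expands `${{ github.event_name }}` and `${{ github.repository }}` inside the `run:` script; both are low-risk contexts, but the runner already exposes them as `$GITHUB_EVENT_NAME` and `$GITHUB_REPOSITORY`, so the step can drop template expansion from the shell entirely: `if [[ "$GITHUB_EVENT_NAME" == "pull_request" && \` / `"${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "$GITHUB_REPOSITORY" ]]; then`. The identical `Detect fork PR` step is repeated in unit-go-sdk.yml, the six jobs of unit-python-sdk.yml and unit-typescript-sdk.yml in this diff; a composite action under `.github/actions/`, or the boolean `github.event.pull_request.head.repo.fork` used directly in the cache key expression, would give one place to maintain the logic.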
@@ -12,31 +12,38 @@ on: - "sdks/community/go/**" - ".github/workflows/unit-go-sdk.yml" +permissions: + contents: read + jobs: go: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.24.4" - name: Setup Go module cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/go/pkg/mod diff --git a/.github/workflows/unit-java-sdk.yml b/.github/workflows/unit-java-sdk.yml index 7a901dd553..a5f7d00f08 100644 --- a/.github/workflows/unit-java-sdk.yml +++ b/.github/workflows/unit-java-sdk.yml @@ -12,6 +12,9 @@ on: - "sdks/community/java/**" - ".github/workflows/unit-java-sdk.yml" +permissions: + contents: read + jobs: java: runs-on: ubuntu-latest @@ -22,10 +25,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: "temurin" java-version: "17" diff --git a/.github/workflows/unit-kotlin-sdk.yml b/.github/workflows/unit-kotlin-sdk.yml index d8092c2f66..5ab695f7c0 100644 
--- a/.github/workflows/unit-kotlin-sdk.yml +++ b/.github/workflows/unit-kotlin-sdk.yml @@ -12,23 +12,28 @@ on: - "sdks/community/kotlin/**" - ".github/workflows/unit-kotlin-sdk.yml" +permissions: + contents: read + jobs: kotlin: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: "21" distribution: "temurin" # Built-in cache is fork-safe (fork PRs can't write to base repo cache) - name: Setup Gradle - uses: gradle/gradle-build-action@v3 + uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0 - name: Run JVM tests working-directory: sdks/community/kotlin/library diff --git a/.github/workflows/unit-python-sdk.yml b/.github/workflows/unit-python-sdk.yml index 1d9dd110de..fd766fd367 100644 --- a/.github/workflows/unit-python-sdk.yml +++ b/.github/workflows/unit-python-sdk.yml 
@@ -24,32 +24,39 @@ on: # Note: crew-ai uses Poetry (no uv.lock) — skipped for now. +permissions: + contents: read + jobs: python: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: sdks/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-${{ hashFiles('sdks/python/uv.lock') }} 
@@ -67,26 +74,30 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: integrations/langgraph/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-langgraph-${{ hashFiles('integrations/langgraph/python/uv.lock') }} 
@@ -98,33 +109,36 @@ jobs: - name: Run tests working-directory: integrations/langgraph/python run: uv run python -m unittest discover tests -v -<<<<<<< HEAD watsonx-python: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: integrations/watsonx/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-watsonx-${{ hashFiles('integrations/watsonx/python/uv.lock') }} 
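Review bot: The removed `<<<<<<< HEAD` line in this hunk, together with `||||||| parent of 461a511e …`, `=======` and `>>>>>>> 461a511e …` removed in the next hunks, shows that the committed base of unit-python-sdk.yml still contained diff3 merge markers, so the file could not have parsed as YAML on the base branch; the new side resolves them by keeping both sides (the `watsonx-python` job plus the `adk-middleware-python`, aws-strands and langroid jobs). That is a separate fix from SHA pinning and should be named in the commit message so the history explains why the file changed shape, and it is worth a quick check that no job key ended up present twice, since YAML parsers silently keep the last duplicate. The new zizmor job, path-filtered to `.github/workflows/**`, should catch an unparseable workflow on future PRs, which is a good reason to keep it running on `pull_request`.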
@@ -136,34 +150,36 @@ jobs: - name: Run tests working-directory: integrations/watsonx/python run: uv run python -m pytest tests/ -v -||||||| parent of 461a511e (ci: add adk-middleware, aws-strands, and langroid Python tests to CI) -======= adk-middleware-python: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: integrations/adk-middleware/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-adk-middleware-${{ hashFiles('integrations/adk-middleware/python/uv.lock') }} 
@@ -181,26 +197,30 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: integrations/aws-strands/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-aws-strands-${{ hashFiles('integrations/aws-strands/python/uv.lock') }} 
@@ -218,26 +238,30 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ">=0.8.0" - name: Load cached venv id: cached-uv-dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: integrations/langroid/python/.venv key: ${{ steps.fork-check.outputs.prefix }}venv-${{ runner.os }}-langroid-${{ hashFiles('integrations/langroid/python/uv.lock') }} @@ -249,4 +273,3 @@ jobs: - name: Run tests working-directory: integrations/langroid/python run: uv run python -m unittest discover tests -v ->>>>>>> 461a511e (ci: add adk-middleware, aws-strands, and langroid Python tests to CI) diff --git a/.github/workflows/unit-ruby-sdk.yml b/.github/workflows/unit-ruby-sdk.yml index 72e2813b00..575c4d1d40 100644 --- a/.github/workflows/unit-ruby-sdk.yml +++ b/.github/workflows/unit-ruby-sdk.yml 
@@ -12,16 +12,21 @@ on: - "sdks/community/ruby/**" - ".github/workflows/unit-ruby-sdk.yml" +permissions: + contents: read + jobs: ruby: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: ruby/setup-ruby@v1 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false + - uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0 with: ruby-version: '3.4' # Built-in cache is fork-safe (fork PRs can't write to base repo cache) bundler-cache: true working-directory: sdks/community/ruby - run: bundle exec rake - working-directory: sdks/community/ruby \ No newline at end of file + working-directory: sdks/community/ruby diff --git a/.github/workflows/unit-typescript-sdk.yml b/.github/workflows/unit-typescript-sdk.yml index cad48cfd2e..8052e98859 100644 --- a/.github/workflows/unit-typescript-sdk.yml +++ b/.github/workflows/unit-typescript-sdk.yml 
@@ -24,42 +24,49 @@ on: - "nx.json" - ".github/workflows/unit-typescript-sdk.yml" +permissions: + contents: read + jobs: typescript: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + persist-credentials: false - name: Detect fork PR id: fork-check run: | if [[ "${{ github.event_name }}" == "pull_request" && \ - "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "${{ github.repository }}" ]]; then echo "prefix=fork-" >> "$GITHUB_OUTPUT" else echo "prefix=" >> "$GITHUB_OUTPUT" fi + env: + GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }} - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "22" - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 with: version: "25.x" repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0 with: - version: 10.13.1 + version: 10.33.4 - name: Setup pnpm cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.local/share/pnpm/store key: ${{ steps.fork-check.outputs.prefix }}${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000000..58017c299e --- /dev/null +++ b/.github/workflows/zizmor.yml 
@@ -0,0 +1,65 @@
+name: zizmor
+
+# Static analysis for GitHub Actions workflows. Catches injection vulnerabilities,
+# over-broad permissions, unpinned action references, dangerous trigger combos,
+# and other CI/CD anti-patterns. Findings are uploaded as SARIF to GitHub's
+# code-scanning surface so they show up next to CodeQL alerts.
+#
+# Runs on:
+# - PRs that touch CI config (path-filtered to avoid noise on unrelated PRs)
+# - pushes to main (so the main-branch baseline stays current)
+# - weekly cron (catches new zizmor rule releases against unchanged workflows)
+#
+# Install path: `uvx zizmor` rather than zizmorcore/zizmor-action — keeps the
+# third-party-action surface narrow and reuses `astral-sh/setup-uv`, which is
+# already pinned and used by other workflows in this repo.
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - .github/workflows/**
+ - .github/dependabot.yml
+ pull_request:
+ paths:
+ - .github/workflows/**
+ - .github/dependabot.yml
+ schedule:
+ - cron: "0 7 * * 1" # Mon 07:00 UTC
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write # SARIF upload to GitHub code scanning
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ persist-credentials: false
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+
+ - name: Run zizmor
+ # --persona=auditor surfaces medium-confidence findings that the default
+ # persona suppresses; SARIF goes to the Security tab for triage rather
+ # than failing the build during this initial rollout. Gate via branch
+ # protection on code-scanning alerts once the baseline is established.
+ continue-on-error: true
+ run: |
+ uvx zizmor \
+ --config .github/zizmor.yml \
+ --persona=auditor \
+ --format=sarif \
+ .github/workflows \
+ > zizmor.sarif
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
+ with:
+ sarif_file: zizmor.sarif
+ category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..e0db8a78cb
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,19 @@
+# zizmor configuration. Suppresses well-documented intentional patterns
+# so the security tab stays focused on genuine new findings.
+#
+# Note: docs at https://docs.zizmor.sh/configuration/
+
+rules:
+ dangerous-triggers:
+ ignore:
+ # publish-python-preview.yml deliberately uses workflow_run to publish
+ # PR-built Python wheels to TestPyPI from the trusted base context.
+ # It does NOT execute fork code — it only consumes artifacts and PR
+ # metadata. The trade-off is documented in the file's header comment.
+ - publish-python-preview.yml
+ # Dependabot auto-merge: uses pull_request_target for write token.
+ # Does NOT checkout PR code. Actor-gated to dependabot[bot].
+ - dependabot-auto-merge.yml
+ # Dependabot major analysis: uses pull_request_target for PR comments.
+ # Does NOT checkout PR code. Actor-gated to dependabot[bot].
+ - dependabot-major-analysis.yml
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000000..14c0d398a3
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,2 @@
+minimum-release-age=1440
+block-exotic-subdeps=true
diff --git a/package.json b/package.json
index 2be6f2d8f9..db05579426 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
 "tsx": "^4.20.6",
 "typescript": "5.8.2"
 },
- "packageManager": "pnpm@10.13.1",
+ "packageManager": "pnpm@10.33.4",
 "engines": {
 "node": ">=18"
 },
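Review bot: `uvx zizmor` in the Run zizmor step installs whatever zizmor release is current on PyPI at run time, so the scanner this commit introduces is the one floating dependency left in a change whose point is pinning; `uvx 'zizmor==<VERSION>'` (placeholder) keeps rule changes reviewable and makes the weekly cron reproducible, at the cost of a bump path that the github-actions Dependabot ecosystem will not cover. Separately, on `pull_request` events from forks the token is read-only, so `security-events: write` is not actually granted and the `Upload SARIF` step would presumably fail the job (the `continue-on-error: true` covers only the run step); guard the upload with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` and let fork PRs rely on findings printed to the job log, or state the expectation in the header comment. The header comment's "Runs on" list would also be a good place to record that fork PRs get log output only.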
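Review bot: The `dangerous-triggers` ignore for publish-python-preview.yml rests on the claim that the workflow "only consumes artifacts and PR metadata", but those artifacts are produced by the PR's own build run and so are fork-controlled; the suppression is justified only if the consuming workflow checks the artifact's `pr-number`/`sha` against the trusted `workflow_run` payload before acting on them, and the comment should say where that happens, e.g. `# pr-number/sha from the artifact are cross-checked against workflow_run.head_sha before use`, so the entry can be audited without re-deriving the argument. The other two ignored files, `dependabot-auto-merge.yml` and `dependabot-major-analysis.yml`, are not part of this diff: if they do not exist yet the entries are dead and should be added with the workflows, and if they do, their `pull_request_target` use deserves the same "where is the actor gate enforced" pointer. Ignores in zizmor can also be narrowed to a location (`file.yml:line:col`), which would keep a later, unrelated dangerous trigger in the same file visible.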
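Review bot: `.npmrc` gains two pnpm-specific keys with no comment, and the unit of `minimum-release-age=1440` is not obvious at a glance (I believe pnpm reads it in minutes, making this a 24-hour delay on freshly published versions, and npm itself ignores both keys); a one-line `# pnpm only: delay newly published versions by 24h (value in minutes)` above it, plus a similar line stating what `block-exotic-subdeps` is meant to enforce, would make the policy readable. It is also worth confirming that the `pnpm@10.33.4` now declared in package.json honours both keys, since an unrecognised `.npmrc` key is ignored silently rather than rejected, which would leave the supply-chain delay inactive without any signal in CI.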