ci: harden CI/release workflows (least-privilege token, SHA-pin third… #21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| # Least privilege: this workflow only checks out code and runs tests/lint — it never writes. Specifying | |
| # `permissions:` also drops every unlisted scope to `none`, so a compromised dep/action on an untrusted | |
| # fork PR can't use the token to push, tag, or open issues. The third-party setup-uv action is SHA-pinned | |
| # (a repointed tag could inject code that runs with the token); GitHub-owned checkout stays on a major tag. | |
| # CI needs no live model, no vLLM, no network, no Deno: the dspy-bearing tests use a DummyLM or skip when | |
| # dspy is absent. | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test: | |
| name: test (py${{ matrix.python-version }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ["3.11", "3.12", "3.13"] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| enable-cache: true | |
| - name: Run tests | |
| # --extra mcp so the MCP-client tests run (they spawn a stdio MCP subprocess) rather than skip | |
| run: uv run --group dev --extra mcp python -m pytest -q | |
| lint: | |
| name: ruff | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 | |
| with: | |
| enable-cache: true | |
| - name: Lint | |
| run: uvx ruff check . |