Skip to content

ci: harden CI/release workflows (least-privilege token, SHA-pin third… #21

ci: harden CI/release workflows (least-privilege token, SHA-pin third…

ci: harden CI/release workflows (least-privilege token, SHA-pin third… #21

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request:
# Least privilege: this workflow only checks out code and runs tests/lint — it never writes. Specifying
# `permissions:` also drops every unlisted scope to `none`, so a compromised dep/action on an untrusted
# fork PR can't use the token to push, tag, or open issues. The third-party setup-uv action is SHA-pinned
# (a repointed tag could inject code that runs with the token); GitHub-owned checkout stays on a major tag.
# CI needs no live model, no vLLM, no network, no Deno: the dspy-bearing tests use a DummyLM or skip when
# dspy is absent.
permissions:
contents: read
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
name: test (py${{ matrix.python-version }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
with:
python-version: ${{ matrix.python-version }}
enable-cache: true
- name: Run tests
# --extra mcp so the MCP-client tests run (they spawn a stdio MCP subprocess) rather than skip
run: uv run --group dev --extra mcp python -m pytest -q
lint:
name: ruff
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
with:
enable-cache: true
- name: Lint
run: uvx ruff check .