From 80eb8615717e461d94b0ad7a61ac69d2c1656ff0 Mon Sep 17 00:00:00 2001
From: Bryant
Date: Mon, 29 Jun 2026 11:28:38 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20Pin=20astral-sh/setu?=
 =?UTF-8?q?p-uv=20to=20v7.6.0=20commit=20SHA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
All third-party actions in this repo were already SHA-pinned; this closes the consistency gap so a re-pointed setup-uv tag cannot enter CI.
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/benchmarks.yml | 2 +-
 .github/workflows/ci.yaml | 2 +-
 .github/workflows/docs-backfill.yaml | 2 +-
 .github/workflows/documentation.yaml | 8 ++++----
 .github/workflows/native-core-build.yml | 2 +-
 .github/workflows/release-python.yml | 2 +-
 .github/workflows/type-check.yml | 4 ++--
 7 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 95277fd..af171c1 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -27,7 +27,7 @@ jobs:
 - uses: actions/checkout@v7
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 24dc00b..b37cba8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -87,7 +87,7 @@ jobs:
 with:
 python-version: "3.12"
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Sync locked environment
 run: uv sync --frozen
 - name: Run pip-audit advisory gate
diff --git a/.github/workflows/docs-backfill.yaml b/.github/workflows/docs-backfill.yaml
index 887b6ba..9be68e7 100644
--- a/.github/workflows/docs-backfill.yaml
+++ b/.github/workflows/docs-backfill.yaml
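Review bot: The SHA pin on the `+ uses:` line in the benchmarks.yml hunk is only as good as whatever keeps it current; a commit hash never moves, so once v7.6.0 is superseded this step stays on it until someone edits the hash by hand, which is the usual way pinned actions silently fall behind security fixes. If the repo does not already run Dependabot or Renovate for `github-actions` updates, adding that configuration is the natural companion to this commit (I cannot see such a file from this patch, so it may already exist). The same point applies to every other setup-uv hunk in this series: ci.yaml, docs-backfill.yaml, the four documentation.yaml hunks, native-core-build.yml, release-python.yml and both type-check.yml hunks. The surrounding context still shows `actions/checkout@v7` tag-pinned; if the policy is "SHA for everything except GitHub-owned actions", a one-line comment stating that exemption next to one of the pinned lines, e.g. `# third-party actions are SHA-pinned; actions/* trusted by tag`, would stop the next reader from reopening the question.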
@@ -71,7 +71,7 @@ jobs:
 ref: master
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index 83b4e86..6e84892 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -93,7 +93,7 @@ jobs:
 fetch-depth: 0
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
@@ -126,7 +126,7 @@ jobs:
 fetch-depth: 0
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
@@ -198,7 +198,7 @@ jobs:
 echo "Resolved release tag: ${tag}"
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
@@ -267,7 +267,7 @@ jobs:
 ref: master
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 enable-cache: true
diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml
index 13272c3..4f3ef4e 100644
--- a/.github/workflows/native-core-build.yml
+++ b/.github/workflows/native-core-build.yml
@@ -27,7 +27,7 @@ jobs:
 python-version: "3.13"
 - name: Setup uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Setup Rust
 uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index a306f9e..4613976 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -162,7 +162,7 @@ jobs:
 with:
 python-version: ${{ env.PYTHON_VERSION }}
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Sync resolved environment
 # Resolve the locked dependency set into .venv so the SBOM reflects the
 # exact versions a consumer gets, not just the declared ranges.
diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml
index 15a8580..04cec6e 100644
--- a/.github/workflows/type-check.yml
+++ b/.github/workflows/type-check.yml
@@ -47,7 +47,7 @@ jobs:
 uses: actions/checkout@v7
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 python-version: 3.13
@@ -131,7 +131,7 @@ jobs:
 uses: actions/checkout@v7
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 with:
 python-version: 3.13
From f1a9ae9f5649a777c1659f1d75f8ffe9cc39656e Mon Sep 17 00:00:00 2001
From: Bryant
Date: Mon, 29 Jun 2026 11:29:45 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20Scope=20documentatio?=
 =?UTF-8?q?n.yaml=20write=20permissions=20to=20deploy=20jobs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Default top-level to contents: read so the PR build-only job inherits least privilege; grant contents/id-token/pages write only on the push, workflow_run and workflow_dispatch deploy jobs.
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
---
 .github/workflows/documentation.yaml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index 6e84892..315eac9 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -70,10 +70,10 @@ on:
 required: false
 default: ""
+# Default to read-only at the top level so the PR build-only job inherits the
+# least privilege. The deploy jobs opt back into the write scopes they need.
 permissions:
- contents: write
- id-token: write
- pages: write
+ contents: read
 # Allow one concurrent deployment so a fast-follow push doesn't race the
 # previous deploy on gh-pages.
@@ -119,6 +119,10 @@ jobs:
 name: Deploy latest documentation
 if: github.event_name == 'push'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ pages: write
 steps:
 - name: Checkout (full history for mike + git-revision-date plugins)
 uses: actions/checkout@v7
@@ -167,6 +171,10 @@ jobs:
 github.event.workflow_run.conclusion == 'success' &&
 github.event.workflow_run.event == 'repository_dispatch'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ pages: write
 steps:
 - name: Checkout (full history for mike + git-revision-date plugins)
 uses: actions/checkout@v7
@@ -240,6 +248,10 @@ jobs:
 # left byte-for-byte unchanged. It reuses the existing deploy scripts verbatim.
 if: github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ pages: write
 steps:
 - name: Validate inputs
 env:
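Review bot: The job-level `permissions:` blocks added in the three deploy-job hunks replace the token's whole scope set for those jobs, so every scope not listed there (`actions`, `pull-requests`, `packages`, and so on) becomes `none` for that job rather than inheriting a read default. The step lists of all three jobs run past their hunks, so this patch alone does not show whether any publish or checkout step in them relies on a scope other than `contents`, `id-token` or `pages`; a quick pass over those steps before merging would confirm the grants are sufficient, and a failing first deploy is the likely symptom if one is missing. The top-level `contents: read` correctly covers the PR build-only job and any future job that omits its own block, which is the safe direction. The two-line comment added above the top-level block is good; mirroring a short justification on each job block, e.g. `permissions:  # deploy job: pushes gh-pages and mints the Pages OIDC token`, would let each write grant carry its own reason, since the three blocks are otherwise identical and easy to copy-paste into a job that should not have them.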