5 changes: 5 additions & 0 deletions .github/workflows/benchmarks.yml
Expand Up @@ -18,6 +18,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# AAASM-3993: least-privilege default token β€” this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read

jobs:
benchmark:
name: Run performance benchmarks
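Review bot: The top-level `permissions: contents: read` is the right default, but any job in this workflow that later needs more (publishing benchmark results, commenting on a PR) should receive a job-level `permissions:` override rather than a wider top-level block; adding `# extra scopes go on the individual job, never here` to the comment keeps the next editor from widening it. The same comment and block are repeated in ci.yaml, ci_includes_e2e_test.yaml, native-core-build.yml and type-check.yml, so the hint applies there too. The dash in the first comment line renders here as `β€”`; if those bytes are in the file rather than an artefact of this page, a plain ASCII `--` avoids encoding surprises in tooling that processes workflow text. The benchmark job body continues outside the hunk, so I cannot confirm from this view that none of its steps needs a write scope.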
5 changes: 5 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -59,6 +59,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# AAASM-3993: least-privilege default token β€” this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read

jobs:
build-and-test_all:
# name: Run all tests and organize all test reports
5 changes: 5 additions & 0 deletions .github/workflows/ci_includes_e2e_test.yaml
Expand Up @@ -25,6 +25,11 @@ on:
- "pyproject.toml"
- "uv.lock"

# AAASM-3993: least-privilege default token β€” this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read

jobs:
build-and-test_all:
# name: Run all tests and organize all test reports
5 changes: 5 additions & 0 deletions .github/workflows/native-core-build.yml
Expand Up @@ -14,6 +14,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# AAASM-3993: least-privilege default token β€” this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read

jobs:
build-native-core:
runs-on: ubuntu-latest
12 changes: 12 additions & 0 deletions .github/workflows/rw_build_and_test.yaml
Expand Up @@ -18,7 +18,19 @@ on:
description: "Set the Slack bot token for end-to-end test."
required: false

# AAASM-3993: least-privilege default token. As a reusable workflow this also caps
# the GITHUB_TOKEN granted to the third-party workflows it calls; none need write.
permissions:
contents: read

jobs:
# AAASM-3994: these jobs call a third-party reusable workflow owned by a personal
# account (Chisanan232/GitHub-Action_Reusable_Workflows-Python). Trust is bounded
# by the 40-char commit-SHA pin on each `uses:` below β€” a moving tag/branch would
# let the owner alter behavior after review. Secrets are already scoped per call:
# only run_e2e-test receives e2e_test_api_token (Slack); unit/integration forward
# none. TODO(AAASM-3994): vendor this workflow into the ai-agent-assembly org (or
# pin a signed release) to drop the personal-account supply-chain dependency.
run_unit-test:
# name: Run all unit test items
uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_uv_run_test.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master @ 2026-05-26
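Review bot: The comment above `permissions:` says this reusable workflow caps the GITHUB_TOKEN passed to the third-party workflows it calls, but a called workflow can only narrow what its calling job was granted, so the effective ceiling is set by the caller (ci.yaml and the other callers this PR also restricts); a line such as `# callers must set permissions too: a called workflow can only narrow, never widen` would make that dependency explicit, and the same wording issue applies to the first hunk of rw_run_all_test_and_record.yaml. The AAASM-3994 comment asserts that only run_e2e-test receives e2e_test_api_token, but only run_unit-test is visible in this hunk, so that claim should be checked against the jobs below, which are outside this view. The `# master @ 2026-05-26` annotation on the SHA pin records provenance; keep the full 40-character SHA form, since a short SHA or tag would reintroduce the moving-ref risk the comment describes. The run_unit-test job continues past the end of the hunk.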
13 changes: 13 additions & 0 deletions .github/workflows/rw_run_all_test_and_record.yaml
Expand Up @@ -24,6 +24,11 @@ on:
description: "The API token for uploading testing coverage report to Coveralls."
required: false

# AAASM-3993: least-privilege default token. As a reusable workflow this also caps
# the GITHUB_TOKEN granted to the third-party workflows it calls; none need write.
permissions:
contents: read

jobs:
build-and-test:
# name: Run all tests and organize all test reports
Expand All @@ -34,6 +39,14 @@ jobs:
secrets:
e2e_test_api_token: ${{ secrets.e2e_test_api_token }}

# AAASM-3994: the *_codecov_finish jobs below call a third-party reusable workflow
# owned by a personal account (Chisanan232/GitHub-Action_Reusable_Workflows-Python).
# Trust is bounded by the 40-char commit-SHA pin on each `uses:` β€” a moving ref
# would let the owner alter behavior after review. Secrets are already minimized:
# each call forwards ONLY codecov_token; sonar_token is used solely by the local
# sonarcloud_finish job (SonarSource action) and never forwarded to the third party.
# TODO(AAASM-3994): vendor this workflow into the ai-agent-assembly org (or pin a
# signed release) to drop the personal-account supply-chain dependency.
unit-test_codecov_finish:
# name: Organize and generate the testing report and upload it to Codecov
if: ${{
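Review bot: The secret minimization described in the AAASM-3994 comment is enforced by the explicit `secrets:` mapping at the top of this hunk (`e2e_test_api_token: ${{ secrets.e2e_test_api_token }}`) and the per-call forwarding it describes, not by the comment itself; appending `# never switch these calls to secrets: inherit` makes the invariant visible at the point where a future edit would break it. The comment's statement that sonar_token is used only by the local sonarcloud_finish job cannot be confirmed from this hunk, since that job is not shown. The `if: ${{` condition on unit-test_codecov_finish continues outside the hunk, so the secrets that job forwards are also outside this view.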
5 changes: 5 additions & 0 deletions .github/workflows/type-check.yml
Expand Up @@ -37,6 +37,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

# AAASM-3993: least-privilege default token β€” this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read

jobs:
verify-pep561-compliance:
name: Verify PEP 561 Compliance