ci: harden CI/CD — SHA-pin actions, bump pnpm to 11.1.2, add zizmor#1685
Bumps pnpm from 10.13.1 to 11.1.2. pnpm 11 ships hardened defaults — notably `manage-package-manager-versions: true` and explicit allow-listing of postinstall scripts (no more implicit script execution during install). The new `allowBuilds:` block in pnpm-workspace.yaml enumerates each package whose postinstall pnpm 11 detected. Most need their scripts to fetch native binaries or run codegen (esbuild, sharp, protobufjs, @tailwindcss/oxide, unrs-resolver). @scarf/scarf (telemetry) and core-js (polyfill) are opted out as non-essential. Workflow pnpm version: fields are bumped in the workflow-hardening commit alongside the rest of the .yml changes.
Multi-faceted CI/CD hardening that mirrors what TanStack landed recently. Folds together changes that touch the same set of 22 workflow files so the SHA-pin diff stays paired with the security context that justifies it.

* Resolves a committed merge conflict in unit-python-sdk.yml that was silently breaking Python CI on main (1b2d499). Keeps both watsonx-python and the adk/aws-strands/langroid job blocks.
* Pins every `uses:` to a 40-char commit SHA with a `# v<semver>` trailing comment so Dependabot can keep the pins current. Replaces 136 floating-tag references across 23 distinct actions. Defeats tag-retargeting supply-chain attacks (cf. tj-actions/changed-files, Mar 2025).
* Adds explicit `permissions:` blocks (least-privilege) to all workflows. `contents: read` at the top level; write scopes pushed down to the specific jobs that need them (prepare-release, auto-approve-community, security-fork-pr-alert) so future job additions are safe-by-default.
* Routes attacker-controllable inputs through `env:` indirection instead of inline `${{ ... }}` interpolation in shell `run:` blocks. Affects `workflow_dispatch` inputs in prerelease.yml and prepare-release.yml, and `github.event.pull_request.head.repo.*` comparisons in the unit-* fork-detection patterns.
* Gates the langroid `OPENAI_API_KEY` injection in dojo-e2e.yml on same-repo PRs only. Fork PRs will skip langroid e2e until a follow-up moves langroid to a workflow_run pattern (which would let fork PRs run langroid with secrets injected in the trusted base context).
* Bumps the workflow-level pnpm version: fields to 11.1.2 to match package.json's packageManager field.
* Bumps publish-commit.yml from actions/checkout@v2 (5 years old) and normalizes astral-sh/setup-uv to v6 across all workflows.

* `.github/dependabot.yml` enrolls the `github-actions` ecosystem so Dependabot opens weekly PRs to bump the SHA pins added in the previous commit. Minor/patch bumps are grouped so we don't get one PR per action per week; majors still get their own PR (intentional — they need review).
* `.github/zizmor.yml` configures zizmor to ignore one well-documented intentional finding: publish-python-preview.yml's `workflow_run` trigger, which is the canonical safe pattern for cross-PR fork artifact handling. The zizmor workflow itself was added in the workflow-hardening commit since it lives under `.github/workflows/`.
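The three workflow properties these commits apply (every `uses:` pinned to a 40-char SHA with a Dependabot-readable `# v<semver>` comment, an explicit top-level `permissions:` block, and `env:` indirection instead of inline `${{ ... }}` inside `run:` scripts) can be checked mechanically. The linter below is an added example and is not code from this repository or from zizmor; it is a line-based heuristic with no YAML dependency, assumes conventional two-space indentation, and runs over two constructed workflow snippets (a pre-hardening version and its hardened equivalent) whose 40-digit SHAs and version comments are placeholders. It generalizes the `grep` used in the test plan to also catch the interpolation and permissions cases.

```python
"""Audit GitHub Actions workflow text for SHA-pinned `uses:`, a top-level
`permissions:` block, and no interpolation of event/input data in `run:`.

Added example, not the repository's own tooling. Line-based heuristic only.
"""
import re
from dataclasses import dataclass, field

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA
VERSION_COMMENT = re.compile(r"#\s*v\d+(\.\d+)*")  # `# v4.0.0` that Dependabot reads
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?P<rest>.*)$")
RUN_LINE = re.compile(r"^(?P<indent>\s*)run:\s*(?P<inline>.*)$")
# Expression namespaces whose values a fork PR author can influence.
TAINTED_EXPR = re.compile(r"\$\{\{\s*(github\.event\.|inputs\.|github\.head_ref)")


@dataclass
class Findings:
    unpinned: list = field(default_factory=list)              # line numbers
    missing_version_comment: list = field(default_factory=list)
    tainted_run: list = field(default_factory=list)
    missing_permissions: bool = False


def audit_workflow(text: str) -> Findings:
    f = Findings()
    lines = text.splitlines()
    f.missing_permissions = not any(l.startswith("permissions:") for l in lines)

    in_run, run_indent = False, 0
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if in_run:
            indent = len(line) - len(line.lstrip())
            if stripped and indent <= run_indent:
                in_run = False  # block scalar ended; inspect this line normally
            else:
                if TAINTED_EXPR.search(line):
                    f.tainted_run.append(n)
                continue
        m = RUN_LINE.match(line)
        if m:
            inline = m.group("inline").rstrip()
            if inline in ("|", ">", "|-", ">-"):
                in_run, run_indent = True, len(m.group("indent"))
            elif TAINTED_EXPR.search(inline):
                f.tainted_run.append(n)
            continue
        m = USES_LINE.match(line)
        if m:
            ref = m.group("ref")
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local path / docker ref: no tag to retarget
            _, _, version = ref.partition("@")
            if not SHA_PIN.match(version):
                f.unpinned.append(n)
            elif not VERSION_COMMENT.search(m.group("rest")):
                f.missing_version_comment.append(n)
    return f


def is_hardened(f: Findings) -> bool:
    return not (f.unpinned or f.missing_version_comment
                or f.tainted_run or f.missing_permissions)


# Constructed sample: floating tags, no permissions block, and a fork check
# that splices an attacker-controlled repo name straight into the shell script.
BEFORE = """\
name: unit-ts
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - name: Is this a fork?
        run: |
          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
            echo "fork=true" >> "$GITHUB_OUTPUT"
          fi
"""

# Hardened equivalent. SHAs are all-zero / all-one placeholders, not real
# commit ids, and the version comments are illustrative.
AFTER = """\
name: unit-ts
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.0.0
      - uses: pnpm/action-setup@1111111111111111111111111111111111111111 # v4.0.0
      - name: Is this a fork?
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          if [ "$HEAD_REPO" != "$GITHUB_REPOSITORY" ]; then
            echo "fork=true" >> "$GITHUB_OUTPUT"
          fi
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text), "hardened:", is_hardened(audit_workflow(text)))
```

The `env:` line in the hardened snippet still contains a `${{ github.event... }}` expression, and the linter deliberately does not flag it: an expression expanded into an environment variable is data the shell reads with `"$HEAD_REPO"`, whereas the same expression inside `run:` is substituted into the script source before bash parses it.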
Python preview packages (version 0.0.0.dev1778805683)

Install with uv. Add the TestPyPI index to your `[[tool.uv.index]]`:

```toml
[[tool.uv.index]]
name = "testpypi"
url = "https://test.pypi.org/simple/"
explicit = true
```

Then install the packages you need:

```sh
# Core SDK
uv add 'ag-ui-protocol==0.0.0.dev1778805683' --index testpypi
# Integrations (each already depends on the matching ag-ui-protocol preview)
uv add 'ag-ui-langgraph==0.0.0.dev1778805683' --index testpypi
uv add 'ag-ui-crewai==0.0.0.dev1778805683' --index testpypi
# NOTE: ag-ui-agent-spec depends on pyagentspec (git-only, not on PyPI).
# You will need to install pyagentspec separately from its git repo.
uv add 'ag-ui-agent-spec==0.0.0.dev1778805683' --index testpypi
uv add 'ag_ui_adk==0.0.0.dev1778805683' --index testpypi
uv add 'ag_ui_strands==0.0.0.dev1778805683' --index testpypi
```

Install with pip:

```sh
pip install \
  --index-url https://test.pypi.org/simple/ \
  --extra-index-url https://pypi.org/simple/ \
  ag-ui-protocol==0.0.0.dev1778805683
```

Commit: 6d65942
@ag-ui/a2a-middleware
@ag-ui/a2ui-middleware
@ag-ui/event-throttle-middleware
@ag-ui/mcp-apps-middleware
@ag-ui/middleware-starter
@ag-ui/a2a
@ag-ui/adk
@ag-ui/ag2
@ag-ui/agno
@ag-ui/aws-strands
@ag-ui/claude-agent-sdk
@ag-ui/crewai
@ag-ui/langchain
@ag-ui/langgraph
@ag-ui/langroid
@ag-ui/llamaindex
@ag-ui/mastra
@ag-ui/pydantic-ai
@ag-ui/server-starter
@ag-ui/server-starter-all-features
@ag-ui/vercel-ai-sdk
@ag-ui/watsonx
create-ag-ui-app
@ag-ui/client
@ag-ui/core
@ag-ui/encoder
@ag-ui/proto
MikeRyanDev left a comment:
No serious supply-chain or CI hardening blockers found. Release and prerelease workflows split no-secret build/test from publish, publish jobs install with --ignore-scripts or consume built artifacts, fork PR caches are prefixed away from release/main cache scopes, pull_request_target usage is Dependabot-only without PR checkout, actions are pinned, and zizmor/actionlint pass.
The spamming issue has propagated here too. Posting For example, in #1716 (comment) Please ensure this is also removed here. From your previous response and apology in CopilotKit/aimock#216 (comment), I understand that this was accidental.
Summary
CI/CD supply-chain hardening. Mirrors what TanStack landed recently:
* `uses:` in `.github/workflows/` pinned to a 40-char commit SHA with a trailing `# v<semver>` comment (Dependabot-readable). 136 references across 23 distinct actions.
* pnpm bumped to 11.1.2, which sets `manage-package-manager-versions: true` by default and requires explicit allow-listing of postinstall scripts. `pnpm-workspace.yaml` enumerates each detected package with a per-package decision (native binaries → `true`, telemetry/polyfills → `false`).
* Dependabot enrolled for the `github-actions` ecosystem so the new SHA pins don't go stale (weekly cadence, grouped minor/patch).
* zizmor `--persona=auditor`: 0 high findings (down from 15 at the start of this PR).
* Committed merge conflict in `unit-python-sdk.yml` (1b2d499) resolved; it was silently breaking Python CI on `main`.
* `permissions:` blocks (top-level `contents: read`; write scopes pushed down to the single jobs that need them).
* `env:` indirection across `prerelease.yml`, `prepare-release.yml`, and the unit-* fork-detection patterns.
* `OPENAI_API_KEY` injection in `dojo-e2e.yml` gated to same-repo PRs only (fork PRs were exposed to secret exfiltration via a malicious test runner).
* CODEOWNERS was intentionally out of scope (already in place).
Audit findings — severity counts
Three parallel code-reviewer agents audited injection, privilege/secret, and supply-chain surfaces before any code was changed:
After hardening, zizmor `--persona=auditor` reports 117 findings (0 high, 30 medium, 48 low, 38 informational). None block this PR; medium/low surface in the Security tab for ongoing triage.

Commits
* chore: bump pnpm to 11.1.2 with allowBuilds for native postinstalls
* ci: harden all workflows — permissions, SHA pins, injection fixes
* ci: add Dependabot config + zizmor config

Test plan
* `pnpm install` + `pnpm install --frozen-lockfile` both succeed with pnpm 11.1.2; postinstall build scripts run (esbuild, sharp, protobufjs, @tailwindcss/oxide, unrs-resolver) — verified locally
* `uvx zizmor --persona=auditor` reports 0 High findings
* No floating-tag `uses:` references remain (`grep -rE 'uses:[[:space:]]+\S+@v[0-9]' .github/workflows/` returns nothing)
* Merge conflict in `unit-python-sdk.yml` resolved with all 6 Python jobs intact

Follow-ups (tracked separately, not in this PR)
See the Notion doc for the full deferred list — supply-chain replacements, langroid workflow_run pattern, gradle-build-action migration, depot runner trust-boundary docs, `id-token: write` review, publish-python-preview artifact validation, and the GitHub repo-settings changes (branch protection, required code-scanning gates) that the team needs to make in the UI.