diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index d74d2bbea..4eec26ffc 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -8,15 +8,20 @@ jobs: run: working-directory: ./python/coinbase-agentkit steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -30,12 +35,17 @@ jobs: format-typescript: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" cache: "pnpm" diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 0bcc420d3..a095019db 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,6 +2,9 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: + contents: read + jobs: labeler: permissions: 
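Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks none, so on its own it does not reduce what a compromised action or dependency in format-python can reach; the same setting is added to every job in this commit (lint.yml, labeler.yml, publish_docs.yml, publish_nightly.yml, publish_npm_manual.yml, the publish_pypi_* workflows, unit_tests.yml and version_publish_npm.yml). Audit is the right starting point, but the publish jobs hold registry credentials or OIDC tokens and are where enforcement matters most. Once a few audit runs have shown which endpoints each job needs, move those jobs to `egress-policy: block` with an `allowed-endpoints:` list, and record the intent on the step now, e.g. `# TODO: switch to egress-policy: block once audit results are reviewed`. The remaining steps of format-python are outside the hunk.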
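Review bot: `uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda` on the context line after the new checkout pin carries no release-tag comment, so unlike the pins this commit introduces it cannot be checked against a published release or tracked by an update bot, and the check-package-lock hunk in lint.yml pins the same action to `41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0`, leaving the repository on two different commits of pnpm/action-setup. Settle on one commit, label it the same way as the other pins (`uses: pnpm/action-setup@<sha> # v<tag>`), and apply it to the unlabeled pin here and in the lint.yml lint-typescript, publish_docs.yml, publish_npm_manual.yml, unit_tests.yml and version_publish_npm.yml hunks that keep it.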
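Review bot: The workflow-level `permissions: contents: read` added above `jobs:` has no effect on the labeler job, because a job-level `permissions:` block (it starts on the last line of this hunk and continues with `pull-requests: write` in the next) replaces the workflow-level grant entirely for that job; the effective token scope is whatever the job block lists, so confirm it holds only the `contents: read` and `pull-requests: write` that actions/labeler needs. With `on: pull_request_target` the job runs with a write-capable token against the base repository, so a comment on the job block such as `# pull_request_target: never check out or execute the PR head in this job` would protect the current shape; the steps in the next hunk do neither today.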
@@ -9,6 +12,11 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: sync-labels: true diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6e180e265..164c200e1 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -27,15 +27,20 @@ jobs: run: working-directory: python/${{ matrix.package }} steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -49,12 +54,17 @@ jobs: lint-typescript: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" cache: "pnpm" 
@@ -68,14 +78,19 @@ jobs: check-package-lock: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" cache: "pnpm" @@ -94,15 +109,20 @@ jobs: check-uv-locks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml index 662502d0b..96e557636 100644 --- a/.github/workflows/publish_docs.yml +++ b/.github/workflows/publish_docs.yml 
@@ -7,14 +7,19 @@ jobs: build-and-deploy-docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" cache: "pnpm" @@ -48,12 +53,12 @@ jobs: cp -r typescript/framework-extensions/model-context-protocol/docs/* docs/agentkit-model-context-protocol/typescript - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -91,7 +96,7 @@ jobs: cp -r python/framework-extensions/langchain/docs/_build/html/* docs/coinbase-agentkit-langchain/python - name: Deploy to Github Pages - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs diff --git a/.github/workflows/publish_nightly.yml b/.github/workflows/publish_nightly.yml index 63d3db969..ad37b3308 100644 --- a/.github/workflows/publish_nightly.yml +++ b/.github/workflows/publish_nightly.yml @@ -5,6 +5,9 @@ on: schedule: - cron: "0 21 * * *" # Run daily at 9 PM UTC / 5 PM EST +permissions: + contents: read + jobs: publish-npm-nightly: runs-on: ubuntu-latest 
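Review bot: `peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0` is now pinned, but the step pushes `./docs` with `${{ secrets.GITHUB_TOKEN }}`, which needs `contents: write`, and unlike the other workflows in this commit publish_docs.yml receives no `permissions:` block; whether one already exists in the first six lines of the file cannot be seen from these hunks. If it does not, build-and-deploy-docs runs with the repository's default token scope. Declare the scope explicitly, `permissions: contents: write` on the build-and-deploy-docs job and `contents: read` at workflow level, so the deploy step's write access is visible in the file and nothing else inherits it.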
@@ -13,7 +16,12 @@ jobs: id-token: write environment: npm steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Configure Git run: | @@ -25,7 +33,7 @@ jobs: with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" registry-url: "https://registry.npmjs.org" @@ -60,14 +68,19 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Configure Git run: | git config user.name "GitHub Actions Bot" git config user.email "actions@github.com" - - uses: actions/setup-python@v4 + - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" @@ -75,7 +88,7 @@ jobs: run: sudo apt-get install jq - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -111,6 +124,6 @@ jobs: uv build - name: Publish Python packages - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/${{ matrix.package }}/dist/ diff --git a/.github/workflows/publish_npm_manual.yml b/.github/workflows/publish_npm_manual.yml index ea690fadd..c9f56a8dc 100644 --- a/.github/workflows/publish_npm_manual.yml +++ b/.github/workflows/publish_npm_manual.yml 
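Review bot: `pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1` labels the pin with a branch name rather than a release tag; `release/v1` moves, so the comment does not say which release the commit corresponds to, a reader cannot verify the SHA against a published release, and pin-update tooling that keys on the comment has nothing to track. The same label is used on the Publish package step of the seven publish_pypi_* workflows later in this diff. Replace it with the tag the SHA actually corresponds to, in the same form as the other pins (`# v<tag>`), and verify the SHA against that tag in the upstream repository before merging.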
@@ -9,6 +9,9 @@ on: type: string default: "agentkit" +permissions: + contents: read + jobs: deploy-npm-package: runs-on: ubuntu-latest @@ -17,14 +20,19 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" registry-url: "https://registry.npmjs.org" diff --git a/.github/workflows/publish_pypi_coinbase_agentkit.yml b/.github/workflows/publish_pypi_coinbase_agentkit.yml index d6335856c..e3ce2876b 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/coinbase-agentkit/dist/ diff --git a/.github/workflows/publish_pypi_coinbase_agentkit_autogen.yml b/.github/workflows/publish_pypi_coinbase_agentkit_autogen.yml index 0aa784b89..20a1f9cc1 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit_autogen.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit_autogen.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit Autogen to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit-autogen: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/framework-extensions/autogen/dist/ diff --git a/.github/workflows/publish_pypi_coinbase_agentkit_langchain.yml b/.github/workflows/publish_pypi_coinbase_agentkit_langchain.yml index 1a4335e51..7320f7ab3 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit_langchain.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit_langchain.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit LangChain to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit-langchain: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/framework-extensions/langchain/dist/ diff --git a/.github/workflows/publish_pypi_coinbase_agentkit_openai_agents_sdk.yml b/.github/workflows/publish_pypi_coinbase_agentkit_openai_agents_sdk.yml index 7939a4c7e..dcae54d57 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit_openai_agents_sdk.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit_openai_agents_sdk.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit OpenAI Agents SDK to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit-openai-agents-sdk: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/framework-extensions/openai-agents-sdk/dist/ diff --git a/.github/workflows/publish_pypi_coinbase_agentkit_pydantic_ai.yml b/.github/workflows/publish_pypi_coinbase_agentkit_pydantic_ai.yml index 02b37a4d7..400bd6b98 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit_pydantic_ai.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit_pydantic_ai.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit Pydantic AI to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit-pydantic-ai: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/framework-extensions/pydantic-ai/dist/ diff --git a/.github/workflows/publish_pypi_coinbase_agentkit_strands_agents.yml b/.github/workflows/publish_pypi_coinbase_agentkit_strands_agents.yml index 3c1f20e14..c0671f7fd 100644 --- a/.github/workflows/publish_pypi_coinbase_agentkit_strands_agents.yml +++ b/.github/workflows/publish_pypi_coinbase_agentkit_strands_agents.yml @@ -3,6 +3,9 @@ name: Publish Coinbase AgentKit Strands Agents to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-coinbase-agentkit-strands-agents: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/framework-extensions/strands-agents/dist/ diff --git a/.github/workflows/publish_pypi_create_onchain_agent.yml b/.github/workflows/publish_pypi_create_onchain_agent.yml index c6bda6d41..bb6c76520 100644 --- a/.github/workflows/publish_pypi_create_onchain_agent.yml +++ b/.github/workflows/publish_pypi_create_onchain_agent.yml @@ -3,6 +3,9 @@ name: Publish Create Onchain Agent to PyPI on: workflow_dispatch: +permissions: + contents: read + jobs: deploy-pypi-create-onchain-agent: runs-on: ubuntu-latest 
@@ -17,18 +20,23 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up Python 3.10 - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: "3.10" - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -43,6 +51,6 @@ jobs: echo "version=$(sed -n 's/^version = "\(.*\)"/\1/p' pyproject.toml)" >> $GITHUB_OUTPUT - name: Publish package - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: packages-dir: python/create-onchain-agent/dist/ diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index e9c28da06..bbb06e5fb 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml 
@@ -12,15 +12,20 @@ jobs: python: ["3.10", "3.11", "3.12"] steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ matrix.python }} - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -37,14 +42,19 @@ jobs: matrix: node-version: ["18", "20"] steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node-version }} cache: "pnpm" diff --git a/.github/workflows/version_publish_npm.yml b/.github/workflows/version_publish_npm.yml index 484f9238a..ba8e19cb6 100644 --- a/.github/workflows/version_publish_npm.yml +++ b/.github/workflows/version_publish_npm.yml 
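Review bot: `actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0` in the test-python job keeps checkout's default of persisting the GITHUB_TOKEN in `.git/config`, where every later step, including the dependency installation and test runs that follow outside this hunk, can read it. If no step in this job pushes to the repository, which seems likely for a unit-test matrix but cannot be confirmed from the hunk, add `with:` followed by `persist-credentials: false` to the checkout step here and in the test-typescript hunk below; the lint.yml and format.yml jobs are candidates for the same change.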
@@ -8,14 +8,25 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: + contents: read + jobs: version-and-publish: + permissions: + contents: write # for changesets/action to push to the repo + pull-requests: write # for changesets/action to create PRs name: Version and Publish runs-on: ubuntu-latest environment: npm steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Clone repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup pnpm uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda @@ -23,7 +34,7 @@ jobs: version: 10 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" registry-url: "https://registry.npmjs.org"
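Review bot: The job-level `contents: write` and `pull-requests: write` are justified by the inline comments for changesets/action, but the step that uses them lies outside both hunks in this file, so whether changesets/action is pinned to a commit SHA like every other action in this commit cannot be confirmed from the diff; check that step, since it is the one holding the write-capable token. Placing the harden-runner step before Clone repository is the right order. A one-line comment above the job block, e.g. `# only this job needs write scope; the workflow default above is contents: read`, would make the split intentional for the next reader.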