Skip to content

Commit fa36a03

Browse files
authored
Merge branch 'master' into dependabot/github_actions/astral-sh/setup-uv-8.1.0
2 parents 492a817 + baa12f6 commit fa36a03

23 files changed

Lines changed: 311 additions & 37 deletions

.github/dependabot.yml

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ updates:
55
directory: /
66
schedule:
77
interval: daily
8+
cooldown:
9+
default-days: 7
810
commit-message:
911
prefix:
1012
labels: [dependencies, internal]
@@ -13,6 +15,8 @@ updates:
1315
directory: /
1416
schedule:
1517
interval: weekly
18+
cooldown:
19+
default-days: 7
1620
commit-message:
1721
prefix:
1822
labels: [dependencies, internal]
@@ -21,6 +25,8 @@ updates:
2125
directory: /
2226
schedule:
2327
interval: weekly
28+
cooldown:
29+
default-days: 7
2430
commit-message:
2531
prefix:
2632
labels: [dependencies, internal]
@@ -33,6 +39,8 @@ updates:
3339
- /frontend
3440
schedule:
3541
interval: weekly
42+
cooldown:
43+
default-days: 7
3644
commit-message:
3745
prefix:
3846
labels: [dependencies, internal]
@@ -41,6 +49,17 @@ updates:
4149
directory: /
4250
schedule:
4351
interval: weekly
52+
cooldown:
53+
default-days: 7
54+
commit-message:
55+
prefix:
56+
labels: [dependencies, internal]
57+
- package-ecosystem: "pre-commit"
58+
directory: "/"
59+
schedule:
60+
interval: "daily"
61+
cooldown:
62+
default-days: 7
4463
commit-message:
4564
prefix:
4665
labels: [dependencies, internal]
Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,21 @@
11
name: Add to Project
22

33
on:
4-
pull_request_target:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers]
55
issues:
66
types:
77
- opened
88
- reopened
99

10+
permissions: {}
11+
1012
jobs:
1113
add-to-project:
1214
name: Add to project
1315
runs-on: ubuntu-latest
16+
timeout-minutes: 5
1417
steps:
15-
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
18+
- uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
1619
with:
1720
project-url: https://github.com/orgs/fastapi/projects/2
18-
github-token: ${{ secrets.PROJECTS_TOKEN }}
21+
github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]

.github/workflows/deploy-production.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,11 @@ on:
55
types:
66
- published
77

8+
permissions: {}
9+
810
jobs:
911
deploy:
12+
environment: production
1013
# Do not deploy in the main repository, only in user projects
1114
if: github.repository_owner != 'fastapi'
1215
runs-on:
@@ -28,5 +31,7 @@ jobs:
2831
steps:
2932
- name: Checkout
3033
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
34+
with:
35+
persist-credentials: false
3136
- run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} build
3237
- run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} up -d

.github/workflows/deploy-staging.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,11 @@ on:
55
branches:
66
- master
77

8+
permissions: {}
9+
810
jobs:
911
deploy:
12+
environment: staging
1013
# Do not deploy in the main repository, only in user projects
1114
if: github.repository_owner != 'fastapi'
1215
runs-on:
@@ -28,5 +31,7 @@ jobs:
2831
steps:
2932
- name: Checkout
3033
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
34+
with:
35+
persist-credentials: false
3136
- run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build
3237
- run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d

.github/workflows/detect-conflicts.yml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,18 @@
11
name: "Conflict detector"
22
on:
33
push:
4-
pull_request_target:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers]
55
types: [synchronize]
66

7+
permissions: {}
8+
79
jobs:
810
main:
911
permissions:
1012
contents: read
1113
pull-requests: write
1214
runs-on: ubuntu-latest
15+
timeout-minutes: 5
1316
steps:
1417
- name: Check if PRs have merge conflicts
1518
uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
name: Guard Dependencies
2+
3+
on:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
5+
branches: [master]
6+
paths:
7+
- pyproject.toml
8+
- uv.lock
9+
10+
permissions:
11+
contents: read
12+
issues: write
13+
pull-requests: write
14+
15+
jobs:
16+
check-author:
17+
runs-on: ubuntu-latest
18+
steps:
19+
- name: Check if author is org member or allowed bot
20+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
21+
with:
22+
script: |
23+
const pr = context.payload.pull_request;
24+
const author = pr.user.login;
25+
const assoc = pr.author_association;
26+
27+
const botAllowlist = new Set(['dependabot[bot]']);
28+
const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
29+
30+
const allowed =
31+
botAllowlist.has(author) ||
32+
(assoc != null && orgAuthorAssociations.has(assoc));
33+
34+
if (!allowed) {
35+
await github.rest.issues.createComment({
36+
owner: context.repo.owner,
37+
repo: context.repo.repo,
38+
issue_number: context.payload.pull_request.number,
39+
body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
40+
});
41+
42+
await github.rest.pulls.update({
43+
owner: context.repo.owner,
44+
repo: context.repo.repo,
45+
pull_number: context.payload.pull_request.number,
46+
state: 'closed'
47+
});
48+
49+
core.setFailed('Dependency changes are restricted to organization members.');
50+
} else {
51+
console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
52+
}

.github/workflows/issue-manager.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,19 +9,21 @@ on:
99
issues:
1010
types:
1111
- labeled
12-
pull_request_target:
12+
pull_request_target: # zizmor: ignore[dangerous-triggers]
1313
types:
1414
- labeled
1515
workflow_dispatch:
1616

17-
permissions:
18-
issues: write
19-
pull-requests: write
17+
permissions: {}
2018

2119
jobs:
2220
issue-manager:
2321
if: github.repository_owner == 'fastapi'
2422
runs-on: ubuntu-latest
23+
timeout-minutes: 5
24+
permissions:
25+
issues: write
26+
pull-requests: write
2527
steps:
2628
- name: Dump GitHub context
2729
env:

.github/workflows/labeler.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: Labels
22
on:
3-
pull_request_target:
3+
pull_request_target: # zizmor: ignore[dangerous-triggers]
44
types:
55
- opened
66
- synchronize
@@ -9,12 +9,15 @@ on:
99
- labeled
1010
- unlabeled
1111

12+
permissions: {}
13+
1214
jobs:
1315
labeler:
1416
permissions:
1517
contents: read
1618
pull-requests: write
1719
runs-on: ubuntu-latest
20+
timeout-minutes: 5
1821
steps:
1922
- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
2023
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
@@ -26,6 +29,7 @@ jobs:
2629
permissions:
2730
pull-requests: read
2831
runs-on: ubuntu-latest
32+
timeout-minutes: 5
2933
steps:
3034
- uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
3135
with:

.github/workflows/latest-changes.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Latest Changes
22

33
on:
4-
pull_request_target:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers]
55
branches:
66
- master
77
types:
@@ -16,11 +16,15 @@ on:
1616
required: false
1717
default: "false"
1818

19+
permissions: {}
20+
1921
jobs:
2022
latest-changes:
2123
runs-on: ubuntu-latest
24+
timeout-minutes: 5
2225
permissions:
2326
pull-requests: read
27+
if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
2428
steps:
2529
- name: Dump GitHub context
2630
env:
@@ -29,7 +33,8 @@ jobs:
2933
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3034
with:
3135
# To allow latest-changes to commit to the main branch
32-
token: ${{ secrets.LATEST_CHANGES }}
36+
token: ${{ secrets.LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
37+
persist-credentials: true # required by tiangolo/latest-changes
3338
- uses: tiangolo/latest-changes@c9d329cb147f0ddf4fb631214e3f838ff17ccbbd # 0.4.1
3439
with:
3540
token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/playwright.yml

Lines changed: 22 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,14 +15,19 @@ on:
1515
required: false
1616
default: 'false'
1717

18+
permissions: {}
19+
1820
jobs:
1921
changes:
2022
runs-on: ubuntu-latest
23+
timeout-minutes: 5
2124
# Set job outputs to values from filter step
2225
outputs:
2326
changed: ${{ steps.filter.outputs.changed }}
2427
steps:
2528
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
29+
with:
30+
persist-credentials: false
2631
# For pull requests it's not necessary to checkout the code but for the main branch it is
2732
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
2833
id: filter
@@ -39,7 +44,7 @@ jobs:
3944
needs:
4045
- changes
4146
if: ${{ needs.changes.outputs.changed == 'true' }}
42-
timeout-minutes: 60
47+
timeout-minutes: 15
4348
runs-on: ubuntu-latest
4449
strategy:
4550
matrix:
@@ -48,7 +53,11 @@ jobs:
4853
fail-fast: false
4954
steps:
5055
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
51-
- uses: oven-sh/setup-bun@v2
56+
with:
57+
persist-credentials: false
58+
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
59+
with:
60+
bun-version: 1.3.12
5261
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
5362
with:
5463
python-version: '3.10'
@@ -59,6 +68,10 @@ jobs:
5968
limit-access-to-actor: true
6069
- name: Install uv
6170
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
71+
with:
72+
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
73+
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
74+
version: "0.11.4"
6275
- run: uv sync
6376
working-directory: backend
6477
- run: bun ci
@@ -85,9 +98,14 @@ jobs:
8598
# Merge reports after playwright-tests, even if some shards have failed
8699
if: ${{ !cancelled() && needs.changes.outputs.changed == 'true' }}
87100
runs-on: ubuntu-latest
101+
timeout-minutes: 5
88102
steps:
89103
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
90-
- uses: oven-sh/setup-bun@v2
104+
with:
105+
persist-credentials: false
106+
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
107+
with:
108+
bun-version: 1.3.12
91109
- name: Install dependencies
92110
run: bun ci
93111
- name: Download blob reports from GitHub Actions Artifacts
@@ -113,6 +131,7 @@ jobs:
113131
needs:
114132
- test-playwright
115133
runs-on: ubuntu-latest
134+
timeout-minutes: 5
116135
steps:
117136
- name: Decide whether the needed jobs succeeded or failed
118137
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2

0 commit comments

Comments
 (0)