74 changes: 37 additions & 37 deletions .github/workflows/main.yaml
@@ -36,8 +36,8 @@ jobs:
name: Run Linter and Formatter
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.11"
cache: 'pip' # caching pip dependencies
@@ -66,13 +66,13 @@ jobs:
version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
folder: ["weaviate", "integration", "integration_embedded"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.version }}
cache: 'pip' # caching pip dependencies
- run: pip install -r requirements-devel.txt
- uses: jakebailey/pyright-action@v2
- uses: jakebailey/pyright-action@6cabc0f01c4994be48fd45cd9dbacdd6e1ee6e5e # v2
with:
version: 1.1.399
working-directory: ${{ matrix.folder }}
@@ -86,8 +86,8 @@ jobs:
version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
folder: ["test", "mock_tests"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.version }}
cache: 'pip' # caching pip dependencies
@@ -96,7 +96,7 @@ jobs:
run: pytest --cov -v --cov-report=term-missing --cov=weaviate --cov-report xml:coverage-${{ matrix.folder }}.xml ${{ matrix.folder }}
- name: Archive code coverage results
if: matrix.version == '3.10' && (github.ref_name != 'main')
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-report-${{ matrix.folder }}
path: coverage-${{ matrix.folder }}.xml
@@ -110,8 +110,8 @@ jobs:
grpc: ["1.59.5", "1.63.0", "1.65.0", "1.66.0", "1.68.0", "1.72.1", "1.73.0", "1.74.0"]
protobuf: ["4.25.8", "5.26.0", "5.27.4", "5.28.3", "5.29.0", "6.30.0", "6.31.1", "6.32.0"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.11"
cache: 'pip' # caching pip dependencies
@@ -129,11 +129,11 @@ jobs:
version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
optional_dependencies: [false]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
fetch-tags: true
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.version }}
cache: 'pip' # caching pip dependencies
@@ -145,7 +145,7 @@ jobs:
run: pytest -v --cov --cov-report=term-missing --cov=weaviate --cov-report xml:coverage-integration-embedded.xml integration_embedded
- name: Archive code coverage results
if: matrix.version == '3.10' && (github.ref_name != 'main') && !github.event.pull_request.head.repo.fork
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-report-integration-embedded
path: coverage-integration-embedded.xml
@@ -165,16 +165,16 @@ jobs:
]
optional_dependencies: [false]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
fetch-tags: true
- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.versions.py }}
cache: 'pip' # caching pip dependencies
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
if: ${{ !github.event.pull_request.head.repo.fork && github.triggering_actor != 'dependabot[bot]' }}
with:
username: ${{secrets.DOCKER_USERNAME}}
@@ -198,7 +198,7 @@ jobs:
run: pytest -n auto --dist loadgroup -v --cov --cov-report=term-missing --cov=weaviate --cov-report xml:coverage-integration.xml integration
- name: Archive code coverage results
if: matrix.versions.py == '3.10' && (github.ref_name != 'main')
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-report-integration
path: coverage-integration.xml
@@ -220,13 +220,13 @@ jobs:
]
optional_dependencies: [false]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.11"
cache: 'pip' # caching pip dependencies
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
if: ${{ !github.event.pull_request.head.repo.fork && github.triggering_actor != 'dependabot[bot]' }}
with:
username: ${{secrets.DOCKER_USERNAME}}
@@ -245,25 +245,25 @@ jobs:
runs-on: ubuntu-latest
if: github.ref_name != 'main' && !github.event.pull_request.head.repo.fork
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Download coverage artifacts mock
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report-mock_tests
- name: Download coverage artifacts unit
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report-test
- name: Download coverage integration
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report-integration
- name: Download coverage integration embedded
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report-integration-embedded
- name: Codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
with:
fail_ci_if_error: true
files: ./coverage-integration.xml, ./coverage-integration-embedded.xml, ./coverage-test.xml, ./coverage-mock_tests.xml
@@ -275,11 +275,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Set up Python 3.11
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.11"
cache: 'pip' # caching pip dependencies
@@ -288,7 +288,7 @@ jobs:
- name: Build a binary wheel
run: python -m build
- name: Create Wheel Artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
path: "dist/*.whl"
name: weaviate-python-client-wheel
@@ -315,17 +315,17 @@ jobs:
]
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
if: ${{ !github.event.pull_request.head.repo.fork && github.triggering_actor != 'dependabot[bot]' }}
with:
username: ${{secrets.DOCKER_USERNAME}}
password: ${{secrets.DOCKER_PASSWORD}}
- name: Download build artifact to append to release
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: weaviate-python-client-wheel
- run: |
@@ -343,11 +343,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Set up Python 3.11
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.11"
cache: 'pip' # caching pip dependencies
@@ -357,7 +357,7 @@ jobs:
run: python -m build
- name: Publish distribution 📦 to PyPI on new tags
if: startsWith(github.ref, 'refs/tags')
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
verbose: true
password: ${{ secrets.PYPI_API_TOKEN }}
@@ -369,12 +369,12 @@ jobs:
needs: [build-and-publish]
steps:
- name: Download build artifact to append to release
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: weaviate-python-client-wheel
path: dist
- name: Release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
generate_release_notes: true
draft: true
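Review bot: The trailing comments on the new pins name floating refs (`# v6`, `# v5`, `# v4`, `# release/v1`, `# v1`), so a reader cannot tell which release each 40-character SHA corresponds to or check it against the action's tag list. Record the exact release next to each pin, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <exact release tag>`, which also helps Dependabot or Renovate keep the SHA and the comment in step. Several pins also appear to cross major versions compared with the tag lines they replace (checkout `@v4` to `# v6`, upload-artifact `@v4` to `# v7`, download-artifact `@v4` to `# v8`, docker/login-action `@v3` to `# v4`); that is a behaviour change riding along with the hardening, worth a line in the PR description and a check that the coverage and wheel artifacts still round-trip between the upload and download steps. The same applies to every hunk in this file.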
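--- a/.github/workflows/pr-security-lint.yaml
+++ b/.github/workflows/pr-security-lint.yaml
@@ -0,0 +1,35 @@
+name: PR Security Lint
+
+# SECURITY: This workflow uses pull_request_target intentionally so that the
+# workflow definition runs from the BASE branch (main), not the PR. The
+# composite action it invokes lives at a pinned 40-char SHA in
+# weaviate/weaviate — attackers cannot alter the lint logic via a PR or by
+# tampering with an upstream tag.
+#
+# Rules:
+# 1. Do NOT add `ref: ${{ github.event.pull_request.head.sha }}` or any
+# reference to PR-controlled refs. The composite uses the GitHub API to
+# fetch the diff text — no PR code is ever executed.
+# 2. Do NOT add secrets to this workflow. The pull_request_target context
+# grants a token with write access to the base repo and access to all
+# repo secrets if any are referenced. We reference none and request
+# minimal permissions; keep it that way.
+# 3. Keep the composite action pinned to a full-length commit SHA. Tag or
+# branch refs would let an upstream change alter the lint logic at
+# execution time.
+on:
+pull_request_target:
+
+permissions: {}
+
+jobs:
+hidden-unicode:
+name: hidden unicode characters
+runs-on: ubuntu-latest
+permissions:
+pull-requests: read # required by the composite's `gh pr diff` call
+steps:
+- uses: weaviate/weaviate/.github/actions/security-lint@3e52fc80a244f4644d4facc6a4e705ea6eda9039 # PR #11093
+with:
+pr-number: ${{ github.event.pull_request.number }}
+github-token: ${{ github.token }}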
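Review bot: The pin comment on the `uses:` line names a pull request (`# PR #11093`) rather than a branch or tag of weaviate/weaviate, so nothing on the page shows that commit 3e52fc80a244f4644d4facc6a4e705ea6eda9039 is reachable from the upstream repository's own history. GitHub resolves `owner/repo@<sha>` across the repository's fork network, so a SHA that exists only on a PR head or in a fork still loads, and a commit left unreachable after a squash merge may later stop resolving and break this check. Because the job runs under `pull_request_target`, confirm the SHA sits on the upstream default branch and record that in the comment, e.g. `# <branch or release tag>, merged via PR #11093`. The header comment's rule 3 could state the same requirement: `#    The SHA must be reachable from a protected branch of weaviate/weaviate, not only from a PR head or fork.`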