ci: add zizmor workflow and pin all GitHub Actions to SHA hashes (#5237)

This commit is contained in:
Benji Visser 2026-03-25 12:28:41 -04:00 committed by GitHub
parent e909d3e4a1
commit f84563175f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 92 additions and 41 deletions


@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Wait for all required checks to pass
uses: lewagon/wait-on-check-action@v1.4.1
uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343 # v1.4.1
with:
ref: ${{ github.event.pull_request.head.sha }}
repo-token: ${{ secrets.GITHUB_TOKEN }}


@ -16,9 +16,10 @@ jobs:
new_version: ${{ steps.check.outputs.new_version }}
previous_version: ${{ steps.check.outputs.previous_version }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 2
persist-credentials: false
- name: Check if version changed
id: check
run: |
@ -51,9 +52,10 @@ jobs:
contents: write
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
persist-credentials: false
- name: Generate release notes
id: release_notes
run: |
@ -84,7 +86,7 @@ jobs:
echo "Release notes generated"
cat release_notes.md
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
with:
tag_name: v${{ needs.check-version-change.outputs.new_version }}
name: Release v${{ needs.check-version-change.outputs.new_version }}
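Review bot: The pin comments in this file record only the major version (`# v4` on both checkouts, `# v2` on the release action) rather than the exact tag the hash was taken from, so a reader cannot audit the SHA against a release without looking it up, and update tooling such as Dependabot or Renovate keeps the comment in step with the hash only when it names a version it can recognise. Prefer the form already used in the first file of this commit and write the full tag, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y`, with whatever release that commit actually corresponds to. The same applies to most pins elsewhere in the commit; the release job's remaining inputs are below the hunk and not visible here.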


@ -22,28 +22,30 @@ jobs:
needs: [run-ci]
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
with:
registry-type: public
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build, tag, and push backend image to Amazon Public ECR and Docker Hub
id: build-image
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
env:
ECR_REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
with:
@ -63,7 +65,7 @@ jobs:
${{ env.DOCKERHUB_USERNAME }}/${{ env.ECR_BACKEND_REPOSITORY }}:latest
- name: Build, tag, and push ui image to Amazon Public ECR and Docker Hub
id: build-ui-image
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
env:
ECR_REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
with:
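Review bot: The `configure-aws-credentials` step in the first hunk still authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` from repository secrets), which pinning the action does nothing to mitigate; the same action supports OIDC federation, which would replace those two secrets with a short-lived role session. That means granting the job `id-token: write` and replacing the two key inputs with `role-to-assume: arn:aws:iam::<account>:role/<deploy-role>` plus the existing `aws-region`. The job's `permissions:` block is above the hunk, so I cannot see what it currently grants. The Docker Hub login also relies on a static `DOCKERHUB_TOKEN`; that is unavoidable for Docker Hub, but it is worth confirming the token is a push-only access token rather than an account password.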


@ -29,10 +29,12 @@ jobs:
# Maps tcp port 5432 on service container to the host
- 5432:5432
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
persist-credentials: false
# If you wanted to use multiple Python versions, you'd have specify a matrix in the job and
# reference the matrixe python version here.
- uses: actions/setup-python@v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.11"
# Install uv (fast, single-file binary)
@ -42,14 +44,14 @@ jobs:
echo "$HOME/.local/bin" >> $GITHUB_PATH
# Cache uv's download/resolve cache to speed up CI (optional but nice)
- name: Cache uv global cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/.cache/uv
key: uv-cache-${{ runner.os }}-${{ hashFiles('**/pyproject.toml', '**/uv.lock') }}
# Cache the project virtualenv (keyed by Python version + lockfile)
- name: Cache venv
id: cache-venv
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: .venv
key: venv-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version || '3.11' }}-${{ hashFiles('**/uv.lock') }}
@ -65,7 +67,7 @@ jobs:
run: |
uv sync --group dev
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version-file: .nvmrc
cache: npm
@ -113,9 +115,11 @@ jobs:
working-directory: ./skyvern-frontend
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version-file: .nvmrc
- name: Install Node.js dependencies
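Review bot: The checkout in the first hunk is pinned to a v3 commit (`actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`) while every other checkout in this commit is pinned to the v4 commit `34e114876b0b11c390a56381ad16ebd13914f8d5`; pinning has now frozen this job on the older major instead of aligning it with the rest of the repository. Unless something here depends on v3 behaviour, change it to `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` so all workflows track one checkout release and a future bump touches one hash. The uv install and test steps sit between the hunks and are not visible, so I cannot rule out a v3 dependency from here.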


@ -18,12 +18,13 @@ jobs:
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 1
persist-credentials: false
- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
uses: anthropics/claude-code-action@0ee1beea589a67d33340072691a5d42abec7ae6b # v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
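Review bot: Pinning `anthropics/claude-code-action` to a commit does not pin what it runs when `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` names a bare repository URL: if the action clones that marketplace at run time, the plugins come from whatever the default branch holds at that moment, so the supply-chain guarantee this commit is after stops at the action wrapper. If the input accepts a ref, pin the marketplace to a tag or commit in whatever form the action documents; if it does not, add a comment on this line recording that the plugin source floats and why that is acceptable for a review-only job. Only `id-token: write` of the job's `permissions:` is visible in the hunk, so I cannot confirm the job is read-only on repository contents.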


@ -32,12 +32,13 @@ jobs:
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 1
persist-credentials: false
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
uses: anthropics/claude-code-action@0ee1beea589a67d33340072691a5d42abec7ae6b # v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# This is an optional setting that allows Claude to read CI results on PRs


@ -8,7 +8,7 @@ jobs:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v5
- uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5
with:
days-before-issue-stale: 30
days-before-issue-close: 14


@ -9,7 +9,9 @@ jobs:
permissions: write-all
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Install Fern
run: npm install -g fern-api
@ -26,6 +28,6 @@ jobs:
echo "🌿 Preview your docs: $URL" > preview_url.txt
- name: Comment URL in PR
uses: thollander/actions-comment-pull-request@v2.4.3
uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308 # v2.4.3
with:
filePath: preview_url.txt
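Review bot: `permissions: write-all` at the top of the first hunk grants this preview job every scope the `GITHUB_TOKEN` can carry, and it is exactly the pattern the zizmor workflow added by this same commit will most likely report as excessive permissions, so the new audit is set up to fail on a file this change touched. The visible steps only check out the repository, install Fern and post a PR comment, which suggests `permissions:` with `contents: read` and `pull-requests: write`; the Fern deploy step itself lies between the hunks, so any extra scope it needs is not visible here. `npm install -g fern-api` also installs whatever version npm serves today; pin it (`run: npm install -g fern-api@<version>`) so the tool is as reproducible as the action hashes now are.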


@ -9,7 +9,9 @@ jobs:
if: ${{ github.event_name == 'push' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Install Fern
run: npm install -g fern-api
- name: Publish Docs
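Review bot: `npm install -g fern-api` on the Install Fern step fetches an unpinned package from the npm registry at publish time, so the one tool that runs with the docs-publishing credentials (the Publish Docs step whose body is below the hunk) is the one dependency this commit leaves floating. Pin it to the version the team has tested, `run: npm install -g fern-api@<version>`, and bump it deliberately the same way the action hashes will be bumped. If the package does not need lifecycle scripts, `--ignore-scripts` would additionally keep install-time scripts from running in the publishing job, but verify the CLI still works with it first.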


@ -12,9 +12,10 @@ jobs:
outputs:
version_changed: ${{ steps.check.outputs.version_changed }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 2
persist-credentials: false
- name: Check if version changed
id: check
run: |
@ -42,12 +43,14 @@ jobs:
if: needs.check-version-change.outputs.version_changed == 'true'
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
# If you wanted to use multiple Python versions, you'd have specify a matrix in the job and
# reference the matrixe python version here.
- name: Setup Python
id: setup-python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.11"
# Cache the installation of `uv` itself, e.g. the next step. This prevents the workflow
@ -58,14 +61,14 @@ jobs:
echo "$HOME/.local/bin" >> $GITHUB_PATH
# Cache uv's global cache (resolver/downloads) for speed
- name: Cache uv cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/.cache/uv
key: uv-cache-${{ runner.os }}-${{ hashFiles('**/pyproject.toml', '**/uv.lock') }}
# Cache the project venv (keyed by lockfile + Python)
- name: Cache venv
id: cache-venv
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: .venv
key: venv-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version || '3.11' }}-${{ hashFiles('**/uv.lock') }}


@ -23,7 +23,9 @@ jobs:
steps:
- name: Checkout Repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Determine Git credentials
id: git-creds
run: |
@ -123,7 +125,7 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run GitHub File Sync
id: file-sync
uses: Skyvern-AI/repo-file-sync-action@main
uses: Skyvern-AI/repo-file-sync-action@590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a # main
with:
GH_PAT: ${{ steps.git-creds.outputs.GH_PAT }}
GIT_EMAIL: ${{ steps.git-creds.outputs.GIT_EMAIL }}
@ -139,7 +141,7 @@ jobs:
if: >
steps.check-migrations.outputs.has_migrations == 'true' && steps.file-sync.outputs.pull_request_urls
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
env:
PR_URLS_RAW: ${{ steps.file-sync.outputs.pull_request_urls }}
SOURCE_PR_URL: ${{ steps.pr_details.outputs.PR_URL }}
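Review bot: `Skyvern-AI/repo-file-sync-action@590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a # main` pins a commit taken from a branch rather than a release, so the trailing comment no longer identifies a version, update tooling that keys on a version comment has nothing to track, and the hash will silently drift from `main` until someone notices. Cut a tag on the fork (or track the upstream release) and pin as `uses: Skyvern-AI/repo-file-sync-action@590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a # v<tag>`. Separately, `GH_PAT: ${{ steps.git-creds.outputs.GH_PAT }}` routes a token through a step output; the `git-creds` step body is between the hunks, so I cannot confirm it registers the value with `::add-mask::` before writing it to `$GITHUB_OUTPUT`, which is needed to keep a derived token out of logs. `actions/github-script` is also pinned to a v6 commit here while a newer major exists; worth bumping when the hashes are next refreshed.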


@ -13,9 +13,10 @@ jobs:
version_changed: ${{ steps.check.outputs.version_changed }}
current_version: ${{ steps.check.outputs.current_version }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 2
persist-credentials: false
- name: Check if version changed
id: check
run: |
@ -48,9 +49,11 @@ jobs:
working-directory: ./skyvern-ts/client
steps:
- name: Check out Git repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'


@ -10,11 +10,11 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}
- name: Update OpenAPI Spec
uses: fern-api/sync-openapi@v2
uses: fern-api/sync-openapi@8e936a4bac8ad11d698d7114f3074fa3397398ea # v2
with:
token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}
branch: 'update-openapi-spec'
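Review bot: This is the one checkout in the commit that does not gain `persist-credentials: false`, and it is the one that checks out with a PAT (`token: ${{ secrets.SKYVERN_OSS_GITHUB_TOKEN }}`), so that token is written into `.git/config` and is available to every later step in the job. The Update OpenAPI Spec step receives the same token explicitly through its own `token:` input, so the checkout presumably does not need to persist it; add `persist-credentials: false` under the checkout's `with:` unless `fern-api/sync-openapi` relies on the stored credential for its push, and leave a comment either way. Also confirm the PAT is a fine-grained token scoped to this repository with only the `contents` and `pull-requests` write scopes the job declares.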


@ -9,7 +9,9 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Extract version from release
id: get_version
run: |
@ -20,7 +22,7 @@ jobs:
sed -i "s/version = \".*\"/version = \"${{ steps.get_version.outputs.version }}\"/" pyproject.toml
- name: Create Pull Request
id: create-pr
uses: peter-evans/create-pull-request@v6
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
with:
commit-message: "chore: bump version to ${{ steps.get_version.outputs.version }}"
title: "chore: bump version to ${{ steps.get_version.outputs.version }}"
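Review bot: The `sed -i "s/version = \".*\"/version = \"${{ steps.get_version.outputs.version }}\"/" pyproject.toml` line in the second hunk expands a workflow expression straight into shell source, which is the template-injection pattern the zizmor job added by this commit is built to flag: a release tag containing shell or sed metacharacters would be interpreted as code rather than substituted as data. Pass the value through the environment instead — add `env:` with `VERSION: ${{ steps.get_version.outputs.version }}` on the step and use `"$VERSION"` inside the sed expression. The `get_version` step that derives the value is between the hunks and not visible; if it already validates the tag against a strict version regex the exposure is small, but env passing costs nothing. The same expression in `commit-message:` and `title:` is fine, since those are action inputs rather than shell.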

27
.github/workflows/zizmor.yml vendored Normal file

@ -0,0 +1,27 @@
name: zizmor
on:
push:
branches: [main]
paths:
- '.github/workflows/**'
pull_request:
branches: [main]
paths:
- '.github/workflows/**'
jobs:
zizmor:
name: Audit GitHub Actions
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
token: ${{ secrets.GITHUB_TOKEN }}
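Review bot: The `paths:` filters on both triggers limit the audit to `.github/workflows/**`, so any composite action under `.github/actions/` (if the repository has one) is never scanned and the existing pins are never re-audited once no workflow file changes; add `- '.github/actions/**'` to both lists and consider a `schedule:` trigger so the audit re-runs as zizmor's rules evolve. `security-events: write` is also not available to the read-only token of a fork `pull_request`, so the SARIF upload will fail for external contributors unless the action is configured to skip it on forks — check its options. Finally, the hash pins the wrapper, but if zizmor-action fetches the zizmor release at run time (its `version` input) the analyzer itself still floats; pin it with `version: <x.y.z>` under `with:`.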