Files
wehub-resource-sync 9201ef759e
CI / lint (push) Waiting to run
CI / mypy (push) Waiting to run
CI / docs (push) Waiting to run
CI / test on 3.10 (standard) (push) Waiting to run
CI / test on 3.11 (standard) (push) Waiting to run
CI / test on 3.12 (standard) (push) Waiting to run
CI / test on 3.10 (all-extras) (push) Waiting to run
CI / test on 3.11 (all-extras) (push) Waiting to run
CI / test on 3.12 (all-extras) (push) Waiting to run
CI / test on 3.13 (all-extras) (push) Waiting to run
CI / test on 3.14 (pydantic-evals) (push) Waiting to run
Harness Compat / harness compat (push) Waiting to run
CI / test on 3.13 (standard) (push) Waiting to run
CI / test on 3.14 (standard) (push) Waiting to run
CI / test on 3.14 (all-extras) (push) Waiting to run
CI / test on 3.10 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.11 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.12 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.13 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.14 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.10 (pydantic-evals) (push) Waiting to run
CI / test on 3.11 (pydantic-evals) (push) Waiting to run
CI / test on 3.12 (pydantic-evals) (push) Waiting to run
CI / test on 3.13 (pydantic-evals) (push) Waiting to run
CI / test on 3.10 (lowest-versions) (push) Waiting to run
CI / test on 3.11 (lowest-versions) (push) Waiting to run
CI / test on 3.12 (lowest-versions) (push) Waiting to run
CI / test on 3.13 (lowest-versions) (push) Waiting to run
CI / test on 3.14 (lowest-versions) (push) Waiting to run
CI / test examples on 3.11 (push) Waiting to run
CI / test examples on 3.12 (push) Waiting to run
CI / test examples on 3.13 (push) Waiting to run
CI / test examples on 3.14 (push) Waiting to run
CI / coverage (push) Blocked by required conditions
CI / check (push) Blocked by required conditions
CI / deploy-docs (push) Blocked by required conditions
CI / deploy-docs-preview (push) Blocked by required conditions
CI / build release artifacts (push) Blocked by required conditions
CI / publish to PyPI (push) Blocked by required conditions
CI / Send tweet (push) Blocked by required conditions
chore: import upstream snapshot with attribution
2026-07-13 13:27:52 +08:00

64 lines
3.0 KiB
YAML

rules:
# setup-uv and setup-node use integrity-checked package registries (PyPI, npm) with
# lockfile hash-based cache keys. The HuggingFace model cache lacks integrity checks but
# is only used in test jobs that don't publish artifacts to external systems.
cache-poisoning:
ignore:
- after-ci.yml
- at-claude.yml
- ci.yml
- manually-deploy-docs.yml
# Secrets passed via `with:` to action inputs are the standard GitHub Actions pattern.
# These are not exposed to shell interpolation. Using `environment:` protection is applied
# where deployment secrets are involved.
secrets-outside-env:
ignore:
- after-ci.yml
- at-claude.yml
- bots.yml
- ci.yml
- docs-preview.yml
- manually-deploy-docs.yml
# `pr-guard.yml` reads `GH_AW_GITHUB_TOKEN` as job-level env solely to
# confirm private org membership via `gh api orgs/.../members/{author}`;
# it's used as a `gh` credential, never interpolated into a run script,
# and the job checks out no fork code, so shell-injection exposure is nil.
- pr-guard.yml
# gh-aw-generated agentic workflow lockfiles (see
# .github/workflows/README-pydantic-ai-agents.md). gh-aw injects API /
# GitHub secrets as job-level env by design; they are held by the AWF
# proxy sidecar and excluded from the agent container, not exposed to
# shell interpolation. The *.lock.yml files are compiled artifacts —
# the corresponding .md sources are the editable surface.
- pydantic-ai-bug-hunter.lock.yml
- pydantic-ai-docs-drift.lock.yml
- pydantic-ai-pr-review.lock.yml
- pydantic-ai-provider-mapping-sweep.lock.yml
- pydantic-ai-provider-parity-explore.lock.yml
- pydantic-ai-regression-detector.lock.yml
- pydantic-ai-roundtrip-sweep.lock.yml
- pydantic-ai-stale-issues-finder.lock.yml
- pydantic-ai-streaming-resilience-sweep.lock.yml
- pydantic-ai-ui-security-review.lock.yml
# `harness-compat.yml` calls a reusable workflow in `pydantic/pydantic-ai-harness`, an
# org-internal repo under the same maintenance group. SHA-pinning the cross-repo reference
# would force coordinated bumps on every harness change without meaningful security benefit
# (the maintainer set is identical, so no additional supply-chain boundary is crossed).
unpinned-uses:
ignore:
- harness-compat.yml
# `agentics-maintenance.yml` is auto-generated by `gh aw compile` (the
# workflow-dispatch maintenance surface for the agentic workflow set).
# It echoes `inputs.operation` / `inputs.run_url` into `$GITHUB_OUTPUT`,
# which zizmor flags as template-injection. Both inputs are gated by
# `workflow_dispatch`-only (no untrusted-PR trigger), so an attacker
# would need write access to invoke the workflow at all — at which point
# they could already run arbitrary code. Until upstream gh-aw switches
# to env-var indirection, ignore the rule on this generated file.
template-injection:
ignore:
- agentics-maintenance.yml