9201ef759e
CI / lint (push) Waiting to run
CI / mypy (push) Waiting to run
CI / docs (push) Waiting to run
CI / test on 3.10 (standard) (push) Waiting to run
CI / test on 3.11 (standard) (push) Waiting to run
CI / test on 3.12 (standard) (push) Waiting to run
CI / test on 3.10 (all-extras) (push) Waiting to run
CI / test on 3.11 (all-extras) (push) Waiting to run
CI / test on 3.12 (all-extras) (push) Waiting to run
CI / test on 3.13 (all-extras) (push) Waiting to run
CI / test on 3.14 (pydantic-evals) (push) Waiting to run
Harness Compat / harness compat (push) Waiting to run
CI / test on 3.13 (standard) (push) Waiting to run
CI / test on 3.14 (standard) (push) Waiting to run
CI / test on 3.14 (all-extras) (push) Waiting to run
CI / test on 3.10 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.11 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.12 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.13 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.14 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.10 (pydantic-evals) (push) Waiting to run
CI / test on 3.11 (pydantic-evals) (push) Waiting to run
CI / test on 3.12 (pydantic-evals) (push) Waiting to run
CI / test on 3.13 (pydantic-evals) (push) Waiting to run
CI / test on 3.10 (lowest-versions) (push) Waiting to run
CI / test on 3.11 (lowest-versions) (push) Waiting to run
CI / test on 3.12 (lowest-versions) (push) Waiting to run
CI / test on 3.13 (lowest-versions) (push) Waiting to run
CI / test on 3.14 (lowest-versions) (push) Waiting to run
CI / test examples on 3.11 (push) Waiting to run
CI / test examples on 3.12 (push) Waiting to run
CI / test examples on 3.13 (push) Waiting to run
CI / test examples on 3.14 (push) Waiting to run
CI / coverage (push) Blocked by required conditions
CI / check (push) Blocked by required conditions
CI / deploy-docs (push) Blocked by required conditions
CI / deploy-docs-preview (push) Blocked by required conditions
CI / build release artifacts (push) Blocked by required conditions
CI / publish to PyPI (push) Blocked by required conditions
CI / Send tweet (push) Blocked by required conditions
64 lines
3.0 KiB
YAML
64 lines
3.0 KiB
YAML
rules:
|
|
# setup-uv and setup-node use integrity-checked package registries (PyPI, npm) with
|
|
# lockfile hash-based cache keys. The HuggingFace model cache lacks integrity checks but
|
|
# is only used in test jobs that don't publish artifacts to external systems.
|
|
cache-poisoning:
|
|
ignore:
|
|
- after-ci.yml
|
|
- at-claude.yml
|
|
- ci.yml
|
|
- manually-deploy-docs.yml
|
|
|
|
# Secrets passed via `with:` to action inputs are the standard GitHub Actions pattern.
|
|
# These are not exposed to shell interpolation. Using `environment:` protection is applied
|
|
# where deployment secrets are involved.
|
|
secrets-outside-env:
|
|
ignore:
|
|
- after-ci.yml
|
|
- at-claude.yml
|
|
- bots.yml
|
|
- ci.yml
|
|
- docs-preview.yml
|
|
- manually-deploy-docs.yml
|
|
# `pr-guard.yml` reads `GH_AW_GITHUB_TOKEN` as job-level env solely to
|
|
# confirm private org membership via `gh api orgs/.../members/{author}`;
|
|
# it's used as a `gh` credential, never interpolated into a run script,
|
|
# and the job checks out no fork code, so shell-injection exposure is nil.
|
|
- pr-guard.yml
|
|
# gh-aw-generated agentic workflow lockfiles (see
|
|
# .github/workflows/README-pydantic-ai-agents.md). gh-aw injects API /
|
|
# GitHub secrets as job-level env by design; they are held by the AWF
|
|
# proxy sidecar and excluded from the agent container, not exposed to
|
|
# shell interpolation. The *.lock.yml files are compiled artifacts —
|
|
# the corresponding .md sources are the editable surface.
|
|
- pydantic-ai-bug-hunter.lock.yml
|
|
- pydantic-ai-docs-drift.lock.yml
|
|
- pydantic-ai-pr-review.lock.yml
|
|
- pydantic-ai-provider-mapping-sweep.lock.yml
|
|
- pydantic-ai-provider-parity-explore.lock.yml
|
|
- pydantic-ai-regression-detector.lock.yml
|
|
- pydantic-ai-roundtrip-sweep.lock.yml
|
|
- pydantic-ai-stale-issues-finder.lock.yml
|
|
- pydantic-ai-streaming-resilience-sweep.lock.yml
|
|
- pydantic-ai-ui-security-review.lock.yml
|
|
|
|
# `harness-compat.yml` calls a reusable workflow in `pydantic/pydantic-ai-harness`, an
|
|
# org-internal repo under the same maintenance group. SHA-pinning the cross-repo reference
|
|
# would force coordinated bumps on every harness change without meaningful security benefit
|
|
# (the maintainer set is identical, so no additional supply-chain boundary is crossed).
|
|
unpinned-uses:
|
|
ignore:
|
|
- harness-compat.yml
|
|
|
|
# `agentics-maintenance.yml` is auto-generated by `gh aw compile` (the
|
|
# workflow-dispatch maintenance surface for the agentic workflow set).
|
|
# It echoes `inputs.operation` / `inputs.run_url` into `$GITHUB_OUTPUT`,
|
|
# which zizmor flags as template-injection. Both inputs are gated by
|
|
# `workflow_dispatch`-only (no untrusted-PR trigger), so an attacker
|
|
# would need write access to invoke the workflow at all — at which point
|
|
# they could already run arbitrary code. Until upstream gh-aw switches
|
|
# to env-var indirection, ignore the rule on this generated file.
|
|
template-injection:
|
|
ignore:
|
|
- agentics-maintenance.yml
|