Files
pydantic--pydantic-ai/.github/workflows/pydantic-ai-ui-security-review.md
T
wehub-resource-sync 9201ef759e
CI / lint (push) Waiting to run
CI / mypy (push) Waiting to run
CI / docs (push) Waiting to run
CI / test on 3.10 (standard) (push) Waiting to run
CI / test on 3.11 (standard) (push) Waiting to run
CI / test on 3.12 (standard) (push) Waiting to run
CI / test on 3.10 (all-extras) (push) Waiting to run
CI / test on 3.11 (all-extras) (push) Waiting to run
CI / test on 3.12 (all-extras) (push) Waiting to run
CI / test on 3.13 (all-extras) (push) Waiting to run
CI / test on 3.14 (pydantic-evals) (push) Waiting to run
CI / test on 3.13 (standard) (push) Waiting to run
CI / test on 3.14 (standard) (push) Waiting to run
CI / test on 3.14 (all-extras) (push) Waiting to run
CI / test on 3.10 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.11 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.12 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.13 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.14 (pydantic-ai-slim) (push) Waiting to run
CI / test on 3.10 (pydantic-evals) (push) Waiting to run
CI / test on 3.11 (pydantic-evals) (push) Waiting to run
CI / test on 3.12 (pydantic-evals) (push) Waiting to run
CI / test on 3.13 (pydantic-evals) (push) Waiting to run
CI / test on 3.10 (lowest-versions) (push) Waiting to run
CI / test on 3.11 (lowest-versions) (push) Waiting to run
CI / test on 3.12 (lowest-versions) (push) Waiting to run
CI / test on 3.13 (lowest-versions) (push) Waiting to run
CI / test on 3.14 (lowest-versions) (push) Waiting to run
CI / test examples on 3.11 (push) Waiting to run
CI / test examples on 3.12 (push) Waiting to run
CI / test examples on 3.13 (push) Waiting to run
CI / test examples on 3.14 (push) Waiting to run
CI / coverage (push) Blocked by required conditions
CI / check (push) Blocked by required conditions
CI / deploy-docs (push) Blocked by required conditions
CI / deploy-docs-preview (push) Blocked by required conditions
CI / build release artifacts (push) Blocked by required conditions
CI / publish to PyPI (push) Blocked by required conditions
CI / Send tweet (push) Blocked by required conditions
Harness Compat / harness compat (push) Failing after 0s
chore: import upstream snapshot with attribution
2026-07-13 13:27:52 +08:00

7.2 KiB

emoji, name, description, on, if, permissions, concurrency, tools, safe-outputs, timeout-minutes, imports, pre-agent-steps, jobs
emoji name description on if permissions concurrency tools safe-outputs timeout-minutes imports pre-agent-steps jobs
🛡️ Pydantic AI UI Security Review Security review of UI-adapter PRs (Vercel AI + AG-UI): audits the client/server trust boundary for outbound leakage and inbound abuse. Inline comments + a non-voting COMMENT-type review summary (pydantic-ai-pr-review owns the merge-gate verdict until gh-aw check-runs land). Prompt iterable from a Logfire managed variable; read-only via gh-aw safe-outputs.
pull_request workflow_dispatch roles manual-approval
types
opened
synchronize
ready_for_review
admin
maintainer
write
ui-security-review
${{ needs.detect.outputs.touched == 'true' }}
contents pull-requests issues
read read read
group cancel-in-progress
${{ github.workflow }}-ui-security-review-${{ github.event.pull_request.number || github.ref }} true
github
mode toolsets
gh-proxy
pull_requests
repos
search
issues
footer activation-comments noop create-pull-request-review-comment submit-pull-request-review
false false
max
30
max
1
30
shared/network-vendor-domains.md
shared/otel-logfire.md
shared/tool-hints.md
shared/repo-context.md
shared/rigor.md
shared/review-context.md
shared/checkout.md
shared/engine-minimax.md
shared/pre-steps.md
shared/pre-agent-steps.md
name if env run
Gather PR review context ${{ github.event.pull_request.number }}
GH_TOKEN PR_NUMBER REPO
${{ github.token }} ${{ github.event.pull_request.number }} ${{ github.repository }}
set -uo pipefail script=scripts/gather-pydantic-ai-review-context.sh if [ -x "$script" ]; then "$script" "$PR_NUMBER" "$REPO" \ || echo "::warning::${script} failed; reviewer will run with less context" else echo "::warning::${script} not present; reviewer will run with less context" fi
detect fetch_dynamic_prompt
runs-on timeout-minutes permissions outputs steps
ubuntu-latest 5
contents pull-requests
read read
touched
${{ steps.filter.outputs.touched }}
name id if env run
Detect UI security paths in the PR filter ${{ github.event.pull_request.number }}
GH_TOKEN PR_NUMBER REPO
${{ github.token }} ${{ github.event.pull_request.number }} ${{ github.repository }}
set -euo pipefail files="$(gh api --paginate "repos/${REPO}/pulls/${PR_NUMBER}/files" --jq '.[].filename')" if printf '%s\n' "$files" | grep -qE '^(pydantic_ai_slim/pydantic_ai/ui/|pydantic_ai_slim/pydantic_ai/_ssrf.py$|pydantic_ai_slim/pydantic_ai/messages.py$|pydantic_ai_slim/pydantic_ai/common_tools/web_fetch.py$|docs/ui/|docs/input.md$|tests/test_vercel_ai.py$|tests/test_ag_ui.py$|tests/test_ui.py$|tests/test_ui_web.py$)'; then echo 'touched=true' >> "$GITHUB_OUTPUT" else echo 'touched=false' >> "$GITHUB_OUTPUT" fi
runs-on timeout-minutes permissions outputs steps
ubuntu-latest 5
contents
read
dynamic_prompt
${{ steps.resolve.outputs.dynamic_prompt }}
name uses with
Check out the prompt resolver action and default prompt actions/checkout@de0fac2e45
persist-credentials sparse-checkout sparse-checkout-cone-mode
false .github/actions/fetch-dynamic-prompt .github/workflows/shared/prompts/pydantic-ai-ui-security-review.md false
name id uses with
Resolve agent prompt (Logfire managed variable, else committed default) resolve ./.github/actions/fetch-dynamic-prompt
logfire-variable-key default-prompt-file logfire-read-key logfire-base-url
gh_aw_pydantic_ai_ui_security_review_prompt .github/workflows/shared/prompts/pydantic-ai-ui-security-review.md ${{ secrets.LOGFIRE_READ_EXTERNAL_VARIABLES }} ${{ secrets.LOGFIRE_URL || vars.LOGFIRE_URL || 'https://logfire-api.pydantic.dev' }}

${{ needs.fetch_dynamic_prompt.outputs.dynamic_prompt }}