Codecov Report: ✅ All modified and coverable lines are covered by tests.
Pull request overview
This PR tightens dependency and CI supply-chain controls by adding an exclude-newer policy for uv and updating GitHub Actions to use setup-uv plus lockfile-frozen execution for linting/testing.
Changes:
- Add `uv` configuration to only install packages older than 3 days (exclude-newer) and record corresponding lockfile options.
- Update CI to use `astral-sh/setup-uv@v8.0.0`, replace the `pre-commit` GitHub Action with `uv run ...`, and run pytest with `--frozen`.
- Add explicit per-job GitHub token permissions for several CI jobs.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| uv.lock | Adds exclude-newer/span options to the lockfile to support time-based dependency cutoffs. |
| pyproject.toml | Configures uv to enforce a "3 days old" installation policy. |
| .github/workflows/ci.yml | Switches CI to setup-uv@v8.0.0, runs pre-commit/pytest via uv run --frozen, and scopes job permissions. |
| - name: Set up uv | ||
| uses: astral-sh/setup-uv@v8.0.0 | ||
| with: |
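Review bot: the `exclude-newer` policy added in pyproject.toml only governs Python packages that uv resolves; the `uses: astral-sh/setup-uv@v8.0.0` reference on the second line of this hunk sits outside it and resolves a movable tag at run time, so it needs its own pinning. Replace the tag with the full commit SHA and keep the version in a trailing comment (`uses: astral-sh/setup-uv@<full-sha> # v8.0.0`) so the reference is immutable while the intended release stays readable.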
For supply-chain hardening, astral-sh/setup-uv@v8.0.0 is still a mutable ref unless you pin the action to an exact commit SHA (tags can be moved/replaced). Consider switching to uses: astral-sh/setup-uv@<full-sha> (and optionally leaving the tag in a comment) to make the workflow reference itself immutable.
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| activate-environment: true | ||
| - run: uv pip install pip |
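Review bot: `uv pip install pip` on the last line writes into the environment activated by `activate-environment: true` without going through uv.lock, so the `--frozen` flag used on the later `uv run` steps gives no protection here and the resolved pip version can change from run to run. If pip is genuinely needed in CI, declare it as a (dev) dependency so it is recorded in uv.lock and installed by the frozen sync, then drop this step.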
uv pip install pip pulls an unpinned pip version at CI runtime, which makes the environment less reproducible and works against the new --frozen/lockfile approach. Consider removing this step, or pinning pip to a specific version that is accounted for in your tooling strategy (so CI doesn't drift or unexpectedly fail under the new exclude-newer policy).
| - run: uv pip install pip |
| contents: write | ||
| issues: write | ||
| pull-requests: write |
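Review bot: once a `permissions` block is present, every scope not listed defaults to `none`, so these three `write` grants are the entire reach of this job's GITHUB_TOKEN. For a job that only dry-runs, `contents: read` is normally enough, and `issues` and `pull-requests` can be omitted altogether unless a step actually comments on the PR or files an issue; tie each `write` that remains to the specific step that needs it.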
The PR-only test-release job grants broad write permissions (contents, issues, pull-requests). Given the steps are configured for no-op/dry-run (no push/tag/release), these should likely be reduced to the minimum required (typically read-only) to limit blast radius if a workflow run is compromised.
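To make the points raised in the review overview and the three inline comments above (SHA-pinned action refs, no ad-hoc unpinned installs beside `--frozen`, and least-privilege job permissions) checkable rather than only reviewable, here is an added example that is not part of this PR or of the project: a small line-based Python audit that flags those patterns in a workflow file. The workflow text, the job names, the placeholder SHA and the rule names are all constructed for the example; it deliberately avoids a YAML library, and it does not cover the `exclude-newer` policy, which lives in pyproject.toml rather than in the workflow.

```python
"""Static audit of a GitHub Actions workflow for the supply-chain controls
discussed in this PR: SHA-pinned action refs, lockfile-frozen uv runs,
no ad-hoc unpinned installs, and least-privilege GITHUB_TOKEN scopes.
Line-based on purpose so it needs no YAML library (added example, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the hunks in this PR; NOT the project's real ci.yml.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  lint-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Set up uv
        uses: astral-sh/setup-uv@v8.0.0
        with:
          activate-environment: true
      - run: uv pip install pip
      - run: uv run --frozen pytest
  test-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: uv run pre-commit run --all-files
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit SHA = immutable ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")          # action reference on a step
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.+?)\s*$")            # single-line run: command
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")  # a permissions scope line
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")             # job ids sit two spaces under "jobs:"


@dataclass(frozen=True)
class Finding:
    line: int
    job: str
    rule: str
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per line that violates a control, in file order."""
    findings: list[Finding] = []
    job, in_jobs = "<workflow>", False  # top-level permissions are reported under "<workflow>"
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("jobs:"):
            in_jobs = True
            continue
        m = JOB_RE.match(raw)
        if in_jobs and m:
            job = m.group(1)
            continue
        if m := USES_RE.match(raw):
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local or image refs carry no git tag to pin
            _, _, version = ref.rpartition("@")
            if not SHA_RE.match(version):
                findings.append(Finding(n, job, "unpinned-action",
                                        f"{ref} is a movable ref; pin it to a full commit SHA"))
        elif m := PERM_RE.match(raw):
            scope, level = m.groups()
            if level == "write":
                findings.append(Finding(n, job, "write-permission",
                                        f"{scope}: write widens the GITHUB_TOKEN blast radius"))
        elif m := RUN_RE.match(raw):
            cmd = m.group(1)
            argv = cmd.split()
            if cmd.startswith("uv pip install") and not any("==" in a for a in argv):
                findings.append(Finding(n, job, "unpinned-pip-install",
                                        "installs outside the lockfile at an unpinned version"))
            elif cmd.startswith("uv run") and "--frozen" not in argv:
                findings.append(Finding(n, job, "unfrozen-uv-run",
                                        "uv run without --frozen may update uv.lock at CI time"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3} [{f.job}] {f.rule}: {f.detail}")
```

Run it as a script to see the seven findings on the constructed sample, or call `audit_workflow()` on the contents of a real `.github/workflows/ci.yml`. Because it is line-based it only sees single-line `run:` commands; a multi-line `run: |` block would need a YAML parser, which is the trade-off for keeping the check dependency-free.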
| contents: write | |
| issues: write | |
| pull-requests: write | |
| contents: read | |
| issues: read | |
| pull-requests: read |
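Review bot: moving all three scopes to `read` is the right direction, but `issues: read` and `pull-requests: read` are only needed if a step calls those APIs; since unlisted scopes default to `none` once a `permissions` block exists, dropping those two lines leaves an even smaller token. `contents: read` on its own should cover a dry-run job that never pushes or tags.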
WDYT about this comment?
| contents: write | ||
| issues: write | ||
| pull-requests: write |
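Review bot: this job carries the same three `write` scopes as the dry-run job above; if this is the job that really pushes tags or publishes a release, `contents: write` is justified, but `issues: write` and `pull-requests: write` should each be traceable to a step that creates or edits issues or PR comments, and removed otherwise.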
WDYT about this comment?
Add some supply chain protections that help protect us from being a supply chain risk or falling victim to a supply chain risk.