
Commit ac0b261

Merge branch 'fastapi:master' into fix/cascade-delete-redundancy
2 parents 752a5f2 + 33fa827 commit ac0b261

27 files changed

Lines changed: 319 additions & 247 deletions

.github/DISCUSSION_TEMPLATE/questions.yml

Lines changed: 0 additions & 118 deletions
This file was deleted.

.github/FUNDING.yml

Lines changed: 0 additions & 1 deletion
This file was deleted.

.github/ISSUE_TEMPLATE/config.yml

Lines changed: 0 additions & 10 deletions
This file was deleted.

.github/ISSUE_TEMPLATE/privileged.yml

Lines changed: 0 additions & 22 deletions
This file was deleted.

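--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
 directory: /
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 commit-message:
 prefix:
 labels: [dependencies, internal]
@@ -13,6 +15,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+cooldown:
+default-days: 7
 commit-message:
 prefix:
 labels: [dependencies, internal]
@@ -21,6 +25,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+cooldown:
+default-days: 7
 commit-message:
 prefix:
 labels: [dependencies, internal]
@@ -33,6 +39,8 @@ updates:
 - /frontend
 schedule:
 interval: weekly
+cooldown:
+default-days: 7
 commit-message:
 prefix:
 labels: [dependencies, internal]
@@ -41,6 +49,17 @@ updates:
 directory: /
 schedule:
 interval: weekly
+cooldown:
+default-days: 7
+commit-message:
+prefix:
+labels: [dependencies, internal]
+- package-ecosystem: "pre-commit"
+directory: "/"
+schedule:
+interval: "daily"
+cooldown:
+default-days: 7
 commit-message:
 prefix:
 labels: [dependencies, internal]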
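Review bot: The new `pre-commit` entry (new lines 57–60 of the last hunk) quotes `"pre-commit"`, `"/"` and `"daily"`, while every other entry in the file writes the same values as plain scalars (`directory: /`, `interval: daily`). None of these values needs quoting, so `- package-ecosystem: pre-commit`, `directory: /` and `interval: daily` would match the file's existing style. The earlier hunks in this section only add the same `cooldown:` / `default-days: 7` pair and raise nothing further.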
Lines changed: 6 additions & 3 deletions
@@ -1,18 +1,21 @@
11
name: Add to Project
22

33
on:
4-
pull_request_target:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers]
55
issues:
66
types:
77
- opened
88
- reopened
99

10+
permissions: {}
11+
1012
jobs:
1113
add-to-project:
1214
name: Add to project
1315
runs-on: ubuntu-latest
16+
timeout-minutes: 5
1417
steps:
15-
- uses: actions/add-to-project@v1.0.2
18+
- uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
1619
with:
1720
project-url: https://github.com/orgs/fastapi/projects/2
18-
github-token: ${{ secrets.PROJECTS_TOKEN }}
21+
github-token: ${{ secrets.PROJECTS_TOKEN }} # zizmor: ignore[secrets-outside-env]

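--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -5,8 +5,11 @@ on:
 types:
 - published
 
+permissions: {}
+
 jobs:
 deploy:
+environment: production
 # Do not deploy in the main repository, only in user projects
 if: github.repository_owner != 'fastapi'
 runs-on:
@@ -27,6 +30,8 @@ jobs:
 SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} build
 - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} up -d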
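Review bot: The hardening in this hunk stops at the checkout step: the two `run:` lines that follow still expand `${{ secrets.STACK_NAME_PRODUCTION }}` directly into the shell command, the pattern zizmor's template-injection audit generally flags, and the value is string-spliced into the script rather than passed through the environment. Setting it once on the step with `env:` / `STACK_NAME: ${{ secrets.STACK_NAME_PRODUCTION }}` and using `--project-name "$STACK_NAME"` in both commands keeps the expansion out of the script text. The same applies to the second hunk of deploy-staging.yml with `STACK_NAME_STAGING`. The `deploy` job's body starts outside this hunk.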

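--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -5,8 +5,11 @@ on:
 branches:
 - master
 
+permissions: {}
+
 jobs:
 deploy:
+environment: staging
 # Do not deploy in the main repository, only in user projects
 if: github.repository_owner != 'fastapi'
 runs-on:
@@ -27,6 +30,8 @@ jobs:
 SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build
 - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d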

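--- a/.github/workflows/detect-conflicts.yml
+++ b/.github/workflows/detect-conflicts.yml
@@ -1,18 +1,21 @@
 name: "Conflict detector"
 on:
 push:
-pull_request_target:
+pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [synchronize]
 
+permissions: {}
+
 jobs:
 main:
 permissions:
 contents: read
 pull-requests: write
 runs-on: ubuntu-latest
+timeout-minutes: 5
 steps:
 - name: Check if PRs have merge conflicts
-uses: eps1lon/actions-label-merge-conflict@v3
+uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
 with:
 dirtyLabel: "conflicts"
 repoToken: "${{ secrets.GITHUB_TOKEN }}"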
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
name: Guard Dependencies
2+
3+
on:
4+
pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
5+
branches: [master]
6+
paths:
7+
- pyproject.toml
8+
- uv.lock
9+
10+
permissions:
11+
contents: read
12+
issues: write
13+
pull-requests: write
14+
15+
jobs:
16+
check-author:
17+
runs-on: ubuntu-latest
18+
steps:
19+
- name: Check if author is org member or allowed bot
20+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
21+
with:
22+
script: |
23+
const pr = context.payload.pull_request;
24+
const author = pr.user.login;
25+
const assoc = pr.author_association;
26+
27+
const botAllowlist = new Set(['dependabot[bot]']);
28+
const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
29+
30+
const allowed =
31+
botAllowlist.has(author) ||
32+
(assoc != null && orgAuthorAssociations.has(assoc));
33+
34+
if (!allowed) {
35+
await github.rest.issues.createComment({
36+
owner: context.repo.owner,
37+
repo: context.repo.repo,
38+
issue_number: context.payload.pull_request.number,
39+
body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
40+
});
41+
42+
await github.rest.pulls.update({
43+
owner: context.repo.owner,
44+
repo: context.repo.repo,
45+
pull_number: context.payload.pull_request.number,
46+
state: 'closed'
47+
});
48+
49+
core.setFailed('Dependency changes are restricted to organization members.');
50+
} else {
51+
console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
52+
}
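Review bot: The `check-author` job (new line 16) has no `timeout-minutes`, while this same commit adds `timeout-minutes: 5` to the add-to-project and detect-conflicts jobs; a github-script step that makes API calls can stall on the network, so `timeout-minutes: 5` next to `runs-on: ubuntu-latest` would keep the new workflow consistent with the others. The file header for this section is not visible in the page, so the path is not confirmed here. In the script, `pr` is already bound to `context.payload.pull_request`, so `issue_number` and `pull_number` can read `pr.number`, and the `assoc != null &&` guard is redundant because `Set.prototype.has` already returns false for `undefined`. The allow decision rests entirely on `author_association`; it is worth confirming against GitHub's documentation that members whose org membership is private are reported as `MEMBER` in the `pull_request_target` payload, since otherwise their dependency PRs would be commented on and auto-closed.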
