37 changes: 10 additions & 27 deletions .github/workflows/ci.yml
Expand Up @@ -8,7 +8,6 @@ on:

permissions:
contents: read

concurrency:
group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
Expand All @@ -18,8 +17,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
- uses: bufbuild/buf-action@v1
Unpinned action reference will fail security guardrails

High Severity

bufbuild/buf-action@v1 uses a mutable tag instead of a full SHA pin. Every other action in this file is pinned to a 40-character commit hash. The project's own workflow-security-guardrails job runs check-workflow-security-baseline.sh with ENFORCE_SHA_PINS: 'true', which will reject any uses: reference that isn't a full-length SHA — so this PR will fail that CI gate.


with:
setup_only: true
token: ${{ secrets.BUF_TOKEN }}
github_token: ${{ github.token }}
- run: buf lint

Expand All @@ -30,8 +31,10 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
- uses: bufbuild/buf-action@v1
with:
setup_only: true
token: ${{ secrets.BUF_TOKEN }}
github_token: ${{ github.token }}
- run: git fetch origin main:main
- run: buf breaking --against '.git#branch=main'
Expand All @@ -40,8 +43,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
- uses: bufbuild/buf-action@v1
with:
setup_only: true
token: ${{ secrets.BUF_TOKEN }}
github_token: ${{ github.token }}
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
Expand Down Expand Up @@ -72,49 +77,27 @@ jobs:
needs: generate
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
with:
github_token: ${{ github.token }}
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 20
cache: npm
- run: npm ci
- run: buf generate --timeout 10m
- name: Check generated code is up to date
run: |
if [ -n "$(git status --porcelain gen/)" ]; then
echo "Generated code is out of date. Run 'buf generate' and commit the result."
git diff gen/
exit 1
fi
- run: npm run check:package

python-package:
runs-on: ubuntu-latest
needs: generate
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
with:
github_token: ${{ github.token }}
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.12"
- run: python -m pip install --upgrade build pip
- run: buf generate --timeout 10m
- name: Check generated code is up to date
run: |
if [ -n "$(git status --porcelain gen/)" ]; then
echo "Generated code is out of date. Run 'buf generate' and commit the result."
git diff gen/
exit 1
fi
- run: python -m build
- name: Smoke install generated Python wheel
run: |
python -m venv .venv-smoke
. .venv-smoke/bin/activate
python -m pip install --upgrade pip
python -m pip install dist/*.whl
python -c "from agents.v1.agents_pb2 import Agent; from config.v1.config_pb2 import FeatureFlagSnapshot; from events.v1.cloudevent_pb2 import CloudEvent; from workflows.v1.workflows_pb2 import WorkflowRun; assert Agent.DESCRIPTOR.full_name == 'agents.v1.Agent'; assert FeatureFlagSnapshot.DESCRIPTOR.full_name == 'config.v1.FeatureFlagSnapshot'; assert CloudEvent.DESCRIPTOR.full_name == 'events.v1.CloudEvent'; assert WorkflowRun.DESCRIPTOR.full_name == 'workflows.v1.WorkflowRun'"
python -c "from agents.v1.agents_pb2 import Agent; from config.v1.config_pb2 import FeatureFlagSnapshot; from events.v1.cloudevent_pb2 import CloudEvent; from traces.v1.traces_pb2 import TraceSummary; from workflows.v1.workflows_pb2 import WorkflowRun; assert Agent.DESCRIPTOR.full_name == 'agents.v1.Agent'; assert FeatureFlagSnapshot.DESCRIPTOR.full_name == 'config.v1.FeatureFlagSnapshot'; assert CloudEvent.DESCRIPTOR.full_name == 'events.v1.CloudEvent'; assert TraceSummary.DESCRIPTOR.full_name == 'traces.v1.TraceSummary'; assert WorkflowRun.DESCRIPTOR.full_name == 'workflows.v1.WorkflowRun'"
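Review bot: `token: ${{ secrets.BUF_TOKEN }}` is now supplied to buf-action in the lint job (the `with:` block under `- uses: bufbuild/buf-action@v1` in the first hunk) and again in the breaking and generate jobs, although `buf lint` and `buf breaking --against '.git#branch=main'` work from the checkout and may not need a BSR credential at all. If buf.yaml pulls no private BSR modules in those two jobs, scope the secret to the job that actually needs it (presumably generate — confirm), so the credential is not present in jobs that never use it. On pull_request runs from forks the secret expands to an empty string, so whether buf-action tolerates an empty `token` on those runs should be verified rather than assumed; a comment such as `# BUF_TOKEN: BSR access only; empty on fork PRs` next to the input would make that explicit. The node-package and python-package hunk also drops the "Check generated code is up to date" step from both jobs; the generate job's hunk is cut off above, so it is not visible here whether that check still runs there. The jobs' `on:`/`needs:` context begins above these hunks.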
4 changes: 4 additions & 0 deletions package.json
Expand Up @@ -98,6 +98,10 @@
"types": "./gen/dist/tap/v1/event_pb.d.ts",
"import": "./gen/dist/tap/v1/event_pb.js"
},
"./traces/v1/traces_pb": {
"types": "./gen/dist/traces/v1/traces_pb.d.ts",
"import": "./gen/dist/traces/v1/traces_pb.js"
},
"./workflows/v1/workflows_pb": {
"types": "./gen/dist/workflows/v1/workflows_pb.d.ts",
"import": "./gen/dist/workflows/v1/workflows_pb.js"