fix(security): verify langchain scope chain cryptographically #655
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: "3.11" | |
| - name: Install ruff | |
| run: pip install --require-hashes --no-cache-dir -r requirements/ci-lint.txt | |
| - name: Lint ${{ matrix.package }} | |
| run: ruff check packages/${{ matrix.package }}/src/ --select E,F,W --ignore E501 | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance] | |
| python-version: ["3.11", "3.12"] | |
| include: | |
| - package: agent-os | |
| python-version: "3.10" | |
| - package: agent-sre | |
| python-version: "3.10" | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install ${{ matrix.package }} | |
| working-directory: packages/${{ matrix.package }} | |
| run: | | |
| pip install --no-cache-dir -e ".[dev]" 2>/dev/null || pip install --no-cache-dir -e ".[test]" 2>/dev/null || pip install --no-cache-dir -e . | |
| pip install --no-cache-dir pytest==8.4.1 pytest-asyncio==0.26.0 2>/dev/null || true | |
| - name: Test ${{ matrix.package }} | |
| working-directory: packages/${{ matrix.package }} | |
| run: pytest tests/ -q --tb=short | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: "3.11" | |
| - name: Install safety | |
| run: | | |
| pip install --no-cache-dir safety==3.2.1 | |
| - name: Check dependencies | |
| env: | |
| GIT_TERMINAL_PROMPT: "0" | |
| run: | | |
| for pkg in agent-os agent-mesh agent-hypervisor agent-sre agent-compliance; do | |
| echo "=== $pkg ===" | |
| cd packages/$pkg | |
| pip install --no-cache-dir -e . 2>/dev/null || true | |
| cd ../.. | |
| done | |
| safety check 2>/dev/null || echo "Safety check completed with warnings" | |
| test-dotnet: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | |
| with: | |
| dotnet-version: "8.0.x" | |
| - name: Build .NET SDK | |
| working-directory: packages/agent-governance-dotnet | |
| run: dotnet build --configuration Release --verbosity quiet | |
| - name: Test .NET SDK | |
| working-directory: packages/agent-governance-dotnet | |
| run: dotnet test --configuration Release --verbosity normal --no-build | |
| test-integrations: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - package: a2a-protocol | |
| import-module: a2a_agentmesh | |
| - package: crewai-agentmesh | |
| import-module: crewai_agentmesh | |
| - package: dify-plugin | |
| import-module: provider | |
| - package: flowise-agentmesh | |
| import-module: flowise_agentmesh | |
| - package: haystack-agentmesh | |
| import-module: haystack_agentmesh | |
| - package: langchain-agentmesh | |
| import-module: langchain_agentmesh | |
| - package: langflow-agentmesh | |
| import-module: langflow_agentmesh | |
| - package: langgraph-trust | |
| import-module: langgraph_trust | |
| - package: llamaindex-agentmesh | |
| import-module: llama_index.agent.agentmesh | |
| - package: mcp-trust-proxy | |
| import-module: mcp_trust_proxy | |
| - package: nostr-wot | |
| import-module: agentmesh_nostr_wot | |
| - package: openai-agents-agentmesh | |
| import-module: openai_agents_agentmesh | |
| - package: openai-agents-trust | |
| import-module: openai_agents_trust | |
| - package: pydantic-ai-governance | |
| import-module: pydantic_ai_governance | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: "3.11" | |
| - name: Install ${{ matrix.package }} | |
| working-directory: packages/agentmesh-integrations/${{ matrix.package }} | |
| run: | | |
| pip install --no-cache-dir -e ".[dev]" 2>/dev/null || pip install --no-cache-dir -e ".[test]" 2>/dev/null || pip install --no-cache-dir -e . | |
| pip install --no-cache-dir pytest==8.4.1 pytest-asyncio==0.26.0 2>/dev/null || true | |
| - name: Validate Python syntax | |
| working-directory: packages/agentmesh-integrations/${{ matrix.package }} | |
| run: | | |
| python -c " | |
| import ast, glob, sys | |
| errors = 0 | |
| for f in glob.glob('**/*.py', recursive=True): | |
| try: | |
| with open(f) as fh: | |
| ast.parse(fh.read(), f) | |
| except SyntaxError as e: | |
| print(f'FAIL {f}: {e}') | |
| errors += 1 | |
| if errors: | |
| sys.exit(1) | |
| print('All Python files parse successfully') | |
| " | |
| - name: Smoke test — import ${{ matrix.import-module }} | |
| run: python -c "import ${{ matrix.import-module }}" | |
| continue-on-error: true | |
| - name: Run tests | |
| working-directory: packages/agentmesh-integrations/${{ matrix.package }} | |
| run: | | |
| if [ -d tests ]; then | |
| pytest tests/ -q --tb=short | |
| else | |
| echo "No tests/ directory — smoke import passed" | |
| fi | |
| dependency-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | |
| with: | |
| python-version: "3.11" | |
| - name: Dependency confusion scan | |
| run: python scripts/check_dependency_confusion.py --strict | |
| - name: Notebook pip-install audit | |
| run: | | |
| python -c " | |
| import json, glob, sys, re | |
| REGISTERED = { | |
| 'agent-os-kernel','agentmesh-platform','agent-hypervisor', | |
| 'agentmesh-runtime','agent-sre','agent-governance-toolkit', | |
| 'agentmesh-lightning','agentmesh-marketplace', | |
| 'pydantic','pyyaml','cryptography','pynacl','click','rich', | |
| 'httpx','aiohttp','fastapi','uvicorn','structlog','numpy', | |
| 'scipy','openai','anthropic','langchain','crewai', | |
| } | |
| bad = [] | |
| for nb in glob.glob('**/*.ipynb', recursive=True): | |
| if 'node_modules' in nb or '.ipynb_checkpoints' in nb: | |
| continue | |
| try: | |
| cells = json.load(open(nb))['cells'] | |
| except Exception: | |
| continue | |
| for c in cells: | |
| for line in c.get('source', []): | |
| if 'pip install' in line and not line.strip().startswith('#'): | |
| pkgs = re.findall(r'(?:pip install\s+)(.+)', line) | |
| if pkgs: | |
| for p in pkgs[0].split(): | |
| name = re.sub(r'\[.*\]', '', p).strip() | |
| if (name and not name.startswith('-') and not name.startswith('.') | |
| and not name.startswith('http') and name not in REGISTERED | |
| and not name.startswith('--')): | |
| bad.append(f'{nb}: {name}') | |
| if bad: | |
| print('UNREGISTERED PACKAGES IN NOTEBOOKS:') | |
| for b in bad: | |
| print(f' {b}') | |
| sys.exit(1) | |
| print(f'OK: All notebook pip install packages are registered') | |
| " | |
| workflow-security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Audit pull_request_target workflows | |
| run: | | |
| echo "=== Checking pull_request_target safety ===" | |
| UNSAFE=0 | |
| for f in .github/workflows/*.yml; do | |
| if grep -q 'pull_request_target' "$f"; then | |
| # Only flag if actions/checkout has ref: pointing to head (unsafe) | |
| # Uses awk to check checkout blocks specifically, not unrelated lines | |
| if awk '/actions\/checkout/{found=1} found && /ref:.*head\.(ref|sha)/{print; exit 1}' "$f" 2>/dev/null; then | |
| echo "UNSAFE: $f checks out PR head in pull_request_target context" | |
| UNSAFE=1 | |
| else | |
| echo "OK: $f (pull_request_target, base-only checkout)" | |
| fi | |
| fi | |
| done | |
| if [ $UNSAFE -eq 1 ]; then exit 1; fi | |
| test-integrations-ts: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: "20" | |
| - name: Install mastra-agentmesh | |
| working-directory: packages/agentmesh-integrations/mastra-agentmesh | |
| run: npm ci 2>/dev/null || npm install | |
| - name: Lint mastra-agentmesh | |
| working-directory: packages/agentmesh-integrations/mastra-agentmesh | |
| run: npm run lint 2>/dev/null || true | |
| - name: Test mastra-agentmesh | |
| working-directory: packages/agentmesh-integrations/mastra-agentmesh | |
| run: npm test | |
| - name: Install copilot-governance | |
| working-directory: packages/agentmesh-integrations/copilot-governance | |
| run: npm ci 2>/dev/null || npm install | |
| - name: Lint copilot-governance | |
| working-directory: packages/agentmesh-integrations/copilot-governance | |
| run: npm run lint 2>/dev/null || true | |
| - name: Test copilot-governance | |
| working-directory: packages/agentmesh-integrations/copilot-governance | |
| run: npm test |