From ec1b85f9e92f0521321da1046cf1a6b1156fc52c Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Wed, 10 Sep 2025 11:42:04 -0400
Subject: [PATCH 1/9] chore: add workflow to build and cache uv dependencies
---
.github/workflows/build-uv-cache.yml | 46 ++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/workflows/build-uv-cache.yml
diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml
new file mode 100644
index 0000000000..eaae045346
--- /dev/null
+++ b/.github/workflows/build-uv-cache.yml
@@ -0,0 +1,46 @@
+name: Build uv cache
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "uv.lock"
+ - "pyproject.toml"
+ pull_request:
+ paths:
+ - ".github/workflows/build-uv-cache.yml"
+ workflow_dispatch:
+
+jobs:
+ build-cache:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@v6
+ with:
+ version: "0.8.4"
+ python-version: ${{ matrix.python-version }}
+ enable-cache: false
+
+ - name: Install dependencies and populate cache
+ run: |
+ echo "Building global UV cache for Python ${{ matrix.python-version }}..."
+ uv sync --all-groups --all-extras --no-install-project
+ echo "Cache populated successfully"
+
+ - name: Save uv caches
+ uses: actions/cache/save@v4
+ with:
+ path: |
+ ~/.cache/uv
+ ~/.local/share/uv
+ .venv
+ key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
From d72f19678f35704644ed4a3d8723ebb58a1dff68 Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Wed, 10 Sep 2025 11:42:46 -0400
Subject: [PATCH 2/9] chore: update type-checker workflow to use cached dependencies
---
.github/workflows/type-checker.yml | 36 ++++++++++++++++++++++--------
1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/type-checker.yml b/.github/workflows/type-checker.yml
index a403aa3402..03a5841a0e 100644
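Review bot: The `Install dependencies and populate cache` step in build-uv-cache.yml runs `uv sync` without `--locked`, although the workflow also triggers on `pyproject.toml` changes and the cache is keyed on `hashFiles('uv.lock')`. With a stale lockfile uv can re-resolve and rewrite `uv.lock` during the run, so what gets cached is a resolution nobody committed or reviewed, and the PR workflows can still pick it up through their `restore-keys` prefix. Using `uv sync --locked --all-groups --all-extras --no-install-project` makes the job fail instead; the same applies to the install steps changed in type-checker.yml, tests.yml and linter.yml. Separately, because this job produces the environment that other jobs execute, the `uses:` references (`actions/checkout@v4`, `astral-sh/setup-uv@v6`, `actions/cache/save@v4`) would be safer pinned to full commit SHAs with the tag kept as a trailing comment.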
--- a/.github/workflows/type-checker.yml +++ b/.github/workflows/type-checker.yml @@ -3,7 +3,7 @@ name: Run Type Checks on: [pull_request] permissions: - contents: write + contents: read jobs: type-checker-matrix: @@ -20,19 +20,27 @@ jobs: with: fetch-depth: 0 # Fetch all history for proper diff + - name: Restore global uv cache + id: cache-restore + uses: actions/cache/restore@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-main-py${{ matrix.python-version }}- + - name: Install uv uses: astral-sh/setup-uv@v6 with: - enable-cache: true - cache-dependency-glob: | - **/pyproject.toml - **/uv.lock - - - name: Set up Python ${{ matrix.python-version }} - run: uv python install ${{ matrix.python-version }} + version: "0.8.4" + python-version: ${{ matrix.python-version }} + enable-cache: false - name: Install dependencies - run: uv sync --dev --all-extras --no-install-project + run: uv sync --all-groups --all-extras - name: Get changed Python files id: changed-files @@ -66,6 +74,16 @@ jobs: if: steps.changed-files.outputs.has_changes == 'false' run: echo "No Python files in src/ were modified - skipping type checks" + - name: Save uv caches + if: steps.cache-restore.outputs.cache-hit != 'true' + uses: actions/cache/save@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} + # Summary job to provide single status for branch protection type-checker: name: type-checker From b13b668cfd489f554b75d4d3eb4127ff58e69023 Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 11:43:10 -0400 Subject: [PATCH 3/9] chore: update tests workflow to use cached dependencies --- .github/workflows/tests.yml | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) 
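Review bot: The rewritten `Install dependencies` step in type-checker.yml drops `--no-install-project` (it now reads `uv sync --all-groups --all-extras`), so the project itself is installed into `.venv`, and the new `Save uv caches` step then stores that `.venv` under a key derived only from `uv.lock`. The cache builder and the linter both keep `--no-install-project`, so if the change here is not intentional the step should read `run: uv sync --all-groups --all-extras --no-install-project`. If the type checker does need the project installed, a short comment above the step saying so would keep the three workflows from drifting apart silently.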
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c5c577b109..a5b860c9e6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -3,7 +3,7 @@ name: Run Tests on: [pull_request] permissions: - contents: write + contents: read env: OPENAI_API_KEY: fake-api-key @@ -23,19 +23,27 @@ jobs: - name: Checkout code uses: actions/checkout@v4 + - name: Restore global uv cache + id: cache-restore + uses: actions/cache/restore@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-main-py${{ matrix.python-version }}- + - name: Install uv uses: astral-sh/setup-uv@v6 with: - enable-cache: true - cache-dependency-glob: | - **/pyproject.toml - **/uv.lock - - - name: Set up Python ${{ matrix.python-version }} - run: uv python install ${{ matrix.python-version }} + version: "0.8.4" + python-version: ${{ matrix.python-version }} + enable-cache: false - name: Install the project - run: uv sync --dev --all-extras + run: uv sync --all-groups --all-extras - name: Run tests (group ${{ matrix.group }} of 8) run: | @@ -48,3 +56,13 @@ jobs: --durations=10 \ -n auto \ --maxfail=3 + + - name: Save uv caches + if: steps.cache-restore.outputs.cache-hit != 'true' + uses: actions/cache/save@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} From 4dcae54be120aa2678a9958f0a6f15a923390de3 Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 11:43:28 -0400 Subject: [PATCH 4/9] chore: update linter workflow to use cached dependencies --- .github/workflows/linter.yml | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 3e76011778..87488b3a7f 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml 
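Review bot: The `Save uv caches` step in tests.yml is placed after `Run tests`, so on a cache miss the `.venv` and uv directories are archived only after pull-request code has run with write access to them. GitHub scopes caches written from a pull request to that pull request's ref, which limits the reach, but the entry still carries the `uv-main-` key name and is restored by later runs of the same PR. Leaving cache writes to build-uv-cache.yml on `main` and making the PR workflows restore-only (dropping this step) would be simpler; failing that, move the step directly after `Install the project`. The same step is appended in type-checker.yml and linter.yml.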
@@ -15,19 +15,27 @@ jobs: - name: Fetch Target Branch run: git fetch origin $TARGET_BRANCH --depth=1 + - name: Restore global uv cache + id: cache-restore + uses: actions/cache/restore@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py3.11-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-main-py3.11- + - name: Install uv uses: astral-sh/setup-uv@v6 with: - enable-cache: true - cache-dependency-glob: | - **/pyproject.toml - **/uv.lock - - - name: Set up Python - run: uv python install 3.11 + version: "0.8.4" + python-version: "3.11" + enable-cache: false - name: Install dependencies - run: uv sync --dev --no-install-project + run: uv sync --all-groups --all-extras --no-install-project - name: Get Changed Python Files id: changed-files @@ -45,3 +53,13 @@ jobs: | tr ' ' '\n' \ | grep -v 'src/crewai/cli/templates/' \ | xargs -I{} uv run ruff check "{}" + + - name: Save uv caches + if: steps.cache-restore.outputs.cache-hit != 'true' + uses: actions/cache/save@v4 + with: + path: | + ~/.cache/uv + ~/.local/share/uv + .venv + key: uv-main-py3.11-${{ hashFiles('uv.lock') }} From 7e4c4185d4564f5b59e73a5885fb693c2c49299d Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 11:43:55 -0400 Subject: [PATCH 5/9] chore: remove redundant security-checker workflow Ruff already includes bandit security rules (S prefix) making the separate security-checker workflow redundant --- .github/workflows/security-checker.yml | 29 -------------------------- 1 file changed, 29 deletions(-) delete mode 100644 .github/workflows/security-checker.yml diff --git a/.github/workflows/security-checker.yml b/.github/workflows/security-checker.yml deleted file mode 100644 index 5fcc47b71c..0000000000 --- a/.github/workflows/security-checker.yml +++ /dev/null 
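Review bot: The lint job in linter.yml still runs `uv run ruff check "{}"` only over the changed Python files and filters out `src/crewai/cli/templates/`, which matters because the next patch in this series deletes security-checker.yml on the grounds that Ruff's `S` rules replace Bandit. The removed job ran `bandit -c pyproject.toml -r src/ -ll` across the whole tree on every pull request; this workflow would only see findings in touched files, and whether `S` is selected in the Ruff configuration is not visible in this diff. It would be worth confirming the rule selection in `pyproject.toml` and adding a full-tree step such as `uv run ruff check --select S src/` before relying on this workflow for security linting. This hunk starts inside the `lint` job's step list, so the earlier steps are not shown.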
@@ -1,29 +0,0 @@ -name: Security Checker - -on: [pull_request] - -jobs: - security-check: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install uv - uses: astral-sh/setup-uv@v6 - with: - enable-cache: true - cache-dependency-glob: | - **/pyproject.toml - **/uv.lock - - - name: Set up Python - run: uv python install 3.11 - - - name: Install dependencies - run: uv sync --dev --no-install-project - - - name: Run Bandit - run: uv run bandit -c pyproject.toml -r src/ -ll - From 722b26a8e0ba14c6ce18d099c098010cfbc796c9 Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 11:51:58 -0400 Subject: [PATCH 6/9] test: trigger workflows to verify cache usage --- .github/workflows/build-uv-cache.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml index eaae045346..a7d1d26622 100644 --- a/.github/workflows/build-uv-cache.yml +++ b/.github/workflows/build-uv-cache.yml @@ -44,3 +44,4 @@ jobs: ~/.local/share/uv .venv key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} +# Testing cache From eab95a4c3fd8bee54f3e70f6ecdacbd3f605bf06 Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 11:57:54 -0400 Subject: [PATCH 7/9] Revert "test: trigger workflows to verify cache usage" This reverts commit 722b26a8e0ba14c6ce18d099c098010cfbc796c9. --- .github/workflows/build-uv-cache.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml index a7d1d26622..eaae045346 100644 --- a/.github/workflows/build-uv-cache.yml +++ b/.github/workflows/build-uv-cache.yml @@ -44,4 +44,3 @@ jobs: ~/.local/share/uv .venv key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }} -# Testing cache From 430d81eb97b60c16e09f375a40c0a8b85d25b06b Mon Sep 17 00:00:00 2001 
From: Greyson LaLonde Date: Wed, 10 Sep 2025 12:08:33 -0400 Subject: [PATCH 8/9] fix: add explicit permissions to workflows for security compliance --- .github/workflows/build-uv-cache.yml | 3 +++ .github/workflows/linter.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml index eaae045346..3ce4d8a9b7 100644 --- a/.github/workflows/build-uv-cache.yml +++ b/.github/workflows/build-uv-cache.yml @@ -12,6 +12,9 @@ on: - ".github/workflows/build-uv-cache.yml" workflow_dispatch: +permissions: + contents: read + jobs: build-cache: runs-on: ubuntu-latest diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 87488b3a7f..33a24b1c7e 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -2,6 +2,9 @@ name: Lint on: [pull_request] +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest From ed3db26cdd3c84fb0be690810774931754b195f1 Mon Sep 17 00:00:00 2001 From: Greyson LaLonde Date: Wed, 10 Sep 2025 12:38:51 -0400 Subject: [PATCH 9/9] chore: remove pull_request trigger from build-cache workflow --- .github/workflows/build-uv-cache.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml index 3ce4d8a9b7..ec0670c13b 100644 --- a/.github/workflows/build-uv-cache.yml +++ b/.github/workflows/build-uv-cache.yml @@ -7,9 +7,6 @@ on: paths: - "uv.lock" - "pyproject.toml" - pull_request: - paths: - - ".github/workflows/build-uv-cache.yml" workflow_dispatch: permissions: