chore: add build-cache, update jobs, remove redundant security check

- Build and cache uv dependencies; update type-checker, tests, and linter to use cache - Remove separate security-checker - Add explicit workflow permissions for compliance - Remove pull_request trigger from build-cache workflow
2025-12-15 20:08:29 +00:00 · 2025-09-10 13:02:24 -04:00
parent c3ad5887ef
commit 01be26ce2a
5 changed files with 129 additions and 55 deletions
--- a/.github/workflows/build-uv-cache.yml
+++ b/.github/workflows/build-uv-cache.yml
@@ -0,0 +1,46 @@
+name: Build uv cache
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-cache:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false
+
+      - name: Install dependencies and populate cache
+        run: |
+          echo "Building global UV cache for Python ${{ matrix.python-version }}..."
+          uv sync --all-groups --all-extras --no-install-project
+          echo "Cache populated successfully"
+
+      - name: Save uv caches
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -2,6 +2,9 @@ name: Lint

 on: [pull_request]

+permissions:
+  contents: read
+
 jobs:
  lint:
    runs-on: ubuntu-latest
@@ -15,19 +18,27 @@ jobs:
      - name: Fetch Target Branch
        run: git fetch origin $TARGET_BRANCH --depth=1

+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py3.11-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py3.11-
+
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python
-        run: uv python install 3.11
+          version: "0.8.4"
+          python-version: "3.11"
+          enable-cache: false

      - name: Install dependencies
-        run: uv sync --dev --no-install-project
+        run: uv sync --all-groups --all-extras --no-install-project

      - name: Get Changed Python Files
        id: changed-files
@@ -45,3 +56,13 @@ jobs:
            | tr ' ' '\n' \
            | grep -v 'src/crewai/cli/templates/' \
            | xargs -I{} uv run ruff check "{}"
+
+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py3.11-${{ hashFiles('uv.lock') }}
--- a/.github/workflows/security-checker.yml
+++ b/.github/workflows/security-checker.yml
@@ -1,29 +0,0 @@
-name: Security Checker
-
-on: [pull_request]
-
-jobs:
-  security-check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python
-        run: uv python install 3.11
-
-      - name: Install dependencies
-        run: uv sync --dev --no-install-project
-
-      - name: Run Bandit
-        run: uv run bandit -c pyproject.toml -r src/ -ll
-
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,7 +3,7 @@ name: Run Tests
 on: [pull_request]

 permissions:
-  contents: write
+  contents: read

 env:
  OPENAI_API_KEY: fake-api-key
@@ -23,19 +23,27 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py${{ matrix.python-version }}-
+
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false

      - name: Install the project
-        run: uv sync --dev --all-extras
+        run: uv sync --all-groups --all-extras

      - name: Run tests (group ${{ matrix.group }} of 8)
        run: |
@@ -48,3 +56,13 @@ jobs:
            --durations=10 \
            -n auto \
            --maxfail=3
+
+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
--- a/.github/workflows/type-checker.yml
+++ b/.github/workflows/type-checker.yml
@@ -3,7 +3,7 @@ name: Run Type Checks
 on: [pull_request]

 permissions:
-  contents: write
+  contents: read

 jobs:
  type-checker-matrix:
@@ -20,19 +20,27 @@ jobs:
        with:
          fetch-depth: 0 # Fetch all history for proper diff

+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py${{ matrix.python-version }}-
+
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false

      - name: Install dependencies
-        run: uv sync --dev --all-extras --no-install-project
+        run: uv sync --all-groups --all-extras

      - name: Get changed Python files
        id: changed-files
@@ -66,6 +74,16 @@ jobs:
        if: steps.changed-files.outputs.has_changes == 'false'
        run: echo "No Python files in src/ were modified - skipping type checks"

+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+
  # Summary job to provide single status for branch protection
  type-checker:
    name: type-checker