chore: secure github workflows #393

Open
safiya2610 wants to merge 3 commits into volcano-sh:main from safiya2610:secure-workflows

safiya2610 commented Jun 18, 2026

What type of PR is this?

/kind security /kind cleanup

What this PR does / why we need it:

This PR hardens our CI/CD infrastructure and aligns our GitHub Workflows with GitHub Security Best Practices. Specifically, it introduces the following enhancements:

  • Pin Actions to Full-Length Commit SHAs: Replaced mutable action tags (e.g., @v4) with immutable 40-character commit SHAs across all 14 workflow files to protect against tag-moving or hijacking.
  • Define Top-Level Permissions: Added explicit top-level permissions (permissions: contents: read) to workflows that lacked them, enforcing the Principle of Least Privilege.
  • Standardize Action Versions: Unified action versions across all workflows (e.g., standardizing on actions/setup-go@v5 and actions/setup-python@v5).
  • Configure Dependabot: Added a .github/dependabot.yml configuration to automatically track and update our pinned GitHub Actions on a weekly schedule.

Which issue(s) this PR fixes:

Fixes #392

Special notes for your reviewer:

The IMAGE_REGISTRY utilizes a dynamically formatted environment variable generated directly within the workflow via $GITHUB_ENV, so no manual UI setup is needed for that. The release workflows (dify-plugin-publish.yml and python-cli-publish.yml) will continue to require the pypi environment and PLUGIN_ACTION secret configured by maintainers at the repository level.
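
Added example (not part of this PR or of the agentcube repository): a short audit for the two properties the description above names, full-length SHA pinning of `uses:` references and a top-level `permissions:` block. The function names, the sample workflows and the 40-hex value are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", as a step ("- uses:") or a reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions ship with the repo; docker:// digests are out of scope here.
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.partition("@")[2]
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings

def has_top_level_permissions(workflow_text):
    """True if `permissions:` appears at column 0 (workflow level, not job level)."""
    return any(re.match(r"permissions\s*:", ln) for ln in workflow_text.splitlines())

# Constructed samples; the 40-hex value is a placeholder, not a real commit.
BEFORE = """\
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
"""
AFTER = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
"""
for label, text in (("before", BEFORE), ("after", AFTER)):
    print(label, unpinned_actions(text), has_top_level_permissions(text))
```

A short SHA or a branch name after `@` is reported the same way as a tag, since only a full 40-character commit SHA is immutable.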

Copilot AI review requested due to automatic review settings June 18, 2026 16:45
@volcano-sh-bot

@safiya2610: The label(s) kind/security, kind//kind cannot be applied, because the repository doesn't have them.

@volcano-sh-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevin-wangzefeng for approval. For more information see the Kubernetes Code Review Process.

@volcano-sh-bot

Welcome @safiya2610! It looks like this is your first PR to volcano-sh/agentcube 🎉

gemini-code-assist Bot left a comment

Code Review

This pull request adds a Dependabot configuration file to schedule weekly updates for GitHub Actions. The feedback suggests grouping these updates into a single weekly pull request using Dependabot's groups feature to avoid PR fatigue.

Comment thread .github/dependabot.yml Outdated

Copilot AI left a comment

Pull request overview

This PR hardens the repository’s CI/CD GitHub Actions setup by pinning third-party actions to immutable commit SHAs, setting explicit least-privilege workflow permissions, and adding Dependabot tracking for GitHub Actions updates.

Changes:

  • Pinned GitHub Actions uses: references from mutable tags to full-length commit SHAs across all workflows.
  • Added explicit top-level permissions blocks (generally contents: read) to align with least-privilege defaults.
  • Added .github/dependabot.yml to keep pinned GitHub Actions up to date on a weekly cadence.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

Summary per file

| File | Description |
| --- | --- |
| .github/workflows/workflows-approve.yml | Pins actions/github-script; workflow uses pull_request_target with explicit permissions. |
| .github/workflows/test-coverage.yml | Adds top-level permissions and pins checkout/paths-filter/setup-go/codecov/upload-artifact actions. |
| .github/workflows/python-sdk-tests.yml | Adds top-level permissions and pins checkout/paths-filter/setup-python. |
| .github/workflows/python-sdk-publish.yml | Adds top-level permissions and pins checkout/setup-python/pypi-publish. |
| .github/workflows/python-lint.yml | Adds top-level permissions and pins checkout/paths-filter/setup-python. |
| .github/workflows/python-cli-publish.yml | Adds top-level permissions and pins checkout/setup-python/pypi-publish. |
| .github/workflows/main.yml | Adds top-level permissions and pins checkout/docker buildx setup. |
| .github/workflows/lint.yml | Pins checkout/paths-filter/setup-go. |
| .github/workflows/e2e.yml | Adds top-level permissions and pins checkout/setup-python/setup-go/kind/upload-artifact. |
| .github/workflows/dify-plugin-publish.yml | Adds top-level permissions and pins checkout usages. |
| .github/workflows/copyright-check.yml | Adds top-level permissions and pins checkout/paths-filter. |
| .github/workflows/codespell.yml | Adds top-level permissions and pins checkout. |
| .github/workflows/codegen-check.yml | Adds top-level permissions and pins checkout/paths-filter/setup-go. |
| .github/workflows/build-push-release.yml | Adds top-level permissions and pins checkout/setup-go/docker/buildx/helm/login actions. |
| .github/dependabot.yml | Adds weekly Dependabot updates for the github-actions ecosystem. |

Comment thread .github/workflows/test-coverage.yml
Comment thread .github/workflows/python-sdk-tests.yml
Comment thread .github/workflows/python-lint.yml
Comment thread .github/workflows/codegen-check.yml
Comment thread .github/workflows/copyright-check.yml
Comment thread .github/workflows/workflows-approve.yml Outdated
@codecov-commenter

codecov-commenter commented Jun 18, 2026

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.52%. Comparing base (524e55e) to head (ed73d19).
⚠️ Report is 146 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #393       +/-   ##
===========================================
+ Coverage   47.57%   58.52%   +10.95%     
===========================================
  Files          30       37        +7     
  Lines        2819     3491      +672     
===========================================
+ Hits         1341     2043      +702     
+ Misses       1338     1238      -100     
- Partials      140      210       +70     
Flag Coverage Δ
unittests 58.52% <ø> (+10.95%) ⬆️

Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/build-push-release.yml
safiya2610 force-pushed the secure-workflows branch 3 times, most recently from 9ae5900 to 766d0cf, June 18, 2026 17:43

zhzhuang-zju left a comment

Thanks @safiya2610

Comment thread .github/dependabot.yml Outdated
Comment thread .github/workflows/build-push-release.yml Outdated
Comment thread .github/workflows/build-push-release.yml Outdated
Copilot AI review requested due to automatic review settings June 22, 2026 07:19

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/build-push-release.yml Outdated
Comment thread .github/workflows/build-push-release.yml

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/build-push-release.yml
safiya2610 commented Jun 22, 2026

@zhzhuang-zju Hello, the Codegen check is failing, not because of my code.
The go.sum file has an extra dependency (golang.org/x/oauth2 v0.36.0); our dependency tree only requires v0.32.0 (as specified in go.mod). That's why I ran the go mod tidy command.
And I have made changes according to your suggestion.
Also, I updated the commit SHA to 1a275c3b69536ee54be43f2070a358922e12c8d4, the commit SHA for the stable v4.3.1 release of azure/setup-helm.

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Signed-off-by: safiya2610 <lci2023053@iiitl.ac.in>
vanshika2720 added a commit to vanshika2720/agentcube that referenced this pull request Jun 22, 2026
go.mod pins golang.org/x/oauth2 at v0.32.0 (an indirect dependency via
github.com/coreos/go-oidc/v3). A stale v0.36.0 checksum pair was
introduced in commit e49e608 when the OIDC feature was merged without
running go mod tidy beforehand.

The codegen-check CI job executes 'make gen-check', which internally
runs 'go mod tidy' (via the generate target) and then checks
'git diff --exit-code'. Because go mod tidy removes the unreachable
v0.36.0 entry, the working tree is always dirty after code generation,
causing the check to fail with exit code 1.

This commit applies 'go mod tidy' to bring go.sum back in sync with
go.mod. No dependencies are added or changed; only the stale v0.36.0
checksum entries are removed.

Fixes the Codegen Check CI failure that blocks PR volcano-sh#393.

Signed-off-by: Vanshika <vanshika2720@github.com>
zhzhuang-zju commented Jun 23, 2026

> Hello, the Codegen check is failing, not because of my code.
> The go.sum file has an extra dependency (golang.org/x/oauth2 v0.36.0); our dependency tree only requires v0.32.0 (as specified in go.mod). That's why I ran the go mod tidy command.

@safiya2610 Sorry, I didn't quite catch that. Could you share the link to the failed CI run?

I see what's going on. I'll create a separate issue to track this problem.

@safiya2610

> > Hello, the Codegen check is failing, not because of my code.
> > The go.sum file has an extra dependency (golang.org/x/oauth2 v0.36.0); our dependency tree only requires v0.32.0 (as specified in go.mod). That's why I ran the go mod tidy command.
>
> @safiya2610 Sorry, I didn't quite catch that. Could you share the link to the failed CI run?
>
> I see what's going on. I'll create a separate issue to track this problem.

I have solved this.

@zhzhuang-zju

> I have solved this.

Yes, I noticed your commit removes extra entries from go.sum. However, this does not fully resolve the issue. As I mentioned in issue #401, we also need to fix the Codegen Check CI to prevent the same problem from recurring.

Since this is out of scope for the current PR, we can rebase after #399 gets merged.

zhzhuang-zju left a comment

Well done! @safiya2610
We need to wait for #399 to be merged and then rebase, others LGTM.

Comment thread .github/workflows/test-coverage.yml Outdated
Comment thread .github/workflows/workflows-approve.yml Outdated

permissions:
  contents: read
  pull-requests: read

If #399 ultimately removes the Filter paths step, we will be required to remove the pull-requests: read permission.

Author

sure, I will do.

Co-authored-by: zhzhuang-zju <m17799853869@163.com>
Signed-off-by: Safiya <147792763+safiya2610@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 23, 2026 10:12
Co-authored-by: zhzhuang-zju <m17799853869@163.com>
Signed-off-by: Safiya <147792763+safiya2610@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/build-push-release.yml

Successfully merging this pull request may close these issues.

[Umbrella][Infrastructure] Hardening GitHub Workflows
