litellm/.github
Cursor Agent 0bd9213d8d ci: add supply-chain guard to block fork PRs that modify dependencies
Add a new CI workflow that rejects pull requests from forks when they:
- Modify uv.lock (any change at all)
- Add new dependencies to any pyproject.toml file (root, litellm-proxy-extras, enterprise)

Security properties:
- Uses pull_request (not pull_request_target) so no secrets are exposed
- All action refs pinned to full SHA hashes
- persist-credentials: false on all checkouts
- permissions: {} (no GitHub token permissions)
- No user-controlled input in run: blocks (no script injection)
- Proper TOML parsing via stdlib tomllib (not regex on raw text)
- Only triggers when dependency files are actually changed (paths filter)

Internal PRs (from branches in the canonical repo) skip the job entirely.

Co-authored-by: Krrish Dholakia <krrish-berri-2@users.noreply.github.com>
2026-04-25 18:46:50 +00:00
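As an added illustration of the dependency check the commit message describes (a real TOML parse rather than a regex over raw text), not the workflow's own code: which pyproject.toml tables are covered and the sample base/head documents are assumptions.

```python
import re
import sys

try:
    import tomllib  # stdlib on Python 3.11+
except ImportError:  # older interpreters: the tomli backport has the same API
    import tomli as tomllib  # type: ignore

def _normalize(name: str) -> str:
    # PEP 503 normalisation so "Foo_Bar" and "foo-bar" compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def _req_name(req: str) -> str:
    # Bare distribution name from a PEP 508 string such as "pkg[extra]>=1; marker"
    return _normalize(re.split(r"[\s<>=!~;\[@]", req.strip(), maxsplit=1)[0])

def dependency_names(pyproject_text: str) -> set[str]:
    """Normalised dependency names declared in a pyproject.toml document.
    Assumed coverage: [project].dependencies, [project.optional-dependencies],
    [dependency-groups] and Poetry-style [tool.poetry.dependencies]."""
    data = tomllib.loads(pyproject_text)  # real TOML parser, not regex on raw text
    names: set[str] = set()
    project = data.get("project", {})
    names.update(_req_name(r) for r in project.get("dependencies", []))
    for reqs in project.get("optional-dependencies", {}).values():
        names.update(_req_name(r) for r in reqs)
    for reqs in data.get("dependency-groups", {}).values():
        names.update(_req_name(r) for r in reqs if isinstance(r, str))
    poetry_deps = data.get("tool", {}).get("poetry", {}).get("dependencies", {})
    names.update(_normalize(n) for n in poetry_deps if n != "python")
    return names

def added_dependencies(base_text: str, head_text: str) -> set[str]:
    """Names in head but not in base; a non-empty result is what blocks a fork PR."""
    return dependency_names(head_text) - dependency_names(base_text)

# Constructed sample: head bumps an existing pin (allowed) and adds a new
# package under an optional extra (flagged).
BASE = '[project]\nname = "demo"\ndependencies = ["httpx>=0.27"]\n'
HEAD = BASE.replace("0.27", "0.28") + (
    "[project.optional-dependencies]\n"
    "extra = [\"Some_New-Pkg[all]==1.0; python_version>='3.11'\"]\n"
)

if __name__ == "__main__":
    new = added_dependencies(BASE, HEAD)
    print("new dependencies:", sorted(new))  # -> ['some-new-pkg']
    sys.exit(1 if new else 0)
```

A version bump of an existing dependency is deliberately not flagged; only names absent from the base revision are, so the job fails exactly when a fork PR introduces a package.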