chore: add build-cache, update jobs, remove redundant security check

greysonlalonde · web-flow · commit 01be26ce2ad7 · 2025-09-10T13:02:24.000-04:00
- Build and cache uv dependencies; update type-checker, tests, and linter to use cache  
- Remove separate security-checker
- Add explicit workflow permissions for compliance  
- Remove pull_request trigger from build-cache workflow
diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml
@@ -0,0 +1,46 @@
+name: Build uv cache
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-cache:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false
+
+      - name: Install dependencies and populate cache
+        run: |
+          echo "Building global UV cache for Python ${{ matrix.python-version }}..."
+          uv sync --all-groups --all-extras --no-install-project
+          echo "Cache populated successfully"
+
+      - name: Save uv caches
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -2,6 +2,9 @@ name: Lint
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -15,19 +18,27 @@ jobs:
       - name: Fetch Target Branch
         run: git fetch origin $TARGET_BRANCH --depth=1
 
+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py3.11-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py3.11-
+
       - name: Install uv
         uses: astral-sh/setup-uv@v6
         with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python
-        run: uv python install 3.11
+          version: "0.8.4"
+          python-version: "3.11"
+          enable-cache: false
 
       - name: Install dependencies
-        run: uv sync --dev --no-install-project
+        run: uv sync --all-groups --all-extras --no-install-project
 
       - name: Get Changed Python Files
         id: changed-files
@@ -45,3 +56,13 @@ jobs:
             | tr ' ' '\n' \
             | grep -v 'src/crewai/cli/templates/' \
             | xargs -I{} uv run ruff check "{}"
+
+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py3.11-${{ hashFiles('uv.lock') }}
diff --git a/.github/workflows/security-checker.yml b/.github/workflows/security-checker.yml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -3,7 +3,7 @@ name: Run Tests
 on: [pull_request]
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   OPENAI_API_KEY: fake-api-key
@@ -23,19 +23,27 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py${{ matrix.python-version }}-
+
       - name: Install uv
         uses: astral-sh/setup-uv@v6
         with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false
 
       - name: Install the project
-        run: uv sync --dev --all-extras
+        run: uv sync --all-groups --all-extras
 
       - name: Run tests (group ${{ matrix.group }} of 8)
         run: |
@@ -48,3 +56,13 @@ jobs:
             --durations=10 \
             -n auto \
             --maxfail=3
+
+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
diff --git a/.github/workflows/type-checker.yml b/.github/workflows/type-checker.yml
@@ -3,7 +3,7 @@ name: Run Type Checks
 on: [pull_request]
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   type-checker-matrix:
@@ -20,19 +20,27 @@ jobs:
         with:
           fetch-depth: 0 # Fetch all history for proper diff
 
+      - name: Restore global uv cache
+        id: cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-main-py${{ matrix.python-version }}-
+
       - name: Install uv
         uses: astral-sh/setup-uv@v6
         with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/pyproject.toml
-            **/uv.lock
-
-      - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+          version: "0.8.4"
+          python-version: ${{ matrix.python-version }}
+          enable-cache: false
 
       - name: Install dependencies
-        run: uv sync --dev --all-extras --no-install-project
+        run: uv sync --all-groups --all-extras
 
       - name: Get changed Python files
         id: changed-files
@@ -66,6 +74,16 @@ jobs:
         if: steps.changed-files.outputs.has_changes == 'false'
         run: echo "No Python files in src/ were modified - skipping type checks"
 
+      - name: Save uv caches
+        if: steps.cache-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.local/share/uv
+            .venv
+          key: uv-main-py${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
+
   # Summary job to provide single status for branch protection
   type-checker:
     name: type-checker
