chore: secure github workflows #393

Open
safiya2610 wants to merge 2 commits into volcano-sh:main from safiya2610:secure-workflows

@safiya2610 safiya2610 commented Jun 18, 2026

What type of PR is this?

/kind security /kind cleanup

What this PR does / why we need it:

This PR hardens our CI/CD infrastructure and aligns our GitHub Workflows with GitHub Security Best Practices. Specifically, it introduces the following enhancements:

  • Pin Actions to Full-Length Commit SHAs: Replaced mutable action tags (e.g., @v4) with immutable 40-character commit SHAs across all 14 workflow files to protect against tag-moving or hijacking.
  • Define Top-Level Permissions: Added explicit top-level permissions (permissions: contents: read) to workflows that lacked them, enforcing the Principle of Least Privilege.
  • Standardize Action Versions: Unified action versions across all workflows (e.g., standardizing on actions/setup-go@v5 and actions/setup-python@v5).
  • Configure Dependabot: Added a .github/dependabot.yml configuration to automatically track and update our pinned GitHub Actions on a weekly schedule.

Which issue(s) this PR fixes:

Fixes #392

Special notes for your reviewer:

The IMAGE_REGISTRY utilizes a dynamically formatted environment variable generated directly within the workflow via $GITHUB_ENV, so no manual UI setup is needed for that. The release workflows (dify-plugin-publish.yml and python-cli-publish.yml) will continue to require the pypi environment and PLUGIN_ACTION secret configured by maintainers at the repository level.
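
A minimal audit for the two workflow properties the description above lists (full-length SHA pins and a top-level permissions block), added here as an illustration; it is not part of the PR or the repository. The name `audit_workflow` and both sample workflows are constructed, and the pinned SHA is the one shown on the checkout line quoted further down this page.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (unpinned, has_permissions) for the text of one workflow file."""
    unpinned, has_permissions = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"permissions\s*:", line):  # column 0 means top-level key
            has_permissions = True
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not an action reference, or a local/container one
        ref = m.group(1)
        if not SHA_RE.fullmatch(ref.partition("@")[2]):
            unpinned.append((lineno, ref))  # tag, branch, short SHA or no ref
    return unpinned, has_permissions

# Constructed sample: mutable tags and no top-level permissions.
BEFORE = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - uses: actions/setup-go@v5
"""

# Constructed sample: SHA pin as quoted on this page, plus contents: read.
AFTER = """\
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
    for path in sorted(Path(".github/workflows").glob("*.y*ml")):
        print(path, audit_workflow(path.read_text()))
```

A permissions block nested under a job is deliberately not counted, because the PR's claim is about the workflow-wide default.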

Copilot AI review requested due to automatic review settings June 18, 2026 16:45
@volcano-sh-bot

@safiya2610: The label(s) kind/security, kind//kind cannot be applied, because the repository doesn't have them.

@volcano-sh-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevin-wangzefeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@volcano-sh-bot

Welcome @safiya2610! It looks like this is your first PR to volcano-sh/agentcube 🎉

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds a Dependabot configuration file to schedule weekly updates for GitHub Actions. The feedback suggests grouping these updates into a single weekly pull request using Dependabot's groups feature to avoid PR fatigue.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/dependabot.yml
Comment on lines +3 to +6
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"

medium

With 14 workflow files, updating pinned GitHub Actions individually can quickly create a high volume of pull requests and cause PR fatigue. It is highly recommended to group all GitHub Actions updates into a single weekly pull request using Dependabot's groups feature.

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"

Copilot AI left a comment

Pull request overview

This PR hardens the repository’s CI/CD GitHub Actions setup by pinning third-party actions to immutable commit SHAs, setting explicit least-privilege workflow permissions, and adding Dependabot tracking for GitHub Actions updates.

Changes:

  • Pinned GitHub Actions uses: references from mutable tags to full-length commit SHAs across all workflows.
  • Added explicit top-level permissions blocks (generally contents: read) to align with least-privilege defaults.
  • Added .github/dependabot.yml to keep pinned GitHub Actions up to date on a weekly cadence.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| .github/workflows/workflows-approve.yml | Pins actions/github-script; workflow uses pull_request_target with explicit permissions. |
| .github/workflows/test-coverage.yml | Adds top-level permissions and pins checkout/paths-filter/setup-go/codecov/upload-artifact actions. |
| .github/workflows/python-sdk-tests.yml | Adds top-level permissions and pins checkout/paths-filter/setup-python. |
| .github/workflows/python-sdk-publish.yml | Adds top-level permissions and pins checkout/setup-python/pypi-publish. |
| .github/workflows/python-lint.yml | Adds top-level permissions and pins checkout/paths-filter/setup-python. |
| .github/workflows/python-cli-publish.yml | Adds top-level permissions and pins checkout/setup-python/pypi-publish. |
| .github/workflows/main.yml | Adds top-level permissions and pins checkout/docker buildx setup. |
| .github/workflows/lint.yml | Pins checkout/paths-filter/setup-go. |
| .github/workflows/e2e.yml | Adds top-level permissions and pins checkout/setup-python/setup-go/kind/upload-artifact. |
| .github/workflows/dify-plugin-publish.yml | Adds top-level permissions and pins checkout usages. |
| .github/workflows/copyright-check.yml | Adds top-level permissions and pins checkout/paths-filter. |
| .github/workflows/codespell.yml | Adds top-level permissions and pins checkout. |
| .github/workflows/codegen-check.yml | Adds top-level permissions and pins checkout/paths-filter/setup-go. |
| .github/workflows/build-push-release.yml | Adds top-level permissions and pins checkout/setup-go/docker/buildx/helm/login actions. |
| .github/dependabot.yml | Adds weekly Dependabot updates for the github-actions ecosystem. |

Comment thread .github/workflows/test-coverage.yml
Comment thread .github/workflows/python-sdk-tests.yml
Comment thread .github/workflows/python-lint.yml
Comment thread .github/workflows/codegen-check.yml
Comment thread .github/workflows/copyright-check.yml
Comment thread .github/workflows/workflows-approve.yml
@codecov-commenter

codecov-commenter commented Jun 18, 2026

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.96%. Comparing base (524e55e) to head (766d0cf).
⚠️ Report is 127 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #393       +/-   ##
===========================================
+ Coverage   47.57%   57.96%   +10.39%     
===========================================
  Files          30       34        +4     
  Lines        2819     3181      +362     
===========================================
+ Hits         1341     1844      +503     
+ Misses       1338     1153      -185     
- Partials      140      184       +44     
Flag Coverage Δ
unittests 57.96% <ø> (+10.39%) ⬆️

Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.

steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
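Review bot: The replacement `uses:` line in the Checkout step moves from `actions/checkout@v3` to a commit annotated `# v4.3.1`, so a major-version upgrade is folded into what is presented as a pinning change. Please call the v3 to v4 bump out in the PR description, or split it into its own commit, so that any behaviour change in the step can be bisected separately from the pin. Also confirm that the 40-character SHA resolves to the tag named in the trailing comment, since that comment is the only human-readable version information left on the line.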
safiya2610 force-pushed the secure-workflows branch 2 times, most recently from 2c9ddb6 to 9ae5900 (June 18, 2026 17:37)
Signed-off-by: safiya2610 <lci2023053@iiitl.ac.in>
Signed-off-by: safiya2610 <lci2023053@iiitl.ac.in>
Development

Successfully merging this pull request may close these issues.

[Umbrella][Infrastructure] Hardening GitHub Workflows