The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Mar 26, 2026 0:48am

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Merging this PR will not alter performance

✅ 16 untouched benchmarks

_{Comparing litellm_gha_pin_helm (b90a0af) with main (0d2b454)}

Greptile Summary

This PR hardens the repository's CI/CD supply chain by pinning all GitHub Actions to specific commit SHAs instead of mutable version tags, preventing dependency substitution attacks. Eight workflow files are updated across automation, security scanning, benchmarking, and release workflows.

• Security improvement: All actions/checkout, actions/setup-python, actions/github-script, CodSpeedHQ/action, azure/setup-helm, github/codeql-action/*, and wow-actions/potential-duplicates usages are now pinned to immutable commit hashes with the version tag preserved as a comment for readability.
• Version upgrades alongside pinning: Several workflows also receive version upgrades (e.g. checkout@v2/v3 → v4.3.0, azure/setup-helm@v1 → v4.3.1), which is intentional and safe.
• New integrity verification step in helm_unit_test.yml: A shell-based check was added to verify the installed helm-unittest plugin's commit SHA — however, the plugin directory path $(helm env HELM_PLUGINS)/helm-unittest is incorrect; Helm names the directory after the plugin's name field in plugin.yaml, which for helm-unittest is unittest. This will cause the verification step (and the entire Helm unit test workflow) to fail on every run.

Confidence Score: 3/5

• Good security initiative, but the Helm plugin integrity check will break CI on every run until the directory name is corrected.
• The vast majority of the changes are a straightforward and correct application of SHA-pinning best practices. The one concrete bug — the helm-unittest vs unittest directory name in the plugin integrity verification step — will cause the Helm unit test job to always fail with a non-zero exit, blocking PRs and main pushes. This is not a critical security issue but is a clear CI reliability regression that should be fixed before merge.
• .github/workflows/helm_unit_test.yml — the PLUGIN_DIR variable on line 27 uses the wrong directory name.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event Trigger] --> B{Workflow}

    B --> C[helm_unit_test.yml]
    B --> D[codeql.yml]
    B --> E[codspeed.yml]
    B --> F[check_duplicate_issues.yml]
    B --> G[issue-keyword-labeler.yml / label-component.yml]
    B --> H[auto_update_price... / create_daily_staging...]

    C --> C1["actions/checkout@08eba0b # v4.3.0"]
    C1 --> C2["azure/setup-helm@1a275c3 # v4.3.1"]
    C2 --> C3["helm plugin install helm-unittest v0.4.4"]
    C3 --> C4["Verify plugin SHA\n(PLUGIN_DIR = HELM_PLUGINS/helm-unittest ❌\nshould be HELM_PLUGINS/unittest)"]
    C4 -->|"exit 1 — wrong path"| FAIL["CI Failure"]
    C4 -->|"if path correct"| C5["helm unittest tests"]

    D --> D1["actions/checkout@08eba0b # v4.3.0"]
    D1 --> D2["codeql-action/init@ebcb5b3 # v3"]
    D2 --> D3["codeql-action/analyze@ebcb5b3 # v3"]

    E --> E1["actions/checkout@08eba0b # v4.3.0"]
    E1 --> E2["setup-python@a26af69 # v5.6.0"]
    E2 --> E3["CodSpeedHQ/action@1c8ae48 # v4.12.1"]

    F --> F1["potential-duplicates@4d4ea03 # v1.1.0"]
    F1 --> F2["actions/checkout@08eba0b # v4.3.0"]
    F2 --> F3["setup-python@a26af69 # v5.6.0"]

    G --> G1["actions/checkout@08eba0b # v4.3.0"]
    G1 --> G2["actions/github-script@f28e40c # v7.1.0"]

    H --> H1["actions/checkout@08eba0b # v4.3.0"]

_{Reviews (2): Last reviewed commit: "remove extra @" | Re-trigger Greptile}