dependabot[bot]
a77a000915
chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-29 02:19:12 +00:00
Affaan Mustafa
0a87323eda
feat(ecc2): finalize rc1 release surface
2026-04-28 22:10:04 -04:00
Affaan Mustafa
6b7bd7156c
fix: relax pnpm strict build checks in CI
2026-04-15 16:44:58 -07:00
Affaan Mustafa
8b5c0c1b07
fix: allow manual release workflow dispatch
2026-04-14 21:02:23 -07:00
Affaan Mustafa
b5c4d2beb9
fix: wire npm auth into release publish
2026-04-14 20:43:22 -07:00
Affaan Mustafa
34380326c8
fix: publish npm releases and clarify install identifiers
2026-04-14 20:42:28 -07:00
Affaan Mustafa
85e331e49a
Merge pull request #1369 from affaan-m/dependabot/github_actions/pnpm/action-setup-6.0.0
build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0
2026-04-13 01:05:16 -07:00
Affaan Mustafa
5c4570baa5
Merge pull request #1370 from affaan-m/dependabot/github_actions/softprops/action-gh-release-3.0.0
build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
2026-04-13 00:30:59 -07:00
Affaan Mustafa
1a950e4f83
fix: allow pnpm cache probe under node 18
2026-04-13 00:21:42 -07:00
Affaan Mustafa
ef7613c526
fix: use corepack pnpm on node 18
2026-04-13 00:17:17 -07:00
Affaan Mustafa
bd207aabe1
fix: use pnpm 9 for node 18 workflow jobs
2026-04-13 00:13:54 -07:00
Affaan Mustafa
6eadf786f5
fix: pin pnpm version for setup action v6
2026-04-13 00:10:39 -07:00
Affaan Mustafa
db8247d701
chore: update release action version comments
2026-04-12 23:54:26 -07:00
Affaan Mustafa
adb46a95a6
chore: update pnpm action version comments
2026-04-12 23:53:57 -07:00
Affaan Mustafa
48e5a1fa75
Merge pull request #1371 from affaan-m/dependabot/github_actions/actions/github-script-9.0.0
build(deps): bump actions/github-script from 8.0.0 to 9.0.0
2026-04-12 23:53:17 -07:00
Affaan Mustafa
2fb041c6de
Merge pull request #1368 from affaan-m/dependabot/github_actions/actions/upload-artifact-7.0.1
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
2026-04-12 23:53:01 -07:00
Affaan Mustafa
3792b69a38
fix: block unsafe privileged workflow checkouts
2026-04-12 23:23:01 -07:00
Affaan Mustafa
28edd197c2
fix: harden release surface version and packaging sync (#1388)
* fix: keep ecc release surfaces version-synced
* fix: keep lockfile release version in sync
* fix: remove release version drift from locks and tests
* fix: keep root release metadata version-synced
* fix: keep codex marketplace metadata version-synced
* fix: gate release workflows on full metadata sync
* fix: ship all versioned release metadata
* fix: harden manual release path
* fix: keep localized release docs version-synced
* fix: sync install architecture version examples
* test: cover shipped plugin metadata in npm pack
* fix: verify final npm payload in release script
* fix: ship opencode lockfile in npm package
* docs: sync localized release highlights
* fix: stabilize windows ci portability
* fix: tighten release script version sync
* fix: prefer repo-relative hook file paths
* fix: make npm pack test shell-safe on windows
2026-04-12 22:33:32 -07:00
dependabot[bot]
57de4129da
build(deps): bump actions/github-script from 8.0.0 to 9.0.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](ed597411d8...3a2844b7e9)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 9.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 04:52:39 +00:00
dependabot[bot]
5ae63b301f
build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.1 to 3.0.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](153bb8e044...b430933298)
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: 3.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 04:52:35 +00:00
dependabot[bot]
4b92288a27
build(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](fc06bc1257...08c4be7e2e)
---
updated-dependencies:
- dependency-name: pnpm/action-setup
dependency-version: 6.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 04:52:33 +00:00
dependabot[bot]
45faeb90a7
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 04:52:29 +00:00
Affaan Mustafa
4967dad08c
ci: gate releases on opencode payload verification
2026-04-06 14:08:08 -07:00
Affaan Mustafa
c2199710c2
chore: bump actions stale workflow
2026-04-05 15:22:27 -07:00
Affaan Mustafa
bf5961e8d1
fix: refresh existing monthly metrics snapshots
2026-04-05 15:15:56 -07:00
Affaan Mustafa
43ac81f1ac
fix: harden reusable release tag validation
2026-03-31 23:00:58 -07:00
dependabot[bot]
87363f0e59
chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 (#1060)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](34e114876b...de0fac2e45)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Affaan Mustafa <me@affaanmustafa.com>
2026-03-31 14:07:40 -07:00
dependabot[bot]
a1cebd29f7
chore(deps): bump actions/upload-artifact from 4.6.2 to 7.0.0 (#1061)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](ea165f8d65...bbbca2ddaa)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 14:06:07 -07:00
dependabot[bot]
09398b42c2
chore(deps): bump actions/setup-node from 4.4.0 to 6.3.0 (#1058)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](49933ea528...53b83947a5)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.3.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 14:06:02 -07:00
dependabot[bot]
d1e2209a52
chore(deps): bump actions/cache from 4.3.0 to 5.0.4 (#1057)
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](0057852bfa...668228422a)
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 5.0.4
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 14:04:33 -07:00
dependabot[bot]
cfb3476f02
chore(deps): bump actions/github-script from 7.1.0 to 8.0.0 (#1059)
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.1.0 to 8.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](f28e40c7f3...ed597411d8)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: 8.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-31 14:04:30 -07:00
Affaan Mustafa
6cc85ef2ed
fix: CI fixes, security audit, remotion skill, lead-intelligence, npm audit (#1039)
* fix(ci): resolve cross-platform test failures
- Sanity check script (check-codex-global-state.sh) now falls back to
grep -E when ripgrep is not available, fixing the codex-hooks sync
test on all CI platforms. Patterns converted to POSIX ERE for
portability.
- Unicode safety test accepts both / and \ path separators so the
executable-file assertion passes on Windows.
- Gacha test sets PYTHONUTF8=1 so Python uses UTF-8 stdout encoding on
Windows instead of cp1252, preventing UnicodeEncodeError on box-drawing
characters.
- Quoted-hook-path test skipped on Windows where NTFS disallows
double-quote characters in filenames.
* feat: port remotion-video-creation skill (29 rules), restore missing files
New skill:
- remotion-video-creation: 29 domain-specific Remotion rules covering 3D/Three.js,
animations, audio, captions, charts, compositions, fonts, GIFs, Lottie,
measuring, sequencing, tailwind, text animations, timing, transitions,
trimming, and video embedding. Ported from personal skills.
Restored:
- autonomous-agent-harness/SKILL.md (was in commit but missing from worktree)
- lead-intelligence/ (full directory restored from branch commit)
Updated:
- manifests/install-modules.json: added remotion-video-creation to media-generation
- README.md + AGENTS.md: synced counts to 139 skills
Catalog validates: 30 agents, 60 commands, 139 skills.
* fix(security): pin MCP server versions, add dependabot, pin github-script SHA
Critical:
- Pin all npx -y MCP server packages to specific versions in .mcp.json
to prevent supply chain attacks via version hijacking:
- @modelcontextprotocol/server-github@2025.4.8
- @modelcontextprotocol/server-memory@2026.1.26
- @modelcontextprotocol/server-sequential-thinking@2025.12.18
- @playwright/mcp@0.0.69 (was 0.0.68)
Medium:
- Add .github/dependabot.yml for weekly npm + github-actions updates
with grouped minor/patch PRs
- Pin actions/github-script to SHA (was @v7 tag, now pinned to commit)
* feat: add social-graph-ranker skill — weighted network proximity scoring
New skill: social-graph-ranker
- Weighted social graph traversal with exponential decay across hops
- Bridge Score: B(m) = Σ w(t) · λ^(d(m,t)-1) ranks mutuals by target proximity
- Extended Score incorporates 2nd-order network (mutual-of-mutual connections)
- Final ranking includes engagement bonus for responsive connections
- Runs in parallel with lead-intelligence skill for combined warm+cold outreach
- Supports X API + LinkedIn CSV for graph harvesting
- Outputs tiered action list: warm intros, direct outreach, network gap analysis
Added to business-content install module. Catalog validates: 30/60/140.
* fix(security): npm audit fix — resolve all dependency vulnerabilities
Applied npm audit fix --force to resolve:
- minimatch ReDoS (3 vulnerabilities, HIGH)
- smol-toml DoS (MODERATE)
- brace-expansion memory exhaustion (MODERATE)
- markdownlint-cli upgraded from 0.47.0 to 0.48.0
npm audit now reports 0 vulnerabilities.
* fix: resolve markdown lint and yarn lockfile sync
- MD047: ensure single trailing newline on all remotion rule files
- MD012: remove consecutive blank lines in lottie, measuring-dom-nodes, trimming
- MD034: wrap bare URLs in angle brackets (tailwind, transcribe-captions)
- yarn.lock: regenerated to sync with npm audit changes in package.json
* fix: replace unicode arrows in lead-intelligence (CI unicode safety check)
2026-03-31 15:08:55 -04:00
Affaan Mustafa
866d9ebb53
fix: harden unicode safety checks
2026-03-29 21:21:18 -04:00
Andriy Kalashnykov
46f37ae4fb
chore: pin actions to commit SHAs and add Skills section to CLAUDE.md
Pin all GitHub Actions to commit SHAs instead of mutable version tags
across ci.yml, release.yml, maintenance.yml, and all reusable workflows.
This prevents supply-chain attacks via tag hijacking.
Add the required Skills section to CLAUDE.md mapping project files
(README.md, .github/workflows/*.yml) to their respective review skills.
2026-03-29 17:16:56 -04:00
dagecko
28a1fbc3f2
fix: pin 6 actions to commit SHA, extract 1 expression to env var
2026-03-28 15:57:55 -04:00
to.watanabe
d8e3b9d593
fix(ci): remove --ignore-engines for Yarn Berry (v4+)
Yarn Berry removed the --ignore-engines flag; engine checking is no
longer a core feature. The deprecated flag causes yarn install to exit
with error code 1.
2026-03-28 12:27:04 +09:00
to.watanabe
7148d9006f
fix(ci): enable Corepack for yarn and relax pnpm strict mode
All 18 pnpm/yarn CI jobs fail on main because:
1. pnpm v9+ refuses to install when package.json declares
"packageManager": "yarn@4.9.2" — fixed by setting
COREPACK_ENABLE_STRICT=0 and --no-frozen-lockfile
2. CI runners only have Yarn Classic (v1.x) but the project
uses Yarn Berry (v4.x) — fixed by activating Corepack
before the cache/install steps
2026-03-28 12:27:04 +09:00
Affaan Mustafa
7726c25e46
fix(ci): restore validation and antigravity target safety
2026-03-23 14:29:21 -07:00
alfraido86-jpg
3b2e1745e9
chore(config): governance and config foundation (#292)
* chore(config): governance and config foundation (PR #272 split 1/6)
Add repository governance and configuration files:
- CODEOWNERS: review authority model
- ISSUE_TEMPLATE: Copilot task template
- PULL_REQUEST_TEMPLATE: comprehensive review checklist
- .env.example: environment variable documentation
- .tool-versions: asdf/mise compatibility (Node 20, Python 3.12)
- .gitignore: expanded coverage (build, test, Python, tmp)
- .markdownlint.json: add MD009 trailing whitespace rule
- VERSION: 0.1.0
This is PR 1 of 6 from the PR #272 decomposition plan.
Dependency chain: PR-1 → PR-2 → PR-3 → PR-4/5/6 (parallel)
* chore(config): remove fork-specific CODEOWNERS from upstream PR
CODEOWNERS references @alfraido86-jpg (fork owner). Submitting this to
upstream would override @affaan-m's review authority. CODEOWNERS belongs
in the fork only, not in upstream contributions.
Ref: SAM finding F9 (run-048 audit)
* chore: address CodeRabbit review feedback on PR #292
- Scope markdownlint config to repo files (globs pattern)
- Add pre-commit hook checkbox to PR template
Ref: CodeRabbit review on PR #292
* fix(config): address CodeRabbit nitpicks N2 and N3
N2: Move pre-commit hooks checkbox higher in security checklist.
N3: Replace global MD009 disable with scoped config (br_spaces: 2).
* fix(config): use recursive glob for node_modules exclusion (N4)
2026-03-16 13:39:03 -07:00
Justin Philpott
01ed1b3b03
fix(ci): enforce catalog count integrity (#525)
* fix(ci): enforce catalog count integrity
* test: harden catalog structure parsing
2026-03-16 13:37:51 -07:00
Affaan Mustafa
4fa817cd7d
ci: install validation deps for hook checks
2026-03-10 20:14:18 -07:00
Affaan Mustafa
5fe40f4a63
docs: add sponsorship playbook and monthly metrics automation
2026-03-04 16:17:12 -08:00
Affaan Mustafa
48b883d741
feat: deliver v1.8.0 harness reliability and parity updates
2026-03-04 14:48:06 -08:00
Pangerkumzuk Longkumer
bc64712b5d
Delete .github/workflows/copilot-setup-steps.yml (#319)
2026-03-02 21:58:20 -08:00
Harry Kwok
5818e8adc7
feat: project-scoped instinct isolation
* feat: add project-scoped instinct isolation
* fix(continuous-learning-v2): harden instinct loading and promotion safety; sync v2.1 command docs
* fix(ci): make copilot-setup-steps a valid GitHub Actions workflow
* fix(hooks): stabilize docs warning inline JS regex parsing
2026-03-01 12:07:13 -08:00
Affaan Mustafa
1fa22efd90
chore: clean up FUNDING.yml format
2026-02-28 10:09:51 -08:00
anthropic-code-agent[bot]
00464b6f60
Fix failing workflows: trim action in getCommandPattern and remove broken AgentShield scan
Co-authored-by: pangerlkr <73515951+pangerlkr@users.noreply.github.com>
2026-02-18 08:06:25 +00:00
copilot-swe-agent[bot]
90e6a8c63b
Fix copilot-setup-steps.yml and address PR review comments
Co-authored-by: pangerlkr <73515951+pangerlkr@users.noreply.github.com>
2026-02-18 07:22:05 +00:00
Pangerkumzuk Longkumer
fdda6cbcd9
Merge branch 'main' into main
2026-02-17 07:00:12 +05:30
Pangerkumzuk Longkumer
4d98d9f125
Add Go environment setup step to workflow
Added a step to set up the Go environment in GitHub Actions workflow.
2026-02-16 07:10:39 +05:30