chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0#8
Merged
GitCmurf merged 1 commit intoMay 13, 2026
Merged
Conversation
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...a309ff8) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
GitCmurf
approved these changes
May 13, 2026
dependabot
Bot
deleted the
dependabot/github_actions/actions/setup-python-6.2.0
branch
May 13, 2026 12:28
GitCmurf
added a commit
that referenced
this pull request
Jun 23, 2026
* docs: next phase planning docs * docs: iteration r1 * docs: CC revision, adding CI env-var awareness * docs: CC revision r3 * docs: CC revision r4 * docs: CC revision r5 * docs: CC revision r6 * docs: CC revision r7 * feat(t0): v0.5.0 fixture catalogue + PLAN-005 governance (REVREM-PLAN-005 T0) Stand up the shared inputs every v0.5.0 read-only consumer (revrem report, the GitHub Action) reads from a finished run directory. - Register PLAN-005 in the governed planning tree: move docs/next-steps-v0.5.0.md -> docs/05-planning/plan-005-next-steps-v0.5.0.md (meminit check green; document_id REVREM-PLAN-005 preserved). - Assemble a finished-run fixture catalogue under tests/fixtures/runs/<scenario>/ co-locating summary.json + events.jsonl for 8 terminal-state scenarios: clear, findings_remediated, findings_remaining, timeout, check_failure, cost_ceiling, cancelled, all_suppressed. These did not exist as combined run dirs before (summary/events fixtures were split across two trees with mismatched names); the four scenarios that had no summary are authored to summary-v1 shape with final_status/stopped_reason matching their events. - Add tests/support/run_fixtures.py::load_run(name) so downstream tests address a scenario by stable name. - Add tests/test_run_fixtures.py: meta-test asserting every scenario has both files and that summary validates against summary-v1 and events against events-v1 (25 cases, reusing the _compat_jsonschema validator). - Update REVREM-TEST-001: reference the catalogue and record the v0.5.0 report + Action success metrics. Gate: pytest (1300+ pass; 1 pre-existing env failure unrelated to T0 — test_cli_config_commands shells out to bare 'python' absent in WSL), ruff clean, mypy clean, lint-imports green (9 contracts), meminit check green (only a pre-existing FRONTMATTER_MISSING on an unrelated handoff doc), git diff --check clean. All fixture files verified LF-clean (no CRLF) for golden determinism. * feat(t1): revrem report subcommand — static HTML + JSON index (REVREM-PLAN-005 T1) Add a read-only subcommand that renders a finished run's summary.json + events.jsonl into a single self-contained HTML file, or a machine-readable JSON index. Never invokes a model or touches the network (gate G5). - src/code_review_loop/report_html.py: pure render_report(summary, events, *, redact=True) -> str and build_report_index(...) -> dict. Plain HTML5 + inline <style>, no JS/external assets, html.escape on all interpolation. Redaction on by default for anything leaving the run dir (gate G7). Deterministic: timestamps read from inputs (never now()), filesystem paths normalized via PurePosixPath so os.sep never leaks (Contract #9). - src/code_review_loop/cli/commands/report.py: command handler mirroring replay.py + bundle.py redaction-pair enforcement (--no-redact requires --i-understand-the-risks, exit 4). HTML writes via write_text_artifact (atomic); --format json prints canonical JSON to stdout (--output ignored). Truncated/malformed events render what is available + warn + exit 0 (the report is diagnostic). - cli/args.py: parse_report_args (run_dir, --output/-o, --format {html,json}, --no-redact, --i-understand-the-risks). registry.py: register 'report'. - docs/52-api/schemas/report-index-v1.schema.json + _history baseline: the frozen cross-boundary contract (Contract #8) describing the index's fields and nullability (cost_usd null for fake harness; top_findings [] when none; artifact_paths {} when unavailable). Auto-covered by the schema-parity test. - Tests: test_report_html.py (render over all 8 fixtures, determinism, no-CRLF, self-containment, redaction default, CLI exit codes, truncated tolerance, index required-keys + nullability); test_report_json.py (every index validates vs schema, --format json to stdout, --output ignored, golden snapshot of the clear-run index). test_cli_dispatch.py updated for the new subcommand. - Docs: DEVEX-001 'Static HTML report' subsection + version history; README Key Features bullet. Gate: 1371 passed (1 pre-existing env failure in test_cli_config_commands unrelated to T1); ruff, mypy, lint-imports (9 contracts), meminit check (only a pre-existing unrelated FRONTMATTER_MISSING), git diff --check all clean. * feat(t2): report body sections + golden HTML + determinism guards (REVREM-PLAN-005 T2) Fill the report body with the substance a reviewer wants and lock it with byte-stable golden files. - report_html.py: add four body sections rendered honestly from summary/events data (or 'unavailable' when absent): * Findings & triage: configured findings (severity, path, summary, f1: fingerprint) from status_classification events; suppressed findings with provenance; pointer to triage-N.json when present. * Checks: command/status/message/iteration from check_result events. * Cost & budget: tokens, USD, charge events, ceiling breach. Unreported costs render 'not reported', never a fabricated 0 (renders null honestly). * Diff stats: only from in-artifact data; absent -> 'diff stats unavailable for this run'. The report NEVER shells out to git. Also render tokens dict as key=value pairs instead of a raw repr. - tests/golden/report/: committed golden HTML for 6 fixtures (clear, findings_remediated, findings_remaining, check_failure, cost_ceiling, all_suppressed), byte-stable across runs and platforms. - test_report_html.py: golden comparison with REVREM_UPDATE_SNAPSHOTS=1 regeneration affordance; cross-platform guards asserting the committed goldens contain no CRLF and no backslash path separators (durable on the golden, not just the live render); content assertions for each terminal state (remediated shows the passing check + clear; all_suppressed shows the stop reason; cost_ceiling shows the breach + error badge; null cost renders 'not reported' not 0; diff stats 'unavailable' path). - DEVEX-001: expand the report subsection with a description of each body section in order, plus the determinism/stability note (HTML layout not a stable contract until 0.9.0; only report-index-v1 fields are versioned). Gate: 1388 passed (1 pre-existing env failure unrelated to T2); ruff, mypy, lint-imports (9 contracts), git diff --check all clean. * feat(t3): headless/CI output hardening — --no-tty + CI=true (REVREM-PLAN-005 T3) A CI run must produce ANSI-free stderr with no flags beyond what the provider sets automatically. Add a single suppression gate, progress.force_terminal(), that fires on either --no-tty or the CI env var (set automatically by GitHub Actions and most other providers). - progress.py: force_terminal(no_tty) helper returning isatty and not CI and not no_tty. Thread no_tty into both Console sites (_console_and_text, rich_live_progress); rich_live_progress now accepts an optional no_tty kwarg (backward compatible). - adapters/terminal.py: terminal_title_supported now returns False when config.no_tty or CI is set. This guards the /dev/tty write path, which a stderr-capture test would miss because /dev/tty exists on many CI runners regardless of isatty(). - Threading (additive throughout): OutputConfig.no_tty (routing_types) + OUTPUT_KEYS 'no_tty' (profiles) + LoopConfig.no_tty (config) + config_builder pick(args.no_tty, profile.output.no_tty, False) + args.py --no-tty flag (store_true) + runner.py passes config.no_tty into rich_live_progress. Also exposed as an additive profile key [output] no_tty. - tests/test_headless_output.py (19 cases): force_terminal unit tests (--no-tty, any CI value, isatty baseline); terminal_title_supported gate tests; rich_live_progress ANSI-free-under-no_tty; end-to-end test driving a real loop (rich progress + no_tty) asserting zero CSI bytes on captured stderr; documented exit-code mapping stability (0/2/3/4/5). - DEVEX-001: headless/CI guidance + recommended invocation (--progress-style compact --no-tty --summary-format json) + always-write- before-exit note; version history. Gate: 1407 passed (1 pre-existing env failure unrelated to T3); ruff, mypy, lint-imports (9 contracts), devex-doc version check all clean. * feat(t4): reference GitHub Action + idempotent PR comment (REVREM-PLAN-005 T4) A composite Action that runs a revrem profile on a PR, uploads a redacted HTML report, and posts a single updatable PR comment. Depends on T2 (report) + T3 (headless stability). - action.yml: composite action. Inputs: base, profile, max-iterations, max-wall-seconds, max-usd, max-tokens, checks (newline list), comment, upload-artifacts, raw-artifacts, fail-on-findings, install-mode (pypi|local), revrem-version. Does NOT checkout (caller must, fetch-depth:0); verifies base ref (exit 4 if absent). Runs revrem headless (--no-tty --progress-style compact --summary-format json); splits 'checks' via a bash while-read into repeated --check flags (never interpolates the joined string = injection vector). Two-stage guard: parse JSON stdout first, then read artifact_dir (never glob .revrem/runs/); fast-fail exit 4 if revrem crashed pre-summary. Always render/upload/comment when RUN_DIR discovered regardless of exit; maps exit code LAST (0 pass; 2 fail-on-findings gate; 3 budget; 4/5 error). Fork-PR safe: comment step gated on head.repo.fork != 'true' (never pull_request_target). Comment script invoked via ${{ github.action_path }} prefix for external users. - scripts/ci/post_pr_comment.py (stdlib only): pure build_comment_body(index) separated from the HTTP layer. Reads the already-redacted revrem-report.json via json.load; marker <!-- revrem-report --> update-or-create; body bounded (top 5 findings, fixed summary rows); never embeds raw model output/stderr; degraded generic comment when report unreadable. - .github/workflows/revrem-pr.yml: dogfood workflow (local install, dogfood profile), least-privilege (contents:read, pull-requests:write). - tests/support/fake_github_api.py: http.server stub for GET comments + POST/ PATCH comment (records requests, no network). - tests/test_post_pr_comment.py (13 cases): pure body builder (marker, status, findings, cost n/a when null, run url, never-embeds-secrets-by-design); posting vs stub (create-then-update idempotency, marker is the key, unrelated comment untouched, comment-before-fail ordering, main reads report + posts, degraded on unreadable, requires credentials). - tests/test_action_yaml.py (10 cases): action.yml + workflow parse; structural contract (composite runs, required inputs, pypi/local modes, headless json invocation, artifact_dir discovery not globbing, checks splitting, fork gate, exit mapping is last step, action_path prefix, dogfood local install). - README + DEVEX-001: Hands-off CI section (usage, least-privilege, fork model, redacted upload, generic-provider path); version history. Gate: 1430 passed (1 pre-existing env failure unrelated to T4); ruff, mypy, lint-imports (9 contracts), devex-doc version check all clean. action.yml + revrem-pr.yml parse as valid YAML (10 structural tests). * release(t13): cut v0.5.0 (REVREM-PLAN-005 T13) The 'showcase & hands-off adoption' release: Tier 1 (Pillars A+B) of REVREM-PLAN-005 — static HTML report, headless/CI hardening, and the reference GitHub Action. Pillars C (expert profiles) and D (DevEx) deferred to v0.5.x; T12 (TUI real runs) deferred to v0.6.0 per the plan's decision gate. - Version 0.4.0 -> 0.5.0 in pyproject.toml AND src/code_review_loop/__init__.py (release.yml validates the tag against __init__.__version__). - action.yml default revrem-version -> 0.5.0. - CHANGELOG [0.5.0]: Added (report, report-index-v1 schema, GitHub Action, --no-tty + CI detection, run fixture catalogue); Changed (recommended CI invocation); Stability (frozen schemas + summary/events; Preview report HTML layout + expert-profile surface); Deferred (Pillar C/D to v0.5.x, T12 to v0.6.0). - Fix: the golden-HTML test compared against tests/golden/report/ but the path resolved to a stray top-level golden/, so the comparison was a no-op (always re-wrote and passed). Correct _GOLDEN_DIR to tests/golden/report/; regenerate the committed goldens so they now genuinely pin the render (and embed 0.5.0). Remaining (manual, before tagging): dry-run release.yml; >=1 live dogfood run (revrem --profile dogfood) with revrem report rendering it; live observation that the Action posts a single idempotent PR comment within ~5 min on a real PR. These are recorded in the CHANGELOG and cannot be automated here. Gate: 1430+ passed (1 pre-existing env failure in test_cli_config_commands); ruff, mypy, lint-imports (9 contracts), meminit check (only a pre-existing unrelated FRONTMATTER_MISSING), git diff --check all clean. * fix(c1): render findings from triage-N.json::confirmed_findings (P0-1) The headline defect from peer review: the renderer derived findings from status_classification events whose payload was assumed to be severity-keyed lists. That shape does not exist in the engine — real status_classification payload is {message, summary} (verified across .revrem/runs/). Real confirmed findings live in triage-N.json::confirmed_findings. Result before this fix: findings section, finding_counts, and top_findings were empty on every real run, and the PR comment reported 0 findings. Tests were green only because the T0 fixtures were hand-authored to match the renderer's assumptions, not the engine's contract (self-confirming goldens). - report_html.py: add triage_findings param to render_report and build_report_index. Source confirmed/suppressed findings from parsed triage payloads (_flatten_confirmed_findings / _flatten_suppressed_findings). finding_counts and top_findings now derive from triage confirmed_findings (severity, affected_paths, summary, fingerprint, rationale), not the status_classification event. The renderer stays pure — it receives parsed triage, never reads disk. - cli/commands/report.py: _load_triage_findings loads triage-N.json from summary.artifact_paths.triage (relative to run dir; highest N authoritative), threads parsed findings into both render paths. Missing/unreadable triage is skipped gracefully. - Red gate: tests/test_report_real_findings.py + a real-shaped findings_with_triage fixture (status_classification payload {message,summary} — no severities; triage-1.json with one confirmed medium finding). Was red before this commit for exactly the right reason; now green. Registered as a standing gate in REVREM-TEST-001 (C5). - Fixtures made representative: all_suppressed + findings_remaining now carry triage-1.json with confirmed/suppressed findings (findings_remaining had a triage-less summary despite its name). findings_with_triage is a new fixture whose status_classification matches the real engine shape. - Regenerated goldens: findings_remaining.html now shows the finding (fingerprint + summary), not 'No configured findings recorded'. Verified against ground truth: real status_classification payloads across .revrem/runs/ carry only {message, summary}; real findings live in triage-N.json with keys confirmed_findings/rejected_findings/needs_more_info/ suppressed_findings, each finding {severity, summary, affected_paths, fingerprint, rationale}. Gate: 1433 passed (1 pre-existing env failure unrelated); ruff, mypy, lint-imports (9 contracts) clean. * fix(c2): remove dead phase_config section (P0-2) _phase_config_rows read summary.phase_config, but summary-v1 has no such key (0 matches in the schema; verified). The section returned '' on every run — dead code that faithfully implemented a plan referencing a nonexistent field. The header already shows the real top-level summary.harness. - report_html.py: delete _phase_config_rows and its call in render_report. - test_report_html.py: assert the header renders summary.harness and that no 'Phase configuration' section appears. - Regenerated goldens (section removed). Gate: ruff, mypy clean; report tests green. * fix(c3): wire github-token input for the PR comment (P0-3) The comment step read GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}, but GITHUB_TOKEN is not a default env var for composite actions and the dogfood workflow never set it. So env.GITHUB_TOKEN resolved empty -> post_pr_comment.py hit its 'required' guard and exited 1; no comment was ever posted. The test suite missed this because test_post_pr_comment.py called post_or_update_comment directly, bypassing action.yml's wiring. - action.yml: add a github-token input defaulting to ${{ github.token }} (composite actions can't read secrets, so the caller passes it in). The comment step now reads GITHUB_TOKEN: ${{ inputs.github-token }}. The dogfood workflow needs no extra secret wiring (defaults to the automatic token). - test_action_yaml.py: assert the github-token input exists and defaults to github.token; assert the comment step's GITHUB_TOKEN comes from inputs.github-token, NOT env.GITHUB_TOKEN (the original bug). Live verification (a comment actually posts on a PR) is a manual gate recorded in C7 and the CHANGELOG. * fix(c4): render checks from summary.iterations[].checks[] (engine real source) The checks section previously read only check_result events. The engine's authoritative check record is summary.iterations[].checks[] ({command, status, artifact}) — verified across real .revrem/runs/. Now source from the summary, falling back to check_result events for older runs that carry none. - report_html.py: _checks_section takes summary, iterates iterations[].checks[] (command/status/artifact link/iteration), falling back to check_result events. Column renamed Message->Artifact (the real field). - findings_with_triage fixture: add a real-shaped summary check (ruff check ., passed, check-1-1.txt artifact) so C4 is exercised. - test_report_real_findings.py: assert the summary-sourced check renders and the empty placeholder does not appear. - Regenerated goldens. Gate: ruff, mypy, lint-imports clean; 116 report/fixture tests green. * docs(c5): register real-findings render gate in REVREM-TEST-001 Add a standing success-metric row for tests/test_report_real_findings.py — the anti-self-confirming-fixture gate introduced by the C1 corrective. It asserts findings surface from triage-N.json::confirmed_findings (and checks from summary.iterations[].checks[]) on a real-engine-shaped fixture, and fails if that ever stops happening. Document why the gate exists (T0 fixtures were hand-authored against the renderer's assumptions, not the engine's contract). Fixture representativeness for the P0-relevant scenarios (findings_remaining, all_suppressed, findings_with_triage) was restored in C1/C4 — they now carry real triage and checks. Full regeneration of every fixture from .revrem/runs/ (including the 5 secondary schema keys the review noted: external_review_coverage, invocation, phase_failures, phase_observations, triage_diagnostics) is tracked as a follow-up; it does not gate the showcase features. REVREM-TEST-001 bumped 1.7 -> 1.8. * fix(c6): deep-link the report artifact in the PR comment (secondary) The comment always linked the workflow run URL, never the uploaded report artifact. The plan specified capturing actions/upload-artifact's artifact-url output with the run URL as fallback. - action.yml: give the upload-report step an id; add an Export-artifact-URL step that writes the artifact-url output to REVREM_ARTIFACT_URL env; pass it into the comment step env. - post_pr_comment.py: main() prefers REVREM_ARTIFACT_URL over GITHUB_RUN_URL. - test: assert the posted body links the artifact URL and not the run URL. Gate: ruff clean; 25 comment/action tests green. * docs(c7): document corrective fixes + release hygiene (P0 series) No v0.5.0 tag was ever created (git tag -l 'v0.5*' is empty) — the release(t13) commit bumped the version in source but never tagged. So there is no premature tag to revert; 0.5.0 remains unreleased as intended. CHANGELOG [0.5.0] gains a Fixed (corrective) section documenting P0-1/P0-2/P0-3 plus the checks-source, artifact-deep-link, and real-findings-gate fixes. Remaining manual gates before tagging v0.5.0 (cannot be automated here, recorded in the CHANGELOG): - A live dogfood revrem --profile dogfood run with revrem report rendering it. - A live observation that the Action posts a single idempotent PR comment on a real PR (validates the C3 github-token wiring end-to-end). Gate: 1437 passed (1 pre-existing env failure unrelated); ruff, mypy, lint-imports (9 contracts) clean. * fix(c8): document phase_config in summary-v1 schema (P0-B root cause) phase_config is written on every run by reporting.add_summary_contract_fields (present on 106/156 local runs, all recent ones) but was undocumented in summary-v1.schema.json. additionalProperties was already true, so validation never caught the drift — which is exactly why the earlier P0-2 wrongly concluded the key did not exist and deleted the report's phase-config section. Additive, non-breaking (v1 is additive-only; 5 other optional keys already use this convention). _history byte-equality baseline updated to match. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c9): make findings_with_triage fixture representative (P0-B) The hand-authored fixtures omitted every key a real run carries, which is what let the self-confirming-fixture failure mode persist. Make the anchor fixture representative of a real run: - summary.json: real-shaped phase_config (review/triage/remediation/ commit_message with harness/model/effort; plus the non-model checks/runtime blocks) and the five previously-omitted keys (external_review_coverage, invocation, phase_failures, phase_observations, triage_diagnostics). - triage-1.json: a rejected_finding and a needs_more_info entry so the renderer is exercised against the full triage outcome, not confirmed-only. Inert until the renderer reads it (next commit); suite stays green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c10): restore phase-config section + render full triage outcome (P0-A, C1) Reverts the wrong P0-2 deletion and completes the C1 findings contract. - Restore the "Phase configuration" section, sourced from summary.phase_config (real data on every modern run). Filter to the model-bearing phases (review/triage/remediation/commit_message); checks/runtime carry no harness/model and are skipped, not emitted as blank rows. Now also surfaces reasoning-effort, timeout, and sandbox. - Render triage rejected_findings and needs_more_info, which were silently dropped (only confirmed/suppressed rendered before). - Surface per-iteration iterations[].review_status in the outcome section (the _findings_section docstring already promised this; it is now true). Goldens regenerated: the sole delta is the inserted Review status row (verified by word-diff). New gate assertions in test_report_real_findings.py cover the phase-config table + filter, rejected/needs-info, and review_status. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c11): fix the inert fork-PR guard in the Action (Sec-1) `github.event.pull_request.head.repo.fork != 'true'` always evaluated true under GitHub Actions' type coercion (boolean true -> 1, string 'true' -> NaN, 1 != NaN), so the comment step never actually skipped on fork PRs — where the token is read-only and the post would 403 and fail the job. Compare to the boolean `false` instead. Static fix; requires live verification on a real fork PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c12): label the comment artifact link [Report], not [Run] (Sec-3) build_comment_body linked the uploaded report artifact (REVREM_ARTIFACT_URL) but labelled it [Run]. Pass report_url and run_url separately: deep-link the artifact as [Report] when captured, fall back to the workflow run as [Run] otherwise. Comment stays confirmed-findings-only by design (the actionable "what remains" summary); rejected/needs-info live in the full HTML report. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * docs(c13): record second corrective iteration + extend the render gate - CHANGELOG: correct the stale P0-2 entry (it described the now-reverted deletion) and document the second corrective iteration (phase-config restore, schema drift, fork gate, rejected/needs-info, comment label, fixture). - REVREM-TEST-001: extend the real-findings gate entry to cover the new regression guards (phase-config table + filter, rejected/needs-info, review_status) and the fixture's representativeness. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c14): preserve array-valued artifact paths + redact index paths (GPT #3, #7) build_report_index normalised every artifact_paths value with _normalize_path, flattening list entries (triage, reviews, ...) to repr strings like "['triage-1.json']" — even though report-index-v1 allows arrays and the PR comment / consumers rely on the real shape. Preserve lists as lists of normalised strings, and redact each path element when redact=True (an absolute local run dir under $HOME is a real leak vector; redact_text scrubs it to [REDACTED:home]). Also tighten the review-status gate to assert the rendered value, not just the label. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c15): sanitize PR comment markdown table cells (GPT #6) A model-derived finding title containing a pipe, newline, or backtick could add columns, split the table row, or open an unterminated code span in the comment. Route severity/file/title through an _md_cell escaper (escape `|`, collapse line breaks, neutralise backticks) before interpolating into the table. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c16): harden the Action — injection, token fallback, raw-artifact accuracy (GPT #1, #2, #4, #5) - #1 Script injection: every workflow input is now passed through `env:` and read as a shell variable ("$BASE", "$CHECKS", ...), never interpolated as `${{ inputs.x }}` into a run script (GitHub expands those into the script text before bash parses it). Added numeric validation for the budget inputs and a test asserting no `${{ inputs.* }}` appears in any run script. - #2 Token: the comment step reads `${{ inputs.github-token || github.token }}` so the token resolves even if expression evaluation inside the input default is not honoured. - #4 Raw upload: `raw-artifacts` is documented as uploading the run directory VERBATIM and UNREDACTED (raw prompts/model output/paths) — the prior "still-redacted" wording was false. DevEx doc updated to match. - #5 Doc drift: DevEx doc now documents the corrected `head.repo.fork == false` fork guard; added a test asserting doc/action agreement. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * docs(c17): record external-review security & robustness fixes Document the GPT-review corrective iteration (script-injection hardening, token fallback, raw-artifact honesty, array-path preservation + redaction, comment cell escaping) in the Unreleased corrective section. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix(c18): make github-token default empty so the token fallback works (GPT re-review) The c16 fallback `${{ inputs.github-token || github.token }}` was defeated by the input default `${{ github.token }}`: if GitHub does not evaluate the expression in the default, inputs.github-token becomes the literal non-empty string "${{ github.token }}" — which is truthy, so `||` short-circuits to it and the action sends a bad token. Exactly the failure mode the fallback was meant to prevent. Set the default to "" (empty, not an expression). When the caller omits the input, inputs.github-token is falsy and the fallback resolves github.token in the step context, where expressions are honoured. Test asserts the default is empty; CHANGELOG/docs corrected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE * fix: PR review comments (GLM) * fix: PR review comments 2 (GLM/CC) * fix: PR review comments 3 (CC) * fix: CI gate (CC) * fix: PR review comments 4 (CC) * fix: make action metadata load in GitHub * fix: keep action scratch files outside checkout * fix: bootstrap codex in dogfood action * fix: install dogfood check tools in action workflow * fix: make dogfood action codex-only in CI * docs: added tech debt note * fix: PR review comments 5 (CC) * fix: configure git author for dogfood commits * fix: bound dogfood action runtime * fix: resolve dogfood report findings * fix: sanitize stop reason in PR comment * fix: report latest triage artifact only * fix: emit summaries for typed CLI failures * fix: surface phase failures in dogfood reports * fix: include provider excerpts in failure diagnostics * fix: classify codex quota exhaustion * fix: surface quota exhaustion in ci * fix: use portable action diagnostics lookup [skip ci] * fix: address review feedback on report action safety [skip ci] * fix: normalize windows report paths [skip ci] * test: add no-provider action smoke workflow * fix: address report and dogfood review comments --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-python from 5.6.0 to 6.2.0.
Release notes
Sourced from actions/setup-python's releases.
... (truncated)
Commits
a309ff8Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)bfe8cc5Upgrade@actionsdependencies to Node 24 compatible versions (#1259)4f41a90Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)83679a8Bump@types/nodefrom 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...bfc4944Bump prettier from 3.5.3 to 3.6.2 (#1234)97aeb3eBump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)443da59Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...cfd55cagraalpy: add graalpy early-access and windows builds (#880)bba65e5Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)18566f8Improve wording and "fix example" (remove 3.13) on testing against pre-releas...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Greptile Summary
This PR bumps
actions/setup-pythonfrom v5.6.0 to v6.2.0 across both CI and release workflows. The change is a major-version jump (5 → 6); v6.0.0 upgraded the action's runtime from Node 20 to Node 24 and requires the GitHub Actions runner to be on v2.327.1 or later.ci.ymlandrelease.ymlare updated consistently, with the full commit SHA pinned and the version comment correctly reflectingv6.2.0.ubuntu-latest(a GitHub-hosted runner), GitHub guarantees the runner is kept up to date, so the Node 24 runtime requirement should be met automatically.Confidence Score: 5/5
Safe to merge — a routine Dependabot version bump with no logic changes and correct SHA pinning in both workflow files.
The only change is the actions/setup-python SHA and version comment in two workflow files. Both files are updated consistently, SHA pinning is correct, and both workflows run on ubuntu-latest so the Node 24 runner requirement introduced in v6.0.0 is satisfied automatically.
No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[Push / PR event] --> B[actions/checkout v4.2.2] B --> C["actions/setup-python **v6.2.0** ⬆\n(was v5.6.0, Node 20 → Node 24)"] C --> D[Install dependencies] D --> E{Workflow} E -->|ci.yml| F[Test · Lint · Type-check\nDocOps · Whitespace · Secret scan · Pre-commit] E -->|release.yml| G[Test · Build dist · SBOM\nAttest provenance · Upload & Publish release]Reviews (1): Last reviewed commit: "chore(deps): bump actions/setup-python f..." | Re-trigger Greptile
Note
Bump
actions/setup-pythonfrom v5.6.0 to v6.2.0 in CI and release workflowsUpdates the pinned commit hash for
actions/setup-pythonin both ci.yml and release.yml. No changes to Python version configuration or other workflow steps.Macroscope summarized 1c00061.