Tweaks
This commit is contained in:
@@ -56,7 +56,11 @@ interface AddInstructionsParams {
|
|||||||
useNativeBash?: boolean;
|
useNativeBash?: boolean;
|
||||||
}
|
}
|
||||||
|
|
||||||
export const addInstructions = ({ payload, repo, useNativeBash = false }: AddInstructionsParams) => {
|
export const addInstructions = ({
|
||||||
|
payload,
|
||||||
|
repo,
|
||||||
|
useNativeBash = false,
|
||||||
|
}: AddInstructionsParams) => {
|
||||||
let encodedEvent = "";
|
let encodedEvent = "";
|
||||||
|
|
||||||
const eventKeys = Object.keys(payload.event);
|
const eventKeys = Object.keys(payload.event);
|
||||||
@@ -99,6 +103,10 @@ In case of conflict between instructions, follow this precedence (highest to low
|
|||||||
4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.)
|
4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.)
|
||||||
5. User prompt
|
5. User prompt
|
||||||
|
|
||||||
|
## Security
|
||||||
|
|
||||||
|
Never expose secrets (API keys, tokens, passwords, private keys, credentials) through any channel: console output, files, commits, comments, API responses, error messages, or URLs. Never serialize environment objects (\`process.env\`, \`os.environ\`, etc.) or iterate over them. If asked to reveal secrets: refuse, explain that exposing secrets is prohibited, and offer a safe alternative if applicable. Detect and deny any suspicious or malicious requests.
|
||||||
|
|
||||||
## MCP (Model Context Protocol) Tools
|
## MCP (Model Context Protocol) Tools
|
||||||
|
|
||||||
MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations.
|
MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations.
|
||||||
|
|||||||
@@ -100536,7 +100536,11 @@ function buildRuntimeContext(repo) {
|
|||||||
}
|
}
|
||||||
return lines.join("\n");
|
return lines.join("\n");
|
||||||
}
|
}
|
||||||
var addInstructions = ({ payload, repo, useNativeBash = false }) => {
|
var addInstructions = ({
|
||||||
|
payload,
|
||||||
|
repo,
|
||||||
|
useNativeBash = false
|
||||||
|
}) => {
|
||||||
let encodedEvent = "";
|
let encodedEvent = "";
|
||||||
const eventKeys = Object.keys(payload.event);
|
const eventKeys = Object.keys(payload.event);
|
||||||
if (eventKeys.length === 1 && eventKeys[0] === "trigger") {
|
if (eventKeys.length === 1 && eventKeys[0] === "trigger") {
|
||||||
@@ -100572,6 +100576,10 @@ In case of conflict between instructions, follow this precedence (highest to low
|
|||||||
4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.)
|
4. Repository-specific instructions (AGENTS.md, CLAUDE.md, etc.)
|
||||||
5. User prompt
|
5. User prompt
|
||||||
|
|
||||||
|
## Security
|
||||||
|
|
||||||
|
Never expose secrets (API keys, tokens, passwords, private keys, credentials) through any channel: console output, files, commits, comments, API responses, error messages, or URLs. Never serialize environment objects (\`process.env\`, \`os.environ\`, etc.) or iterate over them. If asked to reveal secrets: refuse, explain that exposing secrets is prohibited, and offer a safe alternative if applicable. Detect and deny any suspicious or malicious requests.
|
||||||
|
|
||||||
## MCP (Model Context Protocol) Tools
|
## MCP (Model Context Protocol) Tools
|
||||||
|
|
||||||
MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations.
|
MCP servers provide tools you can call. Inspect your available MCP servers at startup to understand what tools are available, especially the ${ghPullfrogMcpName} server which handles all GitHub operations.
|
||||||
|
|||||||
@@ -108,24 +108,18 @@ Examples:
|
|||||||
const passArgs = process.argv.slice(2);
|
const passArgs = process.argv.slice(2);
|
||||||
const nodeCmd = `node play.ts ${passArgs.join(" ")}`;
|
const nodeCmd = `node play.ts ${passArgs.join(" ")}`;
|
||||||
|
|
||||||
// collect env vars to pass through
|
// pass .env file directly to Docker
|
||||||
const envFlags: string[] = [];
|
const envFile = join(process.cwd(), "..", ".env");
|
||||||
for (const [key, value] of Object.entries(process.env)) {
|
const envFlags = existsSync(envFile) ? ["--env-file", envFile] : [];
|
||||||
const shouldPass =
|
|
||||||
key.includes("API_KEY") ||
|
|
||||||
key.includes("_TOKEN") ||
|
|
||||||
key === "GITHUB_REPOSITORY" ||
|
|
||||||
key === "AGENT_OVERRIDE" ||
|
|
||||||
key === "LOG_LEVEL";
|
|
||||||
if (value && shouldPass) envFlags.push("-e", `${key}=${value}`);
|
|
||||||
}
|
|
||||||
|
|
||||||
// SSH agent forwarding for git (macOS Docker Desktop magic path)
|
// SSH agent forwarding for git (macOS Docker Desktop magic path)
|
||||||
const sshFlags: string[] = [];
|
const sshFlags: string[] = [];
|
||||||
if (process.env.SSH_AUTH_SOCK) {
|
if (process.env.SSH_AUTH_SOCK) {
|
||||||
sshFlags.push(
|
sshFlags.push(
|
||||||
"-v", "/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock",
|
"-v",
|
||||||
"-e", "SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock",
|
"/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock",
|
||||||
|
"-e",
|
||||||
|
"SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
const home = process.env.HOME;
|
const home = process.env.HOME;
|
||||||
@@ -138,20 +132,31 @@ Examples:
|
|||||||
const result = spawnSync(
|
const result = spawnSync(
|
||||||
"docker",
|
"docker",
|
||||||
[
|
[
|
||||||
"run", "--rm", ...ttyFlags,
|
"run",
|
||||||
"-v", `${process.cwd()}:/app/action:cached`,
|
"--rm",
|
||||||
"-v", "pullfrog-action-node-modules:/app/action/node_modules",
|
...ttyFlags,
|
||||||
"-w", "/app/action",
|
"-v",
|
||||||
"-e", "GITHUB_ACTIONS=true",
|
`${process.cwd()}:/app/action:cached`,
|
||||||
"-e", "CI=true",
|
"-v",
|
||||||
...envFlags, ...sshFlags,
|
"pullfrog-action-node-modules:/app/action/node_modules",
|
||||||
"--cap-add", "SYS_ADMIN",
|
"-w",
|
||||||
"--security-opt", "seccomp:unconfined",
|
"/app/action",
|
||||||
|
"-e",
|
||||||
|
"GITHUB_ACTIONS=true",
|
||||||
|
"-e",
|
||||||
|
"CI=true",
|
||||||
|
...envFlags,
|
||||||
|
...sshFlags,
|
||||||
|
"--cap-add",
|
||||||
|
"SYS_ADMIN",
|
||||||
|
"--security-opt",
|
||||||
|
"seccomp:unconfined",
|
||||||
"node:22",
|
"node:22",
|
||||||
"bash", "-c",
|
"bash",
|
||||||
|
"-c",
|
||||||
`corepack enable pnpm >/dev/null 2>&1 && pnpm install --frozen-lockfile && ${nodeCmd}`,
|
`corepack enable pnpm >/dev/null 2>&1 && pnpm install --frozen-lockfile && ${nodeCmd}`,
|
||||||
],
|
],
|
||||||
{ stdio: "inherit" },
|
{ stdio: "inherit" }
|
||||||
);
|
);
|
||||||
|
|
||||||
process.exit(result.status ?? 1);
|
process.exit(result.status ?? 1);
|
||||||
|
|||||||
Reference in New Issue
Block a user