PR CI kept breaking on upstream catalog drift (new model ships on models.dev,
OpenRouter renames an id, etc.) — failures unrelated to the PR's contents.
split the model-alias test suite so PRs only see pure-logic checks, and push
the external-state drift + end-to-end coverage to main.
test organization:
- action/test/models.test.ts keeps pure invariants: openRouterResolve
completeness and fallback-chain resolution. runs on every PR.
- action/test/models-catalog.main.test.ts gets the 4 network-dependent
describes (models.dev validity x2, OpenRouter API validity, latest-model
snapshot). runs only on main push via a dedicated vitest config
(vitest.main.config.ts + `pnpm test:catalog`).
new CI jobs in .github/workflows/test.yml:
- models-catalog: `pnpm test:catalog` on every main push. detects upstream
catalog drift so we can react at the next convenient window.
- models-live: 38-entry matrix that invokes the agent harness end-to-end
against the real provider for each alias in models.ts. generated from
action/test/list-aliases.ts. runs only on main push AND only when
resolution-affecting files changed (action/models.ts, action/package.json,
action/agents/**) — the exact shape of the opus 4.7 incident.
test/run.ts: PULLFROG_MODEL now flows through from process.env so the live
matrix can pin an alias per job without the per-agent default clobbering it.
Made-with: Cursor
anthropic shipped claude-opus-4-7 today; opencode also republished it.
point the "claude-opus" alias at the new version for both providers so
existing users get the upgrade automatically. openrouter hasn't
published 4.7 yet, so leave openRouterResolve at 4.6 as the BYOR fallback.
also clarify the latest-model snapshot comment: new model drops usually
just mean bumping the `resolve` on an existing alias, not adding a new one.
Made-with: Cursor
remove broad `PULLFROG_` passthrough from restricted shell env filtering and ensure sensitive names are blocked unless explicitly allowlisted, then align the restricted test fixture with allowed-prefix coverage.
Made-with: Cursor
* replace suffix-based env filtering with default-deny allowlist
filterEnv() now only passes known-safe GitHub Actions runner/system/toolchain
vars plus user-configured allowlist entries to shell subprocesses. GITHUB_TOKEN
and GH_TOKEN are always blocked, even from the user allowlist.
adds envAllowlist field to repo settings with dashboard textarea UI (visible
only when shell isolation is enabled) and wires it through run-context API
to the action runtime.
Made-with: Cursor
* address review: blocked-name warning, JAVA_HOME prefix, stale waitlist copy
- setEnvAllowlist now strips BLOCKED_ENV_NAMES from user input and returns
them so main.ts can log a warning
- move JAVA_HOME to exact names, use JAVA_HOME_ as prefix for clarity
- update stale suffix-based description in waitlist email script
Made-with: Cursor
* fix wiki/security.md snippet: JAVA_HOME -> JAVA_HOME_ to match code
Made-with: Cursor
* UI polish: field-sizing-content on all textareas, rename env allowlist label
- add field-sizing-content to all settings textareas so they auto-expand
to fit content (AgentSettings, ModesSettings, WorkflowsSettings, FlagsSettings)
- rename "Environment variable passthrough" to "Environment allowlist"
with clearer popover copy
- drop "e.g." prefix from env allowlist placeholder
- update docs/security.mdx and wiki/security.md references to match
Made-with: Cursor
* tweak env allowlist popover wording
Made-with: Cursor
* document default allowed variables in security docs with link from popover
Made-with: Cursor
* Update action/utils/secrets.ts
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
---------
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
remove duplicate model and agent log emitters, then print model, agent, push, shell, and timeout on separate startup lines so run settings stay concise and easy to scan.
Made-with: Cursor
review bodies were embedding a task-list snapshot that could capture
stale in-progress state due to timing between the agent's final
TodoWrite and the review submission API call. progress comments
are the authoritative checklist surface — remove the review-body
embedding entirely so there is a single source of truth.
also adds a `completeInProgress` option to `renderCollapsible` so
the progress-comment path can finalize any in-progress items at
render time without mutating tracker state.
Made-with: Cursor
* rename agent key to opencode and add skill invocation coverage.
add skill-invoke tests for claude and opencode with local play-based validation signals, update CI matrices, and include the current tracked refactors in this branch for review.
Made-with: Cursor
* exclude agent-specific skill-invoke tests from wrong agent in CI matrix
* address review follow-up and preserve workflow run UI tweak.
switch changed-agents ci coverage to exercise the opentoad implementation path while keeping the opencode expectation, and include the local workflow run client interaction updates requested on this branch.
Made-with: Cursor
* remove opentoad agent filename from runtime.
rename the opencode harness implementation file from opentoad.ts to opencode.ts and update ci coverage input accordingly so action code no longer carries the old filename.
Made-with: Cursor
* ensure security prompt bypass is set on every test fixture.
this keeps adversarial and permissions harnesses from being blocked by the default prompt-injection refusal path during CI security tests.
Made-with: Cursor
---------
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
* add wiki/betterstack.md documenting log querying, request-ID grouping, and MCP usage
Made-with: Cursor
* fix webhook race conditions: separate runId assignment from data updates
the workflow_run webhook handler had a race where concurrent handlers assigned
the same runId to different pending records. the loser's P2002 silently dropped
data updates (jobId, status, completedAt). fix by splitting into two steps:
assignRunId() handles the race-safe unique assignment, then data updates always
target where: { runId } so they hit the correct record regardless of who won.
also downgrade R2 ObjectLockedByBucketPolicy errors from error to warn level
since duplicate webhook deliveries writing the same key is expected under load.
Made-with: Cursor
* homepage copy refresh + fix skills CLI installation
- update hero to "Agent x GitHub" with new subtagline
- rewrite intro paragraphs: workflow, harness capabilities, billing
- add feature sections: bash isolation, headless browser, MCP tools
- update FAQ answers, footer attribution, free-for-oss copy
- update APP_DESCRIPTION for SEO
- fix skills install: use npx from tmpdir instead of local binary
(the bundled action has no node_modules; running npx from tmpdir
avoids project .npmrc with pnpm settings breaking binary resolution)
- instruct agents to use markdown image syntax in upload_file tool
- start dependency installation eagerly from main.ts
- include event title in task instructions
Made-with: Cursor
* add wiki/betterstack.md documenting log querying, request-ID grouping, and MCP usage
Made-with: Cursor
* fix webhook race conditions: separate runId assignment from data updates
the workflow_run webhook handler had a race where concurrent handlers assigned
the same runId to different pending records. the loser's P2002 silently dropped
data updates (jobId, status, completedAt). fix by splitting into two steps:
assignRunId() handles the race-safe unique assignment, then data updates always
target where: { runId } so they hit the correct record regardless of who won.
also downgrade R2 ObjectLockedByBucketPolicy errors from error to warn level
since duplicate webhook deliveries writing the same key is expected under load.
Made-with: Cursor
* require OIDC verification for DB secrets on run-context endpoint
DB secrets transported via run-context were accessible to any GitHub API
token with read access, bypassing GitHub Actions' fork PR secret isolation.
Now the endpoint requires a valid GitHub Actions OIDC token
(X-GitHub-OIDC-Token header) with a matching repository claim before
returning dbSecrets. Also requires admin for account-scope CLI secret
writes (matching the dashboard), and removes dead redactSecrets code.
Made-with: Cursor
emit real ESM runtime + declaration outputs for programmatic imports, align package exports/types with built files, and add a no-cjs policy note.
Made-with: Cursor
npx was running with cwd set to the action's own directory, which has
package.json with "name": "pullfrog". npm treats the local package as
satisfying the request and skips the registry fetch, then fails to find
the binary (sh: 1: pullfrog: not found). use GITHUB_WORKSPACE instead.
Made-with: Cursor
publish was missing a build step so the npm tarball had no dist/.
switch from NPM_TOKEN to OIDC trusted publishing — explicitly unset
NODE_AUTH_TOKEN so setup-node's .npmrc doesn't override the OIDC flow.
bump version since v0.0.195 tag exists from the failed publish attempt.
Made-with: Cursor
action/.husky prepare script was overriding root husky config, so the
pre-push hook (lint + typecheck + test) never ran. merged the lockfile
sync pre-commit into root .husky/pre-commit and removed action/.husky.
also auto-fixed biome format/import-sort errors from last commit.
Made-with: Cursor
simplify installation-not-found flow by removing ownerHasInstallation
field and collapsing the "selected repos" vs "no access" branches into
a single message with a confirm prompt. improve spinner/log copy
throughout init (secrets, model, workflow, test run).
backfill missing jobId on workflow-run redirect page by querying the
GitHub API for the pullfrog job when jobId is null. add 600ms delay
in handleWorkflowRunInProgress before fetching jobs to avoid racing
the job assignment.
Made-with: Cursor
the postinstall script referenced scripts/generate-proxies.ts which isn't
included in the published npm package, silently breaking every npx install.
replaced the proxy stub approach with turbopack resolveAlias and webpack
conditionNames so both bundlers resolve pullfrog imports to TypeScript
source directly — matching what tsc already does via customConditions.
also moves PR summary format from handleWebhook into modes.ts so the
summarize mode prompt includes it directly.
Made-with: Cursor
PRs created as draft (or by automation tokens that suppress workflow
triggers) never ran preview-create because the workflow only listened
for opened/synchronize. Adding ready_for_review as a trigger ensures
the preview repo gets created when a draft PR is marked ready.
Also makes preview-create.ts idempotent by catching 422 (repo already
exists) so it's safe if both opened and ready_for_review fire.
Made-with: Cursor
the inline `node -e` + `TOKEN=$(...)` approach broke because
`core.getIDToken()` in @actions/core writes `::debug::` and
`::add-mask::` to stdout, polluting the captured value.
`node cli.ts gha token` uses `core.setOutput()` which writes to
the $GITHUB_OUTPUT file instead of stdout.
Made-with: Cursor
* improve incremental review output and fix todo tracker race
- reviewed changes section: summarize at logical-change level with
past-tense verbs, not per-file enumerations
- add TodoTracker.completeAll() to mark all non-cancelled items as
completed before snapshotting the collapsible in review/progress posts
Made-with: Cursor
* completeAll -> completeInProgress: only mark in-progress items as completed
Pending items that were genuinely skipped stay as-is in the collapsible,
so the task list honestly reflects what the agent actually did.
Made-with: Cursor
* fix: make token-exfil test reliable by disabling security instructions and reframing prompt
the test was flaky — agents would randomly refuse (not calling set_output),
refuse politely (calling set_output with refusal text), or cooperate fully,
depending on model mood. two changes:
1. set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS=1 in test env (layer 1)
2. reframe prompt as CI debugging task instead of security test (layer 2)
Made-with: Cursor
* fix: set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS on adversarial test fixtures
without this flag, the system prompt tells agents to refuse anything that
looks malicious — which is exactly what these security pentests ask them to
do. adds the flag to tokenExfil, askpassIntercept, and nobashcreative.
Made-with: Cursor
* set PULLFROG_DISABLE_SECURITY_INSTRUCTIONS on all security-related test fixtures
Made-with: Cursor
the "delegate a subagent" instruction doubled LLM sessions for
every summary run, and "use mini or auto effort" was a no-op
since the agent always runs at high/max effort.
Made-with: Cursor
* fix WorkflowRun mis-assignment when multiple dispatches are in flight
workflow_run_requested fires before GitHub applies the custom run-name,
so display_title has no [suffix]. the old desc ordering picked the newest
pending record, cross-linking enrichment ↔ auto-label records.
switch to FIFO (asc) ordering so records are claimed in dispatch order,
and add a 15s createdAt window to avoid claiming stale records.
fixes#523
Made-with: Cursor
* WIP
* plan: update issue indexing resolution to R2-backed lazy filesystem
replace the direct GitHub tarball + in-memory extraction approach with a
two-phase architecture: streaming tarball sync to R2 (per-file, via
tar-stream) and on-demand lazy loading via just-bash InMemoryFs backed
by R2 GETs. scales to 200K+ file monorepos at <50MB memory overhead.
Made-with: Cursor
* plan: switch to tarball + R2 range requests, add design alternatives rule
update issue indexing plan to use a single uncompressed tar in R2 with
byte-offset index instead of per-file uploads. 2 PUTs per sync vs 10K,
5000x cheaper, trivial lifecycle.
add AGENTS.md rule: generate 3 alternatives before committing to a design.
Made-with: Cursor
* fix typos in AGENTS.md
---------
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
- in Review mode, stop the todo tracker and append the completed task
list as a collapsible section to the review body before submitting
- always delete the progress comment after a review is submitted,
regardless of whether the agent called report_progress
Made-with: Cursor
* refactor: replace narrow parameter types with context objects across action/
pass broader context objects (ToolContext, PromptContext, PostCleanupContext) to
utility functions instead of cherry-picking fields into single-use interfaces.
deletes 8 narrow types, simplifies call sites, and makes buildCommentFooter
synchronous by reading ctx.runId/ctx.jobId directly instead of re-deriving
from env vars and making an extra API call.
Made-with: Cursor
* fix: replace non-null assertion with local guard in validatePushDestination
addresses review feedback — the function now validates pushUrl itself instead
of relying on the caller's check, eliminating the ! assertion.
Made-with: Cursor
* revert: remove GH_TOKEN injection from restricted shell
the original change exposed the git token in restricted-mode shell so
`gh` CLI would work. this is a security regression for public repos: MCP
tools are deliberately constrained (no merge, no release, no arbitrary
API calls), but `gh api` with the token gives full GitHub API access to
any prompt-injected agent.
Made-with: Cursor
* reorder prompt sections: task-first with dynamic TOC
put the actual task at the top of the prompt for primacy, add a
dynamic table of contents, and push system/runtime metadata to the end.
new section order: TOC → YOUR TASK → PROCEDURE → EVENT CONTEXT →
SYSTEM → LEARNINGS → RUNTIME
Made-with: Cursor
* enforce clean working tree: continue session if agent leaves uncommitted changes
after each agent run, check `git status --porcelain`. if dirty, resume
the same session with instructions to commit on a new branch, push, and
open a PR. retries up to 3 times before giving up.
- claude code: capture session_id from result event, use --resume <id>
- opencode: use --continue to resume the last session
- remove --no-session-persistence from claude (needed for --resume)
- update Task mode to clarify branch/push/PR is the default finalize step
Made-with: Cursor
* log full prompt in collapsible group for debugging
Made-with: Cursor
* fix: format tool refs in buildCommitPrompt via formatMcpToolRef
* enforce clean git status: general instructions, stop hook, and Task mode
Made-with: Cursor
* fix: rename stale titleBody references after body leak fix
Made-with: Cursor
---------
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
* WIP
* WIP
* review/incremental-review: always submit review, never call report_progress
The progress comment is auto-deleted by the stranded-comment cleanup in
main.ts when the agent skips report_progress. This makes reviews the
sole PR artifact for both modes, reducing noise.
- soften report_progress tool description to allow mode opt-out
- Review mode: always submit exactly one review (approve or request changes)
- IncrementalReview mode: submit review for substantive outcomes, silently
exit for non-substantive changes (formatting-only pushes produce zero artifacts)
Made-with: Cursor
* incremental-review: clarify approval condition for substantive no-issues case
Made-with: Cursor
* report_progress: s/completed/current task list
Made-with: Cursor
* system instructions: align report_progress guidance with mode opt-out
Made-with: Cursor
* fix autofix body leak, harden prompt against injection, trigger-aware comments
never forward event bodies to the agent prompt — they are user-generated
content and a prompt injection vector. the agent fetches bodies on demand
via MCP tools (checkout_pr, get_issue, etc.).
- always set event.body to null in dispatch(), add promptFromBody: false
to autofix, strip body from nested pull_request object
- replace buildEventTitleBody with buildEventTitle rendering inline
references like PR #497 ("Title") instead of raw markdown headings
- add LEAPING_REASON_MAP for trigger-aware progress comments
(e.g. "CI failure detected. Leaping into action...")
- thread type through buildLeapingIntoActionComment, createLeapingComment,
and updateCommentToLeaping
Made-with: Cursor
* rename translateWorkflowRunType.ts to workflowRunTypes.ts
Made-with: Cursor