* fix bootstrap ETARGET when customer has npm min-release-age policy
set npm_config_min_release_age=0 in the action runtime env so
`npx --yes pullfrog@<spec>` doesn't get rejected by a customer-side
release-age gate (npm 11.5+'s min-release-age / pnpm's
minimumReleaseAge). env vars beat .npmrc in npm config precedence,
so this neutralises the policy regardless of where it's defined.
pullfrog's npm version is server-stamped from a SHA-pinned action
ref customers already vet at the action layer — it isn't a
customer-vetted dep, so the release-age policy is the wrong
affordance for our bootstrap and would otherwise hard-fail every
run while the latest publish ages into the customer's window.
closes#713
* also cover pnpm's minimumReleaseAge key for corepack fallback path
* correct pnpm env var (pnpm v11+ uses pnpm_config_*, not npm_config_*)
the prior commit set `npm_config_minimum_release_age=0` to cover the
pnpm corepack-dlx fallback path, but pnpm v11+ only reads env vars
prefixed `pnpm_config_*` / `PNPM_CONFIG_*` (the v10→v11 migration
explicitly renamed the prefix). swap to the correct env var so the
fallback path actually neutralises pnpm's `minimumReleaseAge`.
also tighten the comment block, and add an AGENTS.md rule reminding
us to fetch top-level reviews AND inline review comments together —
they live on different endpoints and the inline set is easy to miss
with `gh pr view --json reviews,comments` alone.
* add scripts/pr-reviews.ts for one-shot review evaluation
dumps top-level reviews + inline review threads (with resolved/outdated
state) + PR-level conversation in a single GraphQL round trip, so agents
don't miss inline-comment feedback. fixes the trap where
`gh pr view --json reviews,comments` silently omits the inline
`pulls/{n}/comments` set.
borrows `gh auth token` so no env vars are required. registered in
`wiki/scripts.md`; AGENTS.md rule updated to point at the script
instead of the two-step gh-CLI workaround.
* pr-reviews: dump raw JSON for jq piping
* Exclude GITHUB_WORKSPACE and relative entries from PATH walk
resolveExecutable previously walked any directory listed in process.env.PATH,
which trusts that nothing earlier in the workflow prepended an
attacker-controlled location. A malicious PR could land bin/npx in the repo
and add `echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH` to a prior step,
causing pullfrog to exec the attacker's binary with our scoped tokens in env.
Filter out (a) any non-absolute PATH entry (., bin, .., etc., which resolve
against cwd) and (b) any entry equal to or under GITHUB_WORKSPACE. The walk
then continues to the next legitimate system tooling dir.
* Address PR #558 review: comment typo + Windows case bypass
- Drop double space in the threat-model comment.
- Lowercase paths on Windows before comparing against GITHUB_WORKSPACE.
Without this, an attacker can bypass the filter by varying case in their
injected PATH entry (`d:\a\repo\bin` vs `D:\a\repo`) — string compare
misses but NTFS still resolves the executable inside the workspace.
* Fix Node 24 action bootstrap fallback
Resolve the published CLI launcher through PATH so runners missing a sibling Node 24 npx can still start, and make post cleanup recognize prefixed leaping comments.
* Bump Pullfrog action package version
Ensure the Node 24 bootstrap and post-cleanup fixes publish to npm and move the v0 action tag.
* Walk PATH for corepack and npx in action bootstrap
ensureActionDependencies and runPackageCli now resolve corepack/npx through
PATH the same way as the npx-via-PATH fix, so Node 24 runner pools missing
either sibling can still bootstrap. Also adds a Zod-mirror settings helper
for the preview-556 repo and documents the per-PR settings workflow.
* log when corepack PATH fallback is used
* add one-time diff coverage preflight for PR reviews
track diff read coverage from agent tool-use events and run a one-time pre-flight before review submission, with explicit coverage skip reasons for low-value files like lockfiles.
Made-with: Cursor
* add manual dispatch fallback for preview deploy workflow
allow preview repo and preview sync jobs to be run via workflow_dispatch with explicit PR number and branch inputs, so preview provisioning can be retriggered when pull_request events fail to fire.
Made-with: Cursor
* fix manual preview dispatch PR input wiring
use normalized PR number and branch env values for comment creation and script env wiring so workflow_dispatch preview runs can create and update PR-specific preview resources.
Made-with: Cursor
* remove obsolete snapshots invalidated by checkout instructions change
* fix diff coverage read offset handling and add local sanity-check guidance
normalize read offset semantics for diff coverage tracking, reuse shared range counting in review preflight, add focused diff coverage unit tests, and document the local play.ts testing workflow in AGENTS.md.
Made-with: Cursor
* add regenerated mcp test snapshots
capture snapshot files generated by the review comment and checkout formatting tests during pre-push validation so the branch remains clean and reproducible.
Made-with: Cursor
* add diff coverage preflight instrumentation logs
log diff coverage initialization in checkout_pr and emit preflight state/breakdown diagnostics in create_pull_request_review to debug missing coverage enforcement in preview e2e runs.
Made-with: Cursor
* add env override to force local cli execution in action runtime
support explicit local-cli execution via PULLFROG_FORCE_LOCAL_CLI so preview workflows can run branch action code instead of the npm fallback package during e2e debugging.
Made-with: Cursor
* add preview e2e debugging learnings for action runtime validation
capture the preview execution-path gotchas and one-time preflight verification pattern in AGENTS.md so future investigations validate the real runtime and avoid npm fallback confusion.
Made-with: Cursor
* reduce diff coverage log noise while preserving failure visibility
downgrade verbose diff coverage lifecycle diagnostics to debug, keep a concise info-level pre-flight failure signal, and document preview runtime debugging learnings in AGENTS.md.
Made-with: Cursor
* WIP
* tune sync.md: ff override + softer overlap verification
Made-with: Cursor
* chore: bump models snapshot for claude-opus-4-7
Made-with: Cursor
* rip out coverage_skips waiver from diff coverage pre-flight
Made-with: Cursor
---------
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
npx was running with cwd set to the action's own directory, which has
package.json with "name": "pullfrog". npm treats the local package as
satisfying the request and skips the registry fetch, then fails to find
the binary (sh: 1: pullfrog: not found). use GITHUB_WORKSPACE instead.
Made-with: Cursor
the inline `node -e` + `TOKEN=$(...)` approach broke because
`core.getIDToken()` in @actions/core writes `::debug::` and
`::add-mask::` to stdout, polluting the captured value.
`node cli.ts gha token` uses `core.setOutput()` which writes to
the $GITHUB_OUTPUT file instead of stdout.
Made-with: Cursor