54 Commits

Author SHA1 Message Date
Colin McDonnell b472aa1ba9 fix(opencode): add effort-aware model overrides and OpenRouter guidance (#354)
* chore: create empty commit for PR

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(action): trigger preview repo creation workflow

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(opencode): merge repo opencode config and log provider key presence

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(opencode): add effort-aware model override precedence

Add OPENCODE_MODEL_MINI and OPENCODE_MODEL_MAX support with fallback to OPENCODE_MODEL and auto-selection, and keep provider resolution aligned via inline OpenCode config when overrides are used. Update workflow env wiring, test allowlists, and docs (including OpenRouter setup guidance and sidebar ordering) to document the new behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>

* docs(effort): clarify OpenCode precedence and add section link

Add a concise OpenCode precedence callout in the summary area and link directly to the OpenCode section for full details and examples.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Restructure dash (#372)

* Restructure dash

* WIP

* WIP

* refactor trigger UI: extract PR summary card, add mentions section, rename labels

Co-authored-by: Cursor <cursoragent@cursor.com>

* clean up console UI: remove info icons from section descriptions, rename mentions trigger

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix review feedback: layout, terminology, form scope

- extract console sidebar sections to module-level constant
- align three-column layout breakpoints to xl (match sidebar visibility)
- fix mixed shell/bash terminology in beta page
- scope FormProvider to trigger sections only, restore autoComplete="off"

Co-authored-by: Cursor <cursoragent@cursor.com>

* Bump

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: create empty commit for PR

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(opencode): merge repo opencode config and log provider key presence

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(opencode): add effort-aware model override precedence

Add OPENCODE_MODEL_MINI and OPENCODE_MODEL_MAX support with fallback to OPENCODE_MODEL and auto-selection, and keep provider resolution aligned via inline OpenCode config when overrides are used. Update workflow env wiring, test allowlists, and docs (including OpenRouter setup guidance and sidebar ordering) to document the new behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: update agent rules and OpenCode config docs

Align AGENTS guidance with current preferences and apply review-driven wording updates in OpenCode-related files.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-24 02:05:26 +00:00
Mateusz Burzyński 185ca7a832 Avoid using --ignore-workspace (#353) 2026-02-19 14:41:21 +00:00
Colin McDonnell 0e1f1ccbb7 pass GEMINI_MODEL and OPENCODE_MODEL vars through CI and Docker
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-14 02:33:00 +00:00
Colin McDonnell 8a64742ddf sync action workflow fail-fast to match root workflow
the root workflow was updated to fail-fast: true but the action
workflow wasn't updated to match. the ci consistency test enforces
they stay in sync.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-14 02:10:18 +00:00
Colin McDonnell 6f108237d4 Deployment protection bypass (#298)
* test preview bypass 2

Co-authored-by: Cursor <cursoragent@cursor.com>

* add apiFetch wrapper with Vercel bypass via query param + header

the template workflow was missing VERCEL_AUTOMATION_BYPASS_SECRET,
so all action API calls to preview deployments hit Vercel's
deployment protection without bypass. this also consolidates the
bypass logic into a single fetch wrapper that applies the secret
as both a query parameter (matching server-side forwarding) and
a header for belt-and-suspenders reliability.

Co-authored-by: Cursor <cursoragent@cursor.com>

* security hardening for Vercel bypass

- redact bypass token from webhook forwarder logs and response body
- remove dead x-preview-api-forward header
- refactor getAllSecrets() to use SENSITIVE_PATTERNS instead of hardcoded list
- enforce https:// on API_URL (localhost exempt for local dev)

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-13 20:01:48 +00:00
David Blass 9071c0ae6c refactor mode selection into delegate tool that spawns subagents (#265) 2026-02-12 19:34:47 +00:00
David Blass bc28c658f2 harden sandbox escape vectors for bash disabled/restricted modes (#257)
* harden sandbox escape vectors for bash disabled/restricted modes

block git config injection (-c flag as subcommand), dangerous subcommands
(config, submodule, rebase, bisect), code-executing arg flags (--exec,
--extcmd), .gitattributes/.gitmodules writes, and package lifecycle scripts.
add retry logic to test runner for transient failures. add security unit
tests and adhoc attack tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

* only filter subcommands in nobash, remove nobash from ui

* use regex matching

* iterate on tests

* simplify githooks

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 02:02:41 +00:00
David Blass 19df8372cd add file_read/file_write tools, sandbox tests, CI improvements (#239)
* migrate to flags

* init

* iterate on file write lockdown tests

* improve ci

* fix lockfile

* fix typecheck

* fix lint

* improve pushRestricted

* ok

* fix more

* ok

* remove process.env spreading rule

Co-authored-by: Cursor <cursoragent@cursor.com>

* enhanced fs rw tools

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-02-10 06:35:47 +00:00
Colin McDonnell 102417f442 Add post hooks for cleanup (#193)
* Add post hooks for cleanup

* Switch to signal-based cleanup

* Better exit handling
2026-01-28 01:59:15 +00:00
pullfrog[bot] 90945a9481 chore: update pullfrog.yml workflow 2026-01-28 00:51:37 +00:00
pullfrog[bot] a200d07370 feat: Immediate Leaping into action (#146)
* feat: post "Leaping..." comment immediately without polling GitHub API

This change makes the initial comment response much faster by avoiding
the expensive GitHub API polling that was waiting for workflows to
dequeue (up to 12s+ in some cases).

New architecture:
1. Create WorkflowRun record BEFORE dispatching (no runId yet)
2. Post "Leaping into action..." comment with shortlink URL immediately
3. Dispatch workflow and return
4. workflow_run.requested webhook fills in runId when GitHub dequeues

Shortlink redirect at /api/workflow-run/[id]/logs:
- If runId available: redirects to GitHub workflow run
- If runId null: shows polling page that checks DB every 1.5s

Changes:
- Make `runId` optional on WorkflowRun model (filled in via webhook)
- Add `workflow_run` to expected webhook events
- Add handler for workflow_run.requested to update DB with runId
- Create /api/workflow-run/[id]/logs shortlink redirect route
- Refactor triggerWorkflow.ts to use eager comment pattern
- Update trigger page to use new pattern

Closes #141

* chore: add migration for nullable runId in WorkflowRun

* fix: rm dead code.

* fix: Adjusting the issueNumber prop usage comment.

* fix: shortening and JSDoc for createWorkflowRunRecord.

* fix: Reducing diff, reducing confusion on naming the id.

* Revert "fix: Adjusting the issueNumber prop usage comment."

This reverts commit 34d87c2f8bc58782a53ce5eb14a40935232a4924.

* refactor: reuse buildShortlinkUrl in trigger page

* fix: Reducing confusion on param naming.

* fix: shorter JSDoc.

* Apply suggestion from @RobinTail

* chore: remove unnecessary JSDoc comment from buildShortlinkUrl

* Revert "chore: remove unnecessary JSDoc comment from buildShortlinkUrl"

This reverts commit 491ba6ba3f31c874c9f391871739efa50adb0446.

* fix: confusing naming of var.

* fix: redundant 'let'.

* refactor: move route from `/api/workflow-run/[id]/logs` to `/api/workflow-run-logs/[id]`

Avoids confusion with existing `/api/workflow-run/[runId]` route which uses
GitHub's runId, whereas this new route uses the internal WorkflowRun record id.

* chore: remove old route directory

* refactor: reuse `buildShortlinkUrl()` with `shouldPoll` param

* refactor: add script prop to generateLeapingLoaderHtml

Instead of string-replacing to inject scripts, the function now
accepts an optional script prop that gets wrapped in <script> tags.

* mv script into new LeapingLoaderHtmlProps.

* refactor: extract `buildGithubUrl` helper to avoid repetition

* fix: shorening.

* fix: More clear subtitle.

* refactor: reuse `WORKFLOW_FILENAME` from `app/globals.ts`

* fix: shortening.

* feat: add integrity_id for reliable workflow matching

Pass WorkflowRun record id as integrity_id when dispatching workflows.
The webhook handler parses integrity_id from display_title (via run-name)
for reliable matching, with fallback to repo/owner lookup when missing.

Note: workflow template changes (.github/workflows/pullfrog.yml) need to be
applied manually as the GitHub App lacks workflows permission.

* Revert "feat: add integrity_id for reliable workflow matching"

This reverts commit dbc601233a0dd85ac5f0d608a221e7015e265aaa.

* Add todo for consideration later.

* docs: add plan for action-initiated workflow run correlation

Addresses review feedback requesting research into secure alternatives
to exposing HOOKDECK_API_KEY. Proposes leveraging existing OIDC token
exchange to pass WorkflowRun record ID and correlate with run_id.

* Revert "docs: add plan for action-initiated workflow run correlation"

This reverts commit b9279d0e99db4d85e4144675634afa941858333a.

* FEAT: Add optional integrity_id input, used by run-name, set with partial record id, read by handler for lookup.

* Add integrity_id to app/trigger/[owner]/[repo]/[number]/page.tsx

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>

* feat: Extracting INTEGRITY_ID_LENGTH.

* Add integrity_id to the workflow files of the repo.

* fix: Use Vercel Preview deployment URL into account in buildShortlinkUrl().

* fix: add missing `.rest` prefix in Octokit API call

* revert: remove unnecessary escaping of backticks in comment

* fix: add polling timeout and wrap DB update in try-catch

- Add 3-minute timeout to polling page to prevent indefinite polling
- Wrap updateWorkflowRunComment in try-catch to prevent orphaned comments

* feat: restore job-level deep linking for workflow runs

Adds jobId to WorkflowRun model and captures the first job ID via
listJobsForWorkflowRun() when the workflow_run_in_progress event fires.
The shortlink redirect now appends /job/{jobId} when available, providing
a direct link to the job rather than just the workflow run.

* fix: handle only `workflow_run.in_progress` to avoid race condition

Combine the handling of `runId` and `jobId` into a single update when
`workflow_run.in_progress` fires, avoiding the race condition where
`in_progress` could arrive before `requested` was processed.

* Renae integrity_id -> name

* Clean up

* Clean up

* Shorter timeout

* Add fallback

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
Co-authored-by: Robin Tail <robin_tail@me.com>
Co-authored-by: Colin McDonnell <colinmcd94@gmail.com>
2026-01-28 00:40:56 +00:00
David Blass 9a8db3e07c add restricted tests, refactor test infrastructure (#150) 2026-01-22 21:06:19 +00:00
Colin McDonnell c6dfe4fa10 Update workflows 2026-01-21 03:27:12 +00:00
Colin McDonnell df4e7a9a4a Update workflows 2026-01-21 03:25:32 +00:00
Colin McDonnell 6af0c721ba Update workflows 2026-01-21 03:24:35 +00:00
David Blass 4e19178c81 fix CI (#111) 2026-01-20 17:25:06 +00:00
David Blass 410b11db71 test CI 2026-01-16 20:21:54 +00:00
David Blass 02a498e0cb update workflows 2026-01-16 16:00:27 +00:00
David Blass e4b086938e iterate on CI 2026-01-16 15:52:37 +00:00
Mateusz Burzyński 332ef73b87 Remove invalid working-directory setting (#105) 2026-01-16 10:56:28 +00:00
Mateusz Burzyński cd16ba67a6 Get rid of incorrect cache-dependency-path in an /action workflow (#104) 2026-01-16 10:47:52 +00:00
Anna Bocharova 9432a5b737 Revert 4c5cf44 2026-01-16 11:31:38 +01:00
Anna Bocharova 4c5cf444a2 Fix cache-dependency-path in test workflow 2026-01-16 11:28:45 +01:00
David Blass f34379415e add per-agent smoke tests (#100) 2026-01-16 08:00:16 +00:00
Colin McDonnell 5c60791b34 Update workflow 2026-01-15 23:47:40 +00:00
Colin McDonnell 3fa309853b Fix repo slug 2026-01-14 01:44:30 +00:00
Mateusz Burzyński e839fbeacd Perform repository dispatch using the builtin CLI (#65) 2026-01-13 19:54:57 +00:00
David Blass b3e1cf6de3 Update pullfrog.yml to new template with env-based API keys 2026-01-13 11:29:53 -05:00
Anna Bocharova 0aa97f4fd0 fix(CI): Changing the API keys to uppercase and moving to env (#26)
* fix(CI): Changing the API keys to uppercase

Due to c335032
See diff https://github.com/pullfrog/action/commit/c335032c37b5aa957ee3d9f7d37a937ed3ece150#diff-35ec9ad6938f4a0788911257499ca3ccf99c80cca56a22e86706f2c17f636835

* fix: Moving the keys to env
2026-01-13 12:22:35 +01:00
Colin McDonnell 79344c653d Fix CI 2026-01-12 23:19:35 -08:00
Colin McDonnell 20b4f683e5 Two way sync attempt 2026-01-13 07:13:47 +00:00
Robin Tail c5d201ce60 Add CI workflow for testing. 2026-01-12 15:10:06 +01:00
Colin McDonnell 78c22085bf 0.0.156 2026-01-08 15:05:05 -08:00
Colin McDonnell 479e066492 Clean up 2025-12-17 12:26:07 -08:00
Colin McDonnell 4d68198641 Update pullfrog.yml to use pullfrog/action@main 2025-12-16 16:55:38 -08:00
Colin McDonnell fd5e9c2838 update action w setup instructions 2025-11-26 19:18:41 -08:00
Pullfrog 7853f9ef56 Add pullfrog.yml workflow 2025-11-26 15:56:05 -05:00
Colin McDonnell 611e7e80ce remove workflow 2025-11-26 12:51:27 -08:00
Pullfrog f2571d07a4 Add pullfrog.yml workflow 2025-11-26 15:47:04 -05:00
David Blass 4f5ee28b8a update publish to reflect no build 2025-10-13 17:08:59 -04:00
David Blass 3b39f2c8d8 move pnpm version specifier to actions 2025-10-13 15:30:41 -04:00
David Blass 8ef805b9fc remove pnpm version from publish action 2025-10-13 15:27:05 -04:00
David Blass 03810d574e bump version 2025-10-13 14:14:52 -04:00
David Blass d3d2dad025 no-frozen-lockfile 2025-10-08 16:46:52 -04:00
David Blass 608322f026 use frozen lockfile in ci 2025-10-08 16:42:09 -04:00
Colin McDonnell 92225d30c5 No frozen lockfile 2025-09-10 00:36:03 -07:00
Colin McDonnell c5b9c7cfc4 Tweak 2025-09-09 17:19:59 -07:00
Colin McDonnell 7a14716481 Disable npm publishing for now 2025-09-09 16:58:30 -07:00
Colin McDonnell ff81db8bb7 Update 2025-09-09 16:54:36 -07:00
Colin McDonnell 260b563913 Update workflow 2025-09-09 16:31:47 -07:00