Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 7d85e653ca | |||
| 4b3c5ca905 | |||
| 2799cce4bf | |||
| 1da3f68e4e | |||
| 50f2678f55 | |||
| b748355cbe | |||
| c86752cf1d | |||
| a4c7c0fc15 | |||
| abdbdc7245 | |||
| 5393d3dab4 | |||
| 3c2f3722ff | |||
| 6541bdc4f4 | |||
| 1393ffb7b8 | |||
| f663d5e34d | |||
| d1e075fa3b | |||
| ed90735ba0 | |||
| bbcf91a06e | |||
| 8a6696dd1d | |||
| 23a39d7f4b | |||
| 8ee9e3176a | |||
| ef31821dc5 | |||
| 421607cf97 |
@@ -34,6 +34,9 @@ jobs:
|
||||
- name: Install dependencies
|
||||
run: pnpm install --frozen-lockfile
|
||||
|
||||
- name: Build
|
||||
run: pnpm build
|
||||
|
||||
- name: Get package version
|
||||
id: version
|
||||
run: |
|
||||
@@ -80,7 +83,7 @@ jobs:
|
||||
tag_name: ${{ steps.version.outputs.tag }}
|
||||
release_name: "${{ steps.version.outputs.tag }}"
|
||||
body: |
|
||||
## 📦 @pullfrog/pullfrog ${{ steps.version.outputs.version }}
|
||||
## 📦 pullfrog ${{ steps.version.outputs.version }}
|
||||
|
||||
### Usage in GitHub Actions
|
||||
|
||||
@@ -91,16 +94,14 @@ jobs:
|
||||
### Installation via npm
|
||||
|
||||
```bash
|
||||
npm install @pullfrog/pullfrog@${{ steps.version.outputs.version }}
|
||||
npm install pullfrog@${{ steps.version.outputs.version }}
|
||||
```
|
||||
draft: false
|
||||
prerelease: false
|
||||
|
||||
# - name: Publish to npm
|
||||
# if: steps.check_tag.outputs.exists == 'false'
|
||||
# run: npm publish --access public
|
||||
# env:
|
||||
# NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
- name: Publish to npm
|
||||
if: steps.check_tag.outputs.exists == 'false'
|
||||
run: npm publish --provenance --access public
|
||||
|
||||
- name: Summary
|
||||
if: always()
|
||||
@@ -118,5 +119,5 @@ jobs:
|
||||
echo "" >> $GITHUB_STEP_SUMMARY
|
||||
echo "### 📦 Published to" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- GitHub Release: [View Release](https://github.com/${{ github.repository }}/releases/tag/${{ steps.version.outputs.tag }})" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- npm Registry: [@pullfrog/pullfrog@${{ steps.version.outputs.version }}](https://www.npmjs.com/package/@pullfrog/pullfrog/v/${{ steps.version.outputs.version }})" >> $GITHUB_STEP_SUMMARY
|
||||
echo "- npm Registry: [pullfrog@${{ steps.version.outputs.version }}](https://www.npmjs.com/package/pullfrog/v/${{ steps.version.outputs.version }})" >> $GITHUB_STEP_SUMMARY
|
||||
fi
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
name: Test get-installation-token
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test-token:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get installation token
|
||||
id: token
|
||||
uses: pullfrog/pullfrog/get-installation-token@main
|
||||
|
||||
- name: Verify token with Node.js
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
|
||||
run: |
|
||||
node -e '
|
||||
const res = await fetch("https://api.github.com/installation/repositories?per_page=1", {
|
||||
headers: {
|
||||
Authorization: "token " + process.env.GITHUB_TOKEN,
|
||||
Accept: "application/vnd.github+json",
|
||||
},
|
||||
});
|
||||
if (!res.ok) throw new Error("GET installation/repositories failed: " + res.status + " " + (await res.text()));
|
||||
const data = await res.json();
|
||||
console.log("authenticated — installation has access to", data.total_count, "repo(s)");
|
||||
console.log("first repo:", data.repositories[0].full_name);
|
||||
'
|
||||
@@ -27,9 +27,22 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: true
|
||||
matrix:
|
||||
agent: [claude, opentoad]
|
||||
agent: [claude, opencode]
|
||||
test:
|
||||
[mcpmerge, nobash, restricted, smoke, token-exfil]
|
||||
[
|
||||
mcpmerge,
|
||||
nobash,
|
||||
restricted,
|
||||
skill-invoke-claude,
|
||||
skill-invoke-opencode,
|
||||
smoke,
|
||||
token-exfil,
|
||||
]
|
||||
exclude:
|
||||
- agent: claude
|
||||
test: skill-invoke-opencode
|
||||
- agent: opencode
|
||||
test: skill-invoke-claude
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
# sync action lockfile when action/package.json changes
|
||||
if git diff --cached --name-only | grep -q "^action/package.json$"; then
|
||||
echo "🔒 syncing action/pnpm-lock.yaml..."
|
||||
# note: pnpm -C action install will *not* treat "action" as a monorepo root if run from repo root;
|
||||
# to install with action/ as the workspace root (and search upwards), cd into action first:
|
||||
(cd action && pnpm install --no-frozen-lockfile)
|
||||
git add action/pnpm-lock.yaml
|
||||
fi
|
||||
+2
-2
@@ -35,8 +35,8 @@ outputs:
|
||||
|
||||
runs:
|
||||
using: "node24"
|
||||
main: "entry"
|
||||
post: "post"
|
||||
main: "entry.ts"
|
||||
post: "post.ts"
|
||||
post-if: "failure() || cancelled()"
|
||||
|
||||
branding:
|
||||
|
||||
+1
-1
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* Claude Code agent — secure harness around the `claude` CLI.
|
||||
*
|
||||
* mirrors the opentoad harness's security model:
|
||||
* mirrors the opencode harness's security model:
|
||||
* - native Bash blocked via --disallowedTools (agent cannot shell out)
|
||||
* - managed-settings.json: filesystem sandbox — deny /proc, /sys reads
|
||||
* - MCP ShellTool provides restricted shell (filtered env, no secrets)
|
||||
|
||||
+2
-2
@@ -1,7 +1,7 @@
|
||||
import { claude } from "./claude.ts";
|
||||
import { opentoad } from "./opentoad.ts";
|
||||
import { opencode } from "./opencode.ts";
|
||||
import type { Agent } from "./shared.ts";
|
||||
|
||||
export type { Agent, AgentUsage } from "./shared.ts";
|
||||
|
||||
export const agents = { claude, opentoad } satisfies Record<string, Agent>;
|
||||
export const agents = { claude, opencode } satisfies Record<string, Agent>;
|
||||
|
||||
@@ -1,10 +1,9 @@
|
||||
/**
|
||||
* OpenToad agent — secure harness around OpenCode CLI.
|
||||
* OpenCode agent — secure harness around OpenCode CLI.
|
||||
*
|
||||
* transparently wraps OpenCode with a security layer:
|
||||
* - bash: "deny" via OPENCODE_CONFIG_CONTENT (agent cannot shell out)
|
||||
* - OPENCODE_PERMISSION: filesystem sandbox — deny all external paths except /tmp
|
||||
* - untrusted .opencode/plugins/ and .opencode/tools/ deleted before launch
|
||||
* - MCP ShellTool provides restricted shell (filtered env, no secrets)
|
||||
* - MCP server injected alongside project config (not replacing)
|
||||
* - ASKPASS handles git auth separately (token never in subprocess env)
|
||||
@@ -607,8 +606,8 @@ async function runOpenCode(params: RunParams): Promise<AgentResult> {
|
||||
|
||||
// ── agent ───────────────────────────────────────────────────────────────────────
|
||||
|
||||
export const opentoad = agent({
|
||||
name: "opentoad",
|
||||
export const opencode = agent({
|
||||
name: "opencode",
|
||||
install: installOpencodeCli,
|
||||
run: async (ctx) => {
|
||||
const cliPath = await installOpencodeCli();
|
||||
@@ -676,7 +675,7 @@ export const opentoad = agent({
|
||||
log.info(`» dirty working tree (attempt ${attempt + 1}/${MAX_COMMIT_RETRIES}):\n${status}`);
|
||||
result = await runOpenCode({
|
||||
...runParams,
|
||||
args: [...baseArgs, "--continue", buildCommitPrompt("opentoad", status)],
|
||||
args: [...baseArgs, "--continue", buildCommitPrompt("opencode", status)],
|
||||
});
|
||||
}
|
||||
|
||||
@@ -0,0 +1,104 @@
|
||||
import { basename } from "node:path";
|
||||
import arg from "arg";
|
||||
import pc from "picocolors";
|
||||
import { runCli as runGhaCli } from "./commands/gha.ts";
|
||||
import { runCli as runInitCli } from "./commands/init.ts";
|
||||
|
||||
const VERSION = process.env.CLI_VERSION ?? "0.0.0";
|
||||
const bin = basename(process.argv[1] || "");
|
||||
const PROG = bin === "pf" || bin === "pullfrog" ? bin : "pullfrog";
|
||||
const rawArgs = process.argv.slice(2);
|
||||
|
||||
function printMainUsage(stream: typeof console.log): void {
|
||||
stream(`usage: ${PROG} <command>\n`);
|
||||
stream("commands:");
|
||||
stream(" init set up pullfrog on the current repository");
|
||||
stream("");
|
||||
stream("global options:");
|
||||
stream(" -h, --help show help");
|
||||
stream(" -v, --version show version");
|
||||
}
|
||||
|
||||
function parseGlobalArgs(args: string[]) {
|
||||
return arg(
|
||||
{
|
||||
"--help": Boolean,
|
||||
"--version": Boolean,
|
||||
"-h": "--help",
|
||||
"-v": "--version",
|
||||
},
|
||||
{
|
||||
argv: args,
|
||||
stopAtPositional: true,
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
function exitWithUsageError(message: string): never {
|
||||
console.error(`${message}\n`);
|
||||
printMainUsage(console.error);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
let globalParsed: ReturnType<typeof parseGlobalArgs>;
|
||||
try {
|
||||
globalParsed = parseGlobalArgs(rawArgs);
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
exitWithUsageError(message);
|
||||
}
|
||||
|
||||
if (globalParsed["--version"]) {
|
||||
console.log(VERSION);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
const command = globalParsed._[0];
|
||||
const commandArgs = globalParsed._.slice(1);
|
||||
|
||||
if (!command) {
|
||||
if (globalParsed["--help"]) {
|
||||
console.log(`${pc.bold("pullfrog")} v${VERSION}\n`);
|
||||
printMainUsage(console.log);
|
||||
process.exit(0);
|
||||
}
|
||||
printMainUsage(console.log);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
if (command === "init") {
|
||||
await runInitCli({
|
||||
args: commandArgs,
|
||||
prog: PROG,
|
||||
showHelp: globalParsed["--help"] === true,
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
if (command === "gha") {
|
||||
await runGhaCli({
|
||||
args: commandArgs,
|
||||
prog: PROG,
|
||||
showHelp: globalParsed["--help"] === true,
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
if (globalParsed["--help"]) {
|
||||
printMainUsage(console.log);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
console.error(`unknown command: ${pc.bold(command)}\n`);
|
||||
printMainUsage(console.error);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
try {
|
||||
await run();
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
console.error(pc.red(message));
|
||||
process.exit(1);
|
||||
}
|
||||
+162
@@ -0,0 +1,162 @@
|
||||
import { dirname } from "node:path";
|
||||
import * as core from "@actions/core";
|
||||
import arg from "arg";
|
||||
import { main } from "../main.ts";
|
||||
import { log } from "../utils/cli.ts";
|
||||
import { runPostCleanup } from "../utils/postCleanup.ts";
|
||||
import { acquireInstallationToken, revokeInstallationToken } from "../utils/token.ts";
|
||||
|
||||
// GitHub Actions runs the action entry point with the node24 binary specified
|
||||
// in action.yml, but doesn't add that binary's directory to PATH. Without this,
|
||||
// spawned processes (pnpm, npm, etc.) resolve to the runner's default node (v20).
|
||||
process.env.PATH = `${dirname(process.execPath)}:${process.env.PATH}`;
|
||||
|
||||
const STATE_TOKEN = "token";
|
||||
|
||||
interface GhaCliParams {
|
||||
args: string[];
|
||||
prog: string;
|
||||
showHelp?: boolean;
|
||||
}
|
||||
|
||||
async function runMain(): Promise<void> {
|
||||
try {
|
||||
const result = await main();
|
||||
if (!result.success) {
|
||||
throw new Error(result.error || "agent execution failed");
|
||||
}
|
||||
} catch (error) {
|
||||
const errorMessage = error instanceof Error ? error.message : "unknown error occurred";
|
||||
core.setFailed(`action failed: ${errorMessage}`);
|
||||
}
|
||||
}
|
||||
|
||||
async function runPost(): Promise<void> {
|
||||
log.debug(`[post] script started at ${new Date().toISOString()}`);
|
||||
try {
|
||||
await runPostCleanup();
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
log.error(`[post] unexpected error: ${message}`);
|
||||
}
|
||||
}
|
||||
|
||||
async function tokenMain(): Promise<void> {
|
||||
const reposInput = core.getInput("repos");
|
||||
const additionalRepos = reposInput
|
||||
? reposInput
|
||||
.split(",")
|
||||
.map((r) => r.trim())
|
||||
.filter(Boolean)
|
||||
: [];
|
||||
|
||||
const token = await acquireInstallationToken({ repos: additionalRepos });
|
||||
|
||||
core.setSecret(token);
|
||||
core.saveState(STATE_TOKEN, token);
|
||||
core.setOutput("token", token);
|
||||
|
||||
const scope = additionalRepos.length
|
||||
? `current repo + ${additionalRepos.join(", ")}`
|
||||
: "current repo only";
|
||||
core.info(`» installation token acquired (${scope})`);
|
||||
}
|
||||
|
||||
async function tokenPost(): Promise<void> {
|
||||
const token = core.getState(STATE_TOKEN);
|
||||
if (!token) {
|
||||
core.debug("no token found in state, skipping revocation");
|
||||
return;
|
||||
}
|
||||
await revokeInstallationToken(token);
|
||||
core.info("» installation token revoked");
|
||||
}
|
||||
|
||||
function printGhaUsage(params: { stream: typeof console.log; prog: string }): void {
|
||||
params.stream(`usage: ${params.prog} gha [token] [--post]\n`);
|
||||
params.stream("run the github action runtime flow.");
|
||||
params.stream("");
|
||||
params.stream("subcommands:");
|
||||
params.stream(" token acquire a github app installation token");
|
||||
params.stream("");
|
||||
params.stream("options:");
|
||||
params.stream(" -h, --help show help");
|
||||
params.stream(" --post run post-cleanup flow");
|
||||
}
|
||||
|
||||
function parseGhaArgs(args: string[]) {
|
||||
return arg(
|
||||
{
|
||||
"--help": Boolean,
|
||||
"--post": Boolean,
|
||||
"-h": "--help",
|
||||
},
|
||||
{
|
||||
argv: args,
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
export async function runCli(params: GhaCliParams): Promise<void> {
|
||||
if (params.showHelp) {
|
||||
printGhaUsage({ stream: console.log, prog: params.prog });
|
||||
return;
|
||||
}
|
||||
|
||||
let parsed: ReturnType<typeof parseGhaArgs>;
|
||||
try {
|
||||
parsed = parseGhaArgs(params.args);
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
console.error(`${message}\n`);
|
||||
printGhaUsage({ stream: console.error, prog: params.prog });
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (parsed["--help"]) {
|
||||
printGhaUsage({ stream: console.log, prog: params.prog });
|
||||
return;
|
||||
}
|
||||
|
||||
const normalizedArgs = ["gha"];
|
||||
const positional = parsed._;
|
||||
|
||||
if (positional.length > 1) {
|
||||
console.error(`unexpected positional arguments for gha: ${positional.slice(1).join(" ")}\n`);
|
||||
printGhaUsage({ stream: console.error, prog: params.prog });
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (positional[0] === "token") {
|
||||
normalizedArgs.push("token");
|
||||
} else if (positional[0]) {
|
||||
console.error(`unknown gha subcommand: ${positional[0]}\n`);
|
||||
printGhaUsage({ stream: console.error, prog: params.prog });
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (parsed["--post"]) {
|
||||
normalizedArgs.push("--post");
|
||||
}
|
||||
|
||||
await run(normalizedArgs);
|
||||
}
|
||||
|
||||
export async function run(args: string[]) {
|
||||
try {
|
||||
if (args.includes("token")) {
|
||||
if (args.includes("--post")) {
|
||||
await tokenPost();
|
||||
} else {
|
||||
await tokenMain();
|
||||
}
|
||||
} else if (args.includes("--post")) {
|
||||
await runPost();
|
||||
} else {
|
||||
await runMain();
|
||||
}
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
core.setFailed(message);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,964 @@
|
||||
import { execFileSync } from "node:child_process";
|
||||
import * as p from "@clack/prompts";
|
||||
import arg from "arg";
|
||||
import pc from "picocolors";
|
||||
import { modelAliases, type ProviderConfig, providers } from "../models.ts";
|
||||
|
||||
const PULLFROG_API_URL = (process.env.PULLFROG_API_URL || "https://pullfrog.com").replace(
|
||||
/\/+$/,
|
||||
""
|
||||
);
|
||||
|
||||
function link(text: string, url: string): string {
|
||||
return `\x1b]8;;${url}\x07${text}\x1b]8;;\x07`;
|
||||
}
|
||||
|
||||
type CliProvider = {
|
||||
id: string;
|
||||
name: string;
|
||||
envVars: readonly string[];
|
||||
models: { value: string; label: string; hint?: string | undefined }[];
|
||||
};
|
||||
|
||||
function buildProviders(): CliProvider[] {
|
||||
return Object.entries(providers)
|
||||
.filter(([key]) => key !== "opencode" && key !== "openrouter")
|
||||
.map(([key, config]: [string, ProviderConfig]) => {
|
||||
const aliases = modelAliases.filter((a) => a.provider === key);
|
||||
const recommended = aliases.find((a) => a.preferred);
|
||||
const sorted = [...aliases].sort((a, b) => {
|
||||
if (a.preferred && !b.preferred) return -1;
|
||||
if (!a.preferred && b.preferred) return 1;
|
||||
return 0;
|
||||
});
|
||||
return {
|
||||
id: key,
|
||||
name: config.displayName,
|
||||
envVars: config.envVars,
|
||||
models: sorted.map((a) => ({
|
||||
value: a.slug,
|
||||
label: a.displayName,
|
||||
hint: a === recommended ? "recommended" : undefined,
|
||||
})),
|
||||
};
|
||||
});
|
||||
}
|
||||
|
||||
const CLI_PROVIDERS = buildProviders();
|
||||
|
||||
function resolveModelProvider(slug: string): CliProvider | null {
|
||||
const providerId = slug.split("/")[0];
|
||||
return CLI_PROVIDERS.find((p) => p.id === providerId) ?? null;
|
||||
}
|
||||
|
||||
// ── helpers ──
|
||||
|
||||
// active spinner reference so bail/catch can clean up the terminal
|
||||
let activeSpin: ReturnType<typeof p.spinner> | null = null;
|
||||
|
||||
function bail(msg: string): never {
|
||||
if (activeSpin) {
|
||||
activeSpin.stop(pc.red("failed"));
|
||||
activeSpin = null;
|
||||
}
|
||||
p.cancel(msg);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
function handleCancel<T>(value: T | symbol): asserts value is T {
|
||||
if (p.isCancel(value)) {
|
||||
if (activeSpin) {
|
||||
activeSpin.stop(pc.red("canceled."));
|
||||
activeSpin = null;
|
||||
}
|
||||
p.cancel("canceled.");
|
||||
process.exit(0);
|
||||
}
|
||||
}
|
||||
|
||||
function getGhToken(): string {
|
||||
let token: string;
|
||||
try {
|
||||
token = execFileSync("gh", ["auth", "token"], { encoding: "utf-8" }).trim();
|
||||
} catch {
|
||||
bail(
|
||||
`gh cli not found or not authenticated.\n` +
|
||||
` ${pc.dim("install:")} https://cli.github.com\n` +
|
||||
` ${pc.dim("then:")} gh auth login`
|
||||
);
|
||||
}
|
||||
if (!token) {
|
||||
bail(
|
||||
`gh cli returned an empty token. try re-authenticating:\n` +
|
||||
` ${pc.dim("run:")} gh auth login`
|
||||
);
|
||||
}
|
||||
return token;
|
||||
}
|
||||
|
||||
type GhApiResult<T = unknown> = { data: T; scopes: string | null };
|
||||
|
||||
async function ghApi<T = unknown>(path: string, token: string): Promise<GhApiResult<T>> {
|
||||
const controller = new AbortController();
|
||||
const timeout = setTimeout(() => controller.abort(), 30_000);
|
||||
try {
|
||||
const response = await fetch(`https://api.github.com${path}`, {
|
||||
headers: {
|
||||
authorization: `Bearer ${token}`,
|
||||
accept: "application/vnd.github+json",
|
||||
"x-github-api-version": "2022-11-28",
|
||||
},
|
||||
signal: controller.signal,
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
const body = await response.text().catch(() => "");
|
||||
throw new Error(`github api ${path} returned ${response.status}: ${body}`);
|
||||
}
|
||||
|
||||
const data = (await response.json().catch(() => {
|
||||
throw new Error(`github api ${path} returned non-JSON response`);
|
||||
})) as T;
|
||||
return { data, scopes: response.headers.get("x-oauth-scopes") };
|
||||
} finally {
|
||||
clearTimeout(timeout);
|
||||
}
|
||||
}
|
||||
|
||||
function parseGitRemote(): { owner: string; repo: string } {
|
||||
let url: string;
|
||||
try {
|
||||
url = execFileSync("git", ["remote", "get-url", "origin"], { encoding: "utf-8" }).trim();
|
||||
} catch {
|
||||
bail("not a git repository or no 'origin' remote found.");
|
||||
}
|
||||
|
||||
const match = url.match(/github\.com(?::\d+)?[:/]+([^/]+)\/(.+?)(?:\.git)?(?:\/)?$/);
|
||||
if (!match) bail(`could not parse github owner/repo from remote: ${url}`);
|
||||
return { owner: match[1], repo: match[2] };
|
||||
}
|
||||
|
||||
function openBrowser(url: string) {
|
||||
try {
|
||||
const platform = process.platform;
|
||||
if (platform === "darwin") execFileSync("open", [url], { stdio: "ignore" });
|
||||
else if (platform === "win32")
|
||||
execFileSync("cmd", ["/c", "start", "", url], { stdio: "ignore" });
|
||||
else execFileSync("xdg-open", [url], { stdio: "ignore" });
|
||||
} catch {
|
||||
// headless/SSH — user will open the URL manually
|
||||
}
|
||||
}
|
||||
|
||||
// ── Pullfrog API ──
|
||||
|
||||
type SecretsApiData = {
|
||||
error?: string;
|
||||
appSlug?: string;
|
||||
installationId?: number | null;
|
||||
repositorySelection?: string | null;
|
||||
isOrg?: boolean;
|
||||
accessible?: boolean;
|
||||
repoSecrets?: string[];
|
||||
orgSecrets?: string[];
|
||||
pullfrogSecrets?: string[];
|
||||
repoStatus?: string | null;
|
||||
repoModel?: string | null;
|
||||
hasRuns?: boolean;
|
||||
};
|
||||
|
||||
type SecretsInfo = {
|
||||
isOrg: boolean;
|
||||
installationId: number | null;
|
||||
secretsAccessible: boolean;
|
||||
repoSecrets: string[];
|
||||
orgSecrets: string[];
|
||||
pullfrogSecrets: string[];
|
||||
model: string | null;
|
||||
hasRuns: boolean;
|
||||
};
|
||||
|
||||
type InstallationNotFound = {
|
||||
appSlug: string;
|
||||
installationId: number | null;
|
||||
repositorySelection: "all" | "selected" | null;
|
||||
isOrg: boolean;
|
||||
};
|
||||
|
||||
type StatusResult =
|
||||
| ({ installed: true } & SecretsInfo)
|
||||
| ({ installed: false } & InstallationNotFound);
|
||||
|
||||
type SessionApiData = {
|
||||
id?: string;
|
||||
installed?: boolean;
|
||||
error?: string;
|
||||
};
|
||||
|
||||
type SetupApiData = {
|
||||
error?: string;
|
||||
success?: boolean;
|
||||
already_existed?: boolean;
|
||||
pull_request_url?: string;
|
||||
commit_url?: string;
|
||||
hash?: string;
|
||||
};
|
||||
|
||||
type DispatchApiData = {
|
||||
error?: string;
|
||||
url?: string;
|
||||
};
|
||||
|
||||
type ApiResult<T = Record<string, unknown>> = { ok: boolean; status: number; data: T };
|
||||
|
||||
async function pullfrogApi<T = Record<string, unknown>>(ctx: {
|
||||
path: string;
|
||||
token: string;
|
||||
method?: string;
|
||||
body?: Record<string, unknown>;
|
||||
}): Promise<ApiResult<T>> {
|
||||
const headers: Record<string, string> = { authorization: `Bearer ${ctx.token}` };
|
||||
if (ctx.body) headers["content-type"] = "application/json";
|
||||
const controller = new AbortController();
|
||||
const timeout = setTimeout(() => controller.abort(), 30_000);
|
||||
try {
|
||||
const response = await fetch(`${PULLFROG_API_URL}${ctx.path}`, {
|
||||
method: ctx.method || "GET",
|
||||
headers,
|
||||
body: ctx.body ? JSON.stringify(ctx.body) : null,
|
||||
signal: controller.signal,
|
||||
});
|
||||
const data = (await response.json().catch(() => ({}))) as T;
|
||||
return { ok: response.ok, status: response.status, data };
|
||||
} finally {
|
||||
clearTimeout(timeout);
|
||||
}
|
||||
}
|
||||
|
||||
async function fetchStatus(ctx: {
|
||||
token: string;
|
||||
owner: string;
|
||||
repo: string;
|
||||
}): Promise<StatusResult> {
|
||||
const result = await pullfrogApi<SecretsApiData>({
|
||||
path: `/api/cli/secrets?owner=${encodeURIComponent(ctx.owner)}&repo=${encodeURIComponent(ctx.repo)}`,
|
||||
token: ctx.token,
|
||||
});
|
||||
|
||||
if (!result.ok) {
|
||||
const errorMsg = result.data.error || "";
|
||||
if (result.status === 401) bail("invalid or expired github token.");
|
||||
if (result.status === 404) {
|
||||
const sel = result.data.repositorySelection;
|
||||
if (!result.data.appSlug) bail("server did not return appSlug");
|
||||
return {
|
||||
installed: false,
|
||||
appSlug: result.data.appSlug,
|
||||
installationId:
|
||||
typeof result.data.installationId === "number" ? result.data.installationId : null,
|
||||
repositorySelection: sel === "all" || sel === "selected" ? sel : null,
|
||||
isOrg: result.data.isOrg === true,
|
||||
};
|
||||
}
|
||||
bail(errorMsg || `secrets check failed (${result.status})`);
|
||||
}
|
||||
|
||||
return {
|
||||
installed: true,
|
||||
isOrg: result.data.isOrg === true,
|
||||
installationId:
|
||||
typeof result.data.installationId === "number" ? result.data.installationId : null,
|
||||
secretsAccessible: result.data.accessible !== false,
|
||||
repoSecrets: result.data.repoSecrets || [],
|
||||
orgSecrets: result.data.orgSecrets || [],
|
||||
pullfrogSecrets: result.data.pullfrogSecrets || [],
|
||||
model: result.data.repoModel ?? null,
|
||||
hasRuns: result.data.hasRuns === true,
|
||||
};
|
||||
}
|
||||
|
||||
// ── sessions ──
|
||||
|
||||
async function createSession(ctx: {
|
||||
token: string;
|
||||
owner: string;
|
||||
repo: string;
|
||||
}): Promise<string | null> {
|
||||
try {
|
||||
const result = await pullfrogApi<SessionApiData>({
|
||||
path: "/api/cli/session",
|
||||
token: ctx.token,
|
||||
method: "POST",
|
||||
body: { owner: ctx.owner.toLowerCase(), repo: ctx.repo.toLowerCase() },
|
||||
});
|
||||
if (!result.ok || !result.data.id) return null;
|
||||
return result.data.id;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
type PollResult = "installed" | "pending" | "expired";
|
||||
|
||||
async function pollSession(ctx: { token: string; sessionId: string }): Promise<PollResult> {
|
||||
const result = await pullfrogApi<SessionApiData>({
|
||||
path: `/api/cli/session/${ctx.sessionId}`,
|
||||
token: ctx.token,
|
||||
});
|
||||
if (result.status === 410) return "expired";
|
||||
if (!result.ok) return "pending";
|
||||
return result.data.installed === true ? "installed" : "pending";
|
||||
}
|
||||
|
||||
function cleanupSession(ctx: { token: string; sessionId: string }) {
|
||||
void pullfrogApi({
|
||||
path: `/api/cli/session/${ctx.sessionId}`,
|
||||
token: ctx.token,
|
||||
method: "DELETE",
|
||||
}).catch(() => {});
|
||||
}
|
||||
|
||||
// ── installation ──
|
||||
|
||||
const SESSION_POLL_MS = 750;
|
||||
const FALLBACK_POLL_MS = 5_000;
|
||||
const HINT_AFTER_MS = 10_000;
|
||||
const TIMEOUT_MS = 3 * 60 * 1000;
|
||||
|
||||
function listenForKey(key: string) {
|
||||
let triggered = false;
|
||||
const onData = (data: Buffer) => {
|
||||
if (data.toString().toLowerCase() === key) triggered = true;
|
||||
};
|
||||
process.stdin.setRawMode?.(true);
|
||||
process.stdin.resume();
|
||||
process.stdin.on("data", onData);
|
||||
return {
|
||||
consume() {
|
||||
if (!triggered) return false;
|
||||
triggered = false;
|
||||
return true;
|
||||
},
|
||||
stop() {
|
||||
process.stdin.removeListener("data", onData);
|
||||
process.stdin.setRawMode?.(false);
|
||||
process.stdin.pause();
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
function installationConfigUrl(ctx: { owner: string; installationId: number; isOrg: boolean }) {
|
||||
return ctx.isOrg
|
||||
? `https://github.com/organizations/${ctx.owner}/settings/installations/${ctx.installationId}`
|
||||
: `https://github.com/settings/installations/${ctx.installationId}`;
|
||||
}
|
||||
|
||||
async function ensureInstallation(ctx: {
|
||||
token: string;
|
||||
owner: string;
|
||||
repo: string;
|
||||
}): Promise<SecretsInfo> {
|
||||
activeSpin!.start("checking pullfrog app installation");
|
||||
|
||||
const initial = await fetchStatus(ctx);
|
||||
if (initial.installed) {
|
||||
activeSpin!.stop(`pullfrog app is installed on ${pc.cyan(`@${ctx.owner}`)}`);
|
||||
if (initial.installationId) {
|
||||
const configUrl = installationConfigUrl({
|
||||
owner: ctx.owner,
|
||||
installationId: initial.installationId,
|
||||
isOrg: initial.isOrg,
|
||||
});
|
||||
process.stdout.write(`${pc.gray(p.S_BAR)} ${link(pc.dim(configUrl), configUrl)}\n`);
|
||||
}
|
||||
return initial;
|
||||
}
|
||||
|
||||
const sessionId = await createSession(ctx);
|
||||
|
||||
if (initial.installationId) {
|
||||
const repoRef = pc.bold(`${ctx.owner}/${ctx.repo}`);
|
||||
const configUrl = installationConfigUrl({
|
||||
owner: ctx.owner,
|
||||
installationId: initial.installationId,
|
||||
isOrg: initial.isOrg,
|
||||
});
|
||||
activeSpin!.stop(`pullfrog is installed on selected repos, but ${repoRef} is not included.`);
|
||||
p.log.info(
|
||||
`add it under "Repository access" on the installation config page.\n ${pc.dim(configUrl)}`
|
||||
);
|
||||
const openIt = await p.confirm({ message: "open browser?", active: "yes", inactive: "no" });
|
||||
handleCancel(openIt);
|
||||
if (openIt) openBrowser(configUrl);
|
||||
} else {
|
||||
activeSpin!.stop("pullfrog app not installed");
|
||||
const installUrl = `https://github.com/apps/${initial.appSlug}/installations/select_target?state=cli`;
|
||||
p.log.info(`opening browser to install...\n ${pc.dim(installUrl)}`);
|
||||
openBrowser(installUrl);
|
||||
}
|
||||
|
||||
const isRepoAccessUpdate = !!initial.installationId;
|
||||
const baseMsg = isRepoAccessUpdate
|
||||
? "once you've added the repo, onboarding will proceed automatically"
|
||||
: "once you've installed the app, onboarding will proceed automatically";
|
||||
activeSpin!.start(baseMsg);
|
||||
|
||||
let activeSessionId = sessionId;
|
||||
let pollMs = activeSessionId ? SESSION_POLL_MS : FALLBACK_POLL_MS;
|
||||
const listener = listenForKey("r");
|
||||
const startedAt = Date.now();
|
||||
let hintShown = false;
|
||||
|
||||
try {
|
||||
while (Date.now() - startedAt < TIMEOUT_MS) {
|
||||
await new Promise((r) => setTimeout(r, pollMs));
|
||||
|
||||
if (!hintShown && Date.now() - startedAt > HINT_AFTER_MS) {
|
||||
activeSpin!.message(`${baseMsg} ${pc.dim("(press r to recheck manually)")}`);
|
||||
hintShown = true;
|
||||
}
|
||||
|
||||
const doneMsg = isRepoAccessUpdate ? "repo access confirmed" : "pullfrog app installed";
|
||||
|
||||
if (listener.consume()) {
|
||||
activeSpin!.message("rechecking via GitHub API");
|
||||
try {
|
||||
const status = await fetchStatus(ctx);
|
||||
if (status.installed) {
|
||||
if (activeSessionId) cleanupSession({ token: ctx.token, sessionId: activeSessionId });
|
||||
activeSpin!.stop(doneMsg);
|
||||
return status;
|
||||
}
|
||||
} catch {
|
||||
// network error — keep going
|
||||
}
|
||||
activeSpin!.message(`${baseMsg} ${pc.dim("(press r to recheck manually)")}`);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (activeSessionId) {
|
||||
// fast path: lightweight DB session poll (no GitHub API calls)
|
||||
try {
|
||||
const result = await pollSession({ token: ctx.token, sessionId: activeSessionId });
|
||||
if (result === "expired") {
|
||||
activeSessionId = null;
|
||||
pollMs = FALLBACK_POLL_MS;
|
||||
continue;
|
||||
}
|
||||
if (result === "installed") {
|
||||
const status = await fetchStatus(ctx);
|
||||
if (status.installed) {
|
||||
cleanupSession({ token: ctx.token, sessionId: activeSessionId });
|
||||
activeSpin!.stop(doneMsg);
|
||||
return status;
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
// transient error — keep polling
|
||||
}
|
||||
} else {
|
||||
// no session available — poll fetchStatus directly at slower interval
|
||||
try {
|
||||
const status = await fetchStatus(ctx);
|
||||
if (status.installed) {
|
||||
activeSpin!.stop(doneMsg);
|
||||
return status;
|
||||
}
|
||||
} catch {
|
||||
// transient error — keep polling
|
||||
}
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
listener.stop();
|
||||
}
|
||||
|
||||
if (activeSessionId) cleanupSession({ token: ctx.token, sessionId: activeSessionId });
|
||||
bail(
|
||||
isRepoAccessUpdate
|
||||
? "timed out waiting for repo access.\n" +
|
||||
` ${pc.dim("add the repo, then re-run:")} npx pullfrog init`
|
||||
: "timed out waiting for app installation.\n" +
|
||||
` ${pc.dim("if your org requires admin approval, ask an admin to approve,")}\n` +
|
||||
` ${pc.dim("then re-run:")} npx pullfrog init`
|
||||
);
|
||||
}
|
||||
|
||||
// ── secret management ──
|
||||
|
||||
type StorageMethod = "pullfrog" | "github";
|
||||
type SecretScope = "account" | "repo";
|
||||
|
||||
type SecretSetResult = { saved: boolean; orgFailed: boolean };
|
||||
|
||||
function setGhSecret(ctx: {
|
||||
name: string;
|
||||
value: string;
|
||||
org: string | null;
|
||||
repoSlug: string;
|
||||
}): SecretSetResult {
|
||||
let orgFailed = false;
|
||||
|
||||
if (ctx.org) {
|
||||
try {
|
||||
execFileSync("gh", ["secret", "set", ctx.name, "--org", ctx.org, "--visibility", "all"], {
|
||||
input: ctx.value,
|
||||
stdio: ["pipe", "ignore", "pipe"],
|
||||
encoding: "utf-8",
|
||||
});
|
||||
return { saved: true, orgFailed: false };
|
||||
} catch {
|
||||
orgFailed = true;
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
execFileSync("gh", ["secret", "set", ctx.name, "--repo", ctx.repoSlug], {
|
||||
input: ctx.value,
|
||||
stdio: ["pipe", "ignore", "pipe"],
|
||||
encoding: "utf-8",
|
||||
});
|
||||
return { saved: true, orgFailed };
|
||||
} catch {
|
||||
return { saved: false, orgFailed };
|
||||
}
|
||||
}
|
||||
|
||||
type PullfrogSecretResult = { saved: boolean; error: string };
|
||||
|
||||
async function setPullfrogSecret(ctx: {
|
||||
token: string;
|
||||
owner: string;
|
||||
repo: string;
|
||||
name: string;
|
||||
value: string;
|
||||
scope: SecretScope;
|
||||
}): Promise<PullfrogSecretResult> {
|
||||
const result = await pullfrogApi<{ success?: boolean; error?: string }>({
|
||||
path: "/api/cli/secrets",
|
||||
token: ctx.token,
|
||||
method: "POST",
|
||||
body: {
|
||||
owner: ctx.owner,
|
||||
repo: ctx.repo,
|
||||
name: ctx.name,
|
||||
value: ctx.value,
|
||||
scope: ctx.scope,
|
||||
},
|
||||
});
|
||||
if (result.ok && result.data.success === true) {
|
||||
return { saved: true, error: "" };
|
||||
}
|
||||
return { saved: false, error: result.data.error || `api returned ${result.status}` };
|
||||
}
|
||||
|
||||
async function promptScope(ctx: { owner: string; repo: string }): Promise<SecretScope> {
|
||||
const scope = await p.select<SecretScope>({
|
||||
message: "secret scope",
|
||||
options: [
|
||||
{ value: "account", label: `${ctx.owner} organization`, hint: "shared across repos" },
|
||||
{ value: "repo", label: `${ctx.owner}/${ctx.repo} only` },
|
||||
],
|
||||
});
|
||||
handleCancel(scope);
|
||||
return scope;
|
||||
}
|
||||
|
||||
async function handleSecret(ctx: {
|
||||
token: string;
|
||||
owner: string;
|
||||
repo: string;
|
||||
provider: CliProvider;
|
||||
secrets: SecretsInfo;
|
||||
}): Promise<void> {
|
||||
const repoSecretsUrl = `https://github.com/${ctx.owner}/${ctx.repo}/settings/secrets/actions`;
|
||||
|
||||
const matches: { name: string; source: string }[] = [];
|
||||
for (const v of ctx.provider.envVars) {
|
||||
if (ctx.secrets.pullfrogSecrets.includes(v)) matches.push({ name: v, source: "pullfrog" });
|
||||
else if (ctx.secrets.secretsAccessible && ctx.secrets.orgSecrets.includes(v))
|
||||
matches.push({ name: v, source: "org secret" });
|
||||
else if (ctx.secrets.secretsAccessible && ctx.secrets.repoSecrets.includes(v))
|
||||
matches.push({ name: v, source: "repo secret" });
|
||||
}
|
||||
|
||||
if (matches.length > 0) {
|
||||
activeSpin!.start("");
|
||||
activeSpin!.stop("secrets already configured");
|
||||
for (const m of matches) {
|
||||
process.stdout.write(
|
||||
`${pc.gray(p.S_BAR)} ${pc.cyan(m.name)} ${pc.dim(`(${m.source})`)}\n`
|
||||
);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
if (!ctx.secrets.secretsAccessible) {
|
||||
p.log.info(`could not verify GitHub secrets (app lacks permission)`);
|
||||
}
|
||||
|
||||
const hasOAuthOption = ctx.provider.envVars.includes("CLAUDE_CODE_OAUTH_TOKEN");
|
||||
let envVar = ctx.provider.envVars[0];
|
||||
|
||||
if (hasOAuthOption) {
|
||||
const authMethod = await p.select({
|
||||
message: "which credential do you want to use?",
|
||||
options: [
|
||||
{
|
||||
value: "oauth",
|
||||
label: "Claude Code OAuth token",
|
||||
hint: `run ${pc.cyan("claude setup-token")} — works with Pro/Max subscriptions`,
|
||||
},
|
||||
{
|
||||
value: "api",
|
||||
label: "Anthropic API key",
|
||||
hint: "from console.anthropic.com",
|
||||
},
|
||||
],
|
||||
});
|
||||
handleCancel(authMethod);
|
||||
if (authMethod === "oauth") envVar = "CLAUDE_CODE_OAUTH_TOKEN";
|
||||
}
|
||||
|
||||
const method = await p.select<StorageMethod>({
|
||||
message: `where should ${pc.cyan(envVar)} be stored?`,
|
||||
options: [
|
||||
{
|
||||
value: "pullfrog",
|
||||
label: "Pullfrog",
|
||||
hint: "recommended — auto-injected, no workflow changes",
|
||||
},
|
||||
{
|
||||
value: "github",
|
||||
label: "GitHub Actions secret",
|
||||
hint: "requires env block in pullfrog.yml",
|
||||
},
|
||||
],
|
||||
});
|
||||
handleCancel(method);
|
||||
|
||||
const pasteLabel =
|
||||
envVar === "CLAUDE_CODE_OAUTH_TOKEN" ? "OAuth token" : `${ctx.provider.name} API key`;
|
||||
const apiKey = await p.password({
|
||||
message: `paste your ${pasteLabel} ${pc.dim("(Enter to skip)")}`,
|
||||
mask: "*",
|
||||
validate: () => undefined,
|
||||
});
|
||||
handleCancel(apiKey);
|
||||
|
||||
if (!apiKey) {
|
||||
p.log.info(
|
||||
`skipped — set it manually at:\n ${pc.dim(method === "pullfrog" ? `${PULLFROG_API_URL}/console/${ctx.owner}` : repoSecretsUrl)}`
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
if (method === "pullfrog") {
|
||||
const scope: SecretScope = ctx.secrets.isOrg ? await promptScope(ctx) : "account";
|
||||
|
||||
activeSpin!.start(`saving ${envVar}`);
|
||||
let saveResult: PullfrogSecretResult;
|
||||
try {
|
||||
saveResult = await setPullfrogSecret({
|
||||
token: ctx.token,
|
||||
owner: ctx.owner,
|
||||
repo: ctx.repo,
|
||||
name: envVar,
|
||||
value: apiKey,
|
||||
scope,
|
||||
});
|
||||
} catch (error) {
|
||||
activeSpin!.stop(pc.red("could not save secret"));
|
||||
p.log.warn(
|
||||
`${error instanceof Error ? error.message : "network error"}\n set it manually at: ${pc.dim(`${PULLFROG_API_URL}/console/${ctx.owner}`)}`
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
if (saveResult.saved) {
|
||||
activeSpin!.stop(`saved ${pc.cyan(envVar)} to Pullfrog`);
|
||||
} else {
|
||||
activeSpin!.stop(pc.red("could not save secret"));
|
||||
p.log.warn(
|
||||
`${saveResult.error}\n set it manually at: ${pc.dim(`${PULLFROG_API_URL}/console/${ctx.owner}`)}`
|
||||
);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
// github actions secret path
|
||||
let org: string | null = null;
|
||||
if (ctx.secrets.isOrg) {
|
||||
const scope = await promptScope(ctx);
|
||||
org = scope === "account" ? ctx.owner : null;
|
||||
}
|
||||
|
||||
const secretsUrl = org
|
||||
? `https://github.com/organizations/${org}/settings/secrets/actions`
|
||||
: repoSecretsUrl;
|
||||
|
||||
activeSpin!.start(`saving ${envVar}`);
|
||||
const secretResult = setGhSecret({
|
||||
name: envVar,
|
||||
value: apiKey,
|
||||
org,
|
||||
repoSlug: `${ctx.owner}/${ctx.repo}`,
|
||||
});
|
||||
if (secretResult.saved) {
|
||||
activeSpin!.stop(
|
||||
`saved ${pc.cyan(envVar)} to ${org && !secretResult.orgFailed ? `${pc.dim(ctx.owner)} org secret` : "GitHub Actions secret"}`
|
||||
);
|
||||
if (secretResult.orgFailed) {
|
||||
p.log.warn("org secret failed (admin access required) — saved as repo secret instead");
|
||||
}
|
||||
} else {
|
||||
activeSpin!.stop(pc.red("could not set secret"));
|
||||
p.log.warn(`set it manually at:\n ${pc.dim(secretsUrl)}`);
|
||||
}
|
||||
}
|
||||
|
||||
async function promptTestRun(ctx: { token: string; owner: string; repo: string }): Promise<void> {
|
||||
const proceed = await p.select({
|
||||
message: "test your installation?",
|
||||
options: [
|
||||
{ value: true, label: "yes", hint: "dispatches a test run in your GitHub Actions" },
|
||||
{ value: false, label: "skip" },
|
||||
],
|
||||
});
|
||||
handleCancel(proceed);
|
||||
if (!proceed) return;
|
||||
|
||||
activeSpin!.start("dispatching test run");
|
||||
const result = await pullfrogApi<DispatchApiData>({
|
||||
path: "/api/cli/dispatch",
|
||||
token: ctx.token,
|
||||
method: "POST",
|
||||
body: { owner: ctx.owner, repo: ctx.repo, prompt: "Tell me a joke" },
|
||||
});
|
||||
|
||||
if (!result.ok) {
|
||||
activeSpin!.stop(pc.red("could not dispatch"));
|
||||
p.log.warn(result.data.error || `dispatch failed (${result.status})`);
|
||||
return;
|
||||
}
|
||||
|
||||
activeSpin!.stop("dispatched test run");
|
||||
if (result.data.url) {
|
||||
process.stdout.write(
|
||||
`${pc.gray(p.S_BAR)} ${link(pc.dim(result.data.url), result.data.url)}\n`
|
||||
);
|
||||
openBrowser(result.data.url);
|
||||
}
|
||||
}
|
||||
|
||||
// ── main ──
|
||||
|
||||
async function main() {
|
||||
p.intro(pc.bgGreen(pc.black(" pullfrog ")));
|
||||
|
||||
const spin = p.spinner();
|
||||
activeSpin = spin;
|
||||
|
||||
// 1. authenticate
|
||||
spin.start("authenticating with github");
|
||||
const token = getGhToken();
|
||||
const userResult = await ghApi<{ login: string }>("/user", token);
|
||||
const user = userResult.data;
|
||||
|
||||
// gho_ tokens from `gh auth login` expose scopes via x-oauth-scopes header.
|
||||
// fine-grained PATs (github_pat_) don't return scopes — they pass this check.
|
||||
// split on ", " and match exact scope — .includes("repo") would false-positive on "public_repo"
|
||||
const scopeSet = userResult.scopes !== null ? new Set(userResult.scopes.split(", ")) : null;
|
||||
if (scopeSet !== null && !scopeSet.has("repo")) {
|
||||
bail(
|
||||
`your token is missing the ${pc.bold('"repo"')} scope.\n` +
|
||||
` ${pc.dim("run:")} gh auth refresh --scopes repo\n` +
|
||||
` ${pc.dim("then:")} npx pullfrog init`
|
||||
);
|
||||
}
|
||||
|
||||
spin.stop(`hello, ${pc.cyan(`@${user.login}`)}`);
|
||||
|
||||
// 2. detect repo
|
||||
spin.start("detecting repository");
|
||||
const remote = parseGitRemote();
|
||||
spin.stop(`detected repo ${pc.cyan(`${remote.owner}/${remote.repo}`)}`);
|
||||
|
||||
// 3. ensure app installation + check secrets
|
||||
const secrets = await ensureInstallation({ token, owner: remote.owner, repo: remote.repo });
|
||||
|
||||
// 4. select provider + model (skip if already set)
|
||||
let model: string;
|
||||
let provider: CliProvider;
|
||||
|
||||
if (secrets.model) {
|
||||
model = secrets.model;
|
||||
const resolved = resolveModelProvider(secrets.model);
|
||||
if (!resolved) bail(`unknown model provider: ${secrets.model}`);
|
||||
provider = resolved;
|
||||
spin.start("");
|
||||
spin.stop(`using model ${pc.cyan(secrets.model)}`);
|
||||
} else {
|
||||
const providerId = await p.select({
|
||||
message: "select your preferred model provider",
|
||||
options: CLI_PROVIDERS.map((cp) => ({
|
||||
value: cp.id,
|
||||
label: cp.name,
|
||||
})),
|
||||
});
|
||||
handleCancel(providerId);
|
||||
|
||||
const found = CLI_PROVIDERS.find((cp) => cp.id === providerId);
|
||||
if (!found) bail(`unknown provider: ${providerId}`);
|
||||
provider = found;
|
||||
|
||||
if (provider.models.length === 1) {
|
||||
model = provider.models[0].value;
|
||||
spin.start("");
|
||||
spin.stop(`using ${pc.bold(provider.models[0].label)}`);
|
||||
} else {
|
||||
const recommendedModel = provider.models.find((m) => m.hint === "recommended");
|
||||
const options = provider.models.map((m) => {
|
||||
if (m.hint) return { value: m.value, label: m.label, hint: m.hint };
|
||||
return { value: m.value, label: m.label };
|
||||
});
|
||||
const selected = await p.select(
|
||||
recommendedModel
|
||||
? { message: "select model", initialValue: recommendedModel.value, options }
|
||||
: { message: "select model", options }
|
||||
);
|
||||
handleCancel(selected);
|
||||
model = selected;
|
||||
}
|
||||
}
|
||||
|
||||
// 5. check/set secret
|
||||
await handleSecret({ token, owner: remote.owner, repo: remote.repo, provider, secrets });
|
||||
|
||||
// 6. create workflow
|
||||
spin.start("creating pullfrog.yml workflow");
|
||||
|
||||
const result = await pullfrogApi<SetupApiData>({
|
||||
path: "/api/cli/setup",
|
||||
token,
|
||||
method: "POST",
|
||||
body: { owner: remote.owner, repo: remote.repo, model },
|
||||
});
|
||||
|
||||
if (!result.ok) {
|
||||
bail(result.data.error || `api returned ${result.status}`);
|
||||
}
|
||||
|
||||
let skipTestRun = false;
|
||||
|
||||
if (result.data.already_existed) {
|
||||
spin.stop("pullfrog.yml already exists");
|
||||
} else if (result.data.pull_request_url) {
|
||||
spin.stop("opened pull request with pullfrog.yml");
|
||||
process.stdout.write(
|
||||
`${pc.gray(p.S_BAR)} ${link(pc.dim(result.data.pull_request_url), result.data.pull_request_url)}\n`
|
||||
);
|
||||
openBrowser(result.data.pull_request_url);
|
||||
|
||||
const merged = await p.select({
|
||||
message: "merge the PR to activate pullfrog, then continue",
|
||||
options: [
|
||||
{ value: true, label: "continue", hint: "PR has been merged" },
|
||||
{ value: false, label: "skip" },
|
||||
],
|
||||
});
|
||||
handleCancel(merged);
|
||||
if (!merged) skipTestRun = true;
|
||||
} else {
|
||||
const short = result.data.hash?.slice(0, 7);
|
||||
spin.stop(
|
||||
short ? `committed pullfrog.yml to repo ${pc.dim(short)}` : "committed pullfrog.yml to repo"
|
||||
);
|
||||
}
|
||||
|
||||
if (!skipTestRun && !secrets.hasRuns) {
|
||||
await promptTestRun({ token, owner: remote.owner, repo: remote.repo });
|
||||
}
|
||||
|
||||
const consoleUrl = `${PULLFROG_API_URL}/console/${remote.owner}/${remote.repo}`;
|
||||
spin.start("");
|
||||
spin.stop("repo is configurable via the Pullfrog dashboard");
|
||||
process.stdout.write(`${pc.gray(p.S_BAR)} ${link(pc.dim(consoleUrl), consoleUrl)}\n`);
|
||||
activeSpin = null;
|
||||
p.outro("done.");
|
||||
}
|
||||
|
||||
interface InitCliParams {
|
||||
args: string[];
|
||||
prog: string;
|
||||
showHelp?: boolean;
|
||||
}
|
||||
|
||||
function printInitUsage(params: { stream: typeof console.log; prog: string }): void {
|
||||
params.stream(`usage: ${params.prog} init\n`);
|
||||
params.stream("set up pullfrog on the current repository.");
|
||||
params.stream("");
|
||||
params.stream("options:");
|
||||
params.stream(" -h, --help show help");
|
||||
}
|
||||
|
||||
function parseInitArgs(args: string[]) {
|
||||
return arg(
|
||||
{
|
||||
"--help": Boolean,
|
||||
"-h": "--help",
|
||||
},
|
||||
{
|
||||
argv: args,
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
export async function runCli(params: InitCliParams): Promise<void> {
|
||||
if (params.showHelp) {
|
||||
printInitUsage({ stream: console.log, prog: params.prog });
|
||||
return;
|
||||
}
|
||||
|
||||
let parsed: ReturnType<typeof parseInitArgs>;
|
||||
try {
|
||||
parsed = parseInitArgs(params.args);
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
console.error(`${message}\n`);
|
||||
printInitUsage({ stream: console.error, prog: params.prog });
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (parsed["--help"]) {
|
||||
printInitUsage({ stream: console.log, prog: params.prog });
|
||||
return;
|
||||
}
|
||||
|
||||
if (parsed._.length > 0) {
|
||||
console.error(`unexpected positional arguments for init: ${parsed._.join(" ")}\n`);
|
||||
printInitUsage({ stream: console.error, prog: params.prog });
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
await run();
|
||||
}
|
||||
|
||||
export async function run() {
|
||||
try {
|
||||
await main();
|
||||
} catch (error) {
|
||||
if (activeSpin) {
|
||||
activeSpin.stop(pc.red("failed"));
|
||||
activeSpin = null;
|
||||
}
|
||||
const msg =
|
||||
error instanceof Error && error.name === "AbortError"
|
||||
? "request timed out — check your network connection and try again"
|
||||
: error instanceof Error
|
||||
? error.message
|
||||
: String(error);
|
||||
p.log.error(msg);
|
||||
process.exit(1);
|
||||
}
|
||||
}
|
||||
@@ -1,29 +1,7 @@
|
||||
#!/usr/bin/env node
|
||||
|
||||
/**
|
||||
* entry point for pullfrog/pullfrog - unified action
|
||||
*/
|
||||
import { runPullfrogCli } from "./runCli.ts";
|
||||
|
||||
import { dirname } from "node:path";
|
||||
import * as core from "@actions/core";
|
||||
import { main } from "./main.ts";
|
||||
|
||||
// GitHub Actions runs the action entry point with the node24 binary specified
|
||||
// in action.yml, but doesn't add that binary's directory to PATH. Without this,
|
||||
// spawned processes (pnpm, npm, etc.) resolve to the runner's default node (v20).
|
||||
process.env.PATH = `${dirname(process.execPath)}:${process.env.PATH}`;
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const result = await main();
|
||||
|
||||
if (!result.success) {
|
||||
throw new Error(result.error || "Agent execution failed");
|
||||
}
|
||||
} catch (error) {
|
||||
const errorMessage = error instanceof Error ? error.message : "Unknown error occurred";
|
||||
core.setFailed(`Action failed: ${errorMessage}`);
|
||||
}
|
||||
}
|
||||
|
||||
await run();
|
||||
runPullfrogCli({
|
||||
cliArgs: ["gha"],
|
||||
});
|
||||
|
||||
+30
-21
@@ -1,9 +1,12 @@
|
||||
// @ts-check
|
||||
|
||||
import { build } from "esbuild";
|
||||
import { readFileSync, writeFileSync } from "fs";
|
||||
import { mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
|
||||
|
||||
const isMainOnlyBuild = process.argv.includes("--main-only");
|
||||
const pkg = JSON.parse(readFileSync("package.json", "utf-8"));
|
||||
|
||||
rmSync("./dist", { recursive: true, force: true });
|
||||
mkdirSync("./dist", { recursive: true });
|
||||
|
||||
// Plugin to strip shebangs from output files
|
||||
/**
|
||||
@@ -61,30 +64,36 @@ const sharedConfig = {
|
||||
drop: [],
|
||||
};
|
||||
|
||||
// Build the main entry bundle
|
||||
// Build the CLI bundle (published to npm, used by npx)
|
||||
await build({
|
||||
...sharedConfig,
|
||||
entryPoints: ["./entry.ts"],
|
||||
outfile: "./entry",
|
||||
entryPoints: ["./cli.ts"],
|
||||
outfile: "./dist/cli.mjs",
|
||||
target: "node20",
|
||||
plugins: [stripShebangPlugin],
|
||||
define: {
|
||||
"process.env.CLI_VERSION": JSON.stringify(pkg.version),
|
||||
},
|
||||
});
|
||||
|
||||
if (!isMainOnlyBuild) {
|
||||
// Build the post cleanup entry bundle
|
||||
await build({
|
||||
...sharedConfig,
|
||||
entryPoints: ["./post.ts"],
|
||||
outfile: "./post",
|
||||
plugins: [stripShebangPlugin],
|
||||
});
|
||||
// Build ESM library entrypoints for programmatic imports
|
||||
await build({
|
||||
...sharedConfig,
|
||||
entryPoints: ["./index.ts"],
|
||||
outfile: "./dist/index.js",
|
||||
target: "node20",
|
||||
});
|
||||
|
||||
// Build the get-installation-token action
|
||||
await build({
|
||||
...sharedConfig,
|
||||
entryPoints: ["./get-installation-token/entry.ts"],
|
||||
outfile: "./get-installation-token/entry",
|
||||
plugins: [stripShebangPlugin],
|
||||
})
|
||||
}
|
||||
await build({
|
||||
...sharedConfig,
|
||||
entryPoints: ["./internal/index.ts"],
|
||||
outfile: "./dist/internal.js",
|
||||
target: "node20",
|
||||
});
|
||||
|
||||
// prepend shebang after strip (esbuild banner can't guarantee line 1 placement)
|
||||
const cliPath = "./dist/cli.mjs";
|
||||
const cliContent = readFileSync(cliPath, "utf8");
|
||||
writeFileSync(cliPath, `#!/usr/bin/env node\n${cliContent}`);
|
||||
|
||||
console.log("» build completed successfully");
|
||||
|
||||
+2
-2
@@ -8,7 +8,7 @@
|
||||
export const pullfrogMcpName = "pullfrog";
|
||||
|
||||
/** @see {@link file://./agents/shared.ts} Agent interface that uses this type */
|
||||
export type AgentId = "claude" | "opentoad";
|
||||
export type AgentId = "claude" | "opencode";
|
||||
|
||||
/**
|
||||
* format a tool name the way each agent's MCP client presents it to the model.
|
||||
@@ -19,7 +19,7 @@ export function formatMcpToolRef(agentId: AgentId, toolName: string): string {
|
||||
switch (agentId) {
|
||||
case "claude":
|
||||
return `mcp__${pullfrogMcpName}__${toolName}`;
|
||||
case "opentoad":
|
||||
case "opencode":
|
||||
return `${pullfrogMcpName}_${toolName}`;
|
||||
default:
|
||||
return agentId satisfies never;
|
||||
|
||||
@@ -13,8 +13,8 @@ outputs:
|
||||
|
||||
runs:
|
||||
using: "node24"
|
||||
main: "entry"
|
||||
post: "entry"
|
||||
main: "entry.ts"
|
||||
post: "post.ts"
|
||||
|
||||
branding:
|
||||
icon: "key"
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,69 +1,5 @@
|
||||
#!/usr/bin/env node
|
||||
import { runPullfrogCli } from "../runCli.ts";
|
||||
|
||||
/**
|
||||
* entry point for get-installation-token action.
|
||||
* handles both main and post execution using the isPost state pattern.
|
||||
*/
|
||||
|
||||
import * as core from "@actions/core";
|
||||
import { acquireInstallationToken, revokeInstallationToken } from "../utils/token.ts";
|
||||
|
||||
const STATE_TOKEN = "token";
|
||||
const STATE_IS_POST = "isPost";
|
||||
|
||||
async function main(): Promise<void> {
|
||||
core.saveState(STATE_IS_POST, "true");
|
||||
|
||||
const reposInput = core.getInput("repos");
|
||||
const additionalRepos = reposInput
|
||||
? reposInput
|
||||
.split(",")
|
||||
.map((r) => r.trim())
|
||||
.filter(Boolean)
|
||||
: [];
|
||||
|
||||
const token = await acquireInstallationToken({ repos: additionalRepos });
|
||||
|
||||
// mask the token in logs
|
||||
core.setSecret(token);
|
||||
|
||||
// save token to state for post cleanup
|
||||
core.saveState(STATE_TOKEN, token);
|
||||
|
||||
// set as output
|
||||
core.setOutput("token", token);
|
||||
|
||||
const scope = additionalRepos.length
|
||||
? `current repo + ${additionalRepos.join(", ")}`
|
||||
: "current repo only";
|
||||
core.info(`» installation token acquired (${scope})`);
|
||||
}
|
||||
|
||||
async function post(): Promise<void> {
|
||||
const token = core.getState(STATE_TOKEN);
|
||||
|
||||
if (!token) {
|
||||
core.debug("no token found in state, skipping revocation");
|
||||
return;
|
||||
}
|
||||
|
||||
await revokeInstallationToken(token);
|
||||
core.info("» installation token revoked");
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const isPost = core.getState(STATE_IS_POST) === "true";
|
||||
|
||||
if (isPost) {
|
||||
await post();
|
||||
} else {
|
||||
await main();
|
||||
}
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
core.setFailed(message);
|
||||
}
|
||||
}
|
||||
|
||||
await run();
|
||||
runPullfrogCli({
|
||||
cliArgs: ["gha", "token"],
|
||||
});
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
import { runPullfrogCli } from "../runCli.ts";
|
||||
|
||||
runPullfrogCli({
|
||||
cliArgs: ["gha", "token", "--post"],
|
||||
swallowErrors: true,
|
||||
});
|
||||
@@ -1,7 +1,10 @@
|
||||
// changes to tool permissions should be reflected in wiki/granular-tools.md
|
||||
|
||||
import { existsSync, readdirSync } from "node:fs";
|
||||
import { join } from "node:path";
|
||||
import * as core from "@actions/core";
|
||||
import { deleteProgressComment, reportProgress } from "./mcp/comment.ts";
|
||||
import { startInstallation } from "./mcp/dependencies.ts";
|
||||
import {
|
||||
initToolState,
|
||||
startMcpHttpServer,
|
||||
@@ -307,6 +310,8 @@ export async function main(): Promise<MainResult> {
|
||||
log.info(`» MCP server started at ${mcpHttpServer.url}`);
|
||||
timer.checkpoint("mcpServer");
|
||||
|
||||
startInstallation(toolContext);
|
||||
|
||||
if (payload.model) log.info(`» model: ${payload.model}`);
|
||||
if (payload.timeout) log.info(`» timeout: ${payload.timeout}`);
|
||||
log.info(`» push: ${payload.push}`);
|
||||
@@ -334,6 +339,21 @@ export async function main(): Promise<MainResult> {
|
||||
log.info(instructions.full);
|
||||
});
|
||||
|
||||
// OpenCode loads .opencode/plugin/ files at startup. if the repo has any,
|
||||
// eagerly await dependency installation so plugin imports can resolve.
|
||||
if (agentId === "opencode") {
|
||||
const pluginDir = join(process.cwd(), ".opencode", "plugin");
|
||||
const hasPlugins =
|
||||
existsSync(pluginDir) && readdirSync(pluginDir).some((f) => /\.[jt]sx?$/.test(f));
|
||||
if (hasPlugins && toolState.dependencyInstallation?.promise) {
|
||||
log.info(
|
||||
"» .opencode/plugin/ detected — awaiting dependency installation before agent start"
|
||||
);
|
||||
await toolState.dependencyInstallation.promise.catch(() => {});
|
||||
timer.checkpoint("awaitDepsForPlugins");
|
||||
}
|
||||
}
|
||||
|
||||
// run agent, optionally with timeout enforcement
|
||||
activityTimeout = createProcessOutputActivityTimeout({
|
||||
timeoutMs: DEFAULT_ACTIVITY_TIMEOUT_MS,
|
||||
@@ -457,9 +477,12 @@ export async function main(): Promise<MainResult> {
|
||||
killTrackedChildren();
|
||||
log.error(errorMessage);
|
||||
|
||||
// best-effort summary — don't mask the original error
|
||||
// best-effort summary — write the error so it's visible in the Actions summary tab
|
||||
try {
|
||||
await writeJobSummary(toolState);
|
||||
const errorSummary = `### ❌ Pullfrog failed\n\n\`\`\`\n${errorMessage}\n\`\`\``;
|
||||
const usageSummary = formatUsageSummary(toolState.usageEntries);
|
||||
const parts = [errorSummary, toolState.lastProgressBody, usageSummary].filter(Boolean);
|
||||
await writeSummary(parts.join("\n\n"));
|
||||
} catch {}
|
||||
|
||||
try {
|
||||
|
||||
+7
-44
@@ -1,49 +1,12 @@
|
||||
import { type } from "arktype";
|
||||
import { apiFetch } from "../utils/apiFetch.ts";
|
||||
import { getApiUrl } from "../utils/apiUrl.ts";
|
||||
import { buildPullfrogFooter, stripExistingFooter } from "../utils/buildPullfrogFooter.ts";
|
||||
import { log } from "../utils/cli.ts";
|
||||
import { fixDoubleEscapedString } from "../utils/fixDoubleEscapedString.ts";
|
||||
import { retry } from "../utils/retry.ts";
|
||||
import { patchWorkflowRunFields } from "../utils/patchWorkflowRunFields.ts";
|
||||
import type { ToolContext } from "./server.ts";
|
||||
import { execute, tool } from "./shared.ts";
|
||||
|
||||
type CommentNodeIdField = "planCommentNodeId" | "summaryCommentNodeId";
|
||||
|
||||
// IMPORTANT: this route authenticates via Pullfrog API JWT (verifyApiToken),
|
||||
// NOT a GitHub token. use ctx.apiToken here. see wiki/api-auth.md.
|
||||
export async function updateCommentNodeId(
|
||||
ctx: ToolContext,
|
||||
field: CommentNodeIdField,
|
||||
nodeId: string
|
||||
): Promise<void> {
|
||||
if (ctx.runId === undefined || !ctx.apiToken) return;
|
||||
try {
|
||||
await retry(
|
||||
async () => {
|
||||
const response = await apiFetch({
|
||||
path: `/api/workflow-run/${ctx.runId}`,
|
||||
method: "PATCH",
|
||||
headers: {
|
||||
authorization: `Bearer ${ctx.apiToken}`,
|
||||
"content-type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({ [field]: nodeId }),
|
||||
signal: AbortSignal.timeout(10_000),
|
||||
});
|
||||
if (!response.ok) throw new Error(`PATCH workflow-run: ${response.status}`);
|
||||
},
|
||||
{
|
||||
maxAttempts: 3,
|
||||
delayMs: 2000,
|
||||
label: `updateCommentNodeId(${field})`,
|
||||
}
|
||||
);
|
||||
} catch (error) {
|
||||
log.warning(`updateCommentNodeId(${field}) exhausted retries: ${error}`);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The prefix text for the initial "leaping into action" comment.
|
||||
* This is used to identify if a comment is still in its initial state
|
||||
@@ -118,7 +81,7 @@ export function CreateCommentTool(ctx: ToolContext) {
|
||||
});
|
||||
|
||||
if (result.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "summaryCommentNodeId", result.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { summaryCommentNodeId: result.data.node_id });
|
||||
}
|
||||
|
||||
return {
|
||||
@@ -138,7 +101,7 @@ export function CreateCommentTool(ctx: ToolContext) {
|
||||
|
||||
if (commentType === "Plan") {
|
||||
if (result.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "planCommentNodeId", result.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { planCommentNodeId: result.data.node_id });
|
||||
}
|
||||
// add "Implement plan" link (needs comment ID, so create-then-update)
|
||||
const customParts = [buildImplementPlanLink(ctx, issueNumber, result.data.id)];
|
||||
@@ -161,7 +124,7 @@ export function CreateCommentTool(ctx: ToolContext) {
|
||||
}
|
||||
|
||||
if (commentType === "Summary" && result.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "summaryCommentNodeId", result.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { summaryCommentNodeId: result.data.node_id });
|
||||
}
|
||||
|
||||
return {
|
||||
@@ -266,7 +229,7 @@ export async function reportProgress(
|
||||
ctx.toolState.wasUpdated = true;
|
||||
|
||||
if (isPlanMode && result.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "planCommentNodeId", result.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { planCommentNodeId: result.data.node_id });
|
||||
}
|
||||
|
||||
return {
|
||||
@@ -300,7 +263,7 @@ export async function reportProgress(
|
||||
ctx.toolState.wasUpdated = true;
|
||||
|
||||
if (isPlanMode && result.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "planCommentNodeId", result.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { planCommentNodeId: result.data.node_id });
|
||||
}
|
||||
|
||||
return {
|
||||
@@ -353,7 +316,7 @@ export async function reportProgress(
|
||||
});
|
||||
|
||||
if (updateResult.data.node_id) {
|
||||
await updateCommentNodeId(ctx, "planCommentNodeId", updateResult.data.node_id);
|
||||
await patchWorkflowRunFields(ctx, { planCommentNodeId: updateResult.data.node_id });
|
||||
}
|
||||
|
||||
return {
|
||||
|
||||
+3
-2
@@ -67,9 +67,10 @@ Inspect the repository structure to determine how dependencies should be install
|
||||
}
|
||||
|
||||
/**
|
||||
* start dependency installation in the background (non-blocking, idempotent)
|
||||
* start dependency installation in the background (non-blocking, idempotent).
|
||||
* called eagerly from main.ts at startup and also available via MCP tools.
|
||||
*/
|
||||
function startInstallation(ctx: ToolContext): void {
|
||||
export function startInstallation(ctx: ToolContext): void {
|
||||
// already started or completed - do nothing
|
||||
if (ctx.toolState.dependencyInstallation) {
|
||||
return;
|
||||
|
||||
+13
-5
@@ -1,5 +1,6 @@
|
||||
import { type } from "arktype";
|
||||
import { fixDoubleEscapedString } from "../utils/fixDoubleEscapedString.ts";
|
||||
import { patchWorkflowRunFields } from "../utils/patchWorkflowRunFields.ts";
|
||||
import type { ToolContext } from "./server.ts";
|
||||
import { execute, tool } from "./shared.ts";
|
||||
|
||||
@@ -21,16 +22,23 @@ export function IssueTool(ctx: ToolContext) {
|
||||
name: "create_issue",
|
||||
description: "Create a new GitHub issue",
|
||||
parameters: Issue,
|
||||
execute: execute(async ({ title, body, labels, assignees }) => {
|
||||
execute: execute(async (params) => {
|
||||
const result = await ctx.octokit.rest.issues.create({
|
||||
owner: ctx.repo.owner,
|
||||
repo: ctx.repo.name,
|
||||
title: title,
|
||||
body: fixDoubleEscapedString(body),
|
||||
labels: labels ?? [],
|
||||
assignees: assignees ?? [],
|
||||
title: params.title,
|
||||
body: fixDoubleEscapedString(params.body),
|
||||
labels: params.labels ?? [],
|
||||
assignees: params.assignees ?? [],
|
||||
});
|
||||
|
||||
const nodeId = result.data.node_id;
|
||||
if (typeof nodeId === "string" && nodeId.length > 0) {
|
||||
await patchWorkflowRunFields(ctx, {
|
||||
issueNodeId: nodeId,
|
||||
});
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
issueId: result.data.id,
|
||||
|
||||
@@ -2,6 +2,7 @@ import { type } from "arktype";
|
||||
import { buildPullfrogFooter, stripExistingFooter } from "../utils/buildPullfrogFooter.ts";
|
||||
import { log } from "../utils/cli.ts";
|
||||
import { fixDoubleEscapedString } from "../utils/fixDoubleEscapedString.ts";
|
||||
import { patchWorkflowRunFields } from "../utils/patchWorkflowRunFields.ts";
|
||||
import { $ } from "../utils/shell.ts";
|
||||
import type { ToolContext } from "./server.ts";
|
||||
import { execute, tool } from "./shared.ts";
|
||||
@@ -94,6 +95,12 @@ export function CreatePullRequestTool(ctx: ToolContext) {
|
||||
}
|
||||
}
|
||||
|
||||
if (typeof result.data.node_id === "string" && result.data.node_id.length > 0) {
|
||||
await patchWorkflowRunFields(ctx, {
|
||||
prNodeId: result.data.node_id,
|
||||
});
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
pullRequestId: result.data.id,
|
||||
|
||||
+7
-29
@@ -1,11 +1,11 @@
|
||||
import type { RestEndpointMethodTypes } from "@octokit/rest";
|
||||
import { type } from "arktype";
|
||||
import { formatMcpToolRef } from "../external.ts";
|
||||
import { apiFetch } from "../utils/apiFetch.ts";
|
||||
import { getApiUrl } from "../utils/apiUrl.ts";
|
||||
import { buildPullfrogFooter } from "../utils/buildPullfrogFooter.ts";
|
||||
import { log } from "../utils/cli.ts";
|
||||
import { fixDoubleEscapedString } from "../utils/fixDoubleEscapedString.ts";
|
||||
import { patchWorkflowRunFields } from "../utils/patchWorkflowRunFields.ts";
|
||||
import type { ToolContext } from "./server.ts";
|
||||
import { execute, tool } from "./shared.ts";
|
||||
|
||||
@@ -305,34 +305,12 @@ async function createAndSubmitWithFooter(
|
||||
}
|
||||
|
||||
/**
|
||||
* report the review node ID to the server so the WorkflowRun is marked as "review submitted".
|
||||
* report the review node ID so the WorkflowRun is marked as "review submitted".
|
||||
* exported for use in main.ts post-agent cleanup.
|
||||
*/
|
||||
export async function reportReviewNodeId(ctx: ToolContext, reviewNodeId: string): Promise<void> {
|
||||
for (let remaining = 2; remaining >= 0; remaining--) {
|
||||
try {
|
||||
const response = await apiFetch({
|
||||
path: `/api/workflow-run/${ctx.runId}`,
|
||||
method: "PATCH",
|
||||
headers: {
|
||||
authorization: `Bearer ${ctx.apiToken}`,
|
||||
"content-type": "application/json",
|
||||
},
|
||||
body: JSON.stringify({ reviewNodeId }),
|
||||
signal: AbortSignal.timeout(10_000),
|
||||
});
|
||||
if (response.ok) return;
|
||||
if (remaining > 0) {
|
||||
log.debug(`reportReviewNodeId got ${response.status}, retrying (${remaining} left)`);
|
||||
await new Promise((r) => setTimeout(r, 2000));
|
||||
}
|
||||
} catch (error) {
|
||||
if (remaining > 0) {
|
||||
log.debug(`reportReviewNodeId failed, retrying (${remaining} left): ${error}`);
|
||||
await new Promise((r) => setTimeout(r, 2000));
|
||||
} else {
|
||||
log.debug(`reportReviewNodeId exhausted retries: ${error}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
export async function reportReviewNodeId(
|
||||
ctx: ToolContext,
|
||||
params: { nodeId: string }
|
||||
): Promise<void> {
|
||||
await patchWorkflowRunFields(ctx, { reviewNodeId: params.nodeId });
|
||||
}
|
||||
|
||||
+5
-3
@@ -1,6 +1,6 @@
|
||||
import { type } from "arktype";
|
||||
import { formatMcpToolRef } from "../external.ts";
|
||||
import type { Mode } from "../modes.ts";
|
||||
import { type Mode, PR_SUMMARY_FORMAT } from "../modes.ts";
|
||||
import { apiFetch } from "../utils/apiFetch.ts";
|
||||
import { log } from "../utils/log.ts";
|
||||
import type { ToolContext } from "./server.ts";
|
||||
@@ -39,9 +39,11 @@ An existing summary comment was found for this PR. Update it rather than creatin
|
||||
|
||||
1. Use \`previousSummaryBody\` from this response as the current summary to revise.
|
||||
2. Checkout the PR via \`${t("checkout_pr")}\` — this returns PR metadata and a \`diffPath\`.
|
||||
3. Read the diff using the TOC to selectively read relevant sections. Produce an updated summary reflecting the current state of the PR, using the existing summary (\`previousSummaryBody\`) as a starting point. Follow format instructions from EVENT INSTRUCTIONS (if any).
|
||||
3. Read the diff using the TOC to selectively read relevant sections. Produce an updated summary reflecting the current state of the PR, using the existing summary (\`previousSummaryBody\`) as a starting point. If EVENT INSTRUCTIONS specify a custom format, follow that instead of the default format below.
|
||||
4. Call \`${t("edit_issue_comment")}\` with \`commentId: existingSummaryCommentId\` (from this response) and the updated summary body.
|
||||
5. Call \`${t("report_progress")}\` with a brief note (e.g., "Updated PR summary.").`,
|
||||
5. Call \`${t("report_progress")}\` with a brief note (e.g., "Updated PR summary.").
|
||||
|
||||
${PR_SUMMARY_FORMAT}`,
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
+9
-2
@@ -65,7 +65,7 @@ function detectSandboxMethod(): SandboxMethod {
|
||||
// continue to try sudo
|
||||
}
|
||||
|
||||
// try sudo unshare (works on GHA runners)
|
||||
// sudo unshare (works on GHA runners)
|
||||
try {
|
||||
const result = spawnSync("sudo", ["unshare", "--pid", "--fork", "--mount-proc", "true"], {
|
||||
timeout: 5000,
|
||||
@@ -81,7 +81,7 @@ function detectSandboxMethod(): SandboxMethod {
|
||||
}
|
||||
|
||||
detectedSandboxMethod = "none";
|
||||
log.info("PID namespace isolation not available - falling back to env filtering only");
|
||||
log.info("PID namespace isolation not available");
|
||||
return "none";
|
||||
}
|
||||
|
||||
@@ -97,6 +97,13 @@ const PROC_CLEANUP =
|
||||
function spawnShell(params: SpawnParams): ChildProcess {
|
||||
const spawnOpts = { env: params.env, cwd: params.cwd, stdio: params.stdio, detached: true };
|
||||
const sandboxMethod = detectSandboxMethod();
|
||||
const ci = process.env.CI === "true";
|
||||
|
||||
if (ci && sandboxMethod === "none") {
|
||||
throw new Error(
|
||||
"pid namespace isolation is required in CI but unavailable (both unshare and sudo unshare failed)"
|
||||
);
|
||||
}
|
||||
|
||||
if (sandboxMethod === "unshare") {
|
||||
return spawn(
|
||||
|
||||
+1
-1
@@ -14,7 +14,7 @@ export function UploadFileTool(ctx: ToolContext) {
|
||||
return tool({
|
||||
name: "upload_file",
|
||||
description:
|
||||
"upload a file to get a permanent public URL. use for screenshots, artifacts, or any files you want to reference in PRs/comments. max 10MB, images/text/archives allowed.",
|
||||
"upload a file to get a permanent public URL. use for screenshots, artifacts, or any files you want to reference in PRs/comments. max 10MB, images/text/archives allowed. when embedding uploaded images in comments or PR bodies, always use markdown image syntax: ",
|
||||
parameters: UploadFileParams,
|
||||
execute: execute(async (params) => {
|
||||
// read file from disk eagerly on purpose to avoid its content being changed by the time it's uploaded
|
||||
|
||||
@@ -9,6 +9,55 @@ export interface Mode {
|
||||
prompt?: string | undefined;
|
||||
}
|
||||
|
||||
export const PR_SUMMARY_FORMAT = `### Default format
|
||||
|
||||
Follow this structure exactly:
|
||||
|
||||
<b>TL;DR</b> — 1-3 sentences on what the PR does and why. Focus on intent, not mechanics.
|
||||
NOTE: use HTML bold <b>TL;DR</b>, NOT markdown bold **TL;DR**.
|
||||
|
||||
### Key changes
|
||||
|
||||
- **Short human-readable title** — 1 sentence per change. Write a short prose phrase (title case or sentence case); when you name a file, type, or function, put that name in backticks (e.g. **Add \`TodoTracker\` for live checklists**). A reviewer should understand the full PR from this list alone.
|
||||
|
||||
<sub><b>Summary</b> | {file_count} files | {commit_count} commits | base: \`{base}\` ← \`{head}\`</sub>
|
||||
NOTE: the metadata line goes AFTER the bullet list, not before it.
|
||||
|
||||
Then for each key change, a ## section with a short descriptive title that reads like a documentation heading (e.g. ## Live todo checklist tracking).
|
||||
|
||||
<br/>
|
||||
|
||||
## Example readable section title
|
||||
|
||||
> **Before:** [old behavior/state]<br/>**After:** [new behavior/state]
|
||||
IMPORTANT: Before and After MUST be on a SINGLE blockquote line with an inline <br/> between them. Two separate \`>\` lines creates a double line break.
|
||||
|
||||
1-2 sentences of explanation. Break up text with tables, blockquotes, or lists — NEVER 3+ plain paragraphs in a row.
|
||||
|
||||
If a change warrants deeper explanation, use a blockquoted details/summary framed as a question:
|
||||
> <details><summary>How does X work?</summary>
|
||||
> Extended explanation here.
|
||||
> </details>
|
||||
|
||||
End each section with a file links trail (3-4 key files max):
|
||||
[\`file.ts\`](https://github.com/{owner}/{repo}/pull/{number}/files#diff-{sha256hex_of_filepath}) · ...
|
||||
|
||||
Single-feature PRs: skip the ## sections. Fold before/after and explanation into the header after key changes.
|
||||
|
||||
CRITICAL — GitHub markdown rendering rule:
|
||||
GitHub's markdown parser requires a blank line between ALL block-level elements. This includes transitions between: HTML tags (<br/>, <sub>, <details>, <b>, etc.) and markdown syntax (headings, lists, blockquotes, paragraphs). Without a blank line, GitHub treats the following content as a continuation of the HTML block and renders markdown syntax as literal text. ALWAYS separate block-level elements with a blank line.
|
||||
|
||||
Rules:
|
||||
- \`##\` titles and key-change bullet lead-ins are plain-language summaries; backtick only actual code tokens (files, types, functions) where they appear in the title
|
||||
- ALL variable names, identifiers, and file names in body text must be in backticks
|
||||
- ALL file references MUST link to the PR Files Changed view. Compute anchors by running \`echo -n 'path/to/file.ts' | sha256sum\` via shell for each file. NEVER fabricate hex strings — run the actual command. If shell is unavailable, omit the #diff- anchor rather than guessing.
|
||||
- Add <br/> before each ## heading for visual spacing. Do NOT use horizontal rules (---)
|
||||
- Do NOT include raw diff stats like '+123 / -45' or line counts
|
||||
- Do NOT include code blocks or repeat diff contents
|
||||
- Do NOT include a changelog section — the key changes list serves this purpose
|
||||
- Focus on *intent*, not *what* — the diff already shows what changed
|
||||
- Get the file count and commit count from the checkout_pr metadata, not by counting manually`;
|
||||
|
||||
function learningsStep(t: (toolName: string) => string, n: number): string {
|
||||
return `${n}. **learnings** (only if high confidence): if you discovered something about repo setup, test commands, conventions, or patterns that you are confident is correct and would reliably help future runs, call \`${t("update_learnings")}\` to persist it. skip this step if you are unsure or the finding is speculative/one-off. format as a flat bullet list (\`- \` per line, one fact per bullet). merge with existing learnings from the prompt — pass the FULL merged list. deduplicate, and drop bullets that are clearly wrong or no longer relevant to the current codebase.`;
|
||||
}
|
||||
@@ -240,12 +289,14 @@ ${learningsStep(t, 4)}`,
|
||||
prompt: `### Checklist
|
||||
|
||||
1. Checkout the PR via \`${t("checkout_pr")}\` — this returns PR metadata and a \`diffPath\`.
|
||||
2. Read the diff using the TOC to selectively read relevant sections (not the entire file). Produce a structured summary using format instructions from EVENT INSTRUCTIONS (if any); otherwise use default format: TL;DR, key changes list, per-change sections with plain-language \`##\` titles and before/after framing.
|
||||
2. Read the diff using the TOC to selectively read relevant sections (not the entire file). Produce a structured summary. If EVENT INSTRUCTIONS specify a custom format, follow that instead of the default format below.
|
||||
3. Call \`${t("create_issue_comment")}\` with \`type: "Summary"\` and the summary body.
|
||||
4. Call \`${t("report_progress")}\` with a brief note (e.g., "Posted PR summary.").`,
|
||||
4. Call \`${t("report_progress")}\` with a brief note (e.g., "Posted PR summary.").
|
||||
|
||||
${PR_SUMMARY_FORMAT}`,
|
||||
},
|
||||
];
|
||||
}
|
||||
|
||||
// static export for UI display — uses opentoad format as the readable default
|
||||
export const modes: Mode[] = computeModes("opentoad");
|
||||
// static export for UI display — uses opencode format as the readable default
|
||||
export const modes: Mode[] = computeModes("opencode");
|
||||
|
||||
+34
-38
@@ -1,61 +1,60 @@
|
||||
{
|
||||
"name": "@pullfrog/pullfrog",
|
||||
"version": "0.0.194",
|
||||
"name": "pullfrog",
|
||||
"version": "0.0.201",
|
||||
"type": "module",
|
||||
"bin": {
|
||||
"pullfrog": "dist/cli.mjs",
|
||||
"pullfrog-dev": "dist/cli.mjs",
|
||||
"pf": "dist/cli.mjs"
|
||||
},
|
||||
"files": [
|
||||
"index.js",
|
||||
"index.cjs",
|
||||
"index.d.ts",
|
||||
"index.d.cts",
|
||||
"agents",
|
||||
"utils",
|
||||
"main.js",
|
||||
"main.d.ts"
|
||||
"dist/"
|
||||
],
|
||||
"scripts": {
|
||||
"test": "vitest",
|
||||
"typecheck": "tsc --noEmit",
|
||||
"build": "node esbuild.config.js",
|
||||
"build": "node esbuild.config.js && tsc -p tsconfig.exports.json",
|
||||
"check:entrypoints": "node scripts/check-entrypoint-imports.ts",
|
||||
"play": "node play.ts",
|
||||
"runtest": "node test/run.ts",
|
||||
"scratch": "node scratch.ts",
|
||||
"upDeps": "pnpm up --latest",
|
||||
"lock": "pnpm install --no-frozen-lockfile",
|
||||
"postinstall": "node scripts/generate-proxies.ts",
|
||||
"prepare": "cd .. && husky action/.husky"
|
||||
"prepare": "cd .. && husky"
|
||||
},
|
||||
"dependencies": {
|
||||
"devDependencies": {
|
||||
"@actions/core": "^1.11.1",
|
||||
"@anthropic-ai/claude-code": "2.1.85",
|
||||
"@ark/fs": "0.56.0",
|
||||
"@ark/util": "0.56.0",
|
||||
"@clack/prompts": "^1.2.0",
|
||||
"@modelcontextprotocol/sdk": "^1.26.0",
|
||||
"@octokit/plugin-throttling": "^11.0.3",
|
||||
"@octokit/rest": "^22.0.0",
|
||||
"@octokit/webhooks-types": "^7.6.1",
|
||||
"@standard-schema/spec": "1.1.0",
|
||||
"@toon-format/toon": "^1.0.0",
|
||||
"ajv": "^8.18.0",
|
||||
"arkregex": "0.0.5",
|
||||
"arktype": "2.2.0",
|
||||
"dotenv": "^17.2.3",
|
||||
"execa": "^9.6.0",
|
||||
"fastmcp": "^3.34.0",
|
||||
"file-type": "^21.3.0",
|
||||
"package-manager-detector": "^1.6.0",
|
||||
"semver": "^7.7.3",
|
||||
"table": "^6.9.0",
|
||||
"turndown": "^7.2.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@anthropic-ai/claude-code": "2.1.85",
|
||||
"agent-browser": "0.21.0",
|
||||
"@modelcontextprotocol/sdk": "^1.26.0",
|
||||
"@types/node": "^24.7.2",
|
||||
"@types/semver": "^7.7.1",
|
||||
"@types/turndown": "^5.0.5",
|
||||
"agent-browser": "0.25.4",
|
||||
"ajv": "^8.18.0",
|
||||
"arg": "^5.0.2",
|
||||
"arkregex": "0.0.5",
|
||||
"arktype": "2.2.0",
|
||||
"dotenv": "^17.2.3",
|
||||
"esbuild": "^0.25.9",
|
||||
"execa": "^9.6.0",
|
||||
"fastmcp": "^3.34.0",
|
||||
"file-type": "^21.3.0",
|
||||
"husky": "^9.0.0",
|
||||
"opencode-ai": "1.1.56",
|
||||
"package-manager-detector": "^1.6.0",
|
||||
"picocolors": "^1.1.1",
|
||||
"semver": "^7.7.3",
|
||||
"skills": "1.4.9",
|
||||
"table": "^6.9.0",
|
||||
"turndown": "^7.2.0",
|
||||
"typescript": "^5.9.3",
|
||||
"vitest": "^4.0.17",
|
||||
"yaml": "^2.8.2"
|
||||
@@ -75,22 +74,19 @@
|
||||
"url": "https://github.com/pullfrog/pullfrog/issues"
|
||||
},
|
||||
"homepage": "https://github.com/pullfrog/pullfrog#readme",
|
||||
"zshy": {
|
||||
"exports": "./index.ts"
|
||||
},
|
||||
"main": "./dist/index.cjs",
|
||||
"main": "./dist/index.js",
|
||||
"module": "./dist/index.js",
|
||||
"types": "./dist/index.d.cts",
|
||||
"types": "./dist/index.d.ts",
|
||||
"exports": {
|
||||
".": {
|
||||
"@pullfrog/source": "./index.ts",
|
||||
"types": "./dist/index.d.cts",
|
||||
"types": "./dist/index.d.ts",
|
||||
"import": "./dist/index.js",
|
||||
"require": "./dist/index.cjs"
|
||||
"default": "./dist/index.js"
|
||||
},
|
||||
"./internal": {
|
||||
"@pullfrog/source": "./internal/index.ts",
|
||||
"types": "./dist/internal.d.cts",
|
||||
"types": "./dist/internal/index.d.ts",
|
||||
"import": "./dist/internal.js",
|
||||
"default": "./dist/internal.js"
|
||||
},
|
||||
|
||||
Generated
+112
-46
@@ -7,16 +7,25 @@ settings:
|
||||
importers:
|
||||
|
||||
.:
|
||||
dependencies:
|
||||
devDependencies:
|
||||
'@actions/core':
|
||||
specifier: ^1.11.1
|
||||
version: 1.11.1
|
||||
'@anthropic-ai/claude-code':
|
||||
specifier: 2.1.85
|
||||
version: 2.1.85
|
||||
'@ark/fs':
|
||||
specifier: 0.56.0
|
||||
version: 0.56.0
|
||||
'@ark/util':
|
||||
specifier: 0.56.0
|
||||
version: 0.56.0
|
||||
'@clack/prompts':
|
||||
specifier: ^1.2.0
|
||||
version: 1.2.0
|
||||
'@modelcontextprotocol/sdk':
|
||||
specifier: ^1.26.0
|
||||
version: 1.26.0(zod@4.3.6)
|
||||
'@octokit/plugin-throttling':
|
||||
specifier: ^11.0.3
|
||||
version: 11.0.3(@octokit/core@7.0.5)
|
||||
@@ -32,46 +41,6 @@ importers:
|
||||
'@toon-format/toon':
|
||||
specifier: ^1.0.0
|
||||
version: 1.4.0
|
||||
ajv:
|
||||
specifier: ^8.18.0
|
||||
version: 8.18.0
|
||||
arkregex:
|
||||
specifier: 0.0.5
|
||||
version: 0.0.5
|
||||
arktype:
|
||||
specifier: 2.2.0
|
||||
version: 2.2.0
|
||||
dotenv:
|
||||
specifier: ^17.2.3
|
||||
version: 17.2.3
|
||||
execa:
|
||||
specifier: ^9.6.0
|
||||
version: 9.6.0
|
||||
fastmcp:
|
||||
specifier: ^3.34.0
|
||||
version: 3.34.0(arktype@2.2.0)
|
||||
file-type:
|
||||
specifier: ^21.3.0
|
||||
version: 21.3.0
|
||||
package-manager-detector:
|
||||
specifier: ^1.6.0
|
||||
version: 1.6.0
|
||||
semver:
|
||||
specifier: ^7.7.3
|
||||
version: 7.7.3
|
||||
table:
|
||||
specifier: ^6.9.0
|
||||
version: 6.9.0
|
||||
turndown:
|
||||
specifier: ^7.2.0
|
||||
version: 7.2.2
|
||||
devDependencies:
|
||||
'@anthropic-ai/claude-code':
|
||||
specifier: 2.1.85
|
||||
version: 2.1.85
|
||||
'@modelcontextprotocol/sdk':
|
||||
specifier: ^1.26.0
|
||||
version: 1.26.0(zod@4.3.6)
|
||||
'@types/node':
|
||||
specifier: ^24.7.2
|
||||
version: 24.7.2
|
||||
@@ -82,20 +51,59 @@ importers:
|
||||
specifier: ^5.0.5
|
||||
version: 5.0.6
|
||||
agent-browser:
|
||||
specifier: 0.21.0
|
||||
version: 0.21.0
|
||||
specifier: 0.25.4
|
||||
version: 0.25.4
|
||||
ajv:
|
||||
specifier: ^8.18.0
|
||||
version: 8.18.0
|
||||
arg:
|
||||
specifier: ^5.0.2
|
||||
version: 5.0.2
|
||||
arkregex:
|
||||
specifier: 0.0.5
|
||||
version: 0.0.5
|
||||
arktype:
|
||||
specifier: 2.2.0
|
||||
version: 2.2.0
|
||||
dotenv:
|
||||
specifier: ^17.2.3
|
||||
version: 17.2.3
|
||||
esbuild:
|
||||
specifier: ^0.25.9
|
||||
version: 0.25.12
|
||||
execa:
|
||||
specifier: ^9.6.0
|
||||
version: 9.6.0
|
||||
fastmcp:
|
||||
specifier: ^3.34.0
|
||||
version: 3.34.0(arktype@2.2.0)
|
||||
file-type:
|
||||
specifier: ^21.3.0
|
||||
version: 21.3.0
|
||||
husky:
|
||||
specifier: ^9.0.0
|
||||
version: 9.1.7
|
||||
opencode-ai:
|
||||
specifier: 1.1.56
|
||||
version: 1.1.56
|
||||
package-manager-detector:
|
||||
specifier: ^1.6.0
|
||||
version: 1.6.0
|
||||
picocolors:
|
||||
specifier: ^1.1.1
|
||||
version: 1.1.1
|
||||
semver:
|
||||
specifier: ^7.7.3
|
||||
version: 7.7.3
|
||||
skills:
|
||||
specifier: 1.4.9
|
||||
version: 1.4.9
|
||||
table:
|
||||
specifier: ^6.9.0
|
||||
version: 6.9.0
|
||||
turndown:
|
||||
specifier: ^7.2.0
|
||||
version: 7.2.2
|
||||
typescript:
|
||||
specifier: ^5.9.3
|
||||
version: 5.9.3
|
||||
@@ -137,6 +145,12 @@ packages:
|
||||
'@borewit/text-codec@0.2.1':
|
||||
resolution: {integrity: sha512-k7vvKPbf7J2fZ5klGRD9AeKfUvojuZIQ3BT5u7Jfv+puwXkUBUT5PVyMDfJZpy30CBDXGMgw7fguK/lpOMBvgw==}
|
||||
|
||||
'@clack/core@1.2.0':
|
||||
resolution: {integrity: sha512-qfxof/3T3t9DPU/Rj3OmcFyZInceqj/NVtO9rwIuJqCUgh32gwPjpFQQp/ben07qKlhpwq7GzfWpST4qdJ5Drg==}
|
||||
|
||||
'@clack/prompts@1.2.0':
|
||||
resolution: {integrity: sha512-4jmztR9fMqPMjz6H/UZXj0zEmE43ha1euENwkckKKel4XpSfokExPo5AiVStdHSAlHekz4d0CA/r45Ok1E4D3w==}
|
||||
|
||||
'@esbuild/aix-ppc64@0.25.12':
|
||||
resolution: {integrity: sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==}
|
||||
engines: {node: '>=18'}
|
||||
@@ -850,8 +864,8 @@ packages:
|
||||
resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
|
||||
engines: {node: '>= 0.6'}
|
||||
|
||||
agent-browser@0.21.0:
|
||||
resolution: {integrity: sha512-isVHEeb2WL5hLhr4o+zNmcYwmBrldxvrH+FIoRoUmDxyrHr3bhIS6L8BlUMHqT77YtkPq0YSmwoBRrwqeouw9Q==}
|
||||
agent-browser@0.25.4:
|
||||
resolution: {integrity: sha512-vl4tzDAk5+pJ2g8eMWWzZOLJ2yevJDN3YQ1gcSdN3GKPI0RwNr+T/2PxqSxsipiREu0oid2yxFJIoQ6NMrq/fQ==}
|
||||
hasBin: true
|
||||
|
||||
ajv-formats@3.0.1:
|
||||
@@ -1120,9 +1134,18 @@ packages:
|
||||
fast-deep-equal@3.1.3:
|
||||
resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
|
||||
|
||||
fast-string-truncated-width@1.2.1:
|
||||
resolution: {integrity: sha512-Q9acT/+Uu3GwGj+5w/zsGuQjh9O1TyywhIwAxHudtWrgF09nHOPrvTLhQevPbttcxjr/SNN7mJmfOw/B1bXgow==}
|
||||
|
||||
fast-string-width@1.1.0:
|
||||
resolution: {integrity: sha512-O3fwIVIH5gKB38QNbdg+3760ZmGz0SZMgvwJbA1b2TGXceKE6A2cOlfogh1iw8lr049zPyd7YADHy+B7U4W9bQ==}
|
||||
|
||||
fast-uri@3.1.0:
|
||||
resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}
|
||||
|
||||
fast-wrap-ansi@0.1.6:
|
||||
resolution: {integrity: sha512-HlUwET7a5gqjURj70D5jl7aC3Zmy4weA1SHUfM0JFI0Ptq987NH2TwbBFLoERhfwk+E+eaq4EK3jXoT+R3yp3w==}
|
||||
|
||||
fastmcp@3.34.0:
|
||||
resolution: {integrity: sha512-xKOXjU+MK7OZy91BY3FS5aenSiclJBCRMaZtXb3HYaKZVFbq4qYvAlFu6xYI3UU1NGLtv+h8izoStnOQ1By0BA==}
|
||||
hasBin: true
|
||||
@@ -1626,6 +1649,14 @@ packages:
|
||||
resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==}
|
||||
engines: {node: '>=14'}
|
||||
|
||||
sisteransi@1.0.5:
|
||||
resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
|
||||
|
||||
skills@1.4.9:
|
||||
resolution: {integrity: sha512-BTh7kfSkGPirsLgvg5vvALjDlgNImm9HRn937yAfESFzmShQEZWWTYJQbN34qjlwxOBO7Me4E9Lh6Ot5AE29zA==}
|
||||
engines: {node: '>=18'}
|
||||
hasBin: true
|
||||
|
||||
slice-ansi@4.0.0:
|
||||
resolution: {integrity: sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==}
|
||||
engines: {node: '>=10'}
|
||||
@@ -1886,6 +1917,11 @@ packages:
|
||||
engines: {node: '>= 14.6'}
|
||||
hasBin: true
|
||||
|
||||
yaml@2.8.3:
|
||||
resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==}
|
||||
engines: {node: '>= 14.6'}
|
||||
hasBin: true
|
||||
|
||||
yargs-parser@22.0.0:
|
||||
resolution: {integrity: sha512-rwu/ClNdSMpkSrUb+d6BRsSkLUq1fmfsY6TOpYzTwvwkg1/NRG85KBy3kq++A8LKQwX6lsu+aWad+2khvuXrqw==}
|
||||
engines: {node: ^20.19.0 || ^22.12.0 || >=23}
|
||||
@@ -1946,6 +1982,18 @@ snapshots:
|
||||
|
||||
'@borewit/text-codec@0.2.1': {}
|
||||
|
||||
'@clack/core@1.2.0':
|
||||
dependencies:
|
||||
fast-wrap-ansi: 0.1.6
|
||||
sisteransi: 1.0.5
|
||||
|
||||
'@clack/prompts@1.2.0':
|
||||
dependencies:
|
||||
'@clack/core': 1.2.0
|
||||
fast-string-width: 1.1.0
|
||||
fast-wrap-ansi: 0.1.6
|
||||
sisteransi: 1.0.5
|
||||
|
||||
'@esbuild/aix-ppc64@0.25.12':
|
||||
optional: true
|
||||
|
||||
@@ -2458,7 +2506,7 @@ snapshots:
|
||||
mime-types: 3.0.2
|
||||
negotiator: 1.0.0
|
||||
|
||||
agent-browser@0.21.0: {}
|
||||
agent-browser@0.25.4: {}
|
||||
|
||||
ajv-formats@3.0.1(ajv@8.17.1):
|
||||
optionalDependencies:
|
||||
@@ -2801,8 +2849,18 @@ snapshots:
|
||||
|
||||
fast-deep-equal@3.1.3: {}
|
||||
|
||||
fast-string-truncated-width@1.2.1: {}
|
||||
|
||||
fast-string-width@1.1.0:
|
||||
dependencies:
|
||||
fast-string-truncated-width: 1.2.1
|
||||
|
||||
fast-uri@3.1.0: {}
|
||||
|
||||
fast-wrap-ansi@0.1.6:
|
||||
dependencies:
|
||||
fast-string-width: 1.1.0
|
||||
|
||||
fastmcp@3.34.0(arktype@2.2.0):
|
||||
dependencies:
|
||||
'@modelcontextprotocol/sdk': 1.27.1(zod@4.3.6)
|
||||
@@ -3334,6 +3392,12 @@ snapshots:
|
||||
|
||||
signal-exit@4.1.0: {}
|
||||
|
||||
sisteransi@1.0.5: {}
|
||||
|
||||
skills@1.4.9:
|
||||
dependencies:
|
||||
yaml: 2.8.3
|
||||
|
||||
slice-ansi@4.0.0:
|
||||
dependencies:
|
||||
ansi-styles: 4.3.0
|
||||
@@ -3525,6 +3589,8 @@ snapshots:
|
||||
|
||||
yaml@2.8.2: {}
|
||||
|
||||
yaml@2.8.3: {}
|
||||
|
||||
yargs-parser@22.0.0: {}
|
||||
|
||||
yargs@18.0.0:
|
||||
|
||||
@@ -1,19 +1,8 @@
|
||||
#!/usr/bin/env node
|
||||
|
||||
/**
|
||||
* Post cleanup entry point for pullfrog/pullfrog action.
|
||||
* Runs independently after workflow failure or cancellation.
|
||||
* Searches for Pullfrog comment via GitHub API and updates if stuck on "Leaping into action".
|
||||
*/
|
||||
import { runPullfrogCli } from "./runCli.ts";
|
||||
|
||||
import { log } from "./utils/cli.ts";
|
||||
import { runPostCleanup } from "./utils/postCleanup.ts";
|
||||
|
||||
log.debug(`[post] script started at ${new Date().toISOString()}`);
|
||||
try {
|
||||
await runPostCleanup();
|
||||
} catch (error) {
|
||||
const message = error instanceof Error ? error.message : String(error);
|
||||
log.error(`[post] unexpected error: ${message}`);
|
||||
// don't fail the post script - best effort cleanup
|
||||
}
|
||||
runPullfrogCli({
|
||||
cliArgs: ["gha", "--post"],
|
||||
swallowErrors: true,
|
||||
});
|
||||
|
||||
@@ -0,0 +1,101 @@
|
||||
import { execFileSync } from "node:child_process";
|
||||
import { existsSync } from "node:fs";
|
||||
import { delimiter, dirname, join } from "node:path";
|
||||
import { fileURLToPath } from "node:url";
|
||||
import actionPackageJson from "./package.json" with { type: "json" };
|
||||
|
||||
interface RunPullfrogCliParams {
|
||||
cliArgs: string[];
|
||||
swallowErrors?: boolean;
|
||||
}
|
||||
|
||||
interface RuntimeContext {
|
||||
actionRef: string | undefined;
|
||||
actionRepository: string | undefined;
|
||||
actionRoot: string;
|
||||
nodeBinDir: string;
|
||||
env: NodeJS.ProcessEnv;
|
||||
}
|
||||
|
||||
const NPM_REGISTRY = "https://registry.npmjs.org";
|
||||
const FALLBACK_PACKAGE_SPEC = `pullfrog@^${actionPackageJson.version}`;
|
||||
|
||||
function createRuntimeContext(): RuntimeContext {
|
||||
const actionRoot = dirname(fileURLToPath(import.meta.url));
|
||||
const nodeBinDir = dirname(process.execPath);
|
||||
const env: NodeJS.ProcessEnv = { ...process.env };
|
||||
env.npm_config_registry = NPM_REGISTRY;
|
||||
env.COREPACK_NPM_REGISTRY = NPM_REGISTRY;
|
||||
const currentPath = process.env.PATH ?? "";
|
||||
env.PATH = currentPath ? `${nodeBinDir}${delimiter}${currentPath}` : nodeBinDir;
|
||||
|
||||
return {
|
||||
actionRef: process.env.GITHUB_ACTION_REF,
|
||||
actionRepository: process.env.GITHUB_ACTION_REPOSITORY,
|
||||
actionRoot,
|
||||
nodeBinDir,
|
||||
env,
|
||||
};
|
||||
}
|
||||
|
||||
function runNpx(context: RuntimeContext, packageSpec: string, cliArgs: string[]): void {
|
||||
const npxPath =
|
||||
process.platform === "win32"
|
||||
? join(context.nodeBinDir, "npx.cmd")
|
||||
: join(context.nodeBinDir, "npx");
|
||||
execFileSync(npxPath, ["--yes", packageSpec, ...cliArgs], {
|
||||
cwd: process.env.GITHUB_WORKSPACE || context.actionRoot,
|
||||
stdio: "inherit",
|
||||
env: context.env,
|
||||
});
|
||||
}
|
||||
|
||||
function ensureActionDependencies(context: RuntimeContext): void {
|
||||
const nodeModulesPath = join(context.actionRoot, "node_modules");
|
||||
if (existsSync(nodeModulesPath)) {
|
||||
return;
|
||||
}
|
||||
|
||||
const corepackPath =
|
||||
process.platform === "win32"
|
||||
? join(context.nodeBinDir, "corepack.cmd")
|
||||
: join(context.nodeBinDir, "corepack");
|
||||
execFileSync(corepackPath, ["pnpm", "install", "--frozen-lockfile", "--ignore-scripts"], {
|
||||
cwd: context.actionRoot,
|
||||
stdio: "inherit",
|
||||
env: context.env,
|
||||
});
|
||||
}
|
||||
|
||||
function runLocalCli(context: RuntimeContext, cliArgs: string[]): void {
|
||||
ensureActionDependencies(context);
|
||||
execFileSync(process.execPath, ["cli.ts", ...cliArgs], {
|
||||
cwd: context.actionRoot,
|
||||
stdio: "inherit",
|
||||
env: context.env,
|
||||
});
|
||||
}
|
||||
|
||||
function runPullfrogCliInner(context: RuntimeContext, cliArgs: string[]): void {
|
||||
if (context.actionRef === "main" && context.actionRepository === "pullfrog/pullfrog") {
|
||||
runLocalCli(context, cliArgs);
|
||||
return;
|
||||
}
|
||||
|
||||
runNpx(context, FALLBACK_PACKAGE_SPEC, cliArgs);
|
||||
}
|
||||
|
||||
export function runPullfrogCli(params: RunPullfrogCliParams): void {
|
||||
const context = createRuntimeContext();
|
||||
|
||||
if (params.swallowErrors) {
|
||||
try {
|
||||
runPullfrogCliInner(context, params.cliArgs);
|
||||
} catch {
|
||||
// best-effort cleanup
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
runPullfrogCliInner(context, params.cliArgs);
|
||||
}
|
||||
@@ -0,0 +1,71 @@
|
||||
import { isBuiltin } from "node:module";
|
||||
import { dirname, resolve } from "node:path";
|
||||
import { fileURLToPath } from "node:url";
|
||||
import { build } from "esbuild";
|
||||
|
||||
const scriptDir = dirname(fileURLToPath(import.meta.url));
|
||||
|
||||
const entryPoints = [
|
||||
resolve(scriptDir, "../entry.ts"),
|
||||
resolve(scriptDir, "../post.ts"),
|
||||
resolve(scriptDir, "../get-installation-token/entry.ts"),
|
||||
resolve(scriptDir, "../get-installation-token/post.ts"),
|
||||
];
|
||||
|
||||
function isPathImport(specifier: string): boolean {
|
||||
return (
|
||||
specifier.startsWith("./") ||
|
||||
specifier.startsWith("../") ||
|
||||
specifier.startsWith("/") ||
|
||||
specifier.startsWith("file:")
|
||||
);
|
||||
}
|
||||
|
||||
async function checkEntrypointImports(): Promise<void> {
|
||||
const result = await build({
|
||||
entryPoints,
|
||||
outdir: resolve(scriptDir, "../.tmp/entrypoint-imports"),
|
||||
bundle: true,
|
||||
write: false,
|
||||
metafile: true,
|
||||
platform: "node",
|
||||
format: "esm",
|
||||
packages: "external",
|
||||
logLevel: "silent",
|
||||
});
|
||||
|
||||
if (!result.metafile) {
|
||||
throw new Error("expected esbuild metafile output");
|
||||
}
|
||||
|
||||
const violations: string[] = [];
|
||||
const inputPaths = Object.keys(result.metafile.inputs);
|
||||
for (const inputPath of inputPaths) {
|
||||
const input = result.metafile.inputs[inputPath];
|
||||
for (const imported of input.imports) {
|
||||
if (!imported.external) {
|
||||
continue;
|
||||
}
|
||||
if (isPathImport(imported.path)) {
|
||||
continue;
|
||||
}
|
||||
if (isBuiltin(imported.path)) {
|
||||
continue;
|
||||
}
|
||||
violations.push(`${inputPath} -> ${imported.path}`);
|
||||
}
|
||||
}
|
||||
|
||||
if (violations.length === 0) {
|
||||
console.log("entrypoint import guard passed");
|
||||
return;
|
||||
}
|
||||
|
||||
console.error("entrypoint import guard failed. non-builtin package imports detected:");
|
||||
for (const violation of violations.sort()) {
|
||||
console.error(`- ${violation}`);
|
||||
}
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
await checkEntrypointImports();
|
||||
@@ -1,13 +0,0 @@
|
||||
import { mkdirSync, writeFileSync } from "node:fs";
|
||||
|
||||
const proxies = [
|
||||
{ dest: "dist/index.js", source: "../index.ts" },
|
||||
{ dest: "dist/internal.js", source: "../internal/index.ts" },
|
||||
];
|
||||
|
||||
mkdirSync("dist", { recursive: true });
|
||||
|
||||
for (const proxy of proxies) {
|
||||
writeFileSync(proxy.dest, `export * from "${proxy.source}";\n`);
|
||||
writeFileSync(proxy.dest.replace(/\.js$/, ".d.ts"), `export * from "${proxy.source}";\n`);
|
||||
}
|
||||
@@ -27,8 +27,8 @@ exports[`latest model per provider snapshot > matches snapshot 1`] = `
|
||||
"releaseDate": "2026-04-07",
|
||||
},
|
||||
"openrouter": {
|
||||
"modelId": "z-ai/glm-5.1",
|
||||
"releaseDate": "2026-04-07",
|
||||
"modelId": "openrouter/elephant-alpha",
|
||||
"releaseDate": "2026-04-13",
|
||||
},
|
||||
"xai": {
|
||||
"modelId": "grok-4.20-multi-agent-0309",
|
||||
|
||||
@@ -90,6 +90,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
tags: ["adhoc", "security"],
|
||||
agents: ["opentoad"],
|
||||
agents: ["opencode"],
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
};
|
||||
|
||||
@@ -107,6 +107,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
tags: ["adhoc", "security"],
|
||||
agents: ["opentoad"],
|
||||
agents: ["opencode"],
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
};
|
||||
|
||||
@@ -78,6 +78,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
tags: ["adhoc", "security"],
|
||||
agents: ["opentoad"],
|
||||
agents: ["opencode"],
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
};
|
||||
|
||||
@@ -94,5 +94,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
repoSetup,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic", "security"],
|
||||
};
|
||||
|
||||
@@ -102,5 +102,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
agentEnv,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic"],
|
||||
};
|
||||
|
||||
@@ -90,5 +90,6 @@ export const test: TestRunnerOptions = {
|
||||
name: "pkg-json-scripts",
|
||||
fixture,
|
||||
validator,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic", "security"],
|
||||
};
|
||||
|
||||
@@ -60,5 +60,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
agentEnv,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic"],
|
||||
};
|
||||
|
||||
@@ -72,5 +72,6 @@ export const test: TestRunnerOptions = {
|
||||
name: "push-enabled",
|
||||
fixture,
|
||||
validator,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic"],
|
||||
};
|
||||
|
||||
@@ -65,5 +65,6 @@ export const test: TestRunnerOptions = {
|
||||
name: "push-restricted",
|
||||
fixture,
|
||||
validator,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic"],
|
||||
};
|
||||
|
||||
@@ -27,5 +27,6 @@ export const test: TestRunnerOptions = {
|
||||
fixture,
|
||||
validator,
|
||||
expectFailure: true,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
tags: ["agnostic"],
|
||||
};
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# outputs a JSON array of agent names to stdout.
|
||||
#
|
||||
# only agents whose harness file changed AND are exported from index.ts are included.
|
||||
# shared.ts/index.ts and other non-harness action changes fall back to opentoad as a canary.
|
||||
# shared.ts/index.ts and other non-harness action changes fall back to opencode as a canary.
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
@@ -58,9 +58,9 @@ while IFS= read -r file; do
|
||||
done <<< "$files"
|
||||
|
||||
# output agents based on change type.
|
||||
# non-agent action changes always include opentoad as a canary.
|
||||
# non-agent action changes always include opencode as a canary.
|
||||
if $has_non_agent_change; then
|
||||
changed_agents+=("opentoad")
|
||||
changed_agents+=("opencode")
|
||||
fi
|
||||
|
||||
if [[ ${#changed_agents[@]} -gt 0 ]]; then
|
||||
|
||||
+8
-8
@@ -87,29 +87,29 @@ describe("ci workflow consistency", () => {
|
||||
expect(rootJob.strategy!.matrix.agent).toBe(dynamicAgentsExpression);
|
||||
});
|
||||
|
||||
it("changed-agents.sh falls back to opentoad when shared agent code changed", () => {
|
||||
it("changed-agents.sh falls back to opencode when shared agent code changed", () => {
|
||||
const input = JSON.stringify(["action/agents/shared.ts"]);
|
||||
const output = execFileSync("bash", [join(__dirname, "changed-agents.sh")], {
|
||||
input,
|
||||
encoding: "utf-8",
|
||||
});
|
||||
expect(JSON.parse(output)).toEqual(["opentoad"]);
|
||||
expect(JSON.parse(output)).toEqual(["opencode"]);
|
||||
});
|
||||
|
||||
it("changed-agents.sh falls back to opentoad for non-agent action changes", () => {
|
||||
it("changed-agents.sh falls back to opencode for non-agent action changes", () => {
|
||||
const output = execFileSync("bash", [join(__dirname, "changed-agents.sh")], {
|
||||
input: JSON.stringify(["action/mcp/server.ts"]),
|
||||
encoding: "utf-8",
|
||||
});
|
||||
expect(JSON.parse(output)).toEqual(["opentoad"]);
|
||||
expect(JSON.parse(output)).toEqual(["opencode"]);
|
||||
});
|
||||
|
||||
it("changed-agents.sh includes opentoad canary alongside changed agents", () => {
|
||||
it("changed-agents.sh includes opencode canary alongside changed agents", () => {
|
||||
const output = execFileSync("bash", [join(__dirname, "changed-agents.sh")], {
|
||||
input: JSON.stringify(["action/agents/opentoad.ts", "action/mcp/server.ts"]),
|
||||
input: JSON.stringify(["action/agents/opencode.ts", "action/mcp/server.ts"]),
|
||||
encoding: "utf-8",
|
||||
});
|
||||
expect(JSON.parse(output)).toEqual(["opentoad"]);
|
||||
expect(JSON.parse(output)).toEqual(["opencode"]);
|
||||
});
|
||||
|
||||
it("changed-agents.sh treats legacy agent files as non-agent changes", () => {
|
||||
@@ -117,7 +117,7 @@ describe("ci workflow consistency", () => {
|
||||
input: JSON.stringify(["action/agents/codex.ts", "action/agents/gemini.ts"]),
|
||||
encoding: "utf-8",
|
||||
});
|
||||
expect(JSON.parse(output)).toEqual(["opentoad"]);
|
||||
expect(JSON.parse(output)).toEqual(["opencode"]);
|
||||
});
|
||||
|
||||
it("action agent matrix matches agents map", () => {
|
||||
|
||||
@@ -38,6 +38,7 @@ export const test: TestRunnerOptions = {
|
||||
validator,
|
||||
env: {
|
||||
GITHUB_REPOSITORY: "pullfrog/test-repo-mcp",
|
||||
PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1",
|
||||
PULLFROG_MCP_SECRET: secret,
|
||||
},
|
||||
repoSetup:
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
import { randomUUID } from "node:crypto";
|
||||
import type { AgentResult, TestRunnerOptions, ValidationCheck } from "../utils.ts";
|
||||
import { defineFixture, getAgentOutput } from "../utils.ts";
|
||||
|
||||
const skillName = "pullfrog-skill-check";
|
||||
const token = randomUUID();
|
||||
|
||||
const fixture = defineFixture(
|
||||
{
|
||||
prompt: `Do not modify any files.
|
||||
|
||||
Use the skill tool to load ${skillName}.
|
||||
Then call set_output with exactly this token and nothing else: ${token}`,
|
||||
shell: "restricted",
|
||||
push: "disabled",
|
||||
timeout: "4m",
|
||||
},
|
||||
{ localOnly: true }
|
||||
);
|
||||
|
||||
const repoSetup = `mkdir -p .claude/skills/${skillName} .opencode/skills/${skillName} && printf '%s\\n' '---' 'name: ${skillName}' 'description: local skill test token source' '---' '' 'token: ${token}' > .claude/skills/${skillName}/SKILL.md && cp .claude/skills/${skillName}/SKILL.md .opencode/skills/${skillName}/SKILL.md`;
|
||||
|
||||
function validator(result: AgentResult): ValidationCheck[] {
|
||||
const setOutputCalled = result.structuredOutput !== null;
|
||||
const tokenMatches = result.structuredOutput === token;
|
||||
|
||||
const agentOutput = getAgentOutput(result);
|
||||
const skillInvoked = /Skill\(\{[^)]*"skill":"pullfrog-skill-check"/.test(agentOutput);
|
||||
|
||||
return [
|
||||
{ name: "set_output", passed: setOutputCalled },
|
||||
{ name: "token_matches", passed: tokenMatches },
|
||||
{ name: "skill_invoked", passed: skillInvoked },
|
||||
];
|
||||
}
|
||||
|
||||
export const test: TestRunnerOptions = {
|
||||
name: "skill-invoke-claude",
|
||||
fixture,
|
||||
validator,
|
||||
agents: ["claude"],
|
||||
repoSetup,
|
||||
env: {
|
||||
PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1",
|
||||
PULLFROG_MODEL: "anthropic/claude-sonnet-4-6",
|
||||
},
|
||||
};
|
||||
@@ -0,0 +1,47 @@
|
||||
import { randomUUID } from "node:crypto";
|
||||
import type { AgentResult, TestRunnerOptions, ValidationCheck } from "../utils.ts";
|
||||
import { defineFixture, getAgentOutput } from "../utils.ts";
|
||||
|
||||
const skillName = "pullfrog-skill-check";
|
||||
const token = randomUUID();
|
||||
|
||||
const fixture = defineFixture(
|
||||
{
|
||||
prompt: `Do not modify any files.
|
||||
|
||||
Use the skill tool to load ${skillName}.
|
||||
Then call set_output with exactly this token and nothing else: ${token}`,
|
||||
shell: "restricted",
|
||||
push: "disabled",
|
||||
timeout: "4m",
|
||||
},
|
||||
{ localOnly: true }
|
||||
);
|
||||
|
||||
const repoSetup = `mkdir -p .claude/skills/${skillName} .opencode/skills/${skillName} && printf '%s\\n' '---' 'name: ${skillName}' 'description: local skill test token source' '---' '' 'token: ${token}' > .claude/skills/${skillName}/SKILL.md && cp .claude/skills/${skillName}/SKILL.md .opencode/skills/${skillName}/SKILL.md`;
|
||||
|
||||
function validator(result: AgentResult): ValidationCheck[] {
|
||||
const setOutputCalled = result.structuredOutput !== null;
|
||||
const tokenMatches = result.structuredOutput === token;
|
||||
|
||||
const agentOutput = getAgentOutput(result);
|
||||
const skillInvoked = /skill\(\{[^)]*"name":"pullfrog-skill-check"/.test(agentOutput);
|
||||
|
||||
return [
|
||||
{ name: "set_output", passed: setOutputCalled },
|
||||
{ name: "token_matches", passed: tokenMatches },
|
||||
{ name: "skill_invoked", passed: skillInvoked },
|
||||
];
|
||||
}
|
||||
|
||||
export const test: TestRunnerOptions = {
|
||||
name: "skill-invoke-opencode",
|
||||
fixture,
|
||||
validator,
|
||||
agents: ["opencode"],
|
||||
repoSetup,
|
||||
env: {
|
||||
PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1",
|
||||
PULLFROG_MODEL: "anthropic/claude-sonnet-4-6",
|
||||
},
|
||||
};
|
||||
@@ -28,4 +28,5 @@ export const test: TestRunnerOptions = {
|
||||
name: "smoke",
|
||||
fixture,
|
||||
validator,
|
||||
env: { PULLFROG_DISABLE_SECURITY_INSTRUCTIONS: "1" },
|
||||
};
|
||||
|
||||
@@ -6,7 +6,7 @@ import { defineFixture, generateAgentUuids, getAgentOutput } from "../utils.ts";
|
||||
* process environment. SANDBOX_TEST_TOKEN is set in the agent's process env
|
||||
* but should be invisible via:
|
||||
* - shell: filterEnv() strips *_TOKEN vars, PID namespace hides parent /proc
|
||||
* - native tools: OPENCODE_PERMISSION denies external_directory (opentoad),
|
||||
* - native tools: OPENCODE_PERMISSION denies external_directory (opencode),
|
||||
* managed-settings.json denies /proc reads (claude)
|
||||
*
|
||||
* runs with both agents to verify each sandbox independently.
|
||||
|
||||
+7
-7
@@ -27,14 +27,14 @@ import {
|
||||
* filters can be test names, tags, or agent names:
|
||||
* node test/run.ts # run all tests (excludes adhoc-tagged tests)
|
||||
* node test/run.ts smoke # run tests named "smoke" or tagged "smoke"
|
||||
* node test/run.ts opentoad # run all tests for opentoad only
|
||||
* node test/run.ts opencode # run all tests for opencode only
|
||||
* node test/run.ts security # run all tests tagged "security"
|
||||
* node test/run.ts agnostic # run all agnostic-tagged tests (with opentoad)
|
||||
* node test/run.ts agnostic # run all agnostic-tagged tests (with opencode)
|
||||
* node test/run.ts adhoc # run all adhoc-tagged tests
|
||||
* node test/run.ts smoke opentoad # run smoke tests for opentoad only
|
||||
* node test/run.ts smoke opencode # run smoke tests for opencode only
|
||||
*
|
||||
* special tags:
|
||||
* - "agnostic": runs with opentoad only, excluded when filtering by agent
|
||||
* - "agnostic": runs with opencode only, excluded when filtering by agent
|
||||
* - "adhoc": excluded from default runs, must be explicitly requested
|
||||
*
|
||||
* by default, runs in a Docker container for isolation.
|
||||
@@ -303,7 +303,7 @@ async function runTestForAgent(ctx: RunContext): Promise<ValidationResult> {
|
||||
if (!Object.hasOwn(env, "PULLFROG_MODEL")) {
|
||||
const defaultModels: Record<string, string> = {
|
||||
claude: "anthropic/claude-sonnet-4-6",
|
||||
opentoad: "anthropic/claude-sonnet-4-6",
|
||||
opencode: "anthropic/claude-sonnet-4-6",
|
||||
};
|
||||
const model = defaultModels[ctx.agent];
|
||||
if (model) {
|
||||
@@ -414,11 +414,11 @@ async function main(): Promise<void> {
|
||||
const isAgnostic = hasTag(testInfo, "agnostic");
|
||||
|
||||
if (isAgnostic) {
|
||||
// agnostic tests: skip if only filtering by agent, otherwise run with opentoad
|
||||
// agnostic tests: skip if only filtering by agent, otherwise run with opencode
|
||||
if (parsed.filters.length === 0 && parsed.agentFilters.length > 0) {
|
||||
continue;
|
||||
}
|
||||
runs.push({ testInfo, agent: "opentoad" });
|
||||
runs.push({ testInfo, agent: "opencode" });
|
||||
} else {
|
||||
// determine which agents to run for this test
|
||||
const testAgents = testInfo.config.agents ?? agents;
|
||||
|
||||
+2
-2
@@ -90,7 +90,7 @@ export function generateAgentUuids<T extends string>(envVarNames: T[]): AgentUui
|
||||
|
||||
// assign consistent colors to agents (using ANSI codes)
|
||||
const AGENT_COLORS: Record<string, string> = {
|
||||
opentoad: "\x1b[32m", // green
|
||||
opencode: "\x1b[32m", // green
|
||||
};
|
||||
const RESET = "\x1b[0m";
|
||||
|
||||
@@ -325,7 +325,7 @@ export interface TestRunnerOptions {
|
||||
repoSetup?: string;
|
||||
// tags for grouping tests (e.g., ["agnostic"], ["fs"])
|
||||
// special tags:
|
||||
// - "agnostic": runs with opentoad only, excluded when filtering by agent
|
||||
// - "agnostic": runs with opencode only, excluded when filtering by agent
|
||||
// - "adhoc": excluded from default runs, must be explicitly requested
|
||||
tags?: TestTag[];
|
||||
}
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"noEmit": false,
|
||||
"emitDeclarationOnly": true,
|
||||
"declarationMap": false,
|
||||
"outDir": "./dist"
|
||||
},
|
||||
"include": ["index.ts", "internal/index.ts"]
|
||||
}
|
||||
+2
-1
@@ -20,5 +20,6 @@
|
||||
"stripInternal": true,
|
||||
"moduleDetection": "force",
|
||||
"useUnknownInCatchVariables": true
|
||||
}
|
||||
},
|
||||
"exclude": []
|
||||
}
|
||||
|
||||
+2
-2
@@ -2,8 +2,8 @@ import { describe, expect, it } from "vitest";
|
||||
import { resolveAgent } from "./agent.ts";
|
||||
|
||||
describe("resolveAgent", () => {
|
||||
it("returns opentoad", () => {
|
||||
it("returns opencode", () => {
|
||||
const agent = resolveAgent({});
|
||||
expect(agent.name).toBe("opentoad");
|
||||
expect(agent.name).toBe("opencode");
|
||||
});
|
||||
});
|
||||
|
||||
+1
-1
@@ -64,5 +64,5 @@ export function resolveAgent(ctx: { model?: string | undefined }): Agent {
|
||||
}
|
||||
|
||||
// 3. default: OpenCode (universal, supports all providers)
|
||||
return agents.opentoad;
|
||||
return agents.opencode;
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@ import { afterEach, beforeEach, describe, expect, it } from "vitest";
|
||||
import { validateAgentApiKey } from "./apiKeys.ts";
|
||||
|
||||
const base = {
|
||||
agent: { name: "opentoad" },
|
||||
agent: { name: "opencode" },
|
||||
owner: "test-owner",
|
||||
name: "test-repo",
|
||||
};
|
||||
|
||||
@@ -13,7 +13,7 @@ export interface WorkflowRunFooterInfo {
|
||||
}
|
||||
|
||||
export interface BuildPullfrogFooterParams {
|
||||
/** add "Triggered by Pullfrog" link */
|
||||
/** add "via Pullfrog" link */
|
||||
triggeredBy?: boolean;
|
||||
/** add "View workflow run" link */
|
||||
workflowRun?: WorkflowRunFooterInfo | undefined;
|
||||
@@ -52,7 +52,7 @@ export function buildPullfrogFooter(params: BuildPullfrogFooterParams): string {
|
||||
}
|
||||
|
||||
if (params.triggeredBy) {
|
||||
parts.push("Triggered by [Pullfrog](https://pullfrog.com)");
|
||||
parts.push("via [Pullfrog](https://pullfrog.com)");
|
||||
}
|
||||
|
||||
if (params.model) {
|
||||
|
||||
@@ -153,9 +153,10 @@ ${ctx.userQuoted}`;
|
||||
|
||||
const eventInstructions = ctx.payload.eventInstructions ?? "";
|
||||
if (eventInstructions) {
|
||||
const parts = [ctx.eventTitle, eventInstructions].filter(Boolean);
|
||||
return `************* YOUR TASK *************
|
||||
|
||||
${eventInstructions}`;
|
||||
${parts.join("\n\n")}`;
|
||||
}
|
||||
|
||||
return "";
|
||||
@@ -280,6 +281,8 @@ Never use \`sleep\` to wait for commands to complete. Commands run synchronously
|
||||
|
||||
When posting comments via ${pullfrogMcpName}, write as a professional team member would. Your final comments should be polished and actionable — do not include intermediate reasoning like "I'll now look at the code" or "Let me respond to the question."
|
||||
|
||||
When embedding images (e.g. uploaded screenshots) in comments or PR bodies, always use markdown image syntax: \`\`. Never paste a naked URL — it will not render as an image.
|
||||
|
||||
### Progress reporting
|
||||
|
||||
**Task list**: at the start of every run, create an internal task list based on the steps in your current mode. Update it as you complete each step. The system automatically renders this list to the progress comment — you do not need to call \`report_progress\` for this.
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
import type { ToolContext } from "../mcp/server.ts";
|
||||
import { apiFetch } from "./apiFetch.ts";
|
||||
import { log } from "./cli.ts";
|
||||
import { retry } from "./retry.ts";
|
||||
|
||||
/** Keys accepted by PATCH /api/workflow-run/[runId] — keep in sync with `ALLOWED_FIELDS` in `app/api/workflow-run/[runId]/route.ts`. */
|
||||
export type WorkflowRunArtifactPatchKey =
|
||||
| "prNodeId"
|
||||
| "issueNodeId"
|
||||
| "reviewNodeId"
|
||||
| "planCommentNodeId"
|
||||
| "summaryCommentNodeId";
|
||||
|
||||
export type WorkflowRunArtifactPatch = Partial<Record<WorkflowRunArtifactPatchKey, string>>;
|
||||
|
||||
const ARTIFACT_PATCH_KEYS: WorkflowRunArtifactPatchKey[] = [
|
||||
"prNodeId",
|
||||
"issueNodeId",
|
||||
"reviewNodeId",
|
||||
"planCommentNodeId",
|
||||
"summaryCommentNodeId",
|
||||
];
|
||||
|
||||
/** PATCH workflow-run artifact fields (Pullfrog JWT, not GitHub). */
|
||||
export async function patchWorkflowRunFields(
|
||||
ctx: ToolContext,
|
||||
fields: WorkflowRunArtifactPatch
|
||||
): Promise<void> {
|
||||
if (ctx.runId === undefined || !ctx.apiToken) return;
|
||||
const body: Record<string, string> = {};
|
||||
for (const key of ARTIFACT_PATCH_KEYS) {
|
||||
const value = fields[key];
|
||||
if (typeof value === "string" && value.length > 0) {
|
||||
body[key] = value;
|
||||
}
|
||||
}
|
||||
if (Object.keys(body).length === 0) return;
|
||||
try {
|
||||
await retry(
|
||||
async () => {
|
||||
const response = await apiFetch({
|
||||
path: `/api/workflow-run/${ctx.runId}`,
|
||||
method: "PATCH",
|
||||
headers: {
|
||||
authorization: `Bearer ${ctx.apiToken}`,
|
||||
"content-type": "application/json",
|
||||
},
|
||||
body: JSON.stringify(body),
|
||||
signal: AbortSignal.timeout(10_000),
|
||||
});
|
||||
if (!response.ok) throw new Error(`PATCH workflow-run: ${response.status}`);
|
||||
},
|
||||
{
|
||||
maxAttempts: 3,
|
||||
delayMs: 2000,
|
||||
label: "patchWorkflowRunFields",
|
||||
}
|
||||
);
|
||||
} catch (error) {
|
||||
log.warning(`patchWorkflowRunFields exhausted retries: ${error}`);
|
||||
}
|
||||
}
|
||||
@@ -24,7 +24,7 @@ export async function postReviewCleanup(ctx: ToolContext): Promise<void> {
|
||||
delete ctx.toolState.review;
|
||||
|
||||
// mark review as submitted — unlocks webhook dedup for new pushes
|
||||
await bestEffort(() => reportReviewNodeId(ctx, review.nodeId), "reportReviewNodeId");
|
||||
await bestEffort(() => reportReviewNodeId(ctx, { nodeId: review.nodeId }), "reportReviewNodeId");
|
||||
|
||||
// dispatch follow-up if PR HEAD moved past the reviewed commit
|
||||
if (review.reviewedSha) {
|
||||
|
||||
+10
-4
@@ -57,18 +57,24 @@ const defaultRunContext: RunContext = {
|
||||
export async function fetchRunContext(params: {
|
||||
token: string;
|
||||
repoContext: RepoContext;
|
||||
oidcToken?: string | undefined;
|
||||
}): Promise<RunContext> {
|
||||
const timeoutMs = 30000;
|
||||
const controller = new AbortController();
|
||||
const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
|
||||
|
||||
try {
|
||||
const headers: Record<string, string> = {
|
||||
Authorization: `Bearer ${params.token}`,
|
||||
"Content-Type": "application/json",
|
||||
};
|
||||
if (params.oidcToken) {
|
||||
headers["X-GitHub-OIDC-Token"] = params.oidcToken;
|
||||
}
|
||||
|
||||
const response = await apiFetch({
|
||||
path: `/api/repo/${params.repoContext.owner}/${params.repoContext.name}/run-context`,
|
||||
headers: {
|
||||
Authorization: `Bearer ${params.token}`,
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
headers,
|
||||
signal: controller.signal,
|
||||
});
|
||||
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import * as core from "@actions/core";
|
||||
import type { Octokit } from "@octokit/rest";
|
||||
import packageJson from "../package.json" with { type: "json" };
|
||||
import { log } from "./cli.ts";
|
||||
@@ -32,9 +33,16 @@ export async function resolveRunContextData(
|
||||
|
||||
const repoContext = parseRepoContext();
|
||||
|
||||
let oidcToken: string | undefined;
|
||||
try {
|
||||
oidcToken = await core.getIDToken("pullfrog-api");
|
||||
} catch {
|
||||
// OIDC not available (local dev, non-actions environment, fork PRs)
|
||||
}
|
||||
|
||||
const [repoResponse, runContext] = await Promise.all([
|
||||
params.octokit.repos.get({ owner: repoContext.owner, repo: repoContext.name }),
|
||||
fetchRunContext({ token: params.token, repoContext }),
|
||||
fetchRunContext({ token: params.token, repoContext, oidcToken }),
|
||||
]);
|
||||
|
||||
return {
|
||||
|
||||
+1
-39
@@ -1,10 +1,7 @@
|
||||
/**
|
||||
* Secret detection and redaction utilities
|
||||
* Redacts actual secret values rather than using pattern matching
|
||||
* Secret detection and env filtering utilities
|
||||
*/
|
||||
|
||||
import { getGitHubInstallationToken } from "./token.ts";
|
||||
|
||||
// patterns for sensitive env var names
|
||||
export const SENSITIVE_PATTERNS = [
|
||||
/_KEY$/i,
|
||||
@@ -47,38 +44,3 @@ export function resolveEnv(mode: EnvMode | undefined): Record<string, string | u
|
||||
// custom env object - merge with restricted base
|
||||
return { ...filterEnv(), ...mode };
|
||||
}
|
||||
|
||||
function getAllSecrets(): string[] {
|
||||
const secrets: string[] = [];
|
||||
|
||||
// collect all env var values matching SENSITIVE_PATTERNS
|
||||
for (const [key, value] of Object.entries(process.env)) {
|
||||
if (value && isSensitiveEnvName(key)) {
|
||||
secrets.push(value);
|
||||
}
|
||||
}
|
||||
|
||||
// add GitHub installation token (stored in memory, not in env)
|
||||
try {
|
||||
const token = getGitHubInstallationToken();
|
||||
if (token) {
|
||||
secrets.push(token);
|
||||
}
|
||||
} catch {
|
||||
// token not set yet, ignore
|
||||
}
|
||||
|
||||
return secrets;
|
||||
}
|
||||
|
||||
export function redactSecrets(content: string, secrets?: string[]): string {
|
||||
const secretsToRedact = [...(secrets ?? []), ...getAllSecrets()];
|
||||
let redacted = content;
|
||||
for (const secret of secretsToRedact) {
|
||||
if (secret) {
|
||||
const escaped = secret.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
|
||||
redacted = redacted.replaceAll(new RegExp(escaped, "g"), "[REDACTED_SECRET]");
|
||||
}
|
||||
}
|
||||
return redacted;
|
||||
}
|
||||
|
||||
+29
-2
@@ -1,6 +1,19 @@
|
||||
import { spawnSync } from "node:child_process";
|
||||
import { tmpdir } from "node:os";
|
||||
import { log } from "./cli.ts";
|
||||
import { getDevDependencyVersion } from "./version.ts";
|
||||
|
||||
const skillsVersion = getDevDependencyVersion("skills");
|
||||
|
||||
/**
|
||||
* install a skill globally via the `skills` CLI.
|
||||
*
|
||||
* runs `npx skills add <ref> --skill <name> -g` with `cwd` set to os tmpdir
|
||||
* so npm doesn't walk up and find a project-level `.npmrc` with pnpm-specific
|
||||
* settings (e.g. `public-hoist-pattern`) that break npx binary resolution.
|
||||
* the `-g` flag writes to `$HOME/.agents/skills/` which is controlled by
|
||||
* `params.env.HOME` (the fake HOME), so cwd has no effect on install location.
|
||||
*/
|
||||
export function addSkill(params: {
|
||||
ref: string;
|
||||
skill: string;
|
||||
@@ -9,8 +22,20 @@ export function addSkill(params: {
|
||||
}): void {
|
||||
const result = spawnSync(
|
||||
"npx",
|
||||
["skills", "add", params.ref, "--skill", params.skill, "-g", "-a", params.agent, "-y"],
|
||||
[
|
||||
"-y",
|
||||
`skills@${skillsVersion}`,
|
||||
"add",
|
||||
params.ref,
|
||||
"--skill",
|
||||
params.skill,
|
||||
"-g",
|
||||
"-a",
|
||||
params.agent,
|
||||
"-y",
|
||||
],
|
||||
{
|
||||
cwd: tmpdir(),
|
||||
env: { ...process.env, ...params.env },
|
||||
stdio: "pipe",
|
||||
timeout: 30_000,
|
||||
@@ -19,6 +44,8 @@ export function addSkill(params: {
|
||||
if (result.status === 0) {
|
||||
log.info(`installed ${params.skill} skill (${params.agent})`);
|
||||
} else {
|
||||
log.info(`${params.skill} skill install failed: ${(result.stderr?.toString() || "").trim()}`);
|
||||
const stderr = (result.stderr?.toString() || "").trim();
|
||||
const errorMsg = result.error ? result.error.message : stderr;
|
||||
log.info(`${params.skill} skill install failed: ${errorMsg}`);
|
||||
}
|
||||
}
|
||||
|
||||
+1
-1
@@ -6,7 +6,7 @@ import { onExitSignal } from "./exitHandler.ts";
|
||||
import { acquireNewToken } from "./github.ts";
|
||||
import { isGitHubActions } from "./globals.ts";
|
||||
|
||||
// re-export for get-installation-token action
|
||||
// re-export for `pullfrog gha token` subcommand
|
||||
export { acquireNewToken as acquireInstallationToken };
|
||||
export { revokeGitHubInstallationToken as revokeInstallationToken };
|
||||
|
||||
|
||||
Reference in New Issue
Block a user