d93ddcbf4a
* expose push: restricted to users the action runtime already understood `disabled | restricted | enabled` for `push` (see action/external.ts, action/mcp/git.ts); the DB enum, the zod schema, the React settings UI, and the action.yml input docs lagged behind. catches all four up. UI surfaces a 2-state toggle (restricted ↔ enabled) in the Security card alongside shell isolation — `disabled` stays in the enum so non-UI callers (action.yml input) still accept it but is intentionally hidden from the console. * address reviews: doc full restricted scope + disabled UI edge case reviewers flagged that "restricted" blocks more than default-branch pushes (also delete_branch + push_tags per action/mcp/git.ts:621-700), and that the popover's "off = full push access" claim is wrong for repos whose workflow sets `push: disabled` (also renders as OFF since the toggle is `props.push === "restricted"`). action.yml description now enumerates the full restricted scope, and the popover frames off behavior in terms of the workflow input so disabled repos aren't misrepresented.
48 lines
1.9 KiB
YAML
48 lines
1.9 KiB
YAML
name: "Pullfrog Action"
|
|
description: "Execute coding agents with a prompt"
|
|
author: "Pullfrog"
|
|
|
|
inputs:
|
|
prompt:
|
|
description: "Prompt to send to the agent (string or JSON payload)"
|
|
required: true
|
|
timeout:
|
|
description: "Maximum run duration (e.g., 10m, 1h30m). Default: 1h"
|
|
required: false
|
|
model:
|
|
description: "Model to use (e.g., anthropic/claude-opus). Overrides repo settings."
|
|
required: false
|
|
cwd:
|
|
description: "Working directory for the agent (defaults to GITHUB_WORKSPACE)"
|
|
required: false
|
|
push:
|
|
description: "Git push permission: disabled (read-only), restricted (push feature branches only — blocks pushes to the default branch, branch deletion, and tag pushes), or enabled (full push access). Default: enabled"
|
|
required: false
|
|
shell:
|
|
description: "Shell permission: disabled, restricted (filters secrets from env vars), or enabled. Public repos default to restricted for security; private repos default to enabled."
|
|
required: false
|
|
output_schema:
|
|
description: "JSON Schema (draft-07) for structured output validation. When provided, the action output becomes required and must conform to this schema."
|
|
required: false
|
|
token:
|
|
description: "GitHub-provided token with job-scoped permissions. Do not set this unless you know what you are doing."
|
|
required: false
|
|
default: ${{ github.token }}
|
|
|
|
outputs:
|
|
result:
|
|
description: "It's set when the prompt explicitly requests it and is required when output_schema is provided; use it to capture actionable output for the next workflow step."
|
|
|
|
runs:
|
|
using: "node24"
|
|
main: "entry.ts"
|
|
# Always-run post step persists best-effort state that must survive
|
|
# cancellation, timeouts, and unhandled errors in the main step. Today's
|
|
# only consumer: Codex auth.json refresh write-back. See wiki/codex-auth.md.
|
|
post: "entryPost.ts"
|
|
post-if: "always()"
|
|
|
|
branding:
|
|
icon: "code"
|
|
color: "green"
|