Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
125 commits
Select commit Hold shift + click to select a range
6f0289d
fix: bake chrome-devtools mcp cache
nikolanovoselec Jul 6, 2026
c172a8c
chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#577)
dependabot[bot] Jul 6, 2026
e5786e2
chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (#596)
dependabot[bot] Jul 6, 2026
428e6b1
chore(deps): bump graphify 0.9.6 -> 0.9.7 (#619)
github-actions[bot] Jul 6, 2026
712a05f
feat(landing): Inference Mesh family hero, Matrix sign-in, scramble c…
nikolanovoselec Jul 10, 2026
6c314e6
feat: anchor inference mesh band as sibling hero, add live terminal reel
nikolanovoselec Jul 10, 2026
a66323e
feat: mesh band uses console-hero lockup; Enter Matrix; tighter secti…
nikolanovoselec Jul 10, 2026
bd589e4
feat: reframe inference mesh band as optional source; drop Codeflare …
nikolanovoselec Jul 10, 2026
9c2c3ee
feat: add 'inference' to the hero kicker capability reel
nikolanovoselec Jul 10, 2026
8531097
feat: elevate infrastructure operations to a peer section; fix mobile…
nikolanovoselec Jul 10, 2026
3a1280b
feat: mesh band white headline + ~/inference chiplet + micro-cta; con…
nikolanovoselec Jul 10, 2026
adba87d
feat: reorder operations before security; hero/header CTA restyle; Ze…
nikolanovoselec Jul 10, 2026
05758b6
feat: unify mobile copy-to-terminal spacing via --gap-copy-terminal t…
nikolanovoselec Jul 10, 2026
0a236bb
fix(spec): hero top line is 'The agentic [word] engine' not 'enterpri…
nikolanovoselec Jul 10, 2026
c50f3bd
docs: retag llms.txt positioning to 'the agentic engineering engine'
nikolanovoselec Jul 10, 2026
cad2e8d
fix(landing): width-lock 'Enter Matrix' hover-decode so header stops …
nikolanovoselec Jul 10, 2026
2625282
fix: exclude regenerated artifacts from R2 sync
nikolanovoselec Jul 10, 2026
2d954e6
Merge pull request #629 from nikolanovoselec/mesh
nikolanovoselec Jul 10, 2026
5fbcc39
fix(landing): mobile/tablet copy-to-terminal spacing — block flow bel…
nikolanovoselec Jul 10, 2026
ae46f56
[autonomous] fix: resolve PR-boundary review findings
nikolanovoselec Jul 10, 2026
b805fc7
ci: accept CVE-2026-39822 (Go os.Root symlink traversal) in vendored …
nikolanovoselec Jul 10, 2026
60dabc2
[autonomous] docs: log CVE-2026-39822 Trivy acceptance in changes.md
nikolanovoselec Jul 10, 2026
47633ab
feat: browser IDE Worker route + SDD domain (REQ-IDE-001/002)
nikolanovoselec Jul 11, 2026
e722085
feat: browser IDE host proxy (REQ-IDE-001/003)
nikolanovoselec Jul 11, 2026
b983e9c
feat: browser IDE container install + lazy-start supervisor (REQ-IDE-…
nikolanovoselec Jul 11, 2026
e559d9e
feat: browser IDE header button + gating (REQ-IDE-001/002/003)
nikolanovoselec Jul 11, 2026
09aceaf
docs(sdd): finalize browser IDE spec (REQ-IDE Implemented + AD95)
nikolanovoselec Jul 11, 2026
e815ac1
test: export -f supervisor helpers so the inner timeout bash inherits…
nikolanovoselec Jul 11, 2026
00e5813
fix: drop unused getSessionKey import in vscode route (oxlint --deny-…
nikolanovoselec Jul 11, 2026
a9faa7c
[autonomous] fix: address PR #630 review findings (code/spec/doc)
nikolanovoselec Jul 11, 2026
e8cdf6b
[autonomous] fix: PR #630 round-2 review findings + frontend CI test
nikolanovoselec Jul 11, 2026
8aaa049
[autonomous] fix: backend tsc error + api-reference REQ-IDE-003 backlink
nikolanovoselec Jul 11, 2026
84bdc78
[autonomous] chore: accept vendored OpenVSCode Server CVEs in .trivyi…
nikolanovoselec Jul 11, 2026
8e6d2fa
[autonomous] fix: correct .trivyignore rationale + spec/doc hygiene (…
nikolanovoselec Jul 11, 2026
31108f4
[autonomous] fix: round-6 review accuracy fixes (PR #630)
nikolanovoselec Jul 11, 2026
3b7c6e4
chore(deps): bump docker/setup-buildx-action from 4.1.0 to 4.2.0 (#622)
dependabot[bot] Jul 11, 2026
8e41f69
chore(deps): bump github/codeql-action/analyze from 4.36.2 to 4.37.0 …
dependabot[bot] Jul 11, 2026
e76d3b9
chore(deps): bump github/codeql-action/autobuild from 4.36.2 to 4.37.…
dependabot[bot] Jul 11, 2026
2ef84f5
chore(deps): bump github/codeql-action/init from 4.36.2 to 4.37.0 (#623)
dependabot[bot] Jul 11, 2026
ebdb86f
chore(deps): bump github/codeql-action/upload-sarif (#626)
dependabot[bot] Jul 11, 2026
e0604b7
refactor: remove bookmark button from terminal header (frontend)
nikolanovoselec Jul 11, 2026
6bd266f
refactor: remove presets routes + KV (backend)
nikolanovoselec Jul 11, 2026
7fe4496
test: drop bookmark/preset tests and mocks
nikolanovoselec Jul 11, 2026
d32c24f
docs: remove REQ-TERM-010 bookmark spec + doc refs
nikolanovoselec Jul 11, 2026
fd405e1
chore(deps-dev): bump fast-check from 4.8.0 to 4.9.0 in /host (#624)
dependabot[bot] Jul 11, 2026
5fd0fe6
chore(deps-dev): bump typescript from 6.0.3 to 7.0.2 in /web-ui (#627)
dependabot[bot] Jul 11, 2026
bde4be4
chore(deps-dev): bump @cloudflare/vitest-pool-workers (#597)
dependabot[bot] Jul 11, 2026
708e5f6
chore(deps-dev): bump @types/node from 25.9.3 to 26.1.1 in /host (#578)
dependabot[bot] Jul 11, 2026
aa708ec
chore(deps): bump astro from 6.4.8 to 7.0.7 in /landing (#583)
dependabot[bot] Jul 11, 2026
de83c72
chore(deps-dev): bump knip from 6.17.1 to 6.26.0 in /web-ui (#608)
dependabot[bot] Jul 11, 2026
3f28490
chore: bump vitest monorepo to 4.1.10 (aligned; supersedes split #556…
nikolanovoselec Jul 11, 2026
90ee97a
chore(deps-dev): bump oxlint from 1.70.0 to 1.73.0 in /web-ui (#606)
dependabot[bot] Jul 11, 2026
c94138b
chore(deps-dev): bump @types/node from 25.9.4 to 26.1.1 in /web-ui (#…
dependabot[bot] Jul 11, 2026
592c774
chore(deps-dev): bump vite from 8.0.16 to 8.1.4 in /web-ui (#609)
dependabot[bot] Jul 11, 2026
c78704a
chore(deps): bump hono from 4.12.25 to 4.12.29 (#572)
dependabot[bot] Jul 11, 2026
8358a82
chore(deps-dev): bump typescript from 6.0.3 to 7.0.2 in /host (#625)
dependabot[bot] Jul 11, 2026
18eb5bf
chore(deps): bump motion from 12.40.0 to 12.42.2 in /landing (#584)
dependabot[bot] Jul 11, 2026
4392a5d
chore(deps): bump lazygit 0.62.2 -> 0.63.0 (#617)
github-actions[bot] Jul 11, 2026
a106efa
chore(deps): bump zoxide 0.9.9 -> 0.10.0 (#618)
github-actions[bot] Jul 11, 2026
08bdf5c
chore(deps-dev): bump puppeteer from 25.1.0 to 25.3.0 (#598)
dependabot[bot] Jul 11, 2026
c4f8d3f
chore(deps-dev): bump vitest from 4.1.8 to 4.1.10 in /landing (#561)
dependabot[bot] Jul 11, 2026
22801b9
Merge remote-tracking branch 'origin/develop' into deps
nikolanovoselec Jul 11, 2026
c122689
chore: bump turnstile-spin worker template vitest to 4.1.10 (mirror #…
nikolanovoselec Jul 11, 2026
16cbe2d
fix: remove imports/vars orphaned by bookmark removal (lint)
nikolanovoselec Jul 11, 2026
e1ee962
fix: stabilize VS Code websocket proxy
nikolanovoselec Jul 11, 2026
0af4d41
fix: remove stale frontend imports
nikolanovoselec Jul 11, 2026
2edd636
fix: preserve terminal scrollback position during output
nikolanovoselec Jul 11, 2026
6176318
chore: bump graphify plugin to 0.9.12 (mirror #632; verified no break…
nikolanovoselec Jul 11, 2026
2c2c9a9
fix: merge VS Code and terminal fixes
nikolanovoselec Jul 11, 2026
17e0b4e
fix: purge legacy presets KV on account deletion; strip version drift…
nikolanovoselec Jul 11, 2026
7e037c8
fix: complete REQ-TERM-014 verification field; align npm table policy…
nikolanovoselec Jul 11, 2026
493b87c
test: use compact dot reporter in CI to cut deploy/PR-check test log …
nikolanovoselec Jul 11, 2026
e73413e
Merge main into develop; regenerate agent-seed.generated.ts
nikolanovoselec Jul 11, 2026
2434694
docs: fix CI crash-guard error-count claim; document CI reporter split
nikolanovoselec Jul 11, 2026
da0cfa1
fix: restore mobile fullscreen TUI scrolling
nikolanovoselec Jul 11, 2026
3e4340a
feat: add Browser IDE continuity band to the landing page
nikolanovoselec Jul 11, 2026
0fe675e
feat(landing): show real codeflare-inference-mesh code in the IDE mock
nikolanovoselec Jul 11, 2026
1787194
fix(landing): vertically centre the brand mark on the codeflare wordmark
nikolanovoselec Jul 11, 2026
1b5e7fa
fix(landing): centre the brand mark on the codeflare lowercase optica…
nikolanovoselec Jul 11, 2026
50b1c71
Merge pull request #633 from nikolanovoselec/feat/landing-ide
nikolanovoselec Jul 11, 2026
53cc539
[autonomous] docs: address spec/doc review findings for REQ-LANDING-0…
nikolanovoselec Jul 11, 2026
38d13e5
[autonomous] docs: relocate REQ-LANDING-007 reduced-motion guarantee …
nikolanovoselec Jul 11, 2026
bf8973e
feat: rebuild Browser IDE band as the full VS Code workbench
nikolanovoselec Jul 11, 2026
eaa2bea
[autonomous] fix: address review findings on the Browser IDE workbench
nikolanovoselec Jul 11, 2026
8209a9b
[autonomous] fix: resolve spec/doc review findings on the IDE workbench
nikolanovoselec Jul 11, 2026
205c599
fix: prevent terminal scrollback top clamp
nikolanovoselec Jul 11, 2026
e1c9691
fix: support fullscreen terminal page controls
nikolanovoselec Jul 11, 2026
837bca3
chore: deactivate opencode/codex/copilot build-time prewarm (keep cla…
nikolanovoselec Jul 11, 2026
ad7aa3d
[autonomous] fix: resolve e1c9691 terminal-fix + prewarm-change revie…
nikolanovoselec Jul 11, 2026
cddc3b1
[autonomous] fix: resolve spec/doc review findings on prewarm + termi…
nikolanovoselec Jul 11, 2026
1600321
[autonomous] fix: resolve spec-lane AC-granularity + test-anchor find…
nikolanovoselec Jul 11, 2026
81a7d77
[autonomous] test: tighten REQ-AGENT-001 AC5 install assertion to the…
nikolanovoselec Jul 11, 2026
22ad5d9
fix: width-lock hero scramble words so churn can't reflow the headlin…
nikolanovoselec Jul 11, 2026
6b84df7
fix: paint hero scramble on an overlay so churn neither clips letters…
nikolanovoselec Jul 11, 2026
8e454bd
fix: rename header sign-in CTA to "Enter The Matrix"; de-pin the labe…
nikolanovoselec Jul 11, 2026
46e6cad
fix: register landing tests in spec test_globs; complete the landing-…
nikolanovoselec Jul 11, 2026
addc003
fix: run hero accent-word scramble at every viewport width
nikolanovoselec Jul 11, 2026
72b87c3
docs: reconcile same-day changelog for mobile-scramble change
nikolanovoselec Jul 11, 2026
98b8a1b
[sdd-clean] split oversized landing and mobile requirements
nikolanovoselec Jul 11, 2026
75d9727
[sdd-clean] restore canonical documentation layout
nikolanovoselec Jul 11, 2026
1bf41e4
[sdd-clean] enforce documentation element budgets
nikolanovoselec Jul 11, 2026
78a6f51
[sdd-clean] record whole-tree enforcement dispositions
nikolanovoselec Jul 11, 2026
d49d668
[sdd-clean] normalize verified behavioral test anchors
nikolanovoselec Jul 11, 2026
f7af5dc
[sdd-clean] normalize source anchors with named sites
nikolanovoselec Jul 11, 2026
00231fc
[sdd-clean] fold noncanonical documentation lanes
nikolanovoselec Jul 11, 2026
de7d686
[sdd-clean] consolidate repeated ADR alternatives
nikolanovoselec Jul 11, 2026
3625133
[sdd-clean] classify unverifiable legacy contracts for manual checks
nikolanovoselec Jul 11, 2026
fd592a8
[sdd-clean] condense acceptance criteria and constraints
nikolanovoselec Jul 11, 2026
2dccd96
[sdd-clean] repair constraint prose and test traceability
nikolanovoselec Jul 11, 2026
87b7e59
[sdd-clean] complete whole-spec enforcement manifest
nikolanovoselec Jul 11, 2026
f36680c
[autonomous] docs: accept upstream OpenVSCode vulnerability risk
nikolanovoselec Jul 11, 2026
dd1092c
[autonomous] fix: preserve Browser IDE startup input and idle activity
nikolanovoselec Jul 11, 2026
164f27c
[autonomous] fix review findings and complete SDD cleanup
nikolanovoselec Jul 11, 2026
fa8f95f
[autonomous] chore: retry failed review lanes
nikolanovoselec Jul 11, 2026
cfec09e
chore: retry review after superseded lane shutdown
nikolanovoselec Jul 11, 2026
38e23b4
[autonomous] test: include Fast Start status output
nikolanovoselec Jul 11, 2026
b7e1184
[autonomous] fix: restore documentation structure and resolve review …
nikolanovoselec Jul 12, 2026
3f045a6
docs: move non-default deployment operations private
nikolanovoselec Jul 12, 2026
9066bd6
docs: align private deployment ownership
nikolanovoselec Jul 12, 2026
699972c
docs: resolve PR-boundary review findings (spec AC trims, orphaned-as…
nikolanovoselec Jul 12, 2026
623030c
docs: fix follow-up review findings (adjacent mechanism-leakage, rest…
nikolanovoselec Jul 12, 2026
57f0e20
docs: resolve corpus-wide spec mechanism-leakage + verbosity findings…
nikolanovoselec Jul 12, 2026
b638546
chore: refresh graphify knowledge graph (AST rebuild, 11.4k→16.1k nodes)
nikolanovoselec Jul 12, 2026
554111e
chore: rebuild graphify graph from scratch, AST-only (drop stale node…
nikolanovoselec Jul 12, 2026
bd1be58
docs: add agent-facing private-config guidance; move enterprise GitHu…
nikolanovoselec Jul 12, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 129 additions & 24 deletions .github/workflows/bump-shadow-pins.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,10 @@ name: Bump Shadow Pins
# - context-mode npm package (plugin.json + entrypoint.sh + README.md)
# - graphify PyPI package graphifyy (plugin.json; Dockerfile reads the pin via jq,
# so no Dockerfile literal to bump)
# - zoxide, yazi, lazygit, silverbullet (GitHub release binaries pinned in Dockerfile)
# - zoxide, yazi, lazygit, silverbullet, openvscode-server (GitHub release binaries pinned in Dockerfile)
# - bun npm package (pinned `npm install -g` literal in Dockerfile for context-mode speed)
# - consult-llm-mcp npm package (pinned `npm install -g` literal in Dockerfile)
# - chrome-devtools-mcp npm package (pinned `npx` literal in entrypoint.sh)
# - chrome-devtools-mcp npm package (Dockerfile-baked npx cache + stable bin)
# - browser-run-mcp: @modelcontextprotocol/sdk pin in
# preseed/agents/claude/browser-run-mcp/package.json (baked into the image; no
# Dockerfile literal — the job reads/bumps the package.json pin via jq)
Expand All @@ -32,7 +32,7 @@ jobs:
context-mode:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -195,7 +195,7 @@ jobs:
graphify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -306,7 +306,7 @@ jobs:
zoxide:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -401,7 +401,7 @@ jobs:
yazi:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -496,7 +496,7 @@ jobs:
lazygit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -591,7 +591,7 @@ jobs:
silverbullet:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -683,13 +683,118 @@ jobs:
EOF
)"

openvscode-server:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Compare Dockerfile pin against latest GitHub release
id: ver
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
CURRENT=$(grep -oP 'OPENVSCODE_VERSION="\K[^"]+' Dockerfile)
TAG=$(gh api repos/gitpod-io/openvscode-server/releases/latest --jq .tag_name)
LATEST="${TAG#openvscode-server-v}"
VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
if [[ ! "$CURRENT" =~ $VERSION_RE ]] || [[ ! "$LATEST" =~ $VERSION_RE ]]; then
echo "Invalid OpenVSCode version: current=$CURRENT latest=$LATEST" >&2
exit 1
fi
echo "current=$CURRENT" >> "$GITHUB_OUTPUT"
echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
if [ "$CURRENT" = "$LATEST" ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "Already on $LATEST, nothing to do."
else
echo "Bumping $CURRENT -> $LATEST"
fi

- name: Skip if a branch for this version already exists
if: steps.ver.outputs.skip != 'true'
id: branch
env:
LATEST: ${{ steps.ver.outputs.latest }}
run: |
BRANCH="bump/openvscode-server-$LATEST"
if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
echo "Branch $BRANCH already exists, skipping."
echo "skip=true" >> "$GITHUB_OUTPUT"
else
echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
fi

- name: Apply bump
if: steps.ver.outputs.skip != 'true' && steps.branch.outputs.skip != 'true'
run: |
set -euo pipefail
git config user.email "github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
git checkout -B "$BRANCH"

node <<'NODE'
const fs = require('node:fs');
const lat = process.env.LAT;
let content = fs.readFileSync('Dockerfile', 'utf-8');
content = content.replace(/OPENVSCODE_VERSION="[^"]+"/, `OPENVSCODE_VERSION="${lat}"`);
content = content.replace(/OPENVSCODE_SHA256="[^"]+"/, `OPENVSCODE_SHA256="NEEDS_UPDATE_SEE_PR_BODY"`);
fs.writeFileSync('Dockerfile', content);
NODE

git add Dockerfile
if git diff --cached --quiet; then
echo "Nothing changed - aborting."
exit 1
fi
git commit -m "chore(deps): bump openvscode-server $CUR -> $LAT"
git push -u origin "$BRANCH"
env:
BRANCH: ${{ steps.branch.outputs.branch }}
CUR: ${{ steps.ver.outputs.current }}
LAT: ${{ steps.ver.outputs.latest }}

- name: Open PR
if: steps.ver.outputs.skip != 'true' && steps.branch.outputs.skip != 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRANCH: ${{ steps.branch.outputs.branch }}
CUR: ${{ steps.ver.outputs.current }}
LAT: ${{ steps.ver.outputs.latest }}
run: |
set -euo pipefail
gh pr create \
--base develop \
--head "$BRANCH" \
--title "chore(deps): bump openvscode-server $CUR -> $LAT" \
--body "$(cat <<EOF
Auto-generated bump of \`openvscode-server\` (the browser IDE, REQ-IDE-001) from \`$CUR\` to \`$LAT\`.

The version is pinned in \`Dockerfile\` with a SHA256 checksum - Dependabot can't see it, so \`bump-shadow-pins.yml\` opens this PR weekly.

**Action required before merge:** update \`OPENVSCODE_SHA256\` in Dockerfile with the linux-x64 asset digest:
\`\`\`bash
gh api repos/gitpod-io/openvscode-server/releases/tags/openvscode-server-v${LAT} \\
--jq '.assets[] | select(.name | endswith("linux-x64.tar.gz")) | .digest'
\`\`\`

## Test plan
- [ ] Update \`OPENVSCODE_SHA256\` in Dockerfile (strip the \`sha256:\` prefix)
- [ ] CI green (Docker build verifies the checksum + --version smoke)
EOF
)"

bun:
# Bun is installed globally as a pinned npm package because context-mode
# autodetects it for faster ctx_execute/ctx_batch_execute subprocess starts.
# The Dockerfile literal is invisible to Dependabot, so this job tracks it.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -795,7 +900,7 @@ jobs:
# graphify-native.ts extension.)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -940,7 +1045,7 @@ jobs:
# by impeccable.style and must be copied into both runtimes together.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -1033,7 +1138,7 @@ jobs:
# Dependabot, so this job bumps it weekly.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down Expand Up @@ -1128,12 +1233,12 @@ jobs:

chrome-devtools-mcp:
# chrome-devtools-mcp is the interactive Browser Run MCP server Claude Code
# and Pi use (Pi through pi-mcp-adapter). It is pinned as `npx -y
# chrome-devtools-mcp@X` literals in entrypoint.sh for both agents; those
# literals are invisible to Dependabot, so this job bumps them weekly.
# and Pi use (Pi through pi-mcp-adapter). It is baked into the Docker image
# as an npx cache + stable bin path; the Dockerfile version env is invisible
# to Dependabot, so this job bumps it weekly.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand All @@ -1143,11 +1248,11 @@ jobs:
with:
node-version: 22

- name: Diff entrypoint pin against npm latest
- name: Diff Dockerfile pin against npm latest
id: ver
run: |
set -euo pipefail
CURRENT=$(grep -oP 'chrome-devtools-mcp@\K[0-9][0-9.]*' entrypoint.sh | head -n1)
CURRENT=$(grep -oP 'CHROME_DEVTOOLS_MCP_VERSION=\K[0-9][0-9.]*' Dockerfile | head -n1)
LATEST=$(npm view chrome-devtools-mcp version)
echo "current=$CURRENT" >> "$GITHUB_OUTPUT"
echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -1182,13 +1287,13 @@ jobs:
const fs = require('node:fs');
const cur = process.env.CUR;
const lat = process.env.LAT;
const file = 'entrypoint.sh';
const file = 'Dockerfile';
const before = fs.readFileSync(file, 'utf-8');
const after = before.replaceAll(`chrome-devtools-mcp@${cur}`, `chrome-devtools-mcp@${lat}`);
const after = before.replaceAll(`CHROME_DEVTOOLS_MCP_VERSION=${cur}`, `CHROME_DEVTOOLS_MCP_VERSION=${lat}`);
if (before !== after) { fs.writeFileSync(file, after); console.log(`updated ${file}`); }
NODE

git add entrypoint.sh
git add Dockerfile
if git diff --cached --quiet; then
echo "Nothing changed (replacement found nothing) - aborting."
exit 1
Expand All @@ -1210,10 +1315,10 @@ jobs:
BODY=$(cat <<EOF
Auto-generated bump of \`chrome-devtools-mcp\` from \`$CUR\` to \`$LAT\`.

The version is pinned as \`npx -y chrome-devtools-mcp@X\` literals in \`entrypoint.sh\` for Claude Code and Pi's bridged interactive Browser Run surface, so Dependabot can't see it - \`bump-shadow-pins.yml\` opens this PR weekly.
The version is pinned as \`CHROME_DEVTOOLS_MCP_VERSION\` in \`Dockerfile\`, which bakes an npx cache plus stable bin path for Claude Code and Pi's bridged interactive Browser Run surface. Dependabot can't see that Dockerfile env pin, so \`bump-shadow-pins.yml\` opens this PR weekly.

Files updated:
- \`entrypoint.sh\` (\`chrome-devtools-mcp@$CUR\` -> \`@$LAT\`)
- \`Dockerfile\` (\`CHROME_DEVTOOLS_MCP_VERSION=$CUR\` -> \`$LAT\`)

## Test plan
- [ ] CI green
Expand All @@ -1233,7 +1338,7 @@ jobs:
# reads the Pi package.json), so this job bumps it weekly.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: develop
fetch-depth: 0
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,20 +23,20 @@ jobs:
contents: read
security-events: write
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22

- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
languages: javascript-typescript
config-file: ./.github/codeql/codeql-config.yml

- name: Autobuild
uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
8 changes: 4 additions & 4 deletions .github/workflows/deploy-dockerhub.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,22 +68,22 @@ jobs:
echo "::error::Production deploys are only allowed from main. Got branch: ${{ github.ref }}"
exit 1

- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22'

- name: Cache root node_modules
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: cache-root
with:
path: node_modules
key: root-${{ hashFiles('package-lock.json') }}
restore-keys: root-

- name: Cache web-ui node_modules
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: cache-webui
with:
path: web-ui/node_modules
Expand Down Expand Up @@ -253,7 +253,7 @@ jobs:
# docker-container driver (provisioned by setup-buildx-action) does
# and is what unlocks --cache-from / --cache-to against the
# built-in GitHub Actions cache service. No extra registry creds.
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0

- name: Build container image
id: docker-build
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ jobs:
# pull_request event (not push) and are filtered out before checkout.
# Scorecard scores the pattern 0 unconditionally because it cannot read
# the job `if:` guards. See the rationale at lines 54-64 (prior alert #34).
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
# On workflow_run: pin to the SHA whose PR Checks just ended
# green. Without this, actions/checkout falls back to default-
Expand All @@ -106,23 +106,23 @@ jobs:
node-version: '22'

- name: Cache root node_modules
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: cache-root
with:
path: node_modules
key: root-${{ hashFiles('package-lock.json') }}
restore-keys: root-

- name: Cache web-ui node_modules
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: cache-webui
with:
path: web-ui/node_modules
key: webui-${{ hashFiles('web-ui/package-lock.json') }}
restore-keys: webui-

- name: Cache landing node_modules
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
id: cache-landing
with:
path: landing/node_modules
Expand Down Expand Up @@ -308,7 +308,7 @@ jobs:
# docker-container driver (provisioned by setup-buildx-action) does
# and is what unlocks --cache-from / --cache-to against the
# built-in GitHub Actions cache service. No extra registry creds.
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0

- name: Build container image
id: docker-build
Expand Down
Loading