hermes-agent

mirrors/hermes-agent

Fork 0

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-31 06:51:29 +00:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
dependabot[bot]	424f2cc6e5	chore(actions)(deps): bump the actions-minor-patch group across 1 directory with 2 updates Bumps the actions-minor-patch group with 2 updates in the / directory: [google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml](https://github.com/google/osv-scanner-action) and [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python). Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` from 2.3.5 to 2.3.8 - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](`c518547040...9a49870895`) Updates `sigstore/gh-action-sigstore-python` from 3.0.0 to 3.3.0 - [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases) - [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md) - [Commits](`f514d46b90...04cffa1d79`) --- updated-dependencies: - dependency-name: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml dependency-version: 2.3.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: sigstore/gh-action-sigstore-python dependency-version: 3.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-19 03:27:09 -07:00
Teknium	c77a6e3faa	chore(security): add OSV-Scanner CI + Dependabot for github-actions only (#20037 ) Adds two supply-chain controls that complement our existing pinning strategy (full-SHA action pins, exact-version source dep pins via uv.lock / package-lock.json) without undermining it. .github/workflows/osv-scanner.yml Detection-only scan of uv.lock and the ui-tui/website package-locks against the OSV vulnerability database. Runs on PRs that touch lockfiles, on push to main, and weekly against main so CVEs published after merge still surface. Uses Google's officially- recommended reusable workflow pinned by full SHA (v2.3.5). Findings upload to the Security tab; fail-on-vuln is disabled so pre-existing vulns in pinned deps do not block merges — we move pins deliberately, not under CI pressure. .github/dependabot.yml Scoped to github-actions only. Action pins must be moved when upstream publishes patches (often themselves security fixes); Dependabot opens a PR with the new SHA + release notes for normal review. Source-dependency ecosystems (pip, npm) are deliberately NOT enabled — automatic version-bump PRs against uv.lock / package-lock.json would fight our pinning strategy. CVE-driven security updates for source deps are enabled separately via the repo's Dependabot security updates setting (GitHub UI), which fires only when a pinned version becomes known-vulnerable.	2026-05-04 20:58:21 -07:00

dependabot[bot]

424f2cc6e5

chore(actions)(deps): bump the actions-minor-patch group across 1 directory with 2 updates

Bumps the actions-minor-patch group with 2 updates in the / directory: [google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml](https://github.com/google/osv-scanner-action) and [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python).


Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` from 2.3.5 to 2.3.8
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](c518547040...9a49870895)

Updates `sigstore/gh-action-sigstore-python` from 3.0.0 to 3.3.0
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](f514d46b90...04cffa1d79)

---
updated-dependencies:
- dependency-name: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml
  dependency-version: 2.3.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-version: 3.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

2026-05-19 03:27:09 -07:00

Teknium

c77a6e3faa

chore(security): add OSV-Scanner CI + Dependabot for github-actions only (#20037 )

Adds two supply-chain controls that complement our existing pinning
strategy (full-SHA action pins, exact-version source dep pins via
uv.lock / package-lock.json) without undermining it.

.github/workflows/osv-scanner.yml
  Detection-only scan of uv.lock and the ui-tui/website package-locks
  against the OSV vulnerability database. Runs on PRs that touch
  lockfiles, on push to main, and weekly against main so CVEs
  published after merge still surface. Uses Google's officially-
  recommended reusable workflow pinned by full SHA (v2.3.5).
  Findings upload to the Security tab; fail-on-vuln is disabled so
  pre-existing vulns in pinned deps do not block merges — we move
  pins deliberately, not under CI pressure.

.github/dependabot.yml
  Scoped to github-actions only. Action pins must be moved when
  upstream publishes patches (often themselves security fixes);
  Dependabot opens a PR with the new SHA + release notes for normal
  review. Source-dependency ecosystems (pip, npm) are deliberately
  NOT enabled — automatic version-bump PRs against uv.lock /
  package-lock.json would fight our pinning strategy. CVE-driven
  security updates for source deps are enabled separately via the
  repo's Dependabot security updates setting (GitHub UI), which
  fires only when a pinned version becomes known-vulnerable.

2026-05-04 20:58:21 -07:00

2 commits