dependabot[bot]
c4981167e6
chore(actions)(deps): bump actions/checkout from 4.3.1 to 6.0.2
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](34e114876b...de0fac2e45
2026-05-19 03:27:54 -07:00
dependabot[bot]
b10b783208
chore(actions)(deps): bump actions/setup-python from 5.3.0 to 6.2.0
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 5.3.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](https://github.com/actions/setup-python/compare/v5.3.0...a309ff8b426b58ec0e2a45f0f869d46889d02405 )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-version: 6.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-05-19 03:27:42 -07:00
dependabot[bot]
424f2cc6e5
chore(actions)(deps): bump the actions-minor-patch group across 1 directory with 2 updates
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml](https://github.com/google/osv-scanner-action ) and [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python ).
Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` from 2.3.5 to 2.3.8
- [Release notes](https://github.com/google/osv-scanner-action/releases )
- [Commits](c518547040...9a49870895https://github.com/sigstore/gh-action-sigstore-python/releases )
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md )
- [Commits](f514d46b90...04cffa1d79
2026-05-19 03:27:09 -07:00
Siddharth Balyan
e3a254d65b
feat(dep_ensure): complete Windows bootstrap — dep_ensure + install.ps1 + detection ( #27845 )
...
* feat(dep_ensure): complete Windows bootstrap — dep_ensure + install.ps1 + detection
dep_ensure.py gains Windows awareness: PowerShell invocation, platform-
specific browser detection, (path, shell) tuple returns.
install.ps1 gains -Ensure/-PostInstall modes using npm -g --prefix
(aligned with install.sh) and agent-browser install for Chromium.
browser_tool.py gains node/ in candidate dirs for Windows .cmd shims.
Both install scripts bundled in pip wheel.
Tracking: #27826
* fix(install.ps1): add --ignore-scripts to npm install for camofox
@askjo/camofox-browser has a dependency (impit) whose postinstall
script runs `npx only-allow pnpm`, which fails under npm. Adding
--ignore-scripts avoids the spurious failure without affecting
functionality.
Tracking: #27826
* fix: remove duplicate install scripts from git
CI already copies scripts/install.{sh,ps1} into hermes_cli/scripts/
during wheel build. No need to commit copies — .gitignore keeps them
out, _find_install_script() falls back to scripts/ for git-clone users.
Tracking: #27826
* fix: address review — remove env_extra, fix ps1 error handling
- Remove unused env_extra parameter from ensure_dependency()
- Invoke-EnsureMode node case now uses Test-Node consistently
- Install-AgentBrowser uses throw instead of exit 1
2026-05-18 16:34:24 +05:30
alt-glitch
e38a478c05
chore(ci): pin actions/setup-node to SHA for supply-chain consistency
2026-05-15 14:45:43 -07:00
alt-glitch
259ae846c8
feat: add ensure_dependency() wrapper + ship install.sh in wheel
...
Includes paired change: browser tool now searches ~/.hermes/node_modules/.bin/
for agent-browser installed via install.sh --ensure browser.
2026-05-15 14:45:43 -07:00
alt-glitch
3215ef1609
ci(pypi): build web dashboard + TUI bundle before creating wheel
2026-05-15 14:45:43 -07:00
Siddharth Balyan
6bdad1f3b2
ci: add PyPI publish workflow (salvaged from #25901 ) ( #26148 )
...
* ci(pypi): add publish workflow for automated PyPI releases
Triggered by CalVer tag pushes from scripts/release.py (v20* pattern).
Three jobs: build (uv build) → publish (OIDC trusted publishing) → sign
(Sigstore + attach to existing GitHub Release).
- workflow_dispatch as manual escape hatch
- skip-existing for safe re-runs
- Graceful skip when GitHub Release not found (sign job)
- Top-level permissions: contents: read (CodeQL compliant)
Requires one-time setup: PyPI trusted publisher + GitHub pypi environment.
Co-authored-by: dmahan93 <44207705+dmahan93@users.noreply.github.com>
* fix(release): address review findings
- Stage acp_registry/agent.json in version bump commit (was silently left unstaged)
- Add missing return when no previous tags found without --first-release
- Fix get_pr_number return type annotation (str -> str | None)
- Prefer uv build over python -m build (matches CI workflow), with fallback
- Use unit separator (%x1f) in git log format to handle | in author names
- Add explicit encoding='utf-8' to .release_notes.md write
Workflow hardening:
- Gracefully skip signing when GitHub Release not found (env var gate
instead of exit 1, so PyPI publish still shows green)
* fix(ci): harden PyPI workflow — SHA-pin actions, guard workflow_dispatch, explicit build flags
- Pin all actions to commit SHAs (supply-chain hardening for id-token:write)
- workflow_dispatch now requires confirm_tag input + checks out that tag
- Both uv build paths explicitly pass --sdist --wheel
---------
Co-authored-by: dmahan93 <44207705+dmahan93@users.noreply.github.com>
2026-05-15 13:21:48 +05:30
