mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-30 01:41:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
hermes-agent/.github/workflows
History
Siddharth Balyan 18f585f091
ci(nix): auto-fix stale npm hashes on push to main (#16285) 
* ci(nix): auto-fix stale npm hashes on push to main

When a PR merges to main with updated package-lock.json or package.json
in ui-tui/ or web/, the new auto-fix-main job detects stale npmDepsHash
values and pushes a fix commit directly to main.

This eliminates the recurring manual hash-bump PRs (#15420, #15314,
#15272, #15244) by reusing the existing fix-lockfiles --apply pipeline.

The fix commit only touches nix/*.nix files, which are outside the push
path filter (package-lock.json / package.json), so it cannot re-trigger
itself.

Closes #15314

* fix(ci): use GitHub App token for auto-fix-main push

GITHUB_TOKEN commits are invisible to workflow triggers (GitHub's
infinite-loop prevention). The auto-fix-main job pushes directly to
main, so the fix commit never triggered downstream nix.yml verification.

Mint a short-lived token via the repo's GitHub App (daimon-nous, APP_ID
+ APP_PRIVATE_KEY secrets) so the push is treated as a real event and
nix.yml fires to verify the corrected hashes.

Tested via workflow_dispatch dry-run: app token minted successfully,
checkout with app token succeeded, fix job correctly gated.

Resolves review feedback from Bugbot (r3144569551).

* ci(nix): rename lockfile check job for required status check

Rename 'check' → 'nix-lockfile-check' so the status check name is
unambiguous when added as a required check on main.

* fix(ci): harden auto-fix-main against races, loops, and silent failures

Address adversarial review findings:

1. Race condition (#1): Job-level concurrency with cancel-in-progress
   collapses back-to-back pushes; ref: main checkout always gets latest
   branch state; explicit push target (origin HEAD:main).

2. Loop prevention (#2): File-whitelist check before commit aborts if
   any file outside nix/{tui,web}.nix was modified, preventing
   accidental self-triggering.

3. Silent infra failures (#8): nix-lockfile-check now fails explicitly
   when fix-lockfiles exits without reporting stale status (catches nix
   setup failures, network errors, script bugs that bypass continue-on-error).

4. Commit traceability (#11): Auto-fix commits include source SHA and
   workflow run URL in the commit body.

5. Explicit push target (#12): git push origin HEAD:main instead of
   bare git push.

---------

Co-authored-by: alt-glitch <alt-glitch@users.noreply.github.com>
2026-04-29 00:01:58 +05:30
..
contributor-check.yml security: supply chain hardening — CI pinning, dep pinning, and code fixes (#9801) 2026-04-14 14:23:37 -07:00
deploy-site.yml docs(website): dedicated page per bundled + optional skill (#14929) 2026-04-23 22:22:11 -07:00
docker-publish.yml Fix for broken docker build 2026-04-20 14:36:04 +10:00
docs-site-checks.yml docs(website): dedicated page per bundled + optional skill (#14929) 2026-04-23 22:22:11 -07:00
nix-lockfile-check.yml ci(nix): auto-fix stale npm hashes on push to main (#16285) 2026-04-29 00:01:58 +05:30
nix-lockfile-fix.yml ci(nix): auto-fix stale npm hashes on push to main (#16285) 2026-04-29 00:01:58 +05:30
nix.yml dedupe nix cache 2026-04-20 16:52:57 -04:00
skills-index.yml security: supply chain hardening — CI pinning, dep pinning, and code fixes (#9801) 2026-04-14 14:23:37 -07:00
supply-chain-audit.yml ci(security): narrow supply-chain-audit to high-signal patterns only 2026-04-19 16:25:21 -07:00
tests.yml ci: bump test-job timeout from 10m to 20m (#12718) 2026-04-19 16:28:13 -07:00