mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
eed891f1bb
CI/CD Hardening:
- Pin all 12 GitHub Actions to full commit SHAs (was mutable @vN tags)
- Add explicit permissions: {contents: read} to 4 workflows
- Pin CI pip installs to exact versions (pyyaml==6.0.2, httpx==0.28.1)
- Extend supply-chain-audit.yml to scan workflow, Dockerfile, dependency
manifest, and Actions version changes
Dependency Pinning:
- Pin git-based Python deps to commit SHAs (atroposlib, tinker, yc-bench)
- Pin WhatsApp Baileys from mutable branch to commit SHA
Tool Registry:
- Reject tool name shadowing from different tool families (plugins/MCP
cannot overwrite built-in tools). MCP-to-MCP overwrites still allowed.
MCP Security:
- Add tool description content scanning for prompt injection patterns
- Log detailed change diff on dynamic tool refresh at WARNING level
Skill Manager:
- Fix dangerous verdict bug: agent-created skills with dangerous
findings were silently allowed (ask->None->allow). Now blocked.
73 lines
2.5 KiB
YAML
73 lines
2.5 KiB
YAML
name: Contributor Attribution Check
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
# Only run when code files change (not docs-only PRs)
|
|
- '*.py'
|
|
- '**/*.py'
|
|
- '.github/workflows/contributor-check.yml'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
check-attribution:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 0 # Full history needed for git log
|
|
|
|
- name: Check for unmapped contributor emails
|
|
run: |
|
|
# Get the merge base between this PR and main
|
|
MERGE_BASE=$(git merge-base origin/main HEAD)
|
|
|
|
# Find any new author emails in this PR's commits
|
|
NEW_EMAILS=$(git log ${MERGE_BASE}..HEAD --format='%ae' --no-merges | sort -u)
|
|
|
|
if [ -z "$NEW_EMAILS" ]; then
|
|
echo "No new commits to check."
|
|
exit 0
|
|
fi
|
|
|
|
# Check each email against AUTHOR_MAP in release.py
|
|
MISSING=""
|
|
while IFS= read -r email; do
|
|
# Skip teknium and bot emails
|
|
case "$email" in
|
|
*teknium*|*noreply@github.com*|*dependabot*|*github-actions*|*anthropic.com*|*cursor.com*)
|
|
continue ;;
|
|
esac
|
|
|
|
# Check if email is in AUTHOR_MAP (either as a key or matches noreply pattern)
|
|
if echo "$email" | grep -qP '\+.*@users\.noreply\.github\.com'; then
|
|
continue # GitHub noreply emails auto-resolve
|
|
fi
|
|
|
|
if ! grep -qF "\"${email}\"" scripts/release.py 2>/dev/null; then
|
|
AUTHOR=$(git log --author="$email" --format='%an' -1)
|
|
MISSING="${MISSING}\n ${email} (${AUTHOR})"
|
|
fi
|
|
done <<< "$NEW_EMAILS"
|
|
|
|
if [ -n "$MISSING" ]; then
|
|
echo ""
|
|
echo "⚠️ New contributor email(s) not in AUTHOR_MAP:"
|
|
echo -e "$MISSING"
|
|
echo ""
|
|
echo "Please add mappings to scripts/release.py AUTHOR_MAP:"
|
|
echo -e "$MISSING" | while read -r line; do
|
|
email=$(echo "$line" | sed 's/^ *//' | cut -d' ' -f1)
|
|
[ -z "$email" ] && continue
|
|
echo " \"${email}\": \"<github-username>\","
|
|
done
|
|
echo ""
|
|
echo "To find the GitHub username for an email:"
|
|
echo " gh api 'search/users?q=EMAIL+in:email' --jq '.items[0].login'"
|
|
exit 1
|
|
else
|
|
echo "✅ All contributor emails are mapped in AUTHOR_MAP."
|
|
fi
|