⚙️ setup (ci): pin action versions and update release workflow #7

Merged
warengonzaga merged 45 commits into main from dev
Feb 20, 2026

@warengonzaga warengonzaga commented Feb 20, 2026

This pull request updates several GitHub Actions workflows to improve security and reliability by pinning the actions/checkout action to a specific commit hash instead of a version tag. Additionally, it removes the check-version job from the release workflow and updates the release action to a newer version.

Workflow action pinning:

  • All workflows now use actions/checkout pinned to commit 34e114876b0b11c390a56381ad16ebd13914f8d5 for improved security, replacing the previous @v4 tag. This change affects .github/workflows/ci.yml, .github/workflows/commit-lint.yml, .github/workflows/container.yml, .github/workflows/package.yml, and .github/workflows/release.yml. [1] [2] [3] [4] [5] [6]

Release workflow improvements:

  • The check-version job has been removed from .github/workflows/release.yml, simplifying the workflow and removing the dependency between jobs.
  • The release job now uses wgtechlabs/release-build-flow-action pinned to commit 849220473bb8656723d3528d4b705641cffaa5cd (v1.3.0), updating from the previous version and removing several configuration options.
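
Added example (not part of this pull request or the project's code): a small audit that flags `uses:` references not pinned to a full 40-character commit SHA, which is the property the change above establishes. The sample workflow is constructed for illustration from the two SHAs and the `@v4` tag quoted in the description; `audit_workflow` and `classify` are hypothetical helper names.

```python
import re

# A `uses:` key on a step (with list dash) or on a job calling a reusable workflow.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

NOT_SHA = "not a full 40-character commit SHA"
NOT_DIGEST = "docker image not pinned by sha256 digest"


def classify(ref):
    """Return None when the reference is immutable, otherwise a reason string."""
    if ref.startswith("./"):
        return None  # local action or reusable workflow, versioned with the repo
    if ref.startswith("docker://"):
        digest = ref.partition("@")[2]
        return None if DIGEST_RE.fullmatch(digest) else NOT_DIGEST
    version = ref.partition("@")[2]
    # Tags and branches (v4, main) can be moved; only a full SHA is fixed.
    return None if FULL_SHA_RE.fullmatch(version) else NOT_SHA


def audit_workflow(text):
    """Return (line_number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps are not executed
        match = USES_RE.match(line)
        if match and (reason := classify(match.group(1))):
            findings.append((number, match.group(1), reason))
    return findings


# Constructed sample workflow (not a file from the repository).
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: wgtechlabs/release-build-flow-action@849220473bb8656723d3528d4b705641cffaa5cd # v1.3.0
      # - uses: actions/checkout@main
  package:
    uses: ./.github/workflows/package.yml
"""

if __name__ == "__main__":
    for number, ref, reason in audit_workflow(SAMPLE):
        print(f"line {number}: {ref}: {reason}")
```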

warengonzaga and others added 30 commits February 18, 2026 23:38
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- add if-guard to package/container jobs (main push only)
- narrow ci.yml top-level permissions to contents: read
- add per-job permissions for package and container jobs
- remove unused packages/security-events write from release.yml
- fix commit-lint push range to validate all commits (before..after)
- quote SHA interpolations in commit-lint PR log command
- remove duplicate bun run build step from package.yml
- add --bail flag to pre-commit bun test hook
- add msgFile undefined guard in validate-commit-msg.mjs
- make variation selector optional for trash and gear emojis
- strengthen readCache to validate latest and runtime field types

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
permissions are already defined in the called workflows (package.yml,
container.yml) - specifying them in the caller causes startup_failure
on duplicate runs triggered by open PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- update commit-lint workflow to capture all reachable commits on initial push
- improve update-checker test to assert cache file absence when fetch fails

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ction

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- pin all GitHub Actions to full commit SHAs for supply chain security
- move pages/id-token permissions to deploy job only
- pin bun version to 1.2.x and use --frozen-lockfile
- use dynamic concurrency group name with workflow prefix

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- validate runtime value against allowed list when reading cache
- sanitize current version before embedding in prompt context
- move AbortController setup outside try block and use finally to clear timeout

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- add reusable GitHubIcon Svelte component to replace inline SVG duplication
- add skip-to-main-content link for keyboard navigation
- add aria-label to primary nav element
- add aria-hidden to decorative SVG icons

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- add scrollbar-width and scrollbar-color for Firefox compatibility
- use CSS variable for scrollbar thumb hover color
- remove quoted font family name for Inter

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

| Package | Version | Status | Install |
| --- | --- | --- | --- |
| @tinyclaw/plugins | 1.1.0-dev.e2789f3 | ✅ Published | npm i @tinyclaw/plugins@1.1.0-dev.e2789f3 |
| @tinyclaw/types | 1.1.0-dev.e2789f3 | ✅ Published | npm i @tinyclaw/types@1.1.0-dev.e2789f3 |
| tinyclaw | 1.1.0-dev.e2789f3 | ✅ Published | npm i tinyclaw@1.1.0-dev.e2789f3 |
| @tinyclaw/plugin-channel-discord | 1.1.0-dev.e2789f3 | ✅ Published | npm i @tinyclaw/plugin-channel-discord@1.1.0-dev.e2789f3 |
| @tinyclaw/plugin-channel-friends | 1.1.0-dev.e2789f3 | ✅ Published | npm i @tinyclaw/plugin-channel-friends@1.1.0-dev.e2789f3 |
| @tinyclaw/plugin-provider-openai | 1.1.0-dev.e2789f3 | ✅ Published | npm i @tinyclaw/plugin-provider-openai@1.1.0-dev.e2789f3 |

📥 Quick Install (changed packages)

npm i @tinyclaw/types@1.1.0-dev.e2789f3 @tinyclaw/plugins@1.1.0-dev.e2789f3 @tinyclaw/plugin-channel-discord@1.1.0-dev.e2789f3 @tinyclaw/plugin-channel-friends@1.1.0-dev.e2789f3 @tinyclaw/plugin-provider-openai@1.1.0-dev.e2789f3 tinyclaw@1.1.0-dev.e2789f3

This package was built automatically by the Package Build Flow action.

github-actions bot commented Feb 20, 2026

🛠️ Container Build Complete - Dev Build

Build Status: ✅ Success
Flow Type: dev
Description: Development and testing


📦 Pull Image

Docker Hub: docker pull warengonzaga/tinyclaw:dev-322f16b
GHCR: docker pull ghcr.io/warengonzaga/tinyclaw:dev-322f16b

📋 Build Details

| Property | Value |
| --- | --- |
| Flow Type | dev |
| Commit | 3cf25ab |
| Registry | Docker Hub + GHCR |

🏷️ Image Tags

warengonzaga/tinyclaw:dev-322f16b
ghcr.io/warengonzaga/tinyclaw:dev-322f16b


🔍 Testing Your Changes

  1. Pull the image using one of the commands above
  2. Run the container with your test configuration
  3. Verify the changes work as expected
  4. Report any issues in this PR

🚀 Quick Start

# Pull and run the container
docker pull warengonzaga/tinyclaw:dev-322f16b
docker run <your-options> <image>


🔒 Security Scan Results

📋 Pre-Build Security Checks

Source Code Scan: 0 vulnerabilities found
Dockerfile Scan: 0 misconfigurations found

🐳 Container Image Vulnerabilities

| Severity | Count |
| --- | --- |
| Total | 0 |

📊 Detailed Security Reports

View detailed vulnerability reports in the GitHub Security tab.


🤖 Powered by Container Build Flow Action v1.2.0
💻 with ❤️ by Waren Gonzaga under WG Technology Labs, and Him 🙏

@github-actions

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

| Package | Version | Status | Install |
| --- | --- | --- | --- |
| @tinyclaw/plugins | 1.1.0-dev.322f16b | ✅ Published | npm i @tinyclaw/plugins@1.1.0-dev.322f16b |
| @tinyclaw/types | 1.1.0-dev.322f16b | ✅ Published | npm i @tinyclaw/types@1.1.0-dev.322f16b |
| tinyclaw | 1.1.0-dev.322f16b | ✅ Published | npm i tinyclaw@1.1.0-dev.322f16b |
| @tinyclaw/plugin-channel-discord | 1.1.0-dev.322f16b | ✅ Published | npm i @tinyclaw/plugin-channel-discord@1.1.0-dev.322f16b |
| @tinyclaw/plugin-channel-friends | 1.1.0-dev.322f16b | ✅ Published | npm i @tinyclaw/plugin-channel-friends@1.1.0-dev.322f16b |
| @tinyclaw/plugin-provider-openai | 1.1.0-dev.322f16b | ✅ Published | npm i @tinyclaw/plugin-provider-openai@1.1.0-dev.322f16b |

📥 Quick Install (changed packages)

npm i @tinyclaw/types@1.1.0-dev.322f16b @tinyclaw/plugins@1.1.0-dev.322f16b @tinyclaw/plugin-channel-discord@1.1.0-dev.322f16b @tinyclaw/plugin-channel-friends@1.1.0-dev.322f16b @tinyclaw/plugin-provider-openai@1.1.0-dev.322f16b tinyclaw@1.1.0-dev.322f16b

This package was built automatically by the Package Build Flow action.

@warengonzaga warengonzaga changed the title from "Dev" to "⚙️ setup (ci): pin action versions and update release workflow" Feb 20, 2026
@warengonzaga warengonzaga merged commit 5f99d56 into main Feb 20, 2026
12 checks passed