inkeep-oss-sync Bot pushed a commit that referenced this pull request Apr 17, 2026

* fix app creds
* changeset
* fix tests
* add tests
* address playgrounds and global apps
* further fix and tests
* style: auto-format with biome
* logger addressed
* style: auto-format with biome
* typecheck

---------

Co-authored-by: Varun Varahabhotla <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
GitOrigin-RevId: 57a5b7064e18ded41f0acfadda6eed1c6dc630a1

github-merge-queue Bot pushed a commit that referenced this pull request Apr 17, 2026

* fix(vercel): use turbo-ignore so PR previews skip unaffected projects (#136)

* fix(vercel): use turbo-ignore so PR previews skip unaffected projects

The ignoreCommand in every vercel.json unconditionally exited 1, which forced a build on every non-changeset PR regardless of what actually changed. This overrides Vercel's "Skip deployments when there are no changes to the root directory or its dependencies" UI toggle — that toggle is only consulted when ignoreCommand is absent.

Real-world symptom: PR #135 touched a single file under private/inkeep-cloud-mcp/ and triggered full builds of agents-api and agents-manage-ui anyway. Burns minutes and clutters the PR with orange dots for everyone.

Replace the exit-1 fallback with turbo-ignore, which reads the turbo dependency graph and exits 0 (skip) when the current app is not affected by the diff, or 1 (build) when it is:

    if [ "$VERCEL_GIT_COMMIT_REF" = "changeset-release/main" ]; then
      exit 0
    fi
    npx -y turbo-ignore <package> --fallback=HEAD^10

The changeset-release short-circuit is preserved.

Files updated:
- public/agents/agents-api/vercel.json (@inkeep/agents-api)
- public/agents/agents-manage-ui/vercel.json (@inkeep/agents-manage-ui)
- public/agents/agents-docs/vercel.json (@inkeep/agents-docs)

Also adds private/inkeep-cloud-mcp/vercel.json (new project, no config existed). Configures pnpm workspace-aware install + build, requires "Include files outside the root directory" to be ENABLED on that Vercel project.

* chore(vercel): re-trigger preview deploy after UI setting flip

The inkeep-cloud-mcp Vercel project just had 'Include files outside the root directory in the Build Step' flipped from Disabled to Enabled. This empty commit forces a fresh deployment against the new setting so we can verify the vercel.json install/build commands work end-to-end.

GitOrigin-RevId: 6cf52a3e00eead9454c565e5ba019fe30cc20d63

* fix app creds (#106)

* fix app creds
* changeset
* fix tests
* add tests
* address playgrounds and global apps
* further fix and tests
* style: auto-format with biome
* logger addressed
* style: auto-format with biome
* typecheck

---------

Co-authored-by: Varun Varahabhotla <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
GitOrigin-RevId: 57a5b7064e18ded41f0acfadda6eed1c6dc630a1

* Credential gateway: RFC 8693 token exchange for Support Copilot apps (#145)

* [US-001] Add SpiceDB schema and helpers for app→credential_reference access

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-002] Add setup-gateway-client script and env examples

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-002] Declare COPILOT_GATEWAY_CLIENT_ID and COPILOT_GATEWAY_CLIENT_SECRET env vars

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-003] Add POST /credential-gateway/token RFC 8693 handler with full auth chain

Six-step authorization: Basic Auth client creds, JWT verification, app lookup, project membership, SpiceDB credential grant check, Nango credential fetch. 19 unit tests covering happy path and all error scenarios.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-004] Add manage API routes for app credential access grant/revoke

GET/PUT/DELETE on /apps/:id/credential-access for SpiceDB app_reader tuples. PUT writes both app→organization and credential_reference→app_reader tuples. DELETE removes only the app_reader tuple.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-005][US-006] Add credential access UI: SpiceDB-backed toggles and Apps bucket

- CredentialAccessSection: per-credential toggle calling PUT/DELETE endpoints with optimistic updates and rollback on error
- Replaced CredentialMultiSelect (config-based) with SpiceDB-backed toggles (D18)
- CredentialResourcesList: added Apps bucket alongside Tools and External Agents

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [US-007] Add credential gateway documentation and changesets

- Deployment docs page covering setup, token exchange, error codes, rotation
- Changeset for agents-api (RFC 8693 endpoint) and agents-core (SpiceDB helpers)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* [credential-gateway] Platform-scoped apps, branded SpiceDB IDs, atomic access rewrite

Consolidated refactor across the credential-gateway feature:

- Support Copilot config is now platform-scoped: a single `{ platform, credentialReferenceId? }` per app (replacing the prior `credentialReferenceIds[]`). Platforms come from a new `SUPPORT_COPILOT_PLATFORMS` catalog in agents-core that also drives `audience` validation in token exchange and a new `GET /credential-gateway/.well-known/platforms` discovery endpoint for browser extensions.
- SpiceDB `credential_reference` object IDs are now tenant+project scoped via `toSpiceDbCredentialReferenceId` and enforced by branded types (`SpiceDbCredentialReferenceId`, `SpiceDbProjectId`) — closes the cross-tenant/project ID-collision hole where two projects with the same cred slug shared one SpiceDB object.
- Dropped the `app.organization` SpiceDB relation; app IDs are globally-unique randoms enforced at the backing-store PK, so tenant isolation is structural (no tuple needed).
- New `rewriteAppCredentialAccess` helper atomically diffs prior vs next credential in a single `WriteRelationships` batch (covers clear, swap, grant, revoke). Replaces the old grant/revoke pair.
- App credential binding now happens through the app create/update routes (with platform-aware `credentialRequired` enforcement) — removed the standalone `/apps/:id/credential-access` endpoints.
- CORS split for `/credential-gateway/*`: public catalog for `.well-known/platforms`, server-to-server-only (origin → null) for everything else.
- Manage UI: single credential selector per platform (removed `credential-multi-select`); form validation updated to match the new schema shape.
- Removed the deprecated `agents-docs/content/deployment/credential-gateway.mdx` page from nav.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(apps): expose projectId in app responses for support_copilot consumer

`sanitizeAppConfig` now strips only `tenantId` (not `projectId`) from app responses. The Support Copilot client (lives outside this monorepo) needs `projectId` to scope subsequent token-exchange calls. Updates the crud apps security test to drop the `projectId` assertion accordingly; `tenantId` and `keyHash` remain stripped.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* fix(credential-gateway): address PR review findings

- Revoke SpiceDB credential grant when deleting a support_copilot app so app→credential tuples don't outlive the app they reference
- Remove unused TokenExchangeError classes
- Add Credential Gateway OpenAPI tag description and regenerate docs
- Replace non-null assertion in credential-resources-list to satisfy biome --error-on-warnings

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

* address comments
* style: auto-format with biome
* test(credential-gateway): cover missing error paths and platforms endpoint

Adds 9 cases flagged in PR review: /.well-known/platforms (Cache-Control contract), unconfigured gateway env vars, missing app credentialReferenceId or platform, resolveRef null, credential-reference-not-found, malformed credential JSON, and missing access_token field. 28/28 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
GitOrigin-RevId: c63567e619531b686c6c726406853adfc86e9635

* fix for playground (#148)

GitOrigin-RevId: 4f7396faaa1cb200260205b946d7b5ff58ac7df7

* Split release: agents-private owns Version PR, inkeep/agents publishes to npm (#144)

* Split release responsibilities: agents-private creates Version PR, inkeep/agents publishes

Per Rob's ask: decouple Version Packages PR creation (agents-private, private master) from npm publishing (inkeep/agents, public mirror). Keep the handoff automatic via copybara + a single cross-repo reverse-sync.

Before:
- agents-private's public-agents-version-packages.yml tried to do everything: detect changesets, open Version PR, publish to npm, create GitHub Release.
- inkeep/agents's release.yml used changesets/action to also create a Version PR from the same synced .md files, producing duplicate PRs.
- Trusted publisher identity on npm was ambiguous (both repos authed).

After:
- agents-private/public-agents-version-packages.yml: ONLY creates the Version Packages PR for public/agents. No publish, no GitHub Release.
- inkeep/agents/release.yml (via public/agents/.../release.yml that copybara-mirrors): ONLY publishes. Detects pending changesets and no-ops if any are present (that means copybara hasn't caught up yet; agents-private owns PR creation). Retains the chat-to-edit snapshot path. Adds --provenance for attestations.
- After publish, inkeep/agents fires repository_dispatch back to agents-private with outcome (agents-release-success or -failure).
- New agents-private/.github/workflows/release-handler.yml listens for those dispatches. On success, creates a GitHub Release on agents-private — which cascades to the existing public-agents-vercel-production.yml via its release:published trigger. On failure, opens an issue tagged release,urgent.
- Cross-repo auth uses the existing INTERNAL_CI_APP (already installed on both repos; token generation now scopes to both owners).

Simplifications this unlocks:
- Trusted publisher configs for the 10 public @inkeep/agents-* packages now point at inkeep/agents (public mirror) with workflow=release.yml, not agents-private. The 4 private @inkeep/agents-ui* packages continue to publish from agents-private via private-agents-ui-version-packages.yml.
- Vercel prod deploy trigger is unchanged: release:published on agents-private still fires public-agents-vercel-production.yml.
- Duplicate Version PRs disappear — only agents-private creates them.

What still needs to be done on npmjs.com by a package owner (separate task, not git-able): reconfigure trusted publishers for the 10 public packages to point at inkeep/agents + release.yml (was pointing at agents-private + public-agents-version-packages.yml). The 4 agents-ui packages stay pointed at agents-private.

* Address PR review: idempotency, error surfacing, label creation, failure payload

Five review findings from pullfrog + claude:

1. (claude MAJOR, release-handler.yml:68) gh pr list error silently suppressed. Now captures stderr and exits non-zero on API failure so auth issues / rate limits can't masquerade as "no PR found" (which would ship a release with minimal notes).
2. (claude MINOR, release-handler.yml:89) gh release create non-idempotent. Now checks if v{version} already exists and updates in place instead of failing. Makes manual re-dispatch during incident recovery safe.
3. (pullfrog / claude MAJOR, release-handler.yml:148) gh issue create --label fails if labels don't exist, meaning the failure-notification path itself would fail silently. Ensures release + urgent labels exist (creates if missing) before issue creation.
4. (pullfrog, release.yml:183) Failure payload omitted version. Now passes steps.publish.outputs.version so partial version info (if the publish got far enough to extract one) surfaces in the failure issue.

GitOrigin-RevId: f012c1e7ee63f6496f61e6947152a5f64ef89333

---------

Co-authored-by: Varun Varahabhotla <[email protected]>
Co-authored-by: shagun-singh-inkeep <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: omar-inkeep <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
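
The cross-tenant/project ID collision that the credential-gateway commit above says it closed, shown as an added TypeScript sketch that is not the project's code. `toScopedCredentialId`, `TupleStore`, the `/` separator and all sample IDs are hypothetical and constructed; the real `toSpiceDbCredentialReferenceId` format does not appear on this page.

```typescript
// Added illustration: every name and ID here is hypothetical or constructed.
type Brand<T, B extends string> = T & { readonly __brand: B };
type ScopedCredentialId = Brand<string, "ScopedCredentialId">;

// Only this function mints a ScopedCredentialId, so a bare slug typed as
// `string` is rejected by the compiler wherever the branded type is required.
function toScopedCredentialId(tenantId: string, projectId: string, slug: string): ScopedCredentialId {
  for (const part of [tenantId, projectId, slug]) {
    // Reject empty parts and the separator: ("a/b", "c") and ("a", "b/c")
    // must never flatten to the same object ID.
    if (part.length === 0 || part.indexOf("/") !== -1) {
      throw new Error(`invalid id component: ${JSON.stringify(part)}`);
    }
  }
  return `${tenantId}/${projectId}/${slug}` as ScopedCredentialId;
}

// In-memory stand-in for relationship tuples: object ID -> apps granted read.
class TupleStore<Id extends string> {
  private readonly readers = new Map<string, Set<string>>();
  grant(objectId: Id, appId: string): void {
    const apps = this.readers.get(objectId) ?? new Set<string>();
    apps.add(appId);
    this.readers.set(objectId, apps);
  }
  canRead(objectId: Id, appId: string): boolean {
    return this.readers.get(objectId)?.has(appId) ?? false;
  }
}

// Before: the object ID is the bare slug, so two projects share one object.
function unscopedCrossProjectRead(): boolean {
  const store = new TupleStore<string>();
  store.grant("helpdesk-prod", "app_A"); // grant made in tenant t1 / project p1
  return store.canRead("helpdesk-prod", "app_A"); // check for t2 / p2, same slug
}

// After: the same slug under another tenant and project is a different object.
function scopedCrossProjectRead(): boolean {
  const store = new TupleStore<ScopedCredentialId>();
  store.grant(toScopedCredentialId("t1", "p1", "helpdesk-prod"), "app_A");
  return store.canRead(toScopedCredentialId("t2", "p2", "helpdesk-prod"), "app_A");
}
```

With the branded parameter type, passing a raw `"helpdesk-prod"` string to a `TupleStore<ScopedCredentialId>` fails type checking, which is the compile-time half of the fix; the separator check is the runtime half.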
No description provided.