Update pullfrog action to use version tag instead of commit hash#2757
Merged
amikofalvy merged 1 commit intomainfrom Mar 18, 2026
Merged
Update pullfrog action to use version tag instead of commit hash#2757amikofalvy merged 1 commit intomainfrom
amikofalvy merged 1 commit intomainfrom
Conversation
The action is actively under development, so referencing the v0 tag allows picking up updates automatically. https://claude.ai/code/session_01QZyvEs97scVf1ahTG8C1rV
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Contributor
There was a problem hiding this comment.
Clean single-line change — switches from a pinned commit hash to the v0 tag. LGTM.
Contributor
There was a problem hiding this comment.
This PR switches the pullfrog/pullfrog action reference from a pinned commit SHA to a mutable v0 tag. The workflow grants broad permissions (contents:write, pull-requests:write, id-token:write) and exposes up to 9 API key secrets to the action. While pullfrog appears to be a first-party action (reducing supply-chain risk), using a mutable tag means the exact code executed is no longer guaranteed by the workflow file. This is also inconsistent with the SHA-pinned actions/checkout on line 27.
| fetch-depth: 1 | ||
| - name: Run agent | ||
| uses: pullfrog/pullfrog@9c99bcbbac7a7877e0390b7b3f91e28379bf2a5f # v0 | ||
| uses: pullfrog/pullfrog@v0 |
Contributor
There was a problem hiding this comment.
This workflow exposes 9 API key secrets and grants contents:write + id-token:write permissions to this action. Switching from a pinned SHA to a mutable tag (v0) means a compromised or force-pushed tag could exfiltrate these secrets or inject code. Consider keeping the SHA pin (with a # v0 comment for readability) and using Dependabot or Renovate to auto-update it, or document why the risk is accepted for this first-party action.
Contributor
There was a problem hiding this comment.
PR Review Summary
(1) Total Issues | Risk: High
🔴❗ Critical (1) ❗🔴
Inline Comments:
- 🔴 Critical:
.github/workflows/pullfrog.yml:31Supply chain security risk — mutable tag replaces SHA pinning for third-party action with elevated permissions
🚫 REQUEST CHANGES
Summary: This PR introduces a supply chain security vulnerability by replacing SHA pinning with a mutable version tag for a public third-party GitHub Action that has elevated permissions and access to 9 API keys. The PR description frames this as "best practice," but the opposite is true for security-sensitive workflows — SHA pinning is the recommended approach per GitHub, CISA, and industry security guidance. The change also creates inconsistency within the file itself, where actions/checkout correctly remains SHA-pinned.
The fix is straightforward: revert to the original SHA-pinned reference with a version comment for readability (a 1-click suggestion is provided in the inline comment).
Discarded (0)
No findings discarded.
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
pr-review-devops |
2 | 0 | 0 | 0 | 1 | 0 | 0 |
| Total | 2 | 0 | 0 | 0 | 1 | 0 | 0 |
Note: The MAJOR finding (inconsistent pinning) was merged into the CRITICAL finding as supporting context rather than a separate issue.
| fetch-depth: 1 | ||
| - name: Run agent | ||
| uses: pullfrog/pullfrog@9c99bcbbac7a7877e0390b7b3f91e28379bf2a5f # v0 | ||
| uses: pullfrog/pullfrog@v0 |
Contributor
There was a problem hiding this comment.
🔴 CRITICAL Supply chain security risk — mutable tag replaces SHA pinning
Issue: This change moves from a SHA-pinned action reference (@9c99bcbbac7a7877e0390b7b3f91e28379bf2a5f) to a mutable version tag (@v0). The pullfrog/pullfrog action is a public third-party action, and this workflow has elevated permissions (contents: write, pull-requests: write, issues: write, id-token: write) plus access to 9 API keys.
Why: Mutable tags can be updated by upstream maintainers at any time without triggering a PR review in this repo. If the tag is force-pushed (either by maintainers or by a compromised account), new code would execute in this workflow automatically with full write access and all secrets. This is a well-documented supply chain attack vector for GitHub Actions. Additionally, this creates inconsistency within the same file — actions/checkout (line 27) remains correctly SHA-pinned.
Fix: Revert to SHA pinning with version comment for readability:
Suggested change
| uses: pullfrog/pullfrog@v0 | |
| uses: pullfrog/pullfrog@9c99bcbbac7a7877e0390b7b3f91e28379bf2a5f # v0 |
Refs:
amikofalvy
pushed a commit
that referenced
this pull request
Mar 18, 2026
…-frequency deps - Update pullfrog from v0.0.178 SHA to v0.0.181 SHA (30d68e5) to stay on commit-pinned references for security (action has write permissions + 9 API keys) - Split dependabot github-actions config into a "high-frequency" group for pullfrog with daily schedule, so SHA pins get updated automatically - This supersedes PR #2757's approach of moving to mutable tag references https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap
dimaMachina
pushed a commit
that referenced
this pull request
Mar 18, 2026
The action is actively under development, so referencing the v0 tag allows picking up updates automatically. https://claude.ai/code/session_01QZyvEs97scVf1ahTG8C1rV Co-authored-by: Claude <[email protected]>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 19, 2026
…-frequency deps (#2780) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps - Update pullfrog from v0.0.178 SHA to v0.0.181 SHA (30d68e5) to stay on commit-pinned references for security (action has write permissions + 9 API keys) - Split dependabot github-actions config into a "high-frequency" group for pullfrog with daily schedule, so SHA pins get updated automatically - This supersedes PR #2757's approach of moving to mutable tag references https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Split dependabot github-actions into daily (pullfrog) and monthly (rest) Separate into two ecosystem entries so pullfrog gets daily SHA updates while other GitHub Actions stay on a monthly cadence. https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Fix invalid dependabot config: merge duplicate github-actions entries Dependabot disallows duplicate ecosystem+directory pairs. Use a single entry with two groups instead: high-frequency (pullfrog) and github-actions (everything else via exclude-patterns). https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap --------- Co-authored-by: Claude <[email protected]>
dimaMachina
pushed a commit
that referenced
this pull request
Mar 20, 2026
…-frequency deps (#2780) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps - Update pullfrog from v0.0.178 SHA to v0.0.181 SHA (30d68e5) to stay on commit-pinned references for security (action has write permissions + 9 API keys) - Split dependabot github-actions config into a "high-frequency" group for pullfrog with daily schedule, so SHA pins get updated automatically - This supersedes PR #2757's approach of moving to mutable tag references https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Split dependabot github-actions into daily (pullfrog) and monthly (rest) Separate into two ecosystem entries so pullfrog gets daily SHA updates while other GitHub Actions stay on a monthly cadence. https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Fix invalid dependabot config: merge duplicate github-actions entries Dependabot disallows duplicate ecosystem+directory pairs. Use a single entry with two groups instead: high-frequency (pullfrog) and github-actions (everything else via exclude-patterns). https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap --------- Co-authored-by: Claude <[email protected]>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Mar 30, 2026
* skill generator * polish skill generator * skills tests * upd * upd * generation.test wip * add generation.test * tree node * skill page * skill loader * skill loader refactor * skill loader * move skills sidebar to layout * use pure monaco-editor component since we can have different file extension * add shadcn context menu component * format context menu * skills files and edit pages * dry * update layout * add docs * add a changeset * redirect to first skill * skill files utils * skill selector * upd treenode * skill files * skill file editor * delete skill confirmation * add skill files actions * skills data * rm * up skills route * upd * upd * better project error message on dev * types * skill files * skill loader * format * project test * entities * project full tests * upd introspect * upd cliiii * nested skills tests * remove edit page * remove edit page * update files page * upd * upd file editor * add SkillFileInsertSchema * superRefine * add transform * rm some cases in superRefine * use pipe * use pipe * upd skill loader * validation skills * upd * rm * upd * data access tests * skills db changes * add * skill files * upd * upd * upd skill update * SkillUpdateSchema has required files * upd skills manage * upd * upd layout and page * style: auto-format with biome * move empty state comp to page * upd schemas * update schemas * move to with-sidebar * polish * upd * upd skill generator * Make webhooks docs user friendly (#2752) * shaping a2a webhooks page * moved triggers to visual builder * vb webhooks wip * numbered TOC steps * added step circles * indented toc steps more * added newsletter signup to docs * added share feedback button * moved newsletter subscribe route to agent docs * subscribe confirm polish * improved spacing * improved spacing * added high quality images * added verification step * Sync lockfile after rebase * Use tag reference for pullfrog action instead of pinned SHA (#2757) The action is actively under development, so referencing the v0 tag allows picking up updates automatically. https://claude.ai/code/session_01QZyvEs97scVf1ahTG8C1rV Co-authored-by: Claude <[email protected]> * ci: provision PR preview environments in Railway (#2681) * ci: add preview env diagnostics * ci: probe preview env schema before deploy * ci: probe preview env schema before deploy * ci: harden preview api env defaults * ci: attach git metadata to preview deploys * ci: harden preview workflow operations * ci: broaden preview log redaction * ci: extract preview workflow scripts * ci: harden preview script extraction * fix(ci): correct Playwright cache restore-key prefix mismatch (#2760) The restore-keys used `${{ runner.os }}-playwright-` but primary keys used `playwright-${{ runner.os }}-`, so the prefix never matched on cache miss, forcing a full browser download (~8.5 min) instead of a cache restore (~13 sec). Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * fix(ci): replace full git clone with shallow checkout in CI job (#2761) Remove fetch-depth: 0 from the ci job's checkout step, which cloned the entire git history (1.5-5 min overhead). Only the OpenAPI change detection step needs the base branch ref, so fetch it on-demand with --depth=1. Also switches the diff from three-dot merge-base syntax to a two-dot pathspec-filtered diff against the fetched base ref, which works correctly with shallow clones. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * format * rm migration * add new migrations * validation for skill is ok * move empty state to page * delete skill * delete skill revalidate path * move skills schemas to own file * upd * upd * upd * upd * upd * upd * upd * upd * upd * upd * more typecheck fixes * more typecheck fixes * fix * fix isRequired * f1x * move skill sidebar * refactor skill sidebar * add collapse file tree button * upd * upd * upd * deleteSkillFile * upd * deleteSkillFile * fileId * fileId * upd schemas * DeleteSkillFileConfirmation * updateSkillFile * rm simplematter from sdk * Get Skill File * getSkillFileById * add new skill file page * update skill file editor * format * Create Skill File * upd * createSkillFileAction * createSkillFileById * fix: Make OpenTelemetry startup idempotent (#2684) * fix: Make OpenTelemetry startup idempotent * fix: Re-export defaultSDK and cache NodeSDK instance on globalThis Restores the export on defaultSDK to avoid breaking the create-agents-template subpath import. Moves the new NodeSDK() construction behind a globalThis guard (getOrCreateSDK) so repeated Vite HMR module evaluations reuse the same instance instead of leaking fresh SDK objects. Co-authored-by: mike-inkeep <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix(template): use idempotent startOpenTelemetrySDK() in instrumentation * fix: guard all OTel singletons behind globalThis for HMR idempotency - Cache otlpExporter, batchProcessor, resource, instrumentations, spanProcessors, contextManager, and propagator on globalThis via Symbol keys and getOrCreate* helpers so HMR re-evaluation reuses existing instances instead of leaking new ones - Make OtelGlobal type strict with per-key types, eliminating the loose `boolean | NodeSDK` union and the `as NodeSDK` cast - Add logger.debug in the MetricReader catch block to distinguish clean idempotency from error-recovery idempotency - Remove defaultSDK export (now module-private) since all consumers use startOpenTelemetrySDK() instead * Fix type errors * Simplify to just suppress the error since it's not an issue in prod, only local * Limit to dev mode * Add changeset for OTel HMR idempotency fix Co-authored-by: Dimitri POSTOLOV <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: inkeep[bot] <257615677+inkeep[bot]@users.noreply.github.com> Co-authored-by: Dimitri POSTOLOV <[email protected]> * Fix scheduled trigger invocations being skipped (#2777) * Fix scheduled trigger invocations being skipped when trigger is edited without changing the next execution time * claude comments * adding app id (#2779) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps (#2780) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps - Update pullfrog from v0.0.178 SHA to v0.0.181 SHA (30d68e5) to stay on commit-pinned references for security (action has write permissions + 9 API keys) - Split dependabot github-actions config into a "high-frequency" group for pullfrog with daily schedule, so SHA pins get updated automatically - This supersedes PR #2757's approach of moving to mutable tag references https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Split dependabot github-actions into daily (pullfrog) and monthly (rest) Separate into two ecosystem entries so pullfrog gets daily SHA updates while other GitHub Actions stay on a monthly cadence. https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Fix invalid dependabot config: merge duplicate github-actions entries Dependabot disallows duplicate ecosystem+directory pairs. Use a single entry with two groups instead: high-frequency (pullfrog) and github-actions (everything else via exclude-patterns). https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap --------- Co-authored-by: Claude <[email protected]> * ci: seed preview auth in PR previews (#2775) * ci: bootstrap preview auth * ci: require secure preview auth config * ci: recover preview auth runtime vars * ci: install railway in preview bootstrap * ci: provision preview db tcp proxies * ci: proxy preview spicedb bootstrap * ci: harden preview retry and error logging --------- Co-authored-by: Andrew Mikofalvy <[email protected]> * Fix scopes placeholder to show correct Nango format (#2784) * Fix misleading scopes placeholder in credential form The Nango API validates scopes against a strict comma-separated pattern with no spaces. Updated placeholder and help text to show the correct format and prevent 400 errors when users enter multiple scopes. Made-with: Cursor * Add changeset for scopes placeholder fix Made-with: Cursor * fix(manage-ui): fix URL validation bypass and permission guard in credential provider setup (#2776) * fix(manage-ui): fix URL validation bypass and permission guard in credential provider setup Reorder Zod schema construction so custom validators (e.g. URL protocol allowlist) are chained after required/optional base schema instead of being overwritten. Move all React hooks above the canEdit early-return guard to satisfy Rules of Hooks, with canEdit checks inside hook bodies. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(manage-ui): add server-side URL protocol validation in buildCredentialsPayload Validate app_link against HTTP/HTTPS allowlist in the server action to prevent bypassing client-side form validation. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Update agents-manage-ui/src/components/credentials/views/generic-auth-form.tsx Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * fix err --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * feat(pdf): Support PDF attachments (#2709) * feat(pdf): Support PDF attachments * Add tests and other review feedback * Fix doc * More renaming and cleanup * refactor: extract Vercel content part schemas to types/chat.ts for reuse Move inline Zod schemas from chatDataStream.ts and message-parts.ts into types/chat.ts as shared, exported schemas. This eliminates duplicate definitions and makes schema management easier. Co-authored-by: Andrew Mikofalvy <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> * feat: Composio connected account ID pinning (#2783) * feat: Composio connected account ID pinning Pin connected_account_id to Composio MCP URLs to prevent cross-project credential leakage. Implements "both or none" policy — user_id and connected_account_id are injected together or not at all. - Add ComposioCredentialStore for credential lifecycle management - Update AgentMcpManager and discoverToolsFromServer with pinning logic - Mark Composio tools without connectedAccountId as needs_auth - Add generic disconnect credential UI (works for all credential types) - Store authScheme in credential retrievalParams for display - Update OAuth login flow to create credential references post-connect - Add unit tests for new credential store, composio client, and pinning Made-with: Cursor * feedback * fix test * Version Packages (#2778) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Add back link to projects sidebar, add org settings link to user drop… (#2787) * Add back link to projects sidebar, add org settings link to user dropdown, adjust sidebar highlight color in dark mode * Apply suggestion from @claude[bot] Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * Fix bad claude formatting --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * fix: return FileUIPart-compliant file parts from /run conversations endpoint (#2782) * fix: return Vercel AI SDK FileUIPart-compliant file parts from /run conversations endpoint - Resolve blob:// URIs to proxy HTTP URLs via resolveMessagesListBlobUris() - Reshape file parts from { data, metadata.mimeType } to { url, mediaType, filename? } - Matches Vercel AI SDK FileUIPart spec for useChat() compatibility Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Skip malformed file parts --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Mike Rashkovsky <[email protected]> * fix: treat load_skill as internal tool to suppress false-positive Sentry errors (#2756) * fix: provide relationshipId for load_skill tool calls in graph events * fix: treat load_skill as internal tool, suppress chat/graph streaming events * fix for fetch trace (#2791) * fix for fetch trace * fix for fetch trace * Fix empty breadcrumb on `/[tenantId]/profile` page and replace prop-drilled permission flags (`readOnly`, `canEdit`, `canUse`) with direct hook call `useProjectPermissionsQuery()` (#2792) * upd * upd * format * format * format * format * format * format * format * format * format * fix review * fix breadcrumb on profile page * Apply suggestions from code review Co-authored-by: Dimitri POSTOLOV <[email protected]> * Update agents-manage-ui/src/lib/api/projects.ts Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * Update agents-manage-ui/src/app/[tenantId]/profile/layout.tsx Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * style: auto-format with biome * fix review --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(manage-ui): fix user-scoped MCP credential card not refreshing after connect/disconnect (#2794) Fetch user-scoped credential server-side in page.tsx (matching the project-scoped pattern) instead of via a client-side React Query hook. This ensures router.refresh() after OAuth connect or credential delete re-fetches the credential data, so the "Your Connection" card updates without a manual page refresh. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * reuse `useProjectsQuery` instead of `fetchProjectsAction` in `useEffect` (#2793) * reuse `useProjectsQuery` instead of `fetchProjectsAction` in `useEffect` * format * upd * fix lint * Create little-hounds-battle.md * upd * upd skill file editor * polish skill editor like in github * remove canEdit * upd * move skill metadata under collapsible advanced section * reuse DeleteConfirmation * upd skill file editor * upd skill file editor2 * add useInitialCollapsedSidebar * add useInitialCollapsedSidebar * upd skill file editor * rm * // Avoid including metadata in the frontmatter when it's null * fetchSkillFile and createSkillFile * refactor skill breadcrumb * format * polish * upd * skills integration tests * fix validation tests * update skill form * upd api skills in manage ui * upd entities * partial * fix skill loader test * chore: update OpenAPI snapshot * polish skill file editor * upd core skills tests * upd core skills tests * add SkillCreateDataSchema * update skills data manage * remove redundant * lint * lint * typecheck * typecheck * typecheck * knip * lint * rollback skill modals * make modal opens in skill selector * fix typecheck * this should fix cypress * fix sdk tests * split permissions call * add folder feature * findNodeByPath * SkillDirectoryBrowser * upd * polish * fix * fix edge case metadata validation * fix * fix cli test * format * upd * upd * upd * chore: update OpenAPI snapshot * fix skill generator * add button group * connect submit logic with extension select * polish * update skill generator tests * update generation test * polish skill generator * format * format * fixes for tests * typecheck * fix review * format * new migration * upd * rm migration * add migrations * fix migration and add * rm outdated * Apply suggestions from code review Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * polish * Add detailed changeset for nested skill files feature Co-authored-by: Dimitri POSTOLOV <[email protected]> * fix typecheck --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Gaurav Varma <[email protected]> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: Varun Varahabhotla <[email protected]> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: inkeep[bot] <257615677+inkeep[bot]@users.noreply.github.com> Co-authored-by: Dimitri POSTOLOV <[email protected]> Co-authored-by: shagun-singh-inkeep <[email protected]> Co-authored-by: omar-inkeep <[email protected]> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: inkeep-internal-ci[bot] <259778081+inkeep-internal-ci[bot]@users.noreply.github.com> Co-authored-by: sarah <[email protected]> Co-authored-by: Abraham <[email protected]> Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
tim-inkeep
pushed a commit
that referenced
this pull request
Mar 31, 2026
* skill generator * polish skill generator * skills tests * upd * upd * generation.test wip * add generation.test * tree node * skill page * skill loader * skill loader refactor * skill loader * move skills sidebar to layout * use pure monaco-editor component since we can have different file extension * add shadcn context menu component * format context menu * skills files and edit pages * dry * update layout * add docs * add a changeset * redirect to first skill * skill files utils * skill selector * upd treenode * skill files * skill file editor * delete skill confirmation * add skill files actions * skills data * rm * up skills route * upd * upd * better project error message on dev * types * skill files * skill loader * format * project test * entities * project full tests * upd introspect * upd cliiii * nested skills tests * remove edit page * remove edit page * update files page * upd * upd file editor * add SkillFileInsertSchema * superRefine * add transform * rm some cases in superRefine * use pipe * use pipe * upd skill loader * validation skills * upd * rm * upd * data access tests * skills db changes * add * skill files * upd * upd * upd skill update * SkillUpdateSchema has required files * upd skills manage * upd * upd layout and page * style: auto-format with biome * move empty state comp to page * upd schemas * update schemas * move to with-sidebar * polish * upd * upd skill generator * Make webhooks docs user friendly (#2752) * shaping a2a webhooks page * moved triggers to visual builder * vb webhooks wip * numbered TOC steps * added step circles * indented toc steps more * added newsletter signup to docs * added share feedback button * moved newsletter subscribe route to agent docs * subscribe confirm polish * improved spacing * improved spacing * added high quality images * added verification step * Sync lockfile after rebase * Use tag reference for pullfrog action instead of pinned SHA (#2757) The action is actively under development, so referencing the v0 tag allows picking up updates automatically. https://claude.ai/code/session_01QZyvEs97scVf1ahTG8C1rV Co-authored-by: Claude <[email protected]> * ci: provision PR preview environments in Railway (#2681) * ci: add preview env diagnostics * ci: probe preview env schema before deploy * ci: probe preview env schema before deploy * ci: harden preview api env defaults * ci: attach git metadata to preview deploys * ci: harden preview workflow operations * ci: broaden preview log redaction * ci: extract preview workflow scripts * ci: harden preview script extraction * fix(ci): correct Playwright cache restore-key prefix mismatch (#2760) The restore-keys used `${{ runner.os }}-playwright-` but primary keys used `playwright-${{ runner.os }}-`, so the prefix never matched on cache miss, forcing a full browser download (~8.5 min) instead of a cache restore (~13 sec). Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * fix(ci): replace full git clone with shallow checkout in CI job (#2761) Remove fetch-depth: 0 from the ci job's checkout step, which cloned the entire git history (1.5-5 min overhead). Only the OpenAPI change detection step needs the base branch ref, so fetch it on-demand with --depth=1. Also switches the diff from three-dot merge-base syntax to a two-dot pathspec-filtered diff against the fetched base ref, which works correctly with shallow clones. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * format * rm migration * add new migrations * validation for skill is ok * move empty state to page * delete skill * delete skill revalidate path * move skills schemas to own file * upd * upd * upd * upd * upd * upd * upd * upd * upd * upd * more typecheck fixes * more typecheck fixes * fix * fix isRequired * f1x * move skill sidebar * refactor skill sidebar * add collapse file tree button * upd * upd * upd * deleteSkillFile * upd * deleteSkillFile * fileId * fileId * upd schemas * DeleteSkillFileConfirmation * updateSkillFile * rm simplematter from sdk * Get Skill File * getSkillFileById * add new skill file page * update skill file editor * format * Create Skill File * upd * createSkillFileAction * createSkillFileById * fix: Make OpenTelemetry startup idempotent (#2684) * fix: Make OpenTelemetry startup idempotent * fix: Re-export defaultSDK and cache NodeSDK instance on globalThis Restores the export on defaultSDK to avoid breaking the create-agents-template subpath import. Moves the new NodeSDK() construction behind a globalThis guard (getOrCreateSDK) so repeated Vite HMR module evaluations reuse the same instance instead of leaking fresh SDK objects. Co-authored-by: mike-inkeep <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> * fix(template): use idempotent startOpenTelemetrySDK() in instrumentation * fix: guard all OTel singletons behind globalThis for HMR idempotency - Cache otlpExporter, batchProcessor, resource, instrumentations, spanProcessors, contextManager, and propagator on globalThis via Symbol keys and getOrCreate* helpers so HMR re-evaluation reuses existing instances instead of leaking new ones - Make OtelGlobal type strict with per-key types, eliminating the loose `boolean | NodeSDK` union and the `as NodeSDK` cast - Add logger.debug in the MetricReader catch block to distinguish clean idempotency from error-recovery idempotency - Remove defaultSDK export (now module-private) since all consumers use startOpenTelemetrySDK() instead * Fix type errors * Simplify to just suppress the error since it's not an issue in prod, only local * Limit to dev mode * Add changeset for OTel HMR idempotency fix Co-authored-by: Dimitri POSTOLOV <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: inkeep[bot] <257615677+inkeep[bot]@users.noreply.github.com> Co-authored-by: Dimitri POSTOLOV <[email protected]> * Fix scheduled trigger invocations being skipped (#2777) * Fix scheduled trigger invocations being skipped when trigger is edited without changing the next execution time * claude comments * adding app id (#2779) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps (#2780) * Update pullfrog to latest SHA and add daily dependabot group for high-frequency deps - Update pullfrog from v0.0.178 SHA to v0.0.181 SHA (30d68e5) to stay on commit-pinned references for security (action has write permissions + 9 API keys) - Split dependabot github-actions config into a "high-frequency" group for pullfrog with daily schedule, so SHA pins get updated automatically - This supersedes PR #2757's approach of moving to mutable tag references https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Split dependabot github-actions into daily (pullfrog) and monthly (rest) Separate into two ecosystem entries so pullfrog gets daily SHA updates while other GitHub Actions stay on a monthly cadence. https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap * Fix invalid dependabot config: merge duplicate github-actions entries Dependabot disallows duplicate ecosystem+directory pairs. Use a single entry with two groups instead: high-frequency (pullfrog) and github-actions (everything else via exclude-patterns). https://claude.ai/code/session_01D3ZGYHG8VhsZwqjjXqy2Ap --------- Co-authored-by: Claude <[email protected]> * ci: seed preview auth in PR previews (#2775) * ci: bootstrap preview auth * ci: require secure preview auth config * ci: recover preview auth runtime vars * ci: install railway in preview bootstrap * ci: provision preview db tcp proxies * ci: proxy preview spicedb bootstrap * ci: harden preview retry and error logging --------- Co-authored-by: Andrew Mikofalvy <[email protected]> * Fix scopes placeholder to show correct Nango format (#2784) * Fix misleading scopes placeholder in credential form The Nango API validates scopes against a strict comma-separated pattern with no spaces. Updated placeholder and help text to show the correct format and prevent 400 errors when users enter multiple scopes. Made-with: Cursor * Add changeset for scopes placeholder fix Made-with: Cursor * fix(manage-ui): fix URL validation bypass and permission guard in credential provider setup (#2776) * fix(manage-ui): fix URL validation bypass and permission guard in credential provider setup Reorder Zod schema construction so custom validators (e.g. URL protocol allowlist) are chained after required/optional base schema instead of being overwritten. Move all React hooks above the canEdit early-return guard to satisfy Rules of Hooks, with canEdit checks inside hook bodies. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(manage-ui): add server-side URL protocol validation in buildCredentialsPayload Validate app_link against HTTP/HTTPS allowlist in the server action to prevent bypassing client-side form validation. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Update agents-manage-ui/src/components/credentials/views/generic-auth-form.tsx Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * fix err --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * feat(pdf): Support PDF attachments (#2709) * feat(pdf): Support PDF attachments * Add tests and other review feedback * Fix doc * More renaming and cleanup * refactor: extract Vercel content part schemas to types/chat.ts for reuse Move inline Zod schemas from chatDataStream.ts and message-parts.ts into types/chat.ts as shared, exported schemas. This eliminates duplicate definitions and makes schema management easier. Co-authored-by: Andrew Mikofalvy <[email protected]> Co-Authored-By: Claude Opus 4.6 <[email protected]> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Claude Opus 4.6 <[email protected]> * feat: Composio connected account ID pinning (#2783) * feat: Composio connected account ID pinning Pin connected_account_id to Composio MCP URLs to prevent cross-project credential leakage. Implements "both or none" policy — user_id and connected_account_id are injected together or not at all. - Add ComposioCredentialStore for credential lifecycle management - Update AgentMcpManager and discoverToolsFromServer with pinning logic - Mark Composio tools without connectedAccountId as needs_auth - Add generic disconnect credential UI (works for all credential types) - Store authScheme in credential retrievalParams for display - Update OAuth login flow to create credential references post-connect - Add unit tests for new credential store, composio client, and pinning Made-with: Cursor * feedback * fix test * Version Packages (#2778) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Add back link to projects sidebar, add org settings link to user drop… (#2787) * Add back link to projects sidebar, add org settings link to user dropdown, adjust sidebar highlight color in dark mode * Apply suggestion from @claude[bot] Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * Fix bad claude formatting --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * fix: return FileUIPart-compliant file parts from /run conversations endpoint (#2782) * fix: return Vercel AI SDK FileUIPart-compliant file parts from /run conversations endpoint - Resolve blob:// URIs to proxy HTTP URLs via resolveMessagesListBlobUris() - Reshape file parts from { data, metadata.mimeType } to { url, mediaType, filename? } - Matches Vercel AI SDK FileUIPart spec for useChat() compatibility Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * Skip malformed file parts --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Mike Rashkovsky <[email protected]> * fix: treat load_skill as internal tool to suppress false-positive Sentry errors (#2756) * fix: provide relationshipId for load_skill tool calls in graph events * fix: treat load_skill as internal tool, suppress chat/graph streaming events * fix for fetch trace (#2791) * fix for fetch trace * fix for fetch trace * Fix empty breadcrumb on `/[tenantId]/profile` page and replace prop-drilled permission flags (`readOnly`, `canEdit`, `canUse`) with direct hook call `useProjectPermissionsQuery()` (#2792) * upd * upd * format * format * format * format * format * format * format * format * format * fix review * fix breadcrumb on profile page * Apply suggestions from code review Co-authored-by: Dimitri POSTOLOV <[email protected]> * Update agents-manage-ui/src/lib/api/projects.ts Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * Update agents-manage-ui/src/app/[tenantId]/profile/layout.tsx Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * style: auto-format with biome * fix review --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * fix(manage-ui): fix user-scoped MCP credential card not refreshing after connect/disconnect (#2794) Fetch user-scoped credential server-side in page.tsx (matching the project-scoped pattern) instead of via a client-side React Query hook. This ensures router.refresh() after OAuth connect or credential delete re-fetches the credential data, so the "Your Connection" card updates without a manual page refresh. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> * reuse `useProjectsQuery` instead of `fetchProjectsAction` in `useEffect` (#2793) * reuse `useProjectsQuery` instead of `fetchProjectsAction` in `useEffect` * format * upd * fix lint * Create little-hounds-battle.md * upd * upd skill file editor * polish skill editor like in github * remove canEdit * upd * move skill metadata under collapsible advanced section * reuse DeleteConfirmation * upd skill file editor * upd skill file editor2 * add useInitialCollapsedSidebar * add useInitialCollapsedSidebar * upd skill file editor * rm * // Avoid including metadata in the frontmatter when it's null * fetchSkillFile and createSkillFile * refactor skill breadcrumb * format * polish * upd * skills integration tests * fix validation tests * update skill form * upd api skills in manage ui * upd entities * partial * fix skill loader test * chore: update OpenAPI snapshot * polish skill file editor * upd core skills tests * upd core skills tests * add SkillCreateDataSchema * update skills data manage * remove redundant * lint * lint * typecheck * typecheck * typecheck * knip * lint * rollback skill modals * make modal opens in skill selector * fix typecheck * this should fix cypress * fix sdk tests * split permissions call * add folder feature * findNodeByPath * SkillDirectoryBrowser * upd * polish * fix * fix edge case metadata validation * fix * fix cli test * format * upd * upd * upd * chore: update OpenAPI snapshot * fix skill generator * add button group * connect submit logic with extension select * polish * update skill generator tests * update generation test * polish skill generator * format * format * fixes for tests * typecheck * fix review * format * new migration * upd * rm migration * add migrations * fix migration and add * rm outdated * Apply suggestions from code review Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * polish * Add detailed changeset for nested skill files feature Co-authored-by: Dimitri POSTOLOV <[email protected]> * fix typecheck --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Gaurav Varma <[email protected]> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: Varun Varahabhotla <[email protected]> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: mike-inkeep <[email protected]> Co-authored-by: inkeep[bot] <257615677+inkeep[bot]@users.noreply.github.com> Co-authored-by: Dimitri POSTOLOV <[email protected]> Co-authored-by: shagun-singh-inkeep <[email protected]> Co-authored-by: omar-inkeep <[email protected]> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Andrew Mikofalvy <[email protected]> Co-authored-by: inkeep-internal-ci[bot] <259778081+inkeep-internal-ci[bot]@users.noreply.github.com> Co-authored-by: sarah <[email protected]> Co-authored-by: Abraham <[email protected]> Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updated the pullfrog GitHub Action reference to use the semantic version tag
v0instead of a specific commit hash for improved maintainability and clarity.Changes
9c99bcbbac7a7877e0390b7b3f91e28379bf2a5f) to the version tag (v0)Details
This change simplifies the action reference by using the stable version tag rather than pinning to a specific commit. This approach:
v0taghttps://claude.ai/code/session_01QZyvEs97scVf1ahTG8C1rV