Merge branch 'main' of github.com:block/goose into dkatz/canonical-context

* 'main' of github.com:block/goose:
  feat: add onFallbackRequest handler to McpAppRenderer (#7208)
  feat: add streaming support for Claude Code CLI provider (#6833)
  fix: The detected filetype is PLAIN_TEXT, but the provided filetype was HTML (#6885)
  Add prompts (#7212)
  Add testing instructions for speech to text (#7185)
  Diagnostic files copying (#7209)
  fix: allow concurrent tool execution within the same MCP extension (#7202)
  fix: handle missing arguments in MCP tool calls to prevent GUI crash (#7143)
  Filter Apps page to only show standalone Goose Apps (#6811)
  opt: use static for Regex (#7205)
  nit: show dir in title, and less... jank (#7138)
  feat(gemini-cli): use stream-json output and re-use session (#7118)
  chore(deps): bump qs from 6.14.1 to 6.14.2 in /documentation (#7191)
  Switch jsonwebtoken to use aws-lc-rs (already used by rustls) (#7189)
  chore(deps): bump qs from 6.14.1 to 6.14.2 in /evals/open-model-gym/mcp-harness (#7184)
  Add SLSA build provenance attestations to release workflows (#7097)
  fix save and run recipe not working (#7186)
  Upgraded npm packages for latest security updates (#7183)
  docs: reasoning effort levels for Codex provider (#6798)

Author: katzdave

.github/workflows/canary.yml

@@ -15,6 +15,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Permissions for SLSA attestation, AWS OIDC codesigning, and release creation
+permissions:
+  id-token: write      # Required for Sigstore OIDC signing and AWS OIDC codesigning
+  contents: write      # Required for creating releases and by actions/checkout
+  actions: read        # Required by bundle-desktop-windows.yml reusable workflow
+  attestations: write  # Required for SLSA build provenance attestations
+
 jobs:
   # ------------------------------------
   # 1) Prepare Version
@@ -100,13 +107,26 @@ jobs:
     needs: [build-cli, install-script, bundle-desktop, bundle-desktop-linux, bundle-desktop-windows]
     permissions:
       contents: write
+      id-token: write      # Required for Sigstore OIDC signing
+      attestations: write  # Required for SLSA build provenance attestations
 
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
         with:
           merge-multiple: true
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
+        with:
+          subject-path: |
+            goose-*.tar.bz2
+            Goose*.zip
+            *.deb
+            *.rpm
+            *.flatpak
+            download_cli.sh
+
       # Create/update the canary release
       - name: Release canary
         uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b  # v1.20.0

.github/workflows/pr-comment-bundle.yml

@@ -136,4 +136,20 @@ jobs:
             [📱 Download macOS Desktop App (arm64, unsigned)](https://nightly.link/${{ github.repository }}/actions/runs/${{ github.run_id }}/Goose-darwin-arm64.zip)
 
             **Instructions:**
-            After downloading, unzip the file and drag the goose.app to a location you prefer. The app is unsigned, so to run it run `xattr -r -d com.apple.quarantine '/path/to/goose.app'` and then open the app
+            
+            The easiest way is to just run the following script:
+            
+            `./scripts/pre-release.sh`
+            
+            script which will download the latest release (or you can specify the release you need), does the
+            unzip, xattr to get it out of quarantine and signs it.
+            
+            If you need to do this manually:
+            
+               * Download the file
+               * Unzip
+               * run `xattr -r -d com.apple.quarantine '/path/to/Goose.app'`
+               * optionally run `codesign --force --deep --sign - --entitlements ui/desktop/entitlements.plist '/path/to/Goose.app'`
+               * start the app
+            
+            The signing step is only needed if you do something that uses mac entitlements like speech to text

.github/workflows/publish-docker.yml

@@ -15,6 +15,8 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write      # Required for Sigstore OIDC signing
+  attestations: write  # Required for SLSA build provenance attestations
 
 jobs:
   docker:
@@ -51,6 +53,7 @@ jobs:
             type=raw,value={{tag}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
       
       - name: Build and push Docker image
+        id: docker-push
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # pin@v6.18.0
         with:
           context: .
@@ -60,3 +63,10 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64,linux/arm64
+
+      - name: Attest Docker image
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
+        with:
+          subject-name: ghcr.io/${{ github.repository_owner }}/goose
+          subject-digest: ${{ steps.docker-push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release-branches.yml

@@ -28,3 +28,8 @@ jobs:
 
             **Instructions:**
             After downloading, unzip the file and drag the goose.app to a location you prefer. The app is unsigned, so to run it run `xattr -r -d com.apple.quarantine '/path/to/goose.app'` and then open the app
+
+            **To test speech-to-text**, you also need to codesign the app with the microphone entitlement:
+            ```
+            codesign --force --deep --sign - --entitlements ui/desktop/entitlements.plist '/path/to/Goose.app'
+            ```

.github/workflows/release.yml

@@ -13,6 +13,7 @@ permissions:
   id-token: write   # Required for AWS OIDC authentication in called workflow
   contents: write   # Required for creating releases and by actions/checkout
   actions: read     # May be needed for some workflows
+  attestations: write  # Required for SLSA build provenance attestations
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -92,12 +93,26 @@ jobs:
     needs: [build-cli, install-script, bundle-desktop, bundle-desktop-intel, bundle-desktop-linux, bundle-desktop-windows]
     permissions:
       contents: write
+      id-token: write      # Required for Sigstore OIDC signing
+      attestations: write  # Required for SLSA build provenance attestations
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
         with:
           merge-multiple: true
 
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f  # v3.2.0
+        with:
+          subject-path: |
+            goose-*.tar.bz2
+            goose-*.zip
+            Goose*.zip
+            *.deb
+            *.rpm
+            *.flatpak
+            download_cli.sh
+
       # Create/update the versioned release
       - name: Release versioned
         uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b  # v1.20.0