Merge branch 'main' into lifei/logging-whne-start-error

* main: (29 commits)
  chore(deps): bump winreg from 0.55.0 to 0.56.0 (#8829)
  Fix grammar issue (#8669)
  colorize context window indicator (#8851)
  Refresh canonical model metadata from models.dev (#8838)
  fix(ci): prevent flaky smoke test timeouts from failing the build (#8837)
  updates: release 0.19.0 of the tui/sdk/etc (#8806)
  add a goose2 signed release flow (#8728)
  Port provider tests to typescript (#8237)
  refactor: make ACP server smaller (#8787)
  Add NVIDIA provider, and improve declarative provider UX (#8798)
  fix: removed failed provider test for deprecated providers (#8801)
  fix: only call cleanup when the pr is from same repo (#8799)
  chore: check stale for draft pr (#8803)
  fix: use _meta instead of meta in newSession request (#8796)
  fix: add missing underscore prefix in updateWorkingDir method name (#8743)
  feat: migrate session metadata storage from frontend overlay to backend (#8769)
  Add more info to BUILDING_LINUX (#8789)
  feat(acp): Align to new request patterns of ACP Streamable HTTP/WS transport (#8605)
  Dedupe and organize skills/sources (#8731)
  docs: add skills slash command (#8783)
  ...

Author: lifeizhou-ap

.github/workflows/bundle-goose2.yml

@@ -38,6 +38,11 @@ on:
         required: false
         default: ""
         type: string
+      windows-signing:
+        description: "Whether to perform Windows signing via Azure Trusted Signing"
+        required: false
+        default: false
+        type: boolean
       cli-run-id:
         description: >
           Run ID of a prior build-cli.yml workflow run to download the goose
@@ -125,7 +130,7 @@ jobs:
 
       - name: Cache Rust dependencies
         if: inputs.cli-run-id == ''
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
         with:
           key: goose2-macos-arm64
 
@@ -175,13 +180,11 @@ jobs:
           certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
 
       # ── Tauri bundle ──
-      - name: Check disk space before bundle
-        run: df -h
-
       - name: Bundle Goose 2 (pnpm tauri build)
         env:
+          APPLE_SIGNING_IDENTITY: ${{ inputs.signing && 'Developer ID Application' || '' }}
           APPLE_ID: ${{ inputs.signing && secrets.APPLE_ID || '' }}
-          APPLE_ID_PASSWORD: ${{ inputs.signing && secrets.APPLE_ID_PASSWORD || '' }}
+          APPLE_PASSWORD: ${{ inputs.signing && secrets.APPLE_ID_PASSWORD || '' }}
           APPLE_TEAM_ID: ${{ inputs.signing && secrets.APPLE_TEAM_ID || '' }}
         working-directory: ui/goose2
         run: |
@@ -291,7 +294,7 @@ jobs:
 
       - name: Cache Rust dependencies
         if: inputs.cli-run-id == ''
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
         with:
           key: goose2-macos-x86_64
 
@@ -360,8 +363,9 @@ jobs:
       # ── Tauri bundle (cross-compile for Intel) ──
       - name: Bundle Goose 2 for Intel
         env:
+          APPLE_SIGNING_IDENTITY: ${{ inputs.signing && 'Developer ID Application' || '' }}
           APPLE_ID: ${{ inputs.signing && secrets.APPLE_ID || '' }}
-          APPLE_ID_PASSWORD: ${{ inputs.signing && secrets.APPLE_ID_PASSWORD || '' }}
+          APPLE_PASSWORD: ${{ inputs.signing && secrets.APPLE_ID_PASSWORD || '' }}
           APPLE_TEAM_ID: ${{ inputs.signing && secrets.APPLE_TEAM_ID || '' }}
         working-directory: ui/goose2
         run: |
@@ -477,7 +481,7 @@ jobs:
 
       - name: Cache Rust dependencies
         if: inputs.cli-run-id == ''
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
         with:
           key: goose2-linux-x86_64
 
@@ -564,6 +568,7 @@ jobs:
     runs-on: windows-latest
     timeout-minutes: 60
     permissions:
+      id-token: write
       contents: read
       actions: read
     steps:
@@ -621,7 +626,7 @@ jobs:
 
       - name: Cache Rust dependencies
         if: inputs.cli-run-id == ''
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
         with:
           key: goose2-windows-x86_64
 
@@ -697,3 +702,70 @@ jobs:
           name: Goose2-windows-x64-msi
           path: ui/goose2/src-tauri/target/x86_64-pc-windows-msvc/release/bundle/msi/*.msi
           if-no-files-found: warn
+
+  sign-windows:
+    name: "Sign Windows installers"
+    needs: bundle-windows
+    if: inputs.windows-signing
+    runs-on: windows-latest
+    environment: signing
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Download NSIS installer
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        with:
+          name: Goose2-windows-x64-nsis
+          path: unsigned/nsis
+
+      - name: Download MSI installer
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        with:
+          name: Goose2-windows-x64-msi
+          path: unsigned/msi
+
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Sign Windows installers with Azure Trusted Signing
+        uses: azure/trusted-signing-action@db7a3a6bd3912025c705162fb7475389f5b69ec6 # v1
+        with:
+          endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }}
+          trusted-signing-account-name: ${{ secrets.AZURE_SIGNING_ACCOUNT_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }}
+          files-folder: ${{ github.workspace }}/unsigned
+          files-folder-filter: exe,msi
+          files-folder-recurse: true
+
+      - name: Verify signed installers
+        shell: pwsh
+        run: |
+          $files = Get-ChildItem -Path unsigned -Recurse -Include *.exe,*.msi
+          foreach ($file in $files) {
+            Write-Output "Verifying signature: $($file.FullName)"
+            $sig = Get-AuthenticodeSignature $file.FullName
+            if ($sig.Status -ne "Valid") {
+              throw "Signature invalid for $($file.Name): $($sig.Status)"
+            }
+            Write-Output "✅ Signature valid: $($file.Name)"
+          }
+
+      - name: Upload signed NSIS installer
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: Goose2-windows-x64-nsis-signed
+          path: unsigned/nsis/*.exe
+          if-no-files-found: error
+
+      - name: Upload signed MSI installer
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: Goose2-windows-x64-msi-signed
+          path: unsigned/msi/*.msi
+          if-no-files-found: error

.github/workflows/pr-smoke-test.yml

@@ -108,9 +108,13 @@ jobs:
           node-version: '22'
 
       - name: Install agentic providers
-        run: npm install -g @anthropic-ai/claude-code @openai/codex @google/gemini-cli @zed-industries/claude-agent-acp @zed-industries/codex-acp
+        run: npm install -g @anthropic-ai/claude-code @zed-industries/claude-agent-acp @zed-industries/codex-acp
 
-      - name: Run Smoke Tests with Provider Script
+      - name: Install Node.js Dependencies
+        run: source ../../bin/activate-hermit && pnpm install --frozen-lockfile
+        working-directory: ui/desktop
+
+      - name: Run Smoke Tests (Normal Mode)
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
@@ -127,12 +131,10 @@ jobs:
           SKIP_BUILD: 1
           SKIP_PROVIDERS: ${{ vars.SKIP_PROVIDERS || '' }}
         run: |
-          # Ensure the HOME directory structure exists
           mkdir -p $HOME/.local/share/goose/sessions
           mkdir -p $HOME/.config/goose
-
-          # Run the provider test script (binary already built and downloaded)
-          bash scripts/test_providers.sh
+          source ../../bin/activate-hermit && pnpm run test:integration:providers
+        working-directory: ui/desktop
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -188,6 +190,10 @@ jobs:
       - name: Make Binary Executable
         run: chmod +x target/debug/goose
 
+      - name: Install Node.js Dependencies
+        run: source ../../bin/activate-hermit && pnpm install --frozen-lockfile
+        working-directory: ui/desktop
+
       - name: Run Provider Tests (Code Execution Mode)
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -205,7 +211,8 @@ jobs:
         run: |
           mkdir -p $HOME/.local/share/goose/sessions
           mkdir -p $HOME/.config/goose
-          bash scripts/test_providers_code_exec.sh
+          source ../../bin/activate-hermit && pnpm run test:integration:providers-code-exec
+        working-directory: ui/desktop
 
   compaction-tests:
     name: Compaction Tests
@@ -277,7 +284,8 @@ jobs:
           GOOSE_PROVIDER: anthropic
           GOOSE_MODEL: claude-sonnet-4-5-20250929
           SHELL: /bin/bash
+          SKIP_BUILD: 1
         run: |
             echo 'export PATH=/some/fake/path:$PATH' >> $HOME/.bash_profile
-            source ../../bin/activate-hermit && pnpm run test:integration:debug
+            source ../../bin/activate-hermit && pnpm run test:integration:goosed
         working-directory: ui/desktop

.github/workflows/pr-website-preview.yml

@@ -51,7 +51,7 @@ jobs:
   cleanup:
     runs-on: ubuntu-latest
     needs: deploy
-    if: github.event.action == 'closed'
+    if: github.event.action == 'closed' && github.event.pull_request.head.repo.full_name == 'aaif-goose/goose'
     permissions:
       contents: write
     steps: