
Commit 5b66860

authored
Merge branch 'main' into fix/goose-path-root-configdir
2 parents 09edb58 + f740bb7 commit 5b66860

601 files changed

Lines changed: 110155 additions & 36408 deletions


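--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -0,0 +1,5 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/FORCE:MULTIPLE"]
+
+[target.aarch64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/FORCE:MULTIPLE"]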
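Review bot: Both `rustflags` entries enable `/FORCE:MULTIPLE` without a comment saying which duplicate symbols the MSVC link would otherwise fail on. That flag tells link.exe to accept multiply-defined symbols and silently pick one of them, so it can also mask a genuine duplicate-definition problem introduced later; a note such as `# Workaround for duplicate symbols between <crate A> and <crate B> on MSVC; remove once fixed upstream` (with the real crate names filled in) would tell a maintainer when it can be dropped. Because this file applies to every `cargo build` for these two targets, it is worth confirming the flag is needed workspace-wide rather than only for the desktop bundle.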

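--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,6 +1,6 @@
 # CODEOWNERS file for block/goose repository
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
-# Documentation owned by DevRel team
-/documentation/ @block/goose-devrel
+# Documentation owned by DevRel
+/documentation/ @blackgirlbytes @angiejones
 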

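--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -34,8 +34,8 @@
 - Async/await misuse or blocking operations in async contexts
 - Improper trait implementations
 
-### No Prerelease Docs
-- If the PR contains both code changes to features/functionality AND updates in `/documentation`: Documentation updates must be separated to keep public docs in sync with released versions. Either mark new topics with `unlisted: true` or remove/hide the documentation.
+### No Doc Updates with Code Changes
+- PRs with code changes shouldn't update `/documentation` - docs deploy on merge, code on release. Use `unlisted: true` or remove/hide docs.
 
 ## Project-Specific Context
 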

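--- a/.github/workflows/bundle-desktop-linux.yml
+++ b/.github/workflows/bundle-desktop-linux.yml
@@ -134,7 +134,7 @@ jobs:
 run: |
 source ./bin/activate-hermit
 cd ui/desktop
-npm install
+npm ci
 # Verify installation
 ls -la node_modules/.bin/ | head -5
 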

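--- a/.github/workflows/bundle-desktop-windows.yml
+++ b/.github/workflows/bundle-desktop-windows.yml
@@ -137,7 +137,7 @@ jobs:
 run: |
 cd ui/desktop
 
-npm install
+npm ci
 node scripts/build-main.js
 node scripts/prepare-platform-binaries.js
 npm run make -- --platform=win32 --arch=x64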

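--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -151,6 +151,10 @@ jobs:
 # restore-keys: |
 # ci-npm-cache-v1-${{ runner.os }}-
 
+- name: Check lockfile has cross-platform entries
+run: ./scripts/check-lockfile-platforms.sh
+working-directory: ui/desktop
+
 - name: Install Dependencies
 run: source ../../bin/activate-hermit && npm ci
 working-directory: ui/desktop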

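--- a/.github/workflows/create-release-pr.yaml
+++ b/.github/workflows/create-release-pr.yaml
@@ -101,10 +101,18 @@ jobs:
 
 - name: Create Pull Request
 run: |
-gh pr create \
+PR_URL=$(gh pr create \
 -B "$TARGET_BRANCH" \
 -H "${{ env.branch_name }}" \
 --title "chore(release): release version ${{ env.version }} ($BUMP_TYPE)" \
---body-file pr_body.txt
+--body-file pr_body.txt)
+echo "pr_url=$PR_URL" >> $GITHUB_ENV
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Post release checklist comment
+run: |
+sed 's/{{VERSION}}/${{ env.version }}/g' RELEASE_CHECKLIST.md > checklist_comment.md
+gh pr comment "${{ env.pr_url }}" --body-file checklist_comment.md
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}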
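Review bot: The new `Post release checklist comment` step interpolates `${{ env.version }}` and `${{ env.pr_url }}` directly into the shell script text, whereas the other hunks in this commit move such values into environment variables before the shell sees them. `pr_url` was written to `$GITHUB_ENV` in the previous step, so it is already exported to this step as `$pr_url`; the comment line can be `gh pr comment "$pr_url" --body-file checklist_comment.md`, and the `sed` line can take the version from an `env:` entry as `sed "s|{{VERSION}}|${VERSION}|g" RELEASE_CHECKLIST.md > checklist_comment.md`, where `|` as the sed delimiter also keeps the substitution intact if a version string ever contains `/`. Where `env.version` originates is outside this hunk, so whether it can be influenced by a dispatcher cannot be confirmed here.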

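--- a/.github/workflows/goose-issue-solver.yml
+++ b/.github/workflows/goose-issue-solver.yml
@@ -181,9 +181,11 @@ jobs:
 run: |
 echo "number=$(jq -r '.number' /tmp/issue.json)" >> $GITHUB_OUTPUT
 
-echo "title<<TITLE_EOF" >> $GITHUB_OUTPUT
+# SECURITY: Use random delimiter to prevent injection if title contains our delimiter
+DELIMITER="EOF_$(openssl rand -hex 8)"
+echo "title<<$DELIMITER" >> $GITHUB_OUTPUT
 jq -r '.title' /tmp/issue.json >> $GITHUB_OUTPUT
-echo "TITLE_EOF" >> $GITHUB_OUTPUT
+echo "$DELIMITER" >> $GITHUB_OUTPUT
 
 - name: Run goose
 id: goose
@@ -202,9 +204,11 @@ jobs:
 
 if [ -n "$(git status --porcelain)" ] && [ -f /tmp/issue_summary.txt ]; then
 echo "has_changes=true" >> $GITHUB_OUTPUT
-echo "summary<<SUMMARY_EOF" >> $GITHUB_OUTPUT
+# SECURITY: Use random delimiter to prevent injection if summary contains our delimiter
+SUMMARY_DELIMITER="EOF_$(openssl rand -hex 8)"
+echo "summary<<$SUMMARY_DELIMITER" >> $GITHUB_OUTPUT
 cat /tmp/issue_summary.txt >> $GITHUB_OUTPUT
-echo "SUMMARY_EOF" >> $GITHUB_OUTPUT
+echo "$SUMMARY_DELIMITER" >> $GITHUB_OUTPUT
 else
 echo "has_changes=false" >> $GITHUB_OUTPUT
 fi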
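Review bot: In the second hunk, `cat /tmp/issue_summary.txt >> $GITHUB_OUTPUT` followed by `echo "$SUMMARY_DELIMITER" >> $GITHUB_OUTPUT` glues the closing delimiter onto the summary's last line whenever the file does not end in a newline, so the multi-line output never closes and the runner rejects the step's outputs. The random delimiter introduced here does not cover that case; writing the body as `printf '%s\n' "$(cat /tmp/issue_summary.txt)" >> $GITHUB_OUTPUT` guarantees exactly one trailing newline before the delimiter, since command substitution strips trailing newlines and printf adds one. The first hunk is fine as written because `jq -r` always terminates its output with a newline. Whether the summary file can lack a trailing newline depends on how the goose step writes it, which is outside this hunk.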

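--- a/.github/workflows/goose-pr-reviewer.yml
+++ b/.github/workflows/goose-pr-reviewer.yml
@@ -274,9 +274,11 @@ jobs:
 INSTRUCTIONS="No specific instructions - perform a general code review."
 fi
 
-echo "instructions<<INSTRUCTIONS_EOF" >> $GITHUB_OUTPUT
+# SECURITY: Use random delimiter to prevent injection if comment contains our delimiter
+DELIMITER="EOF_$(openssl rand -hex 8)"
+echo "instructions<<$DELIMITER" >> $GITHUB_OUTPUT
 echo "$INSTRUCTIONS" >> $GITHUB_OUTPUT
-echo "INSTRUCTIONS_EOF" >> $GITHUB_OUTPUT
+echo "$DELIMITER" >> $GITHUB_OUTPUT
 
 - name: Run goose review
 id: goose
@@ -285,14 +287,16 @@ jobs:
 PR_TITLE: ${{ github.event.issue.title }}
 PR_BODY: ${{ github.event.issue.body }}
 REVIEW_INSTRUCTIONS: ${{ steps.instructions.outputs.instructions }}
+# SECURITY: Pass issue JSON via environment variable to avoid heredoc injection
+# (GHSA-mm8p-57gq-3xj6) - user-controlled content could terminate heredoc early
+ISSUE_JSON: ${{ toJson(github.event.issue) }}
 run: |
 mkdir -p $HOME/.local/share/goose/sessions
 mkdir -p $HOME/.config/goose
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
-cat > /tmp/pr.json << 'PRJSON'
-${{ toJson(github.event.issue) }}
-PRJSON
+# SECURITY: Use printf with env var instead of heredoc to prevent injection
+printf '%s' "$ISSUE_JSON" > /tmp/pr.json
 
 echo "$GOOSE_RECIPE" | envsubst '$PR_NUMBER $PR_TITLE $PR_BODY $REVIEW_INSTRUCTIONS' > /tmp/recipe.yaml
 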
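Review bot: The `envsubst '$PR_NUMBER $PR_TITLE $PR_BODY $REVIEW_INSTRUCTIONS'` line that remains as context in the second hunk still substitutes the PR title, PR body and comment-derived instructions into `/tmp/recipe.yaml` as plain text, so the heredoc hardening in this commit stops one step short: a value containing newlines, quotes or `#` changes the structure of the rendered recipe rather than being read as a single string. A safer shape is to leave those fields out of the template and let the recipe read them from the environment at run time, or to set them with a YAML-aware tool that quotes values; until then a comment such as `# NOTE: envsubst does not YAML-escape; PR_TITLE, PR_BODY and REVIEW_INSTRUCTIONS are user-controlled` next to that line would keep the residual risk visible. The recipe template itself (`$GOOSE_RECIPE`) is defined outside this hunk, so how those placeholders are used inside it cannot be confirmed here.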
