Merge branch 'main' into fix/goose-path-root-configdir

Author: jamadeo

.cargo/config.toml

@@ -0,0 +1,5 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/FORCE:MULTIPLE"]
+
+[target.aarch64-pc-windows-msvc]
+rustflags = ["-C", "link-args=/FORCE:MULTIPLE"]

.github/CODEOWNERS

@@ -1,6 +1,6 @@
 # CODEOWNERS file for block/goose repository
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
-# Documentation owned by DevRel team
-/documentation/ @block/goose-devrel
+# Documentation owned by DevRel
+/documentation/ @blackgirlbytes @angiejones
 

.github/copilot-instructions.md

@@ -34,8 +34,8 @@
 - Async/await misuse or blocking operations in async contexts
 - Improper trait implementations
 
-### No Prerelease Docs
-- If the PR contains both code changes to features/functionality AND updates in `/documentation`: Documentation updates must be separated to keep public docs in sync with released versions. Either mark new topics with `unlisted: true` or remove/hide the documentation.
+### No Doc Updates with Code Changes
+- PRs with code changes shouldn't update `/documentation` - docs deploy on merge, code on release. Use `unlisted: true` or remove/hide docs.
 
 ## Project-Specific Context
 

.github/workflows/bundle-desktop-linux.yml

@@ -134,7 +134,7 @@ jobs:
         run: |
           source ./bin/activate-hermit
           cd ui/desktop
-          npm install
+          npm ci
           # Verify installation
           ls -la node_modules/.bin/ | head -5
 

.github/workflows/bundle-desktop-windows.yml

@@ -137,7 +137,7 @@ jobs:
         run: |
           cd ui/desktop
 
-          npm install
+          npm ci
           node scripts/build-main.js
           node scripts/prepare-platform-binaries.js
           npm run make -- --platform=win32 --arch=x64

.github/workflows/ci.yml

@@ -151,6 +151,10 @@ jobs:
       #     restore-keys: |
       #       ci-npm-cache-v1-${{ runner.os }}-
 
+      - name: Check lockfile has cross-platform entries
+        run: ./scripts/check-lockfile-platforms.sh
+        working-directory: ui/desktop
+
       - name: Install Dependencies
         run: source ../../bin/activate-hermit && npm ci
         working-directory: ui/desktop

.github/workflows/create-release-pr.yaml

@@ -101,10 +101,18 @@ jobs:
 
     - name: Create Pull Request
       run: |
-        gh pr create \
+        PR_URL=$(gh pr create \
           -B "$TARGET_BRANCH" \
           -H "${{ env.branch_name }}" \
           --title "chore(release): release version ${{ env.version }} ($BUMP_TYPE)" \
-          --body-file pr_body.txt
+          --body-file pr_body.txt)
+        echo "pr_url=$PR_URL" >> $GITHUB_ENV
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Post release checklist comment
+      run: |
+        sed 's/{{VERSION}}/${{ env.version }}/g' RELEASE_CHECKLIST.md > checklist_comment.md
+        gh pr comment "${{ env.pr_url }}" --body-file checklist_comment.md
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/goose-issue-solver.yml

@@ -181,9 +181,11 @@ jobs:
         run: |
           echo "number=$(jq -r '.number' /tmp/issue.json)" >> $GITHUB_OUTPUT
 
-          echo "title<<TITLE_EOF" >> $GITHUB_OUTPUT
+          # SECURITY: Use random delimiter to prevent injection if title contains our delimiter
+          DELIMITER="EOF_$(openssl rand -hex 8)"
+          echo "title<<$DELIMITER" >> $GITHUB_OUTPUT
           jq -r '.title' /tmp/issue.json >> $GITHUB_OUTPUT
-          echo "TITLE_EOF" >> $GITHUB_OUTPUT
+          echo "$DELIMITER" >> $GITHUB_OUTPUT
 
       - name: Run goose
         id: goose
@@ -202,9 +204,11 @@ jobs:
 
           if [ -n "$(git status --porcelain)" ] && [ -f /tmp/issue_summary.txt ]; then
             echo "has_changes=true" >> $GITHUB_OUTPUT
-            echo "summary<<SUMMARY_EOF" >> $GITHUB_OUTPUT
+            # SECURITY: Use random delimiter to prevent injection if summary contains our delimiter
+            SUMMARY_DELIMITER="EOF_$(openssl rand -hex 8)"
+            echo "summary<<$SUMMARY_DELIMITER" >> $GITHUB_OUTPUT
             cat /tmp/issue_summary.txt >> $GITHUB_OUTPUT
-            echo "SUMMARY_EOF" >> $GITHUB_OUTPUT
+            echo "$SUMMARY_DELIMITER" >> $GITHUB_OUTPUT
           else
             echo "has_changes=false" >> $GITHUB_OUTPUT
           fi

.github/workflows/goose-pr-reviewer.yml

@@ -274,9 +274,11 @@ jobs:
             INSTRUCTIONS="No specific instructions - perform a general code review."
           fi
           
-          echo "instructions<<INSTRUCTIONS_EOF" >> $GITHUB_OUTPUT
+          # SECURITY: Use random delimiter to prevent injection if comment contains our delimiter
+          DELIMITER="EOF_$(openssl rand -hex 8)"
+          echo "instructions<<$DELIMITER" >> $GITHUB_OUTPUT
           echo "$INSTRUCTIONS" >> $GITHUB_OUTPUT
-          echo "INSTRUCTIONS_EOF" >> $GITHUB_OUTPUT
+          echo "$DELIMITER" >> $GITHUB_OUTPUT
 
       - name: Run goose review
         id: goose
@@ -285,14 +287,16 @@ jobs:
           PR_TITLE: ${{ github.event.issue.title }}
           PR_BODY: ${{ github.event.issue.body }}
           REVIEW_INSTRUCTIONS: ${{ steps.instructions.outputs.instructions }}
+          # SECURITY: Pass issue JSON via environment variable to avoid heredoc injection
+          # (GHSA-mm8p-57gq-3xj6) - user-controlled content could terminate heredoc early
+          ISSUE_JSON: ${{ toJson(github.event.issue) }}
         run: |
           mkdir -p $HOME/.local/share/goose/sessions
           mkdir -p $HOME/.config/goose
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
-          cat > /tmp/pr.json << 'PRJSON'
-          ${{ toJson(github.event.issue) }}
-          PRJSON
+          # SECURITY: Use printf with env var instead of heredoc to prevent injection
+          printf '%s' "$ISSUE_JSON" > /tmp/pr.json
 
           echo "$GOOSE_RECIPE" | envsubst '$PR_NUMBER $PR_TITLE $PR_BODY $REVIEW_INSTRUCTIONS' > /tmp/recipe.yaml