chore(deps): update OpenShell to 0.0.72 #2798

Merged: ralphbean merged 1 commit into main from update-openshell-0.0.72 on Jul 1, 2026

@ralphbean

Member

Summary

  • Bump pinned OpenShell version from 0.0.63 to 0.0.72 in .github/scripts/openshell-version.sh
  • Update version references in docs/guides/user/running-agents-locally.md
  • Pinning to 0.0.72 rather than 0.0.73 which introduces a breaking change

Test plan

  • Verify e2e tests pass with the new OpenShell version
  • Confirm sandbox creation works with supervisor:0.0.72 image

🤖 Generated with Claude Code

Bump the pinned OpenShell version from 0.0.63 to 0.0.72 and update
the docs to match. Pinning to 0.0.72 rather than 0.0.73 which
introduces a breaking change.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean ralphbean requested a review from a team as a code owner June 30, 2026 19:36
@qodo-code-review


PR Summary by Qodo

Bump pinned OpenShell to 0.0.72 (avoid 0.0.73 breaking change)

⚙️ Configuration changes 📝 Documentation 🕐 10-20 Minutes

AI Description

• Bump the pinned OpenShell version (and SHA) used by GitHub automation to 0.0.72.
• Update local-run documentation to reference OpenShell 0.0.72 for macOS/Linux.
• Keep pin at 0.0.72 to avoid the breaking change introduced in 0.0.73.
Diagram

graph TD
  A["GitHub workflows"] --> B["openshell-version.sh"] --> E{{"OpenShell GitHub release"}}
  C["Developer (local)"] --> D["running-agents-locally.md"] --> E
High-Level Assessment

The following are alternative approaches to this PR:

1. Track latest OpenShell tag (no pin)
  • ➕ Always picks up upstream fixes automatically
  • ➕ Less manual maintenance of version references
  • ➖ Breakages can land without warning (especially given known breaking change at 0.0.73)
  • ➖ Harder to reproduce CI/local environments
2. Move to 0.0.73 and adapt immediately
  • ➕ Avoids accumulating upgrade debt
  • ➕ Aligns sooner with upstream’s newest behavior
  • ➖ Requires doing breaking-change work now (larger, riskier PR)
  • ➖ May delay this straightforward security/bugfix uptake in 0.0.72

Recommendation: Keep the explicit pin to 0.0.72 as done here: it preserves reproducibility and avoids the known 0.0.73 break. Consider a follow-up PR specifically to handle the 0.0.73 breaking change once validated in e2e/sandbox creation.

Files changed (2) +4 / -4

Documentation (1) +2 / -2
docs/guides/user/running-agents-locally.md: Update local-run guide to reference OpenShell 0.0.72 (+2/-2)

• Updates the documented OpenShell requirement for macOS/Linux and the example export command to use 0.0.72. Ensures the guide matches the repo’s pinned OpenShell version.

Other (1) +2 / -2
.github/scripts/openshell-version.sh: Bump pinned OpenShell version and SHA to 0.0.72 (+2/-2)

• Updates the pinned OpenShell version from 0.0.63 to 0.0.72 and replaces the associated SHA. This keeps GitHub automation aligned with the desired upstream release for reproducible installs.

@ralphbean

Member Author

I think 0.0.73 broke us (the supervisor image). Let's try 0.0.72 here.

Make sure to confirm that e2e really really ran here (click to see the logs). We had issues before where it wasn't really triggering. I think those are fixed now.

@github-actions


Site preview

Preview: https://dea89aab-site.fullsend-ai.workers.dev

Commit: ae7416657a8bcf8f0308aa4220493335a3667832

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026


🤖 Finished Review · ✅ Success · Started 7:39 PM UTC · Completed 7:46 PM UTC
Commit: ae74166 · View workflow run →

@qodo-code-review


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

@codecov

codecov Bot commented Jun 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@fullsend-ai-review


Review

Findings

High

  • [protected-path] .github/scripts/openshell-version.sh — This PR modifies a file under the protected .github/ path but has no linked issue providing authorization for the change. Protected paths contain governance and infrastructure files that require human approval. The change itself is a straightforward OpenShell version bump (0.0.63 → 0.0.72) with corresponding documentation updates, but protected-path changes require explicit authorization via a linked issue.
    Remediation: Link this PR to an issue that authorizes the dependency update, or ensure a human reviewer with appropriate permissions approves the change to .github/scripts/openshell-version.sh.

Labels: PR bumps the OpenShell sandbox dependency version and updates related docs.

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

@fullsend-ai-review fullsend-ai-review Bot added the component/sandbox (OpenShell sandbox environment) and dependencies (Pull requests that update a dependency file) labels Jun 30, 2026

@waynesun09 waynesun09 left a comment

Member

Verified locally with A/B boundary testing:

  • supervisor:0.0.72 → sandbox Ready ✅
  • supervisor:0.0.73 → sandbox Error ❌ (cap_drop_bound() crash in rootless Podman)

SHA 8cb16de9 confirmed against NVIDIA/OpenShell v0.0.72 tag. Version strings consistent across both changed files. PR #2795 (gateway.toml supervisor pin) already merged — this bump correctly propagates to the supervisor image.

The bump also picks up 3 security fixes over v0.0.63: h2c L7 tunnel escape (PR #1967), proxy accept race condition (PR #1968), and provider policy namespace reservation (PR #1991).

Follow-up recommendation: consider adding a Renovate allowedVersions constraint to prevent automated bump to v0.0.73 before the upstream regression is fixed.
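
The SHA-against-tag check mentioned in the review above, sketched as an added example (not code from this PR or from OpenShell): it resolves a tag in `git ls-remote --tags` output to its commit, preferring the peeled `^{}` entry of an annotated tag, and accepts a pinned SHA only if it is a prefix of that commit. The function names and the sample listing, including every hash in it, are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names are hypothetical, all hashes are constructed.

# Constructed stand-in for `git ls-remote --tags <repo-url>` output.
# v0.0.72 is modelled as an annotated tag: tag object first, peeled commit (^{}) second.
sample_ls_remote() {
  printf '%s\t%s\n' \
    1111111111111111111111111111111111111111 'refs/tags/v0.0.63' \
    2222222222222222222222222222222222222222 'refs/tags/v0.0.72' \
    abcdef0123456789abcdef0123456789abcdef01 'refs/tags/v0.0.72^{}' \
    3333333333333333333333333333333333333333 'refs/tags/v0.0.73'
}

# Print the commit a tag points at. The peeled entry wins, because for an
# annotated tag the plain ref line carries the tag object's hash, not the commit.
resolve_tag_commit() {
  printf '%s\n' "$2" | awk -v ref="refs/tags/$1" '
    $2 == (ref "^{}") { peeled = $1 }
    $2 == ref         { direct = $1 }
    END {
      if (peeled != "")      print peeled
      else if (direct != "") print direct
      else                   exit 1
    }'
}

# Return 0 if the pinned SHA (7-40 lowercase hex chars) is a prefix of the tag's commit,
# 1 on mismatch, 2 on a malformed pin, 3 if the tag is not in the listing.
verify_pin() {
  tag=$1; pinned=$2; listing=$3
  case $pinned in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#pinned}" -ge 7 ] && [ "${#pinned}" -le 40 ] || return 2
  commit=$(resolve_tag_commit "$tag" "$listing") || return 3
  case $commit in
    "$pinned"*) return 0 ;;
    *)          return 1 ;;
  esac
}
```

With network access, the listing argument would be the output of `git ls-remote --tags <repo-url>` instead of the constructed sample.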

@ralphbean ralphbean added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit 081a1bf Jul 1, 2026
27 checks passed
@ralphbean ralphbean deleted the update-openshell-0.0.72 branch July 1, 2026 03:18
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jul 1, 2026


🤖 Finished Retro · ✅ Success · Started 3:22 AM UTC · Completed 3:27 AM UTC
Commit: ae74166 · View workflow run →

@fullsend-ai-retro


Retro: PR #2798 — chore(deps): update OpenShell to 0.0.72

Timeline

  1. 2026-06-30 19:36 — ralphbean opened PR #2798, a 2-file, 4-line dependency version bump (OpenShell 0.0.63 → 0.0.72), noting that 0.0.73 introduced a breaking change.
  2. 2026-06-30 19:39 — Review agent completed.
  3. 2026-06-30 19:46 — Review agent posted CHANGES_REQUESTED with a single HIGH finding: [protected-path] .github/scripts/openshell-version.sh is under a protected path with no linked authorizing issue.
  4. 2026-06-30 20:09 — ben-alkov approved (human).
  5. 2026-06-30 20:36 — waynesun09 approved (human) with a thorough verification including local A/B testing of 0.0.72 vs 0.0.73.
  6. 2026-07-01 03:18 — PR merged.

Assessment

The review agent's CHANGES_REQUESTED verdict was governance noise on a straightforward human-authored dependency bump. The protected-path finding is technically correct (.github/scripts/ matches the .github/ protected prefix), but using CHANGES_REQUESTED for this class of change creates friction without adding safety value — both humans approved without hesitation.

Proposals: None (existing issues provide full coverage)

Every improvement opportunity identified is already tracked by open issues:

| Opportunity | Existing Issue |
| --- | --- |
| Downgrade protected-path severity for human-authored PRs | #1551 |
| Don't use CHANGES_REQUESTED for governance-only findings the fix agent can't resolve | #1068 |
| Refine .github/ protected path to target specific subdirectories (workflows, not scripts) | #2614 |
| Downgrade protected-path severity for dependency update PRs | #2588 |
| Use COMMENT verdict instead of CHANGES_REQUESTED for informational findings | #2115 |

This PR is a good motivating example for prioritizing #1551 and #1068 — together they would eliminate the false friction seen here.
