feat: add event bus, task outcomes, diff policy, sandbox provider (#398, #396, #395, #394) #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AI-powered breaking change detector for the agent-governance-toolkit. | |
| # Critical for published PyPI packages — detects removed/renamed public APIs, | |
| # changed function signatures, modified exports in __init__.py, and changed | |
| # exception types. Posts findings as a PR comment with severity ratings. | |
| name: AI Breaking Change Detector | |
| # SECURITY: Uses pull_request_target for write access to post PR comments. | |
| # All checkouts pin to BASE ref (never HEAD) to prevent RCE via modified | |
| # composite actions in fork PRs. See MSRC Case 111178. | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened] | |
| branches: [main] | |
| paths: | |
| - "packages/*/src/**" | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| models: read | |
| jobs: | |
| detect-breaking-changes: | |
| name: API Compatibility Check | |
| runs-on: ubuntu-latest | |
| if: >- | |
| github.event.pull_request.draft == false && | |
| github.actor != 'dependabot[bot]' | |
| continue-on-error: true | |
| steps: | |
| - name: Fork safety check | |
| if: github.event.pull_request.head.repo.full_name != github.repository | |
| run: echo "::notice::Running on fork PR — composite action resolved from base branch (safe)" | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| # SECURITY: pull_request_target defaults to base branch checkout (safe). | |
| # Do NOT add ref: head.sha — see MSRC Case 111178. | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| - name: Run breaking change analysis | |
| uses: ./.github/actions/ai-agent-runner | |
| with: | |
| agent-type: breaking-change-detector | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| model: gpt-4o | |
| fallback-model: gpt-4o-mini | |
| max-tokens: "4000" | |
| context-mode: pr-diff | |
| output-mode: pr-comment | |
| custom-instructions: | | |
| You are an API compatibility analyzer for microsoft/agent-governance-toolkit. | |
| These packages are published to PyPI — breaking changes affect downstream users. | |
| Analyze the diff for: | |
| 1. **🔴 Removed/renamed** public functions, classes, or methods | |
| 2. **🔴 Changed function signatures** — removed params, changed types, new required params | |
| 3. **🔴 Removed/changed exports** in `__init__.py` files | |
| 4. **🔴 Changed exception types** — different exceptions raised | |
| 5. **🟡 Changed default values** — may alter existing behavior | |
| 6. **🟡 Changed return types** — may break callers | |
| 7. **🔵 New public API** — not breaking, but should be documented | |
| Classification: | |
| - 🔴 **BREAKING** — will break existing code | |
| - 🟡 **POTENTIALLY BREAKING** — may break depending on usage | |
| - 🔵 **ADDITIVE** — new API, not breaking | |
| If NO breaking changes found, say so clearly with ✅. | |
| Format: | |
| ## 🔍 API Compatibility Report | |
| ### Summary | |
| (brief overall assessment) | |
| ### Findings | |
| | Severity | Package | Change | Impact | | |
| |----------|---------|--------|--------| | |
| | 🔴 | agent-os | `PolicyEngine.evaluate()` removed `strict` param | Callers using `strict=True` will fail | | |
| ### Migration Guide | |
| (if breaking changes found, suggest migration steps) |