Commit graph

360 commits

Author SHA1 Message Date
易良
55311c3b51
ci: route full CI follow-up jobs to selected runner (#6608)
* ci: route coverage comment job to selected runner

Resolves #6604

* ci: route web-shell smoke job to selected runner

Updates #6604

* ci: harden selected-runner follow-up jobs

* ci: route assigned autofix issues

* ci(autofix): preserve issue assignment gates

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-10 01:47:00 +00:00
顾盼
21cdb4a4dc
chore(cua-driver): update version refs to 0.7.1 + add fix doc (#6616)
Bump baked version in install scripts, CD workflow default, and
README examples to 0.7.1 so the release pipeline picks up the
correct version. Add docs/0.7.1-coord-norm-fixes.md documenting
all fixes in this release.
2026-07-09 14:43:58 +00:00
易良
a6902c5d46
ci(autofix): per-issue concurrency, route cancel-in-progress, assigned trigger (#6609)
- Change issue-autofix concurrency group from global `qwen-autofix-issue`
  to per-issue `qwen-autofix-issue-${{ issue_number }}`, allowing multiple
  issues to be fixed in parallel instead of serializing all runs.

- Add concurrency group to the route job with `cancel-in-progress: true`,
  so stacked empty runs from rapid label events cancel each other instead
  of queuing up (previously 9+ runs queued for 39+ minutes).

- Add `assigned` event trigger: when an issue is assigned to the autofix
  bot, the route job routes directly to the issue phase, bypassing the
  label gates. The assignee itself serves as the trust signal.

Co-authored-by: Qoder <noreply@qoder.com>
2026-07-09 13:46:50 +00:00
Shaojin Wen
41c405b3bf
feat(review): post Suggestion findings as inline comments (#6593)
Suggestion-level findings were routed to a single updatable issue comment
(the "suggestion summary") while only Critical findings became inline review
comments. That split traded away two things that turned out to matter more
than the convergence it bought:

- An issue comment has no lifecycle. GitHub folds an inline review thread away
  as Outdated once the author edits the line it is anchored to, so an addressed
  finding removes itself from the page. The summary comment just sits in the PR
  conversation forever; PATCHing it to "all addressed" replaces its content but
  not the comment. The mechanism meant to prevent clutter was the clutter.
- A Markdown table cannot carry a one-click fix. GitHub renders a ```suggestion
  fence as an applicable change only inside a review comment on a diff line.
  Suggestion findings are exactly the mechanical, localized cleanups that
  benefit most from one-click apply, so the split withheld the feature from the
  findings that needed it most.

Both severities now post as inline comments, distinguished by a **[Critical]**
or **[Suggestion]** body prefix. The `qwen review post-suggestions` subcommand
and its plumbing are removed.

Follow-on changes required by the reroute:

- pr-context: the "Previous suggestion summary" section is gone. Legacy summary
  comments are still recognised so they stay out of "Already discussed", but the
  exclusion is now marker-only rather than author-gated. The author check missed
  summaries posted by the *other* identity: /review runs as a maintainer locally
  and as qwen-code-ci-bot in CI, and roughly half of the last 60 PRs carry a
  bot-authored summary. Those leaked into "Already discussed" and told the review
  agents not to re-report the findings listed there. The check originally guarded
  promotion into a trusted rendering section; that section no longer exists, so
  it only gated exclusion, where a third party embedding the marker merely hides
  their own comment.

- qwen-autofix: the workflow filters "suggestion summaries" out of the autofix
  bot's actionable queue, but only on the issue-comment channel. With Suggestions
  now inline, they entered the unfiltered inline channel and the bot would apply
  non-blocking recommendations and spend a review round on them. The inline
  channel now applies the same gate, keyed on the **[Suggestion]** prefix plus
  the /review footer so a human quoting the prefix stays actionable.

- Step 7 gains a 422 fallback. Create Review is all-or-nothing, so one Suggestion
  anchored outside the diff would take the Critical findings down with it — a risk
  that did not exist when Suggestions travelled on a line-agnostic issue comment.
  GitHub's 422 does not name the offending entry, so the model rechecks anchors
  against the diff, relocates failing Criticals into the body, discards failing
  Suggestions, and degrades to an all-prose review rather than posting nothing.
  COMMENT reviews now always carry a one-line body: an empty body is only known
  to be accepted alongside inline comments on REQUEST_CHANGES, and a Suggestion-
  only review is the common case for a clean PR.
2026-07-09 12:39:10 +00:00
易良
2a1807f08d
fix(ci): detect silent triage failures with empty-response check (#6566)
* fix(ci): detect silent triage failures with empty-response check

The qwen-triage workflow relied on qwen-code-action to surface failures,
but when the CLI exited 0 with empty output the step reported success
with no triage comments posted. Add a post-step that checks the action's
summary output and fails the job if it is empty, making silent failures
visible in the Actions log.

Defense-in-depth for QwenLM/qwen-code#6553 (primary fix in
qwen-code-action).

* ci: bump qwen-code-action pin to 6d08e91

Picks up the stderr visibility fix (QwenLM/qwen-code-action#12) that
always emits stderr to the step log and warns on empty responses.
Bumps all 5 workflows pinned to the action.

* fix(ci): pass triage summary through env
2026-07-09 11:10:44 +00:00
Copilot
f2885a09b1
fix(ci): add retry logic to VSCode IDE Companion publish steps (#6574)
* Initial plan

* fix(ci): add retry logic to VSCode IDE Companion publish steps

The publish step failed due to a request timeout when publishing the
universal VSIX to the VS Code Marketplace. Add retry logic (up to 3
attempts with 15s delay) to both the Microsoft Marketplace and OpenVSX
publish steps to handle transient network failures gracefully.

Closes #6550

* fix(ci): make OpenVSX publish retries idempotent

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
2026-07-09 09:54:27 +00:00
ermin.zem
5c82857fea
Add harness infrastructure for web-shell package (#6517)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
E2E Tests / web-shell Browser Regression (push) Waiting to run
* test(web-shell): add browser and lint harness

* test(web-shell): harden browser smoke harness

* fix(web-shell): guard mock daemon model state

* test(web-shell): remove unused scenario harness

* fix(web-shell): remove stale lint disables

* test(web-shell): make matchMedia stub writable

* fix(web-shell): exclude tests from package typecheck

* test(web-shell): tighten mock daemon route contract

* Update packages/web-shell/client/e2e/utils/mockDaemon.ts

Co-authored-by: qwen-code-ci-bot <qwen-code-ci@service.alibaba.com>

* test(web-shell): clear stale SSE connections

* ci(web-shell): gate smoke on full CI profile

---------

Co-authored-by: ermin.zem <ermin.zem@alibaba-inc.com>
Co-authored-by: qwen-code-ci-bot <qwen-code-ci@service.alibaba.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
Co-authored-by: 易良 <1204183885@qq.com>
2026-07-09 08:11:58 +00:00
易良
ba709c2c2c
ci(autofix): Add single-target scheduler (#6547)
* ci(autofix): add single-target scheduler

* ci(autofix): handle failed PR checks in scheduler

* ci(autofix): remove scheduler plan doc

* ci(autofix): watermark failed PR checks

* ci(autofix): harden failed check feedback

* ci(autofix): count review-address failures

* ci(autofix): include review-address failures in feedback
2026-07-09 01:05:02 +00:00
Shaojin Wen
e3e449fc4c
feat(autofix): extend review loop to all dev-bot PRs, add real-time triggers (#6528)
* feat(autofix): extend review loop to all dev-bot PRs, add real-time triggers

* fix(autofix): address review feedback — trusted checkout, sender gate, in-repo check, issue comments

* fix(autofix): address suggestion feedback — API warning, bot comment filter, branch prefix doc, test coverage

* fix(autofix): drop pull_request_review_comment trigger to avoid redundant runs
2026-07-08 14:18:17 +00:00
易良
010bedfc88
fix(autofix): report review handoff failures (#6415)
* fix(autofix): report review handoff failures

* fix(autofix): distinguish terminal review handoffs

* fix(autofix): harden review handoff reporting

* test(autofix): cover agent failure handoff marker

* fix(autofix): avoid hanging on destroyed log stream

* fix(autofix): harden handoff failure reporting

* fix(autofix): detect split loop guard output

* fix(autofix): kill timed-out qwen process group
2026-07-07 12:27:13 +00:00
Salman Chishti
df6be035e1
Upgrade GitHub Actions for Node 24 compatibility (#5157)
* Upgrade GitHub Actions for Node 24 compatibility

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

* ci: update remaining checkout pins

---------

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
Co-authored-by: 易良 <1204183885@qq.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
2026-07-07 12:17:22 +00:00
易良
5f7b57f933
fix(autofix): improve review addressing and verification (#6382)
* fix(autofix): run verification before committing

* ci(autofix): trigger review addressing on feedback

* fix(autofix): narrow npm command allowlist

* fix(autofix): address review workflow guards

* fix(autofix): keep review addressing on scheduled sweep
2026-07-06 14:10:58 +00:00
易良
0c28ddc180
ci(autofix): move agent prompts into a project skill (#6306)
* ci(autofix): move agent prompts into project skill

* ci(autofix): avoid rewriting bot branch history

* fix(ci): address autofix skill review comments

* fix(ci): preserve autofix skill guardrails

* fix(ci): restore autofix review self-check

* test(ci): pin autofix review self-check

* fix(ci): tighten autofix skill guardrails

* fix(ci): restore autofix skill guardrails

* fix(ci): restore autofix merge verification guidance

* ci(autofix): add maintainer comment dry-run trigger

* fix(autofix): expand skill prompt in workflow

* fix(autofix): preserve qwen failure artifacts

* fix(autofix): move prompt runner into skill

* refactor(autofix): slim skill runner

* refactor(autofix): trim skill prompt

* fix(autofix): clarify verification handoff

* fix(autofix): skip issues with open bot PRs

* fix(autofix): expose existing PR context to skill

* fix(autofix): require strict null-safe TypeScript patches

* feat(autofix): formalize full pipeline phases in skill specification

Expand the autofix skill from 3 modes to an 8-phase pipeline definition
covering design, review-design, develop, verify, repair, cross-review,
and address-review. Adds bounded repair, scope creep self-check, and
structured failure classification. Future phases clearly marked.

* fix(autofix): keep skill scope to active modes

* fix(autofix): tighten manual command routing

* fix(autofix): harden comment-triggered runs

* fix(autofix): remove comment-triggered autofix route

* fix(autofix): restore review safety checks

* test(autofix): relax runner failure timeout

* fix(autofix): keep issue fixes in workflow checkout

* fix(autofix): harden review feedback handling

* fix(autofix): guard forced routing, improve runner observability (#6306)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* fix(autofix): address workflow review feedback

* fix(autofix): tighten review feedback handling

* test(autofix): trim runner test boilerplate

---------

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-07-06 06:28:16 +00:00
易良
e3906392b5
perf(ci): optimize autofix pipeline — fast-track, skip duplicate build, scoped tests (#6315)
* perf(ci): optimize autofix pipeline — fast-track, skip duplicate build, scoped tests (#6196)

Three optimizations to reduce autofix wall-clock from ~48 min to ~28-35 min:

1. Fast-track decision: skip LLM assessment for trusted triggers
   (workflow_dispatch with explicit issue, issues:labeled event).
2. Skip duplicate build: set QWEN_SKIP_PREPARE=1 so npm ci does not
   re-run the prepare hook that builds+bundles before the explicit
   build step.
3. Scoped verification tests: run only changed-file tests via
   --changed instead of full per-package suites. Full regression
   is covered by regular CI on the PR.

Also hardens live test gating (require QWEN_CODE_RUN_LIVE_TESTS=1)
and increases crawler test timeout to 30s.

* refactor(ci): simplify verification gate package discovery

Replace 30-line inline Node script with the original one-liner
`grep -oE '^packages/[^/]+'`. The Node script checked for
package.json existence and test scripts, but `--if-present` already
handles missing test scripts and all workspace dirs have package.json.

Addresses design-review item #7.

* fix(ci): tighten autofix changed-test gate
2026-07-05 02:32:04 +00:00
易良
905c5c95a7
fix(ci): skip stale PR review runs (#6313)
* fix(ci): skip stale PR review runs

* test(ci): trigger review cancellation

* fix(ci): make PR review cancellation interruptible

* fix(ci): block stale review comment writes
2026-07-04 20:15:30 +00:00
易良
ba7561af49
fix(ci): Stop review bots for closed PRs (#6304)
* fix(ci): stop review bots for closed PRs

* test(ci): scope closed review workflow assertions

* test(ci): cover closed PR review guards
2026-07-04 14:16:47 +00:00
易良
e48999ddb2
fix(ci): require maintainer-applied autofix/approved label for tier-1 fast-path (#6276)
* fix(ci): require maintainer-applied `autofix/approved` label for tier-1 fast-path

The scheduled scan and `issues:labeled` event paths in `qwen-autofix.yml`
previously trusted the `status/ready-for-agent` label alone, which is
applied by an LLM reading untrusted issue text. An attacker could craft
issue content to trick the triage LLM into labeling it ready, bypassing
human review.

Introduce an `autofix/approved` label that only maintainers (write+
permission) can apply. Both the cron scan and event-triggered paths now
require this label alongside `status/ready-for-agent` before entering the
autonomous fix pipeline (dual-factor: LLM signal + human confirmation).

Also:
- `release.yml` automatically adds `autofix/approved` on workflow-created
  release-failure issues (trusted source, preserves existing automation)
- Forced-issue path (non-dispatch) also checks for the new label
- Claim step strips `autofix/approved` to keep processed issues clean

Closes #5634

* fix(ci): address autofix approval review

* fix(ci): address autofix approval follow-ups

* test(ci): cover autofix approval gate

* fix(ci): harden autofix approval revalidation

* fix(ci): avoid autofix approval retry loop

* fix(ci): harden autofix claim handling

* fix(ci): clarify autofix reapproval label

* fix(ci): make autofix claim label update non-destructive
2026-07-04 08:06:27 +00:00
Barry
18e2eed19e
Clarify macOS audio prebuild artifact naming (#6275)
The macOS audio prebuild job now packages both arm64 and x64 slices from the macos-14 runner, but the artifact name still advertised only arm64. Add a matrix suffix so that upload-artifact names the macOS bundle accurately while leaving other platform names unchanged.

Constraint: Existing collect job downloads prebuilds-* and should not need a pattern change
Confidence: high
Scope-risk: narrow
Tested: actionlint v1.7.7 .github/workflows/audio-capture-prebuilds.yml
Tested: node YAML parse for .github/workflows/audio-capture-prebuilds.yml
Tested: git diff --check
2026-07-04 01:55:17 +00:00
qwen-code-dev-bot
9f87c90a50
fix(autofix): unconditionally restore tracked files before branch checkout (#6281) (#6286)
git diff --quiet exits 0 when only CRLF normalization differs (content
is identical after filter), so the conditional git restore was skipped
even though the working tree was dirty. This caused git checkout -B to
fail on NOTICES.txt. Remove the conditional guard so restore always runs.

Co-authored-by: Qwen Autofix <qwen-autofix@alibaba-inc.com>
2026-07-03 20:11:42 +00:00
易良
e1fc45d508
ci(autofix): restore sandbox image flow (#6261)
* ci(autofix): restore sandbox image flow

* test(ci): update autofix workflow assertions

* ci(autofix): restore tracked output before review checkout

* test(ci): clarify autofix workspace assertion

* style(ci): format sandbox image resolver

* ci(autofix): address sandbox review feedback

* test(ci): cover sandbox image publish gating

* ci(autofix): validate sandbox image config

* ci(autofix): address workflow review comments
2026-07-03 15:30:58 +00:00
Shaojin Wen
081c46c5bc
fix(ci): add always() to delay-automatic-review and ack-review-request (#6260)
These jobs transitively depend on precheck-pr via authorize. precheck-pr
is intentionally skipped for same-repo PRs (only runs for forks). Without
always(), GitHub Actions' default behavior propagates the skipped upstream
job, causing delay-automatic-review to be skipped even when authorize
succeeds. This breaks the entire review chain for same-repo PRs on
opened/synchronize events.

Fixes PR #5629 review not triggering.
2026-07-03 11:47:28 +00:00
顾盼
5cd459ece3
fix(mobile-mcp): add production-release environment + scope to CD workflow for npm auth (#6258) 2026-07-03 10:28:30 +00:00
顾盼
9ea309961c
fix(mobile-mcp): align CD workflow with release.yml npm auth (add scope, drop provenance) (#6257) 2026-07-03 09:37:21 +00:00
顾盼
972cb044d1
fix(mobile-mcp): remove lint step from CD workflow (monorepo prettier conflicts with upstream eslint) (#6255) 2026-07-03 09:16:00 +00:00
顾盼
23c6c7032a
feat(mobile-mcp): vendor mobile-mcp with opt-in 0-1000 relative coordinates (#6235)
* Squashed 'packages/mobile-mcp/' content from commit c5d7d27fd

git-subtree-dir: packages/mobile-mcp
git-subtree-split: c5d7d27fd61e4762e15ae4b1c68b6c011be88bb7

* feat(mobile-mcp): vendor mobile-mcp with opt-in 0-1000 relative coordinates

Fork mobile-next/mobile-mcp (v0.0.61) into packages/mobile-mcp/ via git
subtree, renamed to @qwen-code/mobile-mcp with the following additions:

Relative coordinate shim (src/coord-norm.ts):
- MOBILE_MCP_COORDINATE_SPACE=1 enables 0-1000 normalized coordinates
- MOBILE_MCP_COORDINATE_SCALE configurable (default 1000, 999 for mobile_use)
- Input denormalization for click/double_tap/long_press/swipe
- Output normalization for list_elements and get_screen_size
- Tool description rewriting when enabled
- Default off = zero behavior change

Android enhancements:
- mobile_install_app: -r/-g/-d/-t install flags (Android only)
- mobile_ui_dump: full UIAutomator XML hierarchy dump
- mobile_adb_pull / mobile_adb_push: file transfer via ADB

Infrastructure:
- cd-mobile-mcp.yml: npm publish workflow (tag mobile-mcp-v*)
- scripts/sync-from-upstream.sh: git subtree pull for upstream sync
- .vendored-from / .vendored-patches.md: vendoring metadata
- Upstream telemetry disabled by default
- eslint.config.js: exclude packages/mobile-mcp from root lint

* chore(mobile-mcp): update package-lock.json for workspace dependencies

* fix(mobile-mcp): quote all YAML strings to pass yamllint

* fix(mobile-mcp): fix cd workflow yaml to pass both yamllint and actionlint

* fix(mobile-mcp): address review findings on our additions

- ensureScreenSize: log warning instead of silent failure (#4)
- invalidateScreenSize on orientation change (#5)
- adb_push: path.posix.resolve to prevent /sdcard/ traversal (#6)
- adb_pull: readOnlyHint → destructiveHint (writes local file) (#9)
- adb_push: remove validateOutputPath on read-source local_path (#11)
- normalizeElementResult: log error instead of bare catch (#16)
- rewriteDescription: remove dead duplicate regex (#17)
- cd workflow: add test step between build and publish (#19)

* fix(mobile-mcp): update server.json identity and fix package.json main entrypoint

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-03 08:50:27 +00:00
易良
183ad54b11
ci: add lightweight PR profiles (#6186)
* ci: add lightweight PR profiles

* fix(ci): harden lightweight profile classification

* fix(ci): harden lightweight profile edge cases

* fix(ci): report classifier invocation failures

* fix(ci): tighten docs-only path matching

* ci: restrict light profiles to same-repo PRs

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-03 07:40:25 +00:00
易良
e743f0e2e0
ci(autofix): run agents on dedicated ECS runners (#6207)
* ci(autofix): run agents on dedicated ECS runners

* ci(autofix): retry repository checkout

* ci(autofix): use local qwen bundle fallback

* ci(autofix): harden ECS runner failure handling

* ci(autofix): retry transient qwen runner failures

* fix(ci): proxy autofix model credentials

* fix(ci): limit ECS autofix to ready issues

* fix(ci): address autofix workflow review feedback

* fix(ci): restore autofix known bots

* chore(ci): trim autofix ECS scope

* fix(ci): consolidate autofix OpenAI proxy

* fix(ci): restrict autofix agent execution tools

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-03 07:40:07 +00:00
易良
b16baf1ffc
ci(release): optimize validation steps (#6133)
* ci(release): optimize validation steps

* fix(ci): address release validation review comments

* fix(ci): document prepare skip contract

* test(ci): cover prepare failure exit

* fix(ci): prefix prepare error logs

* fix(ci): keep release quality build artifacts

* fix(ci): address release validation comments

* fix(ci): preserve release publish hooks

* test(ci): cover prepare failure paths

* fix(ci): disable release coverage safely
2026-07-02 23:53:08 +00:00
易良
89ddc701a9
fix(ci): limit fork PR precheck to safety signals (#6178)
* fix(ci): narrow fork PR precheck gating

* fix(ci): scan PR text for leaked secrets

* test(ci): avoid token-shaped precheck fixtures

* fix(ci): trust write-access fork authors in precheck

* fix(ci): address precheck review findings

* fix(ci): resolve precheck review findings

* fix(ci): catch multiline secret sink args
2026-07-02 20:56:41 +08:00
易良
e1e99f76ff
ci: add autofix PR preparation skill (#6184) 2026-07-02 10:40:36 +00:00
易良
262186cc18
fix(ci): diagnose autofix publish credentials (#6162)
* fix(ci): diagnose autofix publish credentials

* fix(ci): harden autofix credential diagnostics
2026-07-02 07:50:08 +00:00
Shaojin Wen
60c2a639ec
fix(ci): create precheck comments via REST (#6156) 2026-07-02 13:52:42 +08:00
易良
505430320f
fix(ci): fall back to latest autofix sandbox image (#6159)
* fix(ci): fall back to latest autofix sandbox image

* fix(ci): satisfy autofix workflow lint

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-02 13:52:33 +08:00
易良
3026db3039
fix(ci): allow prechecked fork PR automation (#6160)
* fix(ci): allow triage for fork PRs that pass safety precheck

Fork PRs by non-write authors were blocked from triage even when the
safety precheck passed, because the authorize job gates on write
permission. Triage is read-only (checks out trusted base code, reads PR
via API), so precheck pass is sufficient to run it safely.

Split the pull_request_target and issue_comment authorization paths:
- pull_request_target: accept write permission OR precheck pass
- issue_comment /triage: still require write permission on the commenter

tmux-testing is unchanged — it executes PR code and must keep the write
permission gate.

* fix(ci): allow prechecked fork PR automation

* docs(ci): clarify PR review authorization routing

* test(ci): guard fork precheck authorization

* fix(ci): tighten fork precheck review guards

* test(ci): guard review-request authorization
2026-07-02 13:52:25 +08:00
易良
4537cc3c71
fix(ci): use CI_BOT_PAT for precheck comment on fork PRs (#6151)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
* fix(ci): use CI_BOT_PAT for precheck comment on fork PRs

The precheck workflow's "Upsert/Clear manual approval comment" steps
fail with HTTP 403 on fork PRs because `github.token` from
`pull_request_target` via `workflow_call` lacks sufficient permissions
to read/write issue comments.

- Use `secrets.CI_BOT_PAT || github.token` for the comment steps
- Add `secrets: inherit` to both caller workflows so the reusable
  workflow can access CI_BOT_PAT
- Drop the `.user.login == "github-actions[bot]"` filter from the jq
  query since the HTML comment marker is sufficient and the posting
  user may differ depending on which token is used

* fix(ci): scope precheck comment dedup to known bot users

Narrow the jq filter to match comments from github-actions[bot],
qwen-code-ci-bot, or any Bot-type user — prevents a manually posted
marker from hijacking the dedup logic.

* ci: pass only precheck bot token
2026-07-02 03:04:37 +00:00
Shaojin Wen
b1c5950606
fix(ci): list workflow comments with GET (#6148) 2026-07-02 02:14:45 +00:00
Shaojin Wen
fd76550924
fix(ci): grant PR review precheck permissions (#6147) 2026-07-02 00:14:09 +00:00
易良
9031d09af3
ci: persist npm cache on self-hosted runners (#6130) 2026-07-01 19:56:07 +00:00
易良
32d2f4674d
ci: add fork PR safety precheck (#5926)
* ci: add fork PR safety precheck

* fix(ci): lint PR safety precheck script
2026-07-01 19:31:25 +00:00
易良
1287ac10ca
ci: stabilize actionlint on self-hosted runners (#6113) 2026-07-01 09:25:42 +00:00
易良
66521d8a0e
ci(autofix): fix scheduled and labeled issue triggers (#6080)
* ci(autofix): fix scheduled and labeled issue triggers

* ci(autofix): harden issue label routing

* ci(autofix): scope manual forced routing

* ci(autofix): address routing review comments

* ci(autofix): clarify issue routing comments

* fix(ci): address autofix routing review

* fix(ci): reuse issue label trigger guard

* fix(ci): preserve manual autofix issue override

* fix(ci): guard autofix label routing

* fix(ci): check autofix label sender permission

* fix(ci): address autofix route review comments

* fix(ci): serialize autofix issue runs
2026-07-01 16:23:12 +08:00
Gaurav
fc184f20e5
fix(deps): clear critical runtime audit findings (#6065)
* fix(deps): clear critical runtime audit findings

* fix(core): allow intentional worktree hooks path setup
2026-07-01 05:28:32 +00:00
Shaojin Wen
52f875a875
ci(workflows): remind authors not to force-push active PRs (#6035)
* ci(workflows): remind authors not to force-push active PRs

Add a workflow that detects force-pushes (rebase/amend/reset) to open PRs
via the pull_request_target synchronize event and posts a one-time,
bilingual reminder that force-pushing invalidates existing review comments
and that the integration bots squash all changes into a single commit
automatically. A normal push (compare status "ahead") is ignored; the
reminder is posted at most once per PR, bot-initiated pushes are skipped,
and a failed compare is treated conservatively (no comment).

* ci(workflows): address review — add issues:write, serialize without cancel

- Add `issues: write`: the listComments/createComment calls go through the
  Issues API; declaring it matches the repo's other PR-commenting workflows
  and avoids any risk of a 403 making the workflow inert.
- Set `cancel-in-progress: false`: an in-flight run that already detected a
  force-push must finish and post. The concurrency group still serializes
  runs per PR, and the once-per-PR marker prevents duplicates, so later
  pushes queue and then no-op instead of cancelling (and silently dropping)
  a pending reminder.

* ci(workflows): harden force-push detection per review

- Marker dedup now requires the comment to be from github-actions[bot], so a
  user pasting the marker string into a comment can't suppress reminders.
- Skip known automation logins (qwen-code-dev-bot et al.) that push via PAT as
  sender.type 'User', not just GitHub App bots (mirrors qwen-autofix KNOWN_BOTS).
- Narrow the compare catch to 404 (orphaned old tip -> skip); rethrow other
  errors so auth/rate failures go red instead of silently no-op'ing.
- Wrap createComment with structured error logging + rethrow.

Kept 3-dot compare and base-repo owner: verified that 3-dot returns
diverged/behind for force-pushes and that the base repo resolves fork-PR
commits, while the suggested 2-dot syntax 404s in the REST API.

* test(ci): add structural test for the force-push reminder workflow

- Add scripts/tests/pr-force-push-reminder-workflow.test.js (runs under
  test:scripts, which CI chains into test:ci). It asserts the trigger, repo
  guard, permissions, serialized concurrency, KNOWN_AUTOMATION sync with
  qwen-autofix, the 3-dot compare on the base repo, 404-vs-rethrow, the marker
  author check, and the bilingual body — locking in the reviewed behaviors.
- Wrap the listComments paginate call in the same core.error + rethrow the
  other two API calls already use.
- Note that KNOWN_AUTOMATION must stay in sync with qwen-autofix.yml KNOWN_BOTS.

* ci(workflows): drop concurrency group, rely on marker for idempotency

A concurrency group keeps at most one pending run per group, so a burst of
pushes can cancel a still-pending force-push run before it reaches the script,
dropping the reminder this workflow exists to post. Remove the group entirely:
every synchronize event now runs independently and is always evaluated, and the
once-per-PR marker provides idempotency. A rare double-post on two
near-simultaneous first force-pushes is the acceptable cost of never silently
missing one. Update the structural test to assert there is no concurrency block.

The reviewer's suggested `queue: max` is not a valid GitHub Actions concurrency
key (only `group`/`cancel-in-progress` are allowed) and fails actionlint.

* test(ci): use Qwen Team header and assert the dedup skip path

- Switch the copyright header to the prevailing `Qwen Team` (14 of 17 sibling
  test files use it; this file had copied an older Google LLC header).
- Assert the idempotency skip log line so removing the marker guard fails a test.

* test(ci): mechanically enforce KNOWN_AUTOMATION sync with qwen-autofix

Read qwen-autofix.yml's KNOWN_BOTS and assert each login is also skipped here,
so adding a bot there without updating this workflow fails the test instead of
silently drifting. Replaces the hardcoded login list whose comment overclaimed
that the sync was verified.
2026-06-30 14:55:00 +00:00
易良
c5fb9fd1e7
fix(ci): create isolated home before tests (#6071)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
2026-06-30 12:42:44 +00:00
易良
7f34cdabe1
fix(ci): stabilize merge queue checks (#6056) 2026-06-30 10:27:15 +00:00
jinye
565e4bc437
fix(cli): Guard serve fast-path bundle closure (#5995)
* fix(cli): guard serve fast-path bundle closure

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* test(cli): tighten serve fast-path bundle guard

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* codex: address PR review feedback (#5995)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* codex: address PR review feedback (#5995)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* codex: address PR review feedback (#5995)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

---------

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-06-29 14:38:32 +00:00
qqqys
30c35781b3
ci(autofix): loosen issue candidate filters so the agent finds work (#5860)
* ci(autofix): loosen issue candidate filters so the agent finds work

The scheduled issue phase had been finding 0 candidates on every run. Tier-1
requires the rarely-applied status/ready-for-agent label, and tier-2's
"unattended = no human comment at all" rule fought its ">2 days old" age
gate: on a busy repo every aged bug already has a community reply, so the
funnel collapsed (128 aged bugs -> 0 survivors) purely on the comment rule.

- Unattended now keys off maintainer engagement (OWNER/MEMBER/COLLABORATOR
  comments, excluding our own bots), not any human comment. Community
  "+1"/"me too" no longer disqualifies an issue.
- Tier-1 and tier-2 are always both gathered (tier-1 prioritized, then
  de-duped by number) so a single weak ready-for-agent issue can't starve
  the run.
- Tier-2 scans a bounded age window via MIN_ISSUE_AGE_DAYS..MAX_ISSUE_AGE_DAYS
  (1..15) to focus on fresh, settled bugs instead of an unbounded set.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* fix(ci): preserve autofix issue tier priority

* fix(ci): keep ready autofix issues in tier one

* fix(ci): reserve autofix tier two slots

* fix(ci): tolerate tier two autofix scan failures

* fix(ci): tolerate tier one autofix scan failures

* fix(ci): harden autofix candidate merging

* fix(ci): harden autofix issue scanning

* fix(ci): harden autofix diagnostics

* fix(ci): skip unsafe autofix comment fallbacks

* fix(ci): drop unused autofix comments payload

* test(ci): strengthen autofix comment refresh guard

* test(ci): satisfy autofix workflow lint

* test(ci): tighten autofix tier two assertion

* test(ci): cover autofix tier merge guards

* test(ci): cover autofix unattended filter

* fix(ci): summarize autofix comment refresh drops

* fix(ci): bound autofix tier-2 comment-refresh API calls

Cap the tier-2 issues fed into the comment-refresh loop to 15 (a margin
above the ~10 ever selected, since filter_unattended_candidates drops
attended issues afterward) and request full pages with per_page=100, to
avoid GitHub secondary rate limits. Add workflow tests asserting the
forced-issue skip/in-progress exclusion and the tier-2 ready-for-agent
label exclusion stay in place.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

* fix(ci): refresh all scanned tier-2 autofix issues, not just first 15

The previous change capped comment-refresh to the first 15 tier-2 issues
before filter_unattended_candidates runs. The scan still fetches 30, so
valid unattended bugs at positions 16-30 were never refreshed nor
filterable: if the first 15 were all maintainer-attended/dropped, the run
could end with zero candidates again — the failure this PR set out to fix.

Drop the .[0:15] refresh cap and refresh the full scanned set (already
bounded by --limit 30 on the scan). per_page=100 stays as the
pages-per-issue rate-limit mitigation, and the drop summary total/counters
reflect the full refreshed set again. Top-N selection after filtering is
unchanged.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

* fix(ci): order tier priority before recency in autofix assess prompt

The assess prompt gave two conflicting selection rules: the tier note says not to pick a tier-2 issue over a comparably actionable tier-1 one, while the recency tiebreaker says to prefer the most recently reported. Since tier-1 has no age bound and tier-2 is the recent (1-15 day) tier, these point in opposite directions for comparable confidence. Make recency apply only after the tier preference and only within the same tier, removing the contradiction. Prompt text only; no shell/jq change.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

* fix(ci): guard forced-issue jq and derive autofix comment scratch path

Address two review suggestions on the autofix candidate scan step.

- Wrap the forced-issue candidate jq in the same error guard the other
  jq calls use (tier-1/tier-2 stamp, tier merge): on malformed
  forced-issue JSON it now emits a :⚠️: and falls back to an empty
  candidate list instead of silently producing an empty candidates.json
  with no diagnostic.
- Make refresh_issue_comments reuse-safe by deriving its NDJSON scratch
  path from the output_file parameter (${output_file%.json}.ndjson)
  instead of hardcoding tier2-with-comments.ndjson, so a second call or a
  different tier can't clobber a shared scratch file. Behavior for the
  current single call is unchanged.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

---------

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <noreply@qwen.ai>
2026-06-28 23:00:13 +00:00
易良
f876f4a250
ci: allow longer PR review timeout retries (#5961) 2026-06-28 15:41:04 +00:00
Shaojin Wen
680f523853
ci(review): increase PR review timeout from 90 to 120 minutes (#5959)
Large PRs with extensive diffs across multiple packages can exceed
the 85-minute effective review window (90 - 5 buffer). The recent
run #28318973107 timed out on PR #5777 which touched acp-bridge,
serve, config, and chrome-extension packages.

Bump both the job timeout-minutes and the validation cap to 120 so
the review agent has enough headroom for complex multi-package PRs.
2026-06-28 12:53:48 +00:00
Salman Chishti
34678cfbd9
Upgrade GitHub Actions to latest versions (#3683)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
* Upgrade GitHub Actions to latest versions

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

* ci: restore ratchet annotations on upgraded actions

The action version bumps had replaced '# ratchet:owner/repo@<ver>'
annotations with bare '# vX.Y.Z' comments, which silently breaks
ratchet's ability to track and update these SHA pins. Restore the
annotations on every changed line (updated to the new major), matching
each line's pre-existing convention on main.

---------

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
2026-06-27 17:03:32 +00:00