GitHub Actions deprecates the Node 20 runtime; older versions of every
docker/* action run on Node 20 and emit the "Node.js 20 actions are
deprecated" warning in every release / e2e / image-build run today.
Each action shipped a "Node 24 as default runtime" major:
- docker/setup-buildx-action v3 → v4 (2026-03-05)
- docker/setup-qemu-action v3 → v4
- docker/metadata-action v5 → v6
- docker/login-action v3 → v4
- docker/build-push-action v6 → v7
None of our usages touch the deprecated inputs removed in the bumps —
release.yml / e2e.yml call setup-buildx with no `with:` block, and
build-and-publish-image.yml only passes the universally-supported
`images` / `tags` / `registry` / `username` / `password` / `context` /
`platforms` / `push` / `labels` / `build-args` inputs. ESM internal
refactor of each action is transparent to consumers.
Ratchet-pinned bumps use the v4.0.0 commit SHA
`4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd` (release.yml + e2e.yml).
Other action references in build-and-publish-image.yml use
`# ratchet:exclude` per existing convention, so version-string bumps
suffice there.
Verified runtime hosts (`actions/runner` v2.327.1+) are already in use
on github-hosted runners as of 2026-03; no infra bump required.
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
* test(e2e): stabilize MCP tool message flow
* ci(e2e): cancel stale main E2E runs
* test(e2e): accept paired MCP tool results
* test(e2e): stabilize monitor tool check
* test(e2e): stabilize run_shell_command file-listing assertion
The model consistently picks list_directory over run_shell_command
for file-listing prompts. Make the prompt explicit about which tool
to use, matching the approach taken for the MCP tool flow test.
* chore(deps): upgrade ink 6.2.3 -> 7.0.2 + bump Node engine to 22
ink 7 requires Node >=22 and react-reconciler 0.33 with React >=19.2,
so this PR also bumps:
- Node engines (root + cli + core) 20 -> 22
- React/react-dom 19.1 -> 19.2.4 (pinned exact via overrides to keep
the transitive React graph deduped to a single instance)
- @types/node pinned to 20.19.1 via overrides to avoid an unrelated
Dirent NonSharedBuffer regression in sessionService tests
- @vitest/eslint-plugin pinned to 1.3.4 to avoid an unrelated lint
regression introduced by the 1.6.x rule additions
- react-devtools-core 4.28 -> 6.1 (ink 7 peerOptional requires >=6.1.2)
- ink hoisted to root devDeps so workspace-private peer-dep contention
doesn't push ink-link/spinner/gradient into nested workspace
installs (which would skip transitive resolution for terminal-link)
Workflow + image + installer alignment:
- .nvmrc 20 -> 22
- Dockerfile node:20-slim -> node:22-slim
- CI test matrix drops 20.x (keeps 22.x + 24.x)
- terminal-bench workflow Node 20 -> 22
- Linux/Windows install scripts upgrade their Node version targets
Documentation alignment:
- README.md badge + prerequisites
- AGENTS.md, CONTRIBUTING.md, docs/users/quickstart.md,
docs/users/configuration/settings.md, docs/developers/contributing.md,
docs/developers/sdk-typescript.md, docs/users/extension/extension-releasing.md,
packages/sdk-typescript/README.md, packages/zed-extension/README.md,
scripts/installation/INSTALLATION_GUIDE.md
Test gating:
- Two AuthDialog/AskUserQuestionDialog tests that drive <SelectInput>
through ink-testing-library now race ink 7's frame-throttled input
delivery and land on the wrong option. The maintainers had already
marked one of them unreliable (skip on Win32 + CI+Node20). Extend
that gate to cover all environments until upstream
ink-testing-library ships an ink-7-compatible release that flushes
input deterministically. The other test now uses it.skip with the
same comment. No business code changes.
Verified locally:
- npm run typecheck across all workspaces: clean
- npm run lint (root): clean
- npm run test --workspaces:
cli 312/312 files, 4918 passed, 9 skipped
core 266/266 files, 6836 passed, 3 skipped
webui 6/6, 201 passed
sdk 40/40, 283 passed, 1 skipped
- npm ls ink: single ink@7.0.2 instance across all peer deps
- single react@19.2.4 instance
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* chore: align Node 22 floor across all shipping artifacts
Reviewer (tanzhenxin) flagged five surfaces where the >=22 engine bump
leaked: SDK package metadata, web-templates engines, /doctor runtime
check, main bundler target, and SDK bundler target. Each was a separate
escape hatch letting Node 18/20 consumers install or run the artifact
on an unsupported runtime.
- packages/sdk-typescript/package.json: engines.node >=18.0.0 -> >=22.0.0
- packages/web-templates/package.json: engines.node >=20 -> >=22
- packages/cli/src/utils/doctorChecks.ts: MIN_NODE_MAJOR 20 -> 22
- esbuild.config.js: target node20 -> node22 (main CLI bundle)
- packages/sdk-typescript/scripts/build.js: target node18 -> node22 (esm + cjs)
- packages/cli/src/utils/doctorChecks.test.ts: rename test label to v22+
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* ci(e2e): bump E2E workflow Node matrix to 22.x
Reviewer (tanzhenxin) flagged that e2e.yml still pinned node-version
20.x while root engines is now >=22, so every E2E run on push would
either fail at npm ci with engine error or silently exercise the bundle
on a runtime that's no longer in ci.yml's test matrix.
The macOS job in the same workflow already reads .nvmrc (which is 22)
so this only updates the Linux matrix.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(deps): drop root wrap-ansi override so ink 7 gets its declared dep
Reviewer (tanzhenxin) flagged that the root overrides.wrap-ansi: 9.0.2
predates this upgrade and forces every consumer (including ink) to v9,
while ink 7 declares wrap-ansi: ^10.0.0. The lockfile had no nested
install under node_modules/ink/, so ink 7 was running with a transitive
dep one major below its declared minimum.
Dropping the global override lets ink resolve its own wrap-ansi 10
nested install (now visible in the lockfile under
node_modules/ink/node_modules/wrap-ansi), while the cli package's own
direct `wrap-ansi: 9.0.2` dependency keeps the cli code path
(TableRenderer.tsx) on the version it has been tested against. The
nested cliui override is preserved for yargs which still needs v7.
Verified via `npm ls wrap-ansi`:
- ink@7.0.2 -> wrap-ansi@10.0.0 (newly nested)
- @qwen-code/qwen-code -> wrap-ansi@9.0.2 (unchanged)
- yargs/cliui -> wrap-ansi@7.0.0 (unchanged)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(InputPrompt): un-skip placeholder ID reuse after deletion
Reviewer (tanzhenxin) flagged that the new it.skip on the
'should reuse placeholder ID after deletion' test was undisclosed in
the PR description and removed coverage of real product behavior
(freePlaceholderId / bracketed-paste backspace path) without a
TODO(#NNNN) link.
Their argument was sound: the skip rationale pointed at ink 7's input
throttle, but this same file just bumped the wait helper from 50ms to
150ms specifically to give ink 7 frame time. Re-running the test under
the bumped wait shows it passes reliably (5/5 runs in the full-file
context, 9/10 alone), so the skip was masking the throttle-flake that
the wait bump already addresses, not a real product bug.
Drop the it.skip and the now-stale comment so coverage of the
freePlaceholderId reuse logic is restored.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(InputPrompt): bump first prompt-suggestion test wait to 350ms
The "accepts and submits the prompt suggestion on Enter when the buffer
is empty" test is the first in its describe block, so it pays the
renderer cold-start cost. On macOS-22.x CI runners that pushes the
Enter → onSubmit microtask past the default 150ms post-Enter wait. Match
the 350ms initial render wait used immediately above to absorb the cold
start.
* Revert "test(InputPrompt): bump first prompt-suggestion test wait to 350ms"
This reverts commit 6add83b62e.
* test(InputPrompt): wait for followup suggestion debounce before pressing Enter
Root cause of the failing prompt-suggestion tests on macOS and Windows
CI is not flaky timing of the test post-Enter wait — it's the 300ms
debounce inside createFollowupController.setSuggestion (shared core).
The Enter handler reads followup.state.isVisible synchronously, so if
the debounce timer has not fired before stdin.write('\\r'), the
suggestion path is skipped and onSubmit never runs. No amount of
post-Enter wait can recover from that — the keypress was already
processed against stale state.
The original wait(350) only left ~50ms margin over the 300ms debounce,
which ink 7 / React 19.2 mount overhead consumed on slow Windows
runners. Bump the initial wait to 700ms (named SUGGESTION_VISIBLE_WAIT_MS)
to give the debounce timer + cold-start render a generous buffer.
Apply to the two sibling tests too — without the wait their "does not
accept" assertions pass trivially when suggestion is never visible,
which is a false green that hides regressions in the actual reject path.
* fix(deps): align cli wrap-ansi with ink 7 (9.0.2 -> ^10.0.0)
Ink 7 ships its own wrap-ansi@10. CLI's direct dep was pinned to 9.0.2,
causing two copies of wrap-ansi in node_modules and a potential drift in
CJK width / ANSI handling between ink's internal text wrapping and our
TableRenderer.
Upgrading the CLI's direct dep to ^10.0.0 lets npm dedupe to a single
wrap-ansi@10 used by both ink and TableRenderer. API surface is
identical; the only documented behaviour change is that tabs are
expanded to 8-column tab stops before wrapping, which TableRenderer
doesn't feed in.
TableRenderer test suite (43 tests) passes against wrap-ansi@10.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* chore(deps): document @types/node 20.x pin in overrides
The override pinning @types/node to 20.19.1 (while engines require
Node >=22) is intentional: bumping to @types/node@22.x re-introduces
a Dirent<NonSharedBuffer> type regression that breaks
@qwen-code/qwen-code-core/sessionService tests.
Add a sibling "//@types/node" note inside `overrides` so future
maintainers see the rationale and know when to revisit the pin
without having to dig through PR #3860 history.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(AskUserQuestionDialog): link skipped Submit-tab test to tracking issue
The 'shows unanswered questions as (not answered) in Submit tab' test
was switched to `it.skip` in the ink 7 upgrade because
`ink-testing-library@4.0.0` doesn't flush input deterministically
through ink 7's 30fps throttle.
Add a `// TODO(#4036):` marker so the skip is greppable and can be
re-enabled once upstream ships an ink-7-compatible release.
Refs #4036
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(deps): move @types/node pin comment out of overrides block
npm's `overrides` field requires every key to be a real package name —
the `"//@types/node"` comment-key added in 205855875 trips Arborist with
"Override without name" and breaks `npm ci` across all CI jobs.
Move the explanation to a sibling top-level `"//overrides"` key, which
npm ignores at the document root. Same documentation value, no
override-parser collateral damage.
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(sdk-python): replace verbatim release notes inheritance with --generate-notes
The previous implementation fetched the entire body of the previous GitHub
release and appended it to the new release notes. Because each release body
already contained the body of the one before it, this created a linear chain
that grew with every stable release — eventually hitting GitHub's 125 KB
release body limit.
Replace the body-chaining approach with GitHub's built-in --generate-notes
flag, which auto-generates a bounded, PR-based changelog scoped between two
tags via --notes-start-tag. The SDK metadata header (package name + version)
is preserved via --notes-file, which GitHub prepends above the auto-generated
changelog.
For the first-ever release (no previous SDK tag), --generate-notes is skipped
to avoid pulling in unrelated non-SDK commits, falling back to a static
"Initial release" message instead.
Closes#3796🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): address review comments on release notes
- Rename NOTES_START_TAG_FLAG → NOTES_START_TAG_ARG (contains key-value
pair, not just a flag)
- Fix misleading "Initial release" message — PREVIOUS_RELEASE_TAG is empty
for all nightly/preview releases, not just the first release
- Add comments explaining why old error handling is safe to remove
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): validate previous tag exists before using --notes-start-tag
If a prior release published to PyPI but failed to create a GitHub
release/tag, the tag won't exist in Git. Using --notes-start-tag with
a nonexistent tag would cause gh release create to fail after PyPI
publish, leaving a partial release state.
Add a git rev-parse check before using --notes-start-tag. When the tag
is missing, fall back to static notes with a :⚠️: annotation,
ensuring the GitHub release is always created.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): clarify else-branch comment covers first stable + preview/nightly
The comment previously implied the else-branch was only for
preview/nightly, but PREVIOUS_RELEASE_TAG is also empty for the
very first stable release (no prior stable version on PyPI).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): use Bash array for gh release args to fix SC2086 lint
ShellCheck SC2086 flags unquoted variables containing spaces
(NOTES_START_TAG_ARG holds "--notes-start-tag sdk-python-v0.1.0").
Replace string-based flag variables with a Bash array that is expanded
via "${GH_RELEASE_ARGS[@]}" — properly quoted and shellcheck-safe.
Also consolidates the prerelease flag into the same array, removing the
now-unused PRERELEASE_FLAG variable.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(sdk-python): extract PREVIOUS_TAG_NAME to reduce repetition
DRY improvement: sdk-python-${PREVIOUS_RELEASE_TAG} was repeated 3
times. Extract into a local PREVIOUS_TAG_NAME variable, symmetric with
the existing TAG_NAME at the top of the script.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* ci(release): skip CI on auto-generated version-bump PRs
Append `[skip ci]` to both the bump commit message and the
release-PR title in `release.yml` and `release-sdk.yml`.
The PR title doubles as the squash-merge commit message on `main`,
so adding `[skip ci]` there is required to skip CI when the release
PR is auto-merged into `main`.
Affected flows:
- release.yml -> chore(release): vX.Y.Z
- release-sdk.yml -> chore(release): sdk-typescript vX.Y.Z
These PRs only bump `package.json` / `package-lock.json` versions
and do not need the full lint/test/CodeQL matrix to run on PR open,
on the release branch push, or on the post-merge push to `main`.
* ci(release): make skip-ci squash subject explicit
* ci(release): scope skip-ci to the squash commit and bind RELEASE_TAG
Two follow-ups on the release-PR skip-ci change:
- Drop `[skip ci]` from the release-branch commit. Putting it there
also suppressed `push: tags: [v*]` workflows because the release
tag points at the release-branch tip, so `Build and Publish Docker
Image` would silently skip when the release was tagged. Keeping the
marker only on the squash subject preserves the "do not re-run CI
on main" goal without affecting tag pushes.
- Export `RELEASE_TAG` to the `Enable auto-merge for release PR` step
in both workflows. The step runs under `set -euo pipefail`, so the
new `--subject` referencing `${RELEASE_TAG}` would otherwise crash
with `unbound variable` and abort the merge.
The follow-up bot occasionally posted comments where paragraph and
list breaks collapsed onto a single line because the agent emitted a
literal `\n` (backslash + n) inside the `--body` argument. Bash
double-quoted strings do not interpret that escape, so it reached
GitHub verbatim (see comment 4396808119 on issue 3914).
Two changes:
- Add explicit prompt guidance reminding the agent that `--body`
needs real newline characters, with concrete multi-line and
ANSI-C-quoted examples.
- Normalize literal `\n` to a real newline in the `--body` value
inside the safe-gh shim, just before exec, so future model drift
does not regress the rendering.
* ci: add issue follow-up bot workflow
* ci: gate issue follow-up bot rollout
* ci: reduce issue follow-up batch size
* ci: address issue follow-up bot review
* ci: add temporary issue bot canary
* ci: fix canary verification
* ci: dedupe bot token issue comments
* ci: remove temporary issue bot canary
* ci: avoid repeated issue bot followups
* ci: simplify issue follow-up bot prompt
* ci: refine issue follow-up bot flow
* ci: harden issue follow-up bot workflow
* ci: harden issue follow-up bot rollout
* ci: enforce follow-up bot dry-run writes
* ci: redact blocked bot command args
* ci: lock follow-up bot gh wrapper to current repo
- Require explicit `--repo <expected>` on every gh command path; reject
any --repo value that does not match REPOSITORY/GITHUB_REPOSITORY so a
poisoned issue body cannot redirect bot writes to another repo.
- Add OPENAI_BASE_URL to the secret-scrubbing list so an internal proxy
URL is not echoed into comments or labels.
- Print the resolved DISPATCH_DRY_RUN / ISSUE_OPENED_DRY_RUN /
SCHEDULE_DRY_RUN inputs alongside the resolved dry_run state for
easier debugging of automatic vs manual paths.
* ci: tighten follow-up bot wrapper and trim noise
- Fold the repo-match check into validate_issue_edit_args /
validate_issue_comment_args; replace the standalone require_explicit_repo
with a smaller require_repo_match used only by the read-only paths.
- Add an upfront guard that fails fast when expected_repo is unset,
and document the positional subcommand match.
- Drop the configuration-notice job: it warned on every issues.opened
and cron tick when QWEN_ISSUE_FOLLOWUP_BOT_ENABLED was unset, which
is the default state.
- Remove the redundant BOT_GITHUB_TOKEN re-export at step level
(already inherited from the workflow env).
- Invert the dry_run resolution so every branch starts from `true` and
flips to `false` on explicit opt-in, removing the duplicate assignments.
- Collapse the multi-line dry-run debug block into a single state line.
- Note in the prompt that global flags and short aliases (`-b`, `-F`)
are rejected by the runner so the model only emits long-form gh
commands.
* ci: fix shim reject logs to include full subcommand context
Agent-Logs-Url: https://github.com/QwenLM/qwen-code/sessions/1cf8097d-b747-4838-a206-63a11352facc
Co-authored-by: yiliang114 <11473889+yiliang114@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: yiliang114 <11473889+yiliang114@users.noreply.github.com>
* feat(sdk-python): add pypi release workflow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): build cli before smoke test
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten release conflict handling
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): harden python release workflow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten stable release guards
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): harden prerelease publish flow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): reuse release branches on rerun
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): resume incomplete releases
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(release): tighten missing-release checks
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): resume stable release reruns
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten release recovery guards
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(sdk-python): cover release version edge cases
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address release workflow review feedback
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* refactor(sdk-python): address review feedback on release version script
- Remove unreachable `if (type === 'stable')` branch in bumpVersion();
the stable path was dead code since getVersion() throws for all
stable conflicts before calling bumpVersion(). Move nightly conflict
throw to the call site for symmetry.
- Rename getNextPatchBaseVersion → getNextBaseVersion to reflect that
the function can return a prerelease base without incrementing patch.
- Add test for preview+nightly coexistence where nightly base is higher.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): address remaining review feedback on release workflow
- Fix failure-issue gate to read github.event.inputs.dry_run directly
instead of steps.vars.outputs.is_dry_run (which is empty when early
steps fail). Add --repo flag for gh issue create when checkout failed.
- Add diagnostic state table to failure-issue body (RELEASE_TAG,
PACKAGE_VERSION, PUBLISH_CHANNEL, RESUME_EXISTING_RELEASE, etc.)
- Fix release-notes error swallow: only silence release not found /
Not Found / HTTP 404, emit :⚠️: for other gh release view errors.
- Improve validateVersion error messages to use human-readable format
keys (X.Y.Z, X.Y.Z-preview.N) matching TS sibling convention.
- Filter fully-yanked versions in getAllVersionsFromPyPI.
- Add console.error log when stable is derived from nightly.
- Add bash regex guard for inputs.version to prevent shell injection.
- Use per-release-type concurrency groups (nightly/preview/stable).
- Add jq null-guard checks for all 6 field extractions.
- Remove misleading --follow-tags from git push (lightweight tags).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): rename misleading test description
The test asserts that preview/nightly releases return empty
previousReleaseTag, but the name said "same-channel previous
release tags" which implied non-empty values.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): address unresolved review comments on release workflow
- Remove -z check in extract_field() that blocked preview/nightly releases
(previousReleaseTag is legitimately empty for non-stable releases)
- Use static environment.url since step outputs aren't available at job startup
- Use skip-existing for resumed PyPI publish to fill in missing artifacts
- Add AbortSignal.timeout(30s) to PyPI fetch to prevent indefinite hangs
- Add downgrade guard for stable_version_override
- Use GHA :⚠️: annotation instead of console.error for visibility
- Separate yanked/non-yanked version lists so conflict detection includes
yanked versions (PyPI still reserves those slots)
- Filter current release from previousReleaseTag to avoid self-reference on resume
- Add tests for yanked conflict detection, downgrade guard, and resume previousReleaseTag
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address final review round on release version script
- Fix getNextBaseVersion() first-release skip: use pyproject.toml version
directly when PyPI has no stable versions instead of unconditionally
incrementing
- Fix getNextBaseVersion() off-by-one: change > to >= so equal prerelease
base continues the existing line instead of incrementing patch
- Add :⚠️: annotation when preview auto-bumps due to orphan git
tags (tag exists without PyPI version or GitHub release)
- Add set -euo pipefail to 5 workflow steps missing it: release_branch,
persist_source, Create GitHub release, Delete prerelease branch, Create
issue on failure
- Fix 2 existing tests affected by first-release change, add 4 new tests
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): use stderr for GHA warning annotations to avoid corrupting JSON stdout
console.log writes to stdout, which gets captured by VERSION_JSON=$(node ...)
in the workflow and corrupts the JSON output for jq. Switch to console.error
so :⚠️: annotations go to stderr (GHA recognizes workflow commands on
both streams). Also add set -euo pipefail to the "Get the version" step for
consistency with other workflow steps.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
---------
Co-authored-by: jinye.djy <jinye.djy@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* docs: scaffold branch for #3247 tool execution unification
Placeholder commit to establish the branch for PR creation.
Actual refactoring will be done in subsequent commits.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* feat(core): add shared permission flow for tool execution unification
This addresses #3247 by consolidating duplicated tool execution behavior
across Interactive, Non-Interactive, and ACP modes behind shared execution
utilities.
- Add permissionFlow.ts: shared L3→L4 permission evaluation logic
- Add permissionFlow.test.ts: comprehensive test coverage (17 tests)
- Export from index.ts for use across all execution modes
Why: Permission handling logic was duplicated in CoreToolScheduler and
Session.runTool(). This shared module ensures consistent behavior across
all modes and provides a single source of truth for future fixes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(e2e): add bundle step to E2E workflow and fix canUseTool test
- Add 'npm run bundle' to E2E workflow so dist/cli.js exists for SDK tests
- Fix 'should handle control responses when stdin closes before replies' test:
- Use helper.getPath() for absolute file path
- Make prompt explicitly invoke write_file tool
- Remove inputStreamDonePromise timeout that caused false failures
- Add q.endInput() to signal stdin done
- Assert canUseTool was called and file content is updated
* fix(core): wire evaluatePermissionFlow() and address PR review feedback
Address review feedback on PR #3723:
- Wire evaluatePermissionFlow() in coreToolScheduler.ts (both call sites)
- Wire evaluatePermissionFlow() in Session.ts (ACP mode)
- Delete TOOL_EXECUTION_UNIFICATION.md (had literal \n artifacts)
- Add PermissionFlowPermission union type for stronger typing
- Document the 'default' permission state in docstring
- Use needsConfirmation/isPlanModeBlocked/isAutoEditApproved helpers
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
After a stable/patch CLI release, the release branch version bump was
never synced back to main, causing nightly versions to fall behind
stable (e.g. nightly 0.15.3 < stable 0.15.5). Add automated PR
creation and auto-merge steps (matching the existing release-sdk.yml
pattern) so package.json on main stays in sync after each release.
Resolves#3756
The repo disallows merge commits, so `gh pr merge --merge --auto` always
exits 1 — every release run goes red even when publish, tag, and PR
creation all succeed (e.g. v0.1.7 in run 25036315088). Switch to
`--squash` to match the repo's allowed merge methods.
* Codex worktree snapshot: startup-cleanup
Co-authored-by: Codex
* Add Python SDK real smoke test
Adds a repository-only real E2E smoke script for the Python SDK, plus npm and developer documentation entry points.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address review findings — bugs, type safety, and test coverage
- Fix prepare_spawn_info: JS files now use "node" instead of sys.executable
- Fix protocol.py: correct total=False misuse on 7 TypedDicts (required fields were optional)
- Fix query.py: add _closed guard in _ensure_started, suppress exceptions in close()
- Fix sync_query.py: prevent close() deadlock, add context manager, add timeouts
- Fix transport.py: handle malformed JSON lines, add _closed guard in start()
- Fix validation.py: use uuid.RFC_4122 instead of magic UUID
- Fix __init__.py: export TextBlock, widen query_sync signature
- Remove dead code: ensure_not_aborted, write_json_line, _thread_error
- Add 12 new tests (29 → 41): context managers, JSON skip, closed guards, spawn info, timeouts
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address wenshao review — session_id, bool validation, debug stderr
- Fix continue_session=True generating a wrong random session_id
- Add _as_optional_bool helper for strict type validation on bool fields
- Default debug stderr to sys.stderr when no custom callback is provided
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address remaining wenshao review feedback
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(cli): harden settings dialog restart prompt test
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): review fixes — UUID compat, stderr fallback, sync cleanup
- Remove UUID version restriction to support v6/v7/v8 (RFC 9562)
- Always write to sys.stderr when stderr callback raises (was silent when debug=False)
- Prevent duplicate _STOP sentinel in SyncQuery.close() via _stop_sent flag
- Add ruff format --check to CI workflow
- Fix smoke_real.py version guard: fail early before imports instead of NameError
- Apply ruff format to existing files
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): remaining review fixes — exit_code attr, guard strictness, sync timeout
- Add exit_code attribute to ProcessExitError for programmatic access
- Strengthen is_control_response/is_control_cancel guards to require
payload fields, preventing misrouting of malformed messages
- Expose control_request_timeout property on Query so SyncQuery uses
the configured timeout instead of a hardcoded 30s default
- Use dataclasses.replace() instead of direct mutation on frozen-style
QueryOptions in query() factory
- Add ResourceWarning in SyncQuery.__del__ when not properly closed
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): add exit_code default and guard __del__ against partial GC
- Give ProcessExitError.exit_code a default value (-1) so user code can
construct the exception with just a message string
- Wrap SyncQuery.__del__ in try/except AttributeError to prevent crashes
when the object is partially garbage-collected
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): review fixes — resource leak, type safety, CI matrix, docs
- Fix SyncQuery.__del__ to call close() on GC instead of only warning
- Replace hasattr duck-type check with isinstance(prompt, AsyncIterable)
- Type-validate permission_mode/auth_type in QueryOptions.from_mapping
- Use TypeGuard return types on all is_sdk_*/is_control_* predicates
- Add 5s margin to sync wrapper timeouts to prevent error type masking
- Expand CI matrix to test Python 3.10, 3.11, 3.12
- Change ProcessExitError.exit_code default from -1 to None
- Add stderr to docs QueryOptions listing
- Update README sync example to use context manager pattern
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): preserve iterator exhaustion state and suppress detached task warning
- Add _exhausted flag to Query.__anext__ and SyncQuery.__next__ so
repeated iteration after end-of-stream raises Stop(Async)Iteration
instead of blocking forever.
- Remove re-raise in _initialize() to prevent asyncio
"Task exception was never retrieved" warning on detached tasks;
the error is already surfaced via _finish_with_error().
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): reject mcp_servers at validation time and add iterator/init tests
- Reject mcp_servers in validate_query_options() with a clear error
instead of advertising MCP support to the CLI and then failing at
runtime when mcp_message arrives.
- Remove dead mcp_servers branch from _initialize().
- Add tests for async/sync iterator exhaustion, detached init task
warning suppression, and mcp_servers validation.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): fix ruff lint errors in new tests
- Use ControlRequestTimeoutError instead of bare Exception (B017)
- Fix import sorting for stdlib vs third-party (I001)
- Break long line to stay within 88-char limit (E501)
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* style(sdk-python): apply ruff format to new tests
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: jinye.djy <jinye.djy@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(i18n): sync mismatched keys between en.js and zh.js (#3503)
Add 4 keys missing from en.js that are actively used in source code,
add 5 missing Chinese translations to zh.js, integrate check-i18n
into CI to prevent future drift, and skip JSON file write in CI to
avoid dirtying the working tree.
---
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* ci(stale): enable 28+28 stale/close policy for pull requests
- Fix the repository guard so the workflow actually runs on
QwenLM/qwen-code (it was previously gated to google-gemini/gemini-cli
and never executed in this repo).
- Scope the behavior to pull requests for now; issue policy will be
introduced separately once triage labels are in place.
- Mark a PR stale after 4 weeks without activity, then close it after
another 4 weeks.
- Exempt pinned, security, status/blocked, status/on-hold, and
status/ready-for-merge from auto-close.
- Remove the stale label automatically when activity resumes, and
process the oldest PRs first on each run.
* ci(stale): loosen PR cadence from 28+28 to 35+35
Five weeks + five weeks gives contributors more slack around holidays
and busy periods, and reduces the first-run impact on the existing
backlog. The total window moves from 56 days to 70 days.
* ci(stale): move cron from 01:30 UTC to 00:30 UTC
Shift by one hour so results are ready before the Beijing work day
starts (08:30 local), while still avoiding the top of the hour (the
high-contention window for GitHub-hosted runners) and staying 30
minutes after release.yml at 00:00 UTC.
* ci(stale): drop redundant repo guard and document ops-per-run
- Remove the `github.repository == 'QwenLM/qwen-code'` job guard:
scheduled runs are already disabled on forks by GitHub, and
workflow_dispatch is manually-triggered so the guard adds no safety.
- Add a comment explaining the `operations-per-run: 100` rationale
(rate-limit headroom given the ~150-PR backlog).
The broad CODEOWNERS wildcard was adding notification noise without
providing meaningful ownership boundaries. Removing it so that any
team member with write access can provide approving reviews.
- Mark @qwen-code/channel-plugin-example as private in package.json
- Remove publish step from release workflow
- Remove file: to semver rewrite logic in version script
- Use file: reference for @qwen-code/channel-base dependency
This change prevents the example plugin from being published to npm, as it's only intended for internal/development use.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Move non-interactive tests to cli/, interactive tests to interactive/.
Add cron-interactive.test.ts wrapping terminal-capture E2E in vitest.
Update npm scripts and release workflow for new directory layout.
- Bump channel package versions to 0.13.0
- Add publish steps for @qwen-code/channel-base and @qwen-code/channel-plugin-example
- Update version script to convert file: references to semver for published packages
This enables proper npm publishing of channel packages during the release process.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Move "Dive Deeper" section after "Screenshots / Video Demo" to improve
readability. Screenshots section is more actionable and should appear
earlier in the template.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Add a new section to the PR template encouraging contributors to attach
visual demos of their changes. This helps reviewers understand changes
quickly and prioritizes reviews. Also update CONTRIBUTING.md with
guidelines for different types of changes (bug fixes, features, refactors).
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Use printf instead of echo for safer string output
- Remove --notes-start-tag as we use --notes-file for custom release notes
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Fix release-sdk.yml: Use file-based approach with --notes-file instead of
complex inline string interpolation to avoid shell parsing errors with
backticks and special characters
- Fix release.yml: Add --prerelease flag for nightly and preview releases
to properly mark them as pre-releases on GitHub
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add getNextPatchVersion() to calculate next patch version from npm latest
- Fix getNightlyVersion() to use npm latest + 1 patch instead of package.json
- Fix getPreviewVersion() to use npm latest + 1 patch instead of nightly version
- Add version info logging in workflow for dry-run verification
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Remove dist/ directory requirement from workflow (CLI files are in package root)
- Update bundle-cli-from-npm.js to use package root directly instead of package/dist
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Fix SC2086: double quote variables to prevent globbing and word splitting
- Fix yamllint quoted-strings: wrap if conditions with double quotes
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add 'cli_ref' input parameter to specify CLI version to bundle
- Auto-detect latest stable CLI tag when cli_ref not specified
- Validate that stable SDK releases use tagged CLI versions (not main)
- Record bundled CLI version in SDK dist and release notes
This ensures SDK releases bundle stable, tested CLI code instead of
potentially unstable main branch code.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Prevents workflow failure when some platform VSIXes are already
published (e.g., darwin-arm64, darwin-x64) during retry runs.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
When create_preview_release is enabled, allow the workflow_dispatch version input
to control the preview version (and avoid appending a timestamp if a preview id
is already provided) to match user intent.
- Re-enable macOS x64 CI builds using macos-15-intel runner
- Remove generic node-pty dependency in favor of platform-specific @lydell/node-pty-* packages
- Add ripgrep binary pruning for platform-specific builds to reduce VSIX size
- Add Windows workaround to remove npm junction self-references during packaging
