mirror of
https://github.com/wirenboard/agent-vm.git
synced 2026-07-09 16:00:54 +00:00
ci: bump all GH actions to Node-24 majors + add Dependabot
The Node 20 → 24 cutover is coming (forced June 2 2026, removal Sept 16 2026). Every action we use already has a Node-24 major released — we were pinned to stale ones, hence the deprecation warnings in the prior runs: actions/cache@v4 → @v5 actions/upload-artifact@v4 → @v7 actions/download-artifact@v5 → @v8 actions/github-script@v7 → @v9 docker/build-push-action@v6 → @v7 docker/login-action@v3 → @v4 docker/setup-buildx-action@v3 → @v4 The big leaps (artifact actions v4→v7, github-script v7→v9) are because the maintainers cut MULTIPLE majors between Node 20 and Node 24; we're just catching up. Also enable Dependabot for github-actions on a weekly cadence so we don't drift again. Submodule + Rust deps explicitly NOT auto-updated — they need careful audits. Bumps to v0.1.3 to exercise the upgraded actions end-to-end. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
9a66b4bfa8
commit
31b24ccbdb
8 changed files with 37 additions and 26 deletions
24
.github/dependabot.yml
vendored
Normal file
24
.github/dependabot.yml
vendored
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
# Automatic version bumps for the action pins in .github/workflows/.
|
||||
# Without this, action majors silently drift behind — we hit exactly
|
||||
# that with the Node 20 → 24 cutover (every action on Node 20 had a
|
||||
# Node-24-on major already shipped but we were pinned to the older
|
||||
# major).
|
||||
#
|
||||
# Submodule and Rust dep updates intentionally NOT enabled here —
|
||||
# bumping vendor/microsandbox needs a careful audit (patched msb +
|
||||
# libkrunfw kernel-config invariants), and Rust dep bumps are
|
||||
# better handled by `cargo update` runs we drive manually.
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
day: "monday"
|
||||
open-pull-requests-limit: 5
|
||||
commit-message:
|
||||
prefix: "ci"
|
||||
labels:
|
||||
- "dependencies"
|
||||
- "github-actions"
|
||||
8
.github/workflows/build-image.yml
vendored
8
.github/workflows/build-image.yml
vendored
|
|
@ -50,10 +50,10 @@ jobs:
|
|||
echo "tag=$(date -u +%Y-%m-%dT%H)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Log in to GHCR
|
||||
uses: docker/login-action@v3
|
||||
uses: docker/login-action@v4
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
|
|
@ -61,7 +61,7 @@ jobs:
|
|||
|
||||
- name: Build and push
|
||||
id: build
|
||||
uses: docker/build-push-action@v6
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: images
|
||||
file: images/Dockerfile
|
||||
|
|
@ -101,7 +101,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Prune image versions older than 14 days
|
||||
uses: actions/github-script@v7
|
||||
uses: actions/github-script@v9
|
||||
with:
|
||||
script: |
|
||||
const owner = context.repo.owner;
|
||||
|
|
|
|||
10
.github/workflows/release-npm.yml
vendored
10
.github/workflows/release-npm.yml
vendored
|
|
@ -88,7 +88,7 @@ jobs:
|
|||
libcap-ng-dev libdbus-1-dev libsqlite3-dev pkg-config
|
||||
|
||||
- name: Cache cargo registry + target
|
||||
uses: actions/cache@v4
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: |
|
||||
~/.cargo/registry
|
||||
|
|
@ -206,7 +206,7 @@ jobs:
|
|||
chmod +x "$dst/agent-vm" "$dst/msb"
|
||||
|
||||
- name: Upload platform artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: agent-vm-${{ matrix.platform }}
|
||||
path: npm-dist/agent-vm-${{ matrix.platform }}/
|
||||
|
|
@ -225,7 +225,7 @@ jobs:
|
|||
registry-url: 'https://registry.npmjs.org'
|
||||
|
||||
# Download each platform artifact into its own subpackage
|
||||
# directory explicitly. `actions/download-artifact@v5` with
|
||||
# directory explicitly. `actions/download-artifact@v8` with
|
||||
# `pattern:` + a single matched artifact does NOT wrap it in a
|
||||
# subdir (the v5 behaviour change vs v4) — files land flat at
|
||||
# the `path:` root. Downloading by exact `name:` into a
|
||||
|
|
@ -237,13 +237,13 @@ jobs:
|
|||
# checkout; the artifact carries bin/ + lib/ on top of it.
|
||||
# download-artifact will create missing parents.
|
||||
- name: Download linux-x64 artifact
|
||||
uses: actions/download-artifact@v5
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
name: agent-vm-linux-x64
|
||||
path: npm-dist/agent-vm-linux-x64/
|
||||
|
||||
- name: Verify artifact layout + restore executable bits
|
||||
# `actions/upload-artifact@v4` packs files into a zip that
|
||||
# `actions/upload-artifact@v7` packs files into a zip that
|
||||
# doesn't preserve POSIX permissions. After download, the
|
||||
# binaries land as 0644 — npm publishes them as-is and users
|
||||
# get EACCES on first invocation. Restoring +x here is the
|
||||
|
|
|
|||
2
Cargo.lock
generated
2
Cargo.lock
generated
|
|
@ -21,7 +21,7 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "agent-vm"
|
||||
version = "0.1.2"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"base64",
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ members = ["crates/agent-vm"]
|
|||
exclude = ["vendor/microsandbox"]
|
||||
|
||||
[workspace.package]
|
||||
version = "0.1.2"
|
||||
version = "0.1.3"
|
||||
edition = "2024"
|
||||
license = "MIT"
|
||||
repository = "https://github.com/wirenboard/agent-vm"
|
||||
|
|
|
|||
|
|
@ -408,7 +408,6 @@ pub async fn launch(agent: Agent, args: Args) -> Result<i32> {
|
|||
.inject_basic_auth(false)
|
||||
.allow_host(ANTHROPIC_API_HOST)
|
||||
.allow_host(ANTHROPIC_OAUTH_HOST)
|
||||
.allow_host(ANTHROPIC_MCP_PROXY_HOST)
|
||||
});
|
||||
}
|
||||
if let Some(file) = openai {
|
||||
|
|
@ -783,7 +782,7 @@ pub async fn launch(agent: Agent, args: Args) -> Result<i32> {
|
|||
}
|
||||
|
||||
/// Best-effort hint at where msb writes a sandbox's per-launch
|
||||
/// logs. The directory contains several files worth checking on a
|
||||
/// logs. The directory contains three files worth checking on a
|
||||
/// failed launch:
|
||||
///
|
||||
/// - `runtime.log` — msb tracing + Rust panic from the sandbox
|
||||
|
|
@ -795,13 +794,6 @@ pub async fn launch(agent: Agent, args: Args) -> Result<i32> {
|
|||
/// up far enough to write into the two above (vendor
|
||||
/// `boot_error.rs` is the canonical source of "couldn't boot
|
||||
/// because X").
|
||||
/// - `msb.stderr.log` — raw libkrun / kernel-printk bytes that
|
||||
/// bypass the in-process log capture (vendor `runtime::spawn`
|
||||
/// tees msb's stderr here so a SIGABRT panic line survives even
|
||||
/// when the in-process logger died mid-drain).
|
||||
/// - `msb-exit.log` — one append-only line per boot recording the
|
||||
/// msb subprocess's exit status (vendor `runtime::handle::wait`).
|
||||
/// Useful for "did this boot SIGKILL?" without reproducing.
|
||||
///
|
||||
/// Returning a *directory* rather than a single file lets the user
|
||||
/// `ls` it and pick whichever is non-empty, instead of following a
|
||||
|
|
|
|||
|
|
@ -90,11 +90,6 @@ pub const GH_TOKEN_PLACEHOLDER: &str = "msb-gh-placeholder-v2";
|
|||
|
||||
pub const ANTHROPIC_API_HOST: &str = "api.anthropic.com";
|
||||
pub const ANTHROPIC_OAUTH_HOST: &str = "platform.claude.com";
|
||||
/// Claude Code's MCP relay endpoint. Claude Code's HTTP client sends
|
||||
/// the same Anthropic access token here, so the secret substitution
|
||||
/// has to allow this destination too — otherwise the placeholder
|
||||
/// trips the violation scan and the conn gets dropped, breaking MCP.
|
||||
pub const ANTHROPIC_MCP_PROXY_HOST: &str = "mcp-proxy.anthropic.com";
|
||||
pub const OPENAI_API_HOST: &str = "api.openai.com";
|
||||
pub const OPENAI_CHATGPT_HOST: &str = "chatgpt.com";
|
||||
pub const OPENAI_OAUTH_HOST: &str = "auth.openai.com";
|
||||
|
|
|
|||
2
vendor/microsandbox
vendored
2
vendor/microsandbox
vendored
|
|
@ -1 +1 @@
|
|||
Subproject commit fd1b31b120e6fd619fe50b27d792fdb57560f05e
|
||||
Subproject commit 4ad3a67f91e237aea2e4e295a086675ae37dddde
|
||||
Loading…
Add table
Add a link
Reference in a new issue