Stacked on #60502 and targets it — #60502 must land first (its
orchestrator fix is what lets this `tooling/lints/`-touching PR go green
rather than tripping the `rdeps(lints)` nextest filter). Re-creates the
symlinks from #60504, which was accidentally merged into #60502's branch
and reverted.
Follow-up to #60468, which added a `LICENSE-APACHE` symlink to the
`tooling/lints` crate but not to the `test_fixture` sub-crates. Those
five sub-crates each carry a `Cargo.toml`, so `script/check-licenses`
requires a `LICENSE-GPL`/`LICENSE-APACHE` symlink in each, and
`check_licenses` fails on any PR that changes `Cargo.lock`. This adds
`LICENSE-APACHE` symlinks to the five fixture crates, matching #60468;
`script/check-licenses` passes locally afterward.
Release Notes:
- N/A
The `orchestrate` job maps changed directories to root-workspace package
names, and when no mapping was found it fell back to using the raw
directory name as a package. Because `tooling/lints` is a separate
workspace (not a root-workspace member), a change under
`tooling/lints/**` produced the filter `rdeps(lints)`, which `cargo
nextest run --workspace` rejects with "operator didn't match any
packages" — failing `run_tests` for any such PR. This drops that
fallback so an unmapped directory falls through to the existing "no
package changes → run all tests" path instead.
Release Notes:
- N/A
Seeing `script/check-license` fail because we forgot to add a license in
#58496
> Error: tooling/lints does not contain a LICENSE-GPL or LICENSE-APACHE
symlink
Release Notes:
- N/A
Adds a dylint library under tooling/lints that flags Zed-specific
anti-patterns:
* shared_string_from_str_literal,
* async_block_without_await,
* entity_update_in_render,
* notify_in_render,
* owned_string_into_shared,
* len_in_loop_condition, and
* blocking_io_on_foreground.
Includes UI tests, a single-lint helper, and workspace.metadata.dylint
registration so cargo dylint --all discovers it. The library pins its
own nightly toolchain (kept out of the main workspace) and tracks dylint
6.
Release Notes:
- N/A
Self-Review Checklist:
- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable
Closes #ISSUE
Release Notes:
- N/A or Added/Fixed/Improved ...
Summary
- Adds Windows agent terminal sandboxing by routing commands through WSL
and Bubblewrap.
- Supports native Windows and WSL project paths, including elevated
write grants for WSL paths.
- Shows a confirmation prompt to turn off sandboxing when WSL sandbox
setup is unavailable.
This builds on the work in the sandbox-linux branch.
Closes AI-376
Release Notes:
- Added Windows terminal sandboxing for agent commands when sandboxing
is enabled.
---------
Co-authored-by: cameron <cameron.studdstreet@gmail.com>
Co-authored-by: Richard Feldman <oss@rtfeldman.com>
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
## What
Adds `step-security/harden-runner` as the first step of the Linux
Namespace
jobs in `run_tests.yml`, running in audit mode (`egress-policy: audit`).
In
audit mode it records each job's outbound network connections and blocks
nothing — there is no change to what the jobs can do.
Pinned to
`step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411`
(v2.19.4); v2.19.0+ is required for Namespace runners. Each run links to
its
per-run insights from the job log.
## Scope
- **Included:** the 13 Linux Namespace jobs in `run_tests.yml`.
- **macOS excluded:** harden-runner's monitoring agent is Linux-only on
Namespace runners — it skips install on Namespace macOS, so it adds no
coverage there and its cleanup step fails.
- **Also not included:** the Windows jobs, the `tests_pass` gate (no
checkout,
no egress to record), and the `extension_tests` reusable-workflow call.
- The shared job builders (`clippy`, `run_platform_tests`,
`check_scripts`,
`orchestrate`) are reused by other workflows, so they take a flag to add
the
step only in the `run_tests` context. `release.yml`,
`release_nightly.yml`,
and `extension_tests.yml` are unchanged.
## How
Edits the workflow DSL under `tooling/xtask/src/tasks/workflows/`; the
YAML is
regenerated with `cargo xtask workflows`.
## Verification
- `cargo xtask workflows` is idempotent — the `check_scripts` parity
check passes.
- `cargo fmt --check` and `actionlint` clean; `zizmor` shows no new
findings vs. baseline.
Release Notes:
- N/A
---------
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Adds a step to the release and run_bundling workflows to build a
statically-linked bubblewrap binary and upload it
---
Release Notes:
- N/A or Added/Fixed/Improved ...
---------
Co-authored-by: Tom Houlé <tom@tomhoule.com>
Release Notes:
- N/A or Added/Fixed/Improved ...
---------
Co-authored-by: Richard Feldman <oss@rtfeldman.com>
Co-authored-by: Martin Ye <martin@zed.dev>
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
# Objective
We were not caching builds for nightly/bundling jobs AT ALL.
## Solution
## Testing
## Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content adheres to Zed's UI standards
([UX/UI](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
and
[icon](https://github.com/zed-industries/zed/blob/main/crates/icons/README.md)
guidelines)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable
Release Notes:
- N/A
This slightly reworks the extension CLI bump workflow - instead of
triggering on label push, it now triggers on workflow dispatch with a
message enforced to be added there.
This primarily allows us to add a message to these bumps to better
communicate what changes with that version of the CLI. Furthermore, we
can soon restrict the label to be only created by that workflow, which
has the advantage that it can only be based off of main. Also, it has
the nice side-effect that we actually only ever update the label if
everything worked properly.
Release Notes:
- N/A
## Summary
Routine housekeeping to remove seven inactive GitHub Actions workflows,
surfaced by a workflow-activity review (run history via the Actions
API).
The removals fall into two groups:
- **Four hand-written workflows** that are manually disabled, never run,
or long dormant.
- **Three xtask-generated workflows** (manual eval/perf tools) dormant
for >90 days — removed at the source in `tooling/xtask` and regenerated,
with now-unused helper code dropped.
Reusable workflows `extension_tests` and `extension_bump` were
intentionally **kept** — their low standalone run counts are an artifact
of `workflow_call` (they run constantly via `run_tests` and
`extension_auto_bump`), so they are not dormant.
## What is being removed
| Workflow | Roughly what it does | Author | Last run | Reason |
|---|---|---|---|---|
| `assign-reviewers.yml` | Auto-assigns reviewers to PRs (via a GitHub
App token) | John D. Swanson | 2026-04-17 | Manually disabled in Actions
settings |
| `assign_contributor_issue.yml` | Assigns/labels contributor issues and
notifies Slack | Lena | 2026-05-12 | Manually disabled in Actions
settings |
| `background_agent_mvp.yml` | Experimental background-agent MVP (manual
dispatch; schedule commented out) | morgankrey | 2026-02-24 | Dormant
>90 days; experimental, never promoted |
| `randomized_tests.yml` | Runs randomized tests via
`script/randomized-test-ci` | Max Brunsfeld | never | Never run; only
triggers on pushes to a branch that is never pushed |
| `compare_perf.yml` \* | Manual perf comparison between two commits for
a crate | Conrad Irwin | 2025-11-06 | Dormant >90 days; on-demand tool |
| `run_unit_evals.yml` \* | Manual agent unit evals for a given
model/commit | Ben Kunkle | 2025-11-14 | Dormant >90 days; on-demand
tool |
| `run_cron_unit_evals.yml` \* | Agent unit evals across a model matrix
(manual dispatch) | Richard Feldman | 2026-01-27 | Dormant >90 days;
on-demand tool |
\* xtask-generated — removed via `tooling/xtask` and regenerated (commit
2).
## Notes
- **Commit 1** removes the four hand-written workflows.
- **Commit 2** removes the three xtask-generated workflows: it deletes
their generator modules and registry entries, regenerates with `cargo
xtask workflows`, and drops the helper code left unused by the removal
(`vars` secrets and `steps::git_checkout`). Regeneration is a no-op for
all other workflows, and `./script/clippy` (deny-warnings) is clean.
Release Notes:
- N/A
Pins the remaining tag- and branch-referenced GitHub Actions and the
`postgres` service image to specific commit SHAs / digests, so workflow
runs resolve to fixed versions. Edited in the xtask workflow DSL and
regenerated with `cargo xtask workflows`.
- `bufbuild/buf-setup-action` → `a47c93e0` (v1.50.0)
- `bufbuild/buf-breaking-action` → `c57b3d84` (v1.1.4)
- `digitalocean/action-doctl` → `3cb39531` (v2.5.2)
- `postgres:15` → `@sha256:1b92e7a8…`
- `deploy_docs.yml` reusable workflow → pinned to a commit
Release Notes:
- N/A
This PR bumps the extension CLI version used in the extension workflows
to `9ee3c503a4`.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
This PR bumps the extension CLI version used in the extension workflows
to `ca0fd8d4e1`.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable
Release Notes:
- N/A
## Summary
This moves the remaining first-party AGPL surface to GPL, a less
restrictive license for these components. Apache-2.0 components are
unchanged.
Changes:
- Updates the `collab` crate from `AGPL-3.0-or-later` to
`GPL-3.0-or-later`
- Removes the root AGPL license file and first-party crate AGPL symlinks
- Updates web, documentation, Flatpak, README, and terms references to
reflect the GPL/Apache licensing split
- Updates the open-source component example list in the terms and
regenerates the RTF copy; no other terms changes are intended
- Adds guardrails so first-party crates cannot declare AGPL licensing or
carry `LICENSE-AGPL` files
Release timing: preview during the week of June 1, 2026; stable during
the week of June 8, 2026.
## Residual AGPL/Affero references
- `LICENSE-GPL`: GPLv3's own compatibility clause; unchanged official
license text.
- `crates/json_schema_store/src/schemas/package.json`: generic npm
package-license schema value, not Zed licensing.
- `script/check-licenses`, `script/new-crate`,
`script/licenses/zed-licenses.toml`: guardrails that reject or warn
against reintroducing AGPL.
## Verification
- `script/check-licenses`
- `script/generate-licenses`
- `script/generate-terms-rtf`
- `script/new-crate license_probe_for_gpl`, then discarded generated
crate
- `script/new-crate license_probe_for_agpl agpl` fails as expected
- `mdbook build docs`
- `./script/clippy`
- `git grep -n -I -E "AGPL|Affero"`
- `git diff --check`
Release Notes:
- The `collab` crate, used to implement Zed's collaboration backend, is
now licensed under the GPL instead of the AGPL. The AGPL license is no
longer used in the zed repository.
This PR bumps the extension CLI version used in the extension workflows
to `2a00db06ce`.
Release Notes:
- N/A
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] No unsafe blocks
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Closes#57057
Release Notes:
- N/A
---------
Co-authored-by: zed-zippy[bot] <234243425+zed-zippy[bot]@users.noreply.github.com>
Self-Review Checklist:
- [x] I've reviewed my own diff for quality, security, and reliability
- [x] Unsafe blocks (if any) have justifying comments
- [x] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable
Closes #ISSUE
Release Notes:
- N/A or Added/Fixed/Improved ...
This updates the nightly workflow to run hourly as opposed to once
daily.
Notably, it also
- changes the poll duration for the auto updater - we now poll 4 times
an hour on the Nightly channel and continue with the old rate for all
other channels
- moves the pre-checks to the linux runners, since we have more
resources available there
- only ever allow one concurrent nightly run
Release Notes:
- N/A
https://github.com/zed-industries/zed/actions/runs/25881329418 complains
about the deprecation of Node.js version 20, which will soon be
force-bumped to 24 in the runner contexts.
Thus, this PR bumps all the jobs mentioned there to versions that run on
Node.js 24 by default. I checked all the release note section for the
three actions and this should not change any behaviour according to
their release notes and get us ready for the deprecation.
Release Notes:
- N/A
Since we download the grammars into the `./grammars` directory, the
formatting check can fail on unformatted query files that are present in
the grammars directory, as observed in
https://github.com/zed-extensions/log/pull/18
Thus, this PR changes the check to be more specific to just the queries
in the `languages` directory.
Release Notes:
- N/A
This ensures that upon workflow removal in Rust code, the corresponding
workflow file will not accidentally stay in the repository.
Release Notes:
- N/A
tl;dr: you can now run `cargo xtask setup_webrtc`, which:
1. Fetches webrtc artifacts into a gitignored directory in Zed repo
2. Adds a [env] section to `~/.cargo/config.toml` on your box which
forces
LK to NOT download webrtc artifacts as a part of its build script
The end result: `cargo clean` is no longer a horrid experience with in
horrid network environments.
Caveats:
1. This does not handle appending to existing cargo config. The setup
script will fail if there's one in place.
2. You need to redo this thing (fetch env var and whatnot) whenever LK
version is bumped.
3. This is not mandatory for builds to work. You only really have to do
this for your own convenience, but builds will work just fine without it
(unless your connection sucks).
Self-Review Checklist:
- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable
Closes #ISSUE
Release Notes:
- N/A
Closes #ISSUE
Before you mark this PR as ready for review, make sure that you have:
- [x] Added a solid test coverage and/or screenshots from doing manual
testing
- [x] Done a self-review taking into account security and performance
aspects
- [x] Aligned any UI changes with the [UI
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
Release Notes:
- N/A *or* Added/Fixed/Improved ...
From now on, we will instead just make another patch version bump. That
has the advantage that tags will actually always only be applied to the
version bump and not some random change as well as us being able to
prohibit updates of tag refs for the Zed Zippy identity as well.
Release Notes:
- N/A
Self-Review Checklist:
- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable
Release Notes:
- N/A
No, sadly, the title is not a typo. See
https://www.githubstatus.com/incidents/zsg1lk7w13cf for the context.
I'll read with joy and popcorn through that root cause analysis.
It makes literally zero sense what happened here, but for some completly
bonkers reason GitHub completely messed up the merge queue with
https://github.com/zed-industries/zed/pull/54632.
I have no idea how it happened. It makes literally zero sense. A PR
going into the merge queue should have the same LoC when getting out of
it. GitHub obviously does not check this. GitHub causes extra work with
a feature that is supposed to save time.
Thanks, I guess.
Release Notes:
- N/A
---------
Co-authored-by: Danilo Leal <daniloleal09@gmail.com>
This PR brings back the button to filter remote branches when accessing
the title bar's branch picker with the mouse. It was unintentionally
removed when we introduced the new worktree picker.
Release Notes:
- N/A
Not to be merged before https://github.com/zed-industries/zed/pull/54550
This makes it so that we perform not all checks sequentially but in
parallel which should overall make this a lot faster.
Ultimately, we can save some more requests if we were to search for all
co-author looking PRs with one GraphQL query, but for now, this here
should make things a lot faster already whilst working fine with rate
limits.
Release Notes:
- N/A
This changes some of the checks to use the existing `author_association`
where possible, which will result in no change of effect - this is also
what GitHub uses internally.
The advatage is that it saves us a few requests, especially in the
context of the GitHub worker, and allows us to share code more
efficiently here. It also removes some ugly duplication I wanted to get
rid of for some time and makes the code overall more readable IMO.
Release Notes:
- N/A