From 23e43f4fa8f49cfe6f3e693fbabca19375e07c79 Mon Sep 17 00:00:00 2001
From: Conal <33135619+Conalh@users.noreply.github.com>
Date: Thu, 21 May 2026 15:50:10 -0700
Subject: [PATCH] Harden TaskBound action install path

---
 .github/workflows/taskbound.yml | 2 +-
 README.md | 6 +++---
 action.yml | 6 +++---
 package-lock.json | 4 ++--
 package.json | 2 +-
 test/workflow.test.mjs | 6 ++++--
 6 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/taskbound.yml b/.github/workflows/taskbound.yml
index 86b27d5..1adb3b6 100644
--- a/.github/workflows/taskbound.yml
+++ b/.github/workflows/taskbound.yml
@@ -14,6 +14,6 @@ jobs:
 with:
 fetch-depth: 0
- - uses: ./
+ - uses: Conalh/TaskBound@main
 with:
 fail-on: none
diff --git a/README.md b/README.md
index 54f676c..acb9b44 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ jobs:
 with:
 fetch-depth: 0
- - uses: Conalh/TaskBound@v0.1.0
+ - uses: Conalh/TaskBound@v0.2.0
 with:
 fail-on: none
 ```
@@ -127,7 +127,7 @@ The action uploads nothing by default. It reads local git state from the checked
 You can still override the task explicitly:

 ```yaml
- - uses: Conalh/TaskBound@v0.1.0
+ - uses: Conalh/TaskBound@v0.2.0
 with:
 task: Fix header CSS styling
 fail-on: none
@@ -138,7 +138,7 @@ API key to the job. If the key is absent or the model call fails, TaskBound fall
 back to heuristic scope inference and records `scopeSource: llm_fallback` in JSON.

 ```yaml
- - uses: Conalh/TaskBound@v0.1.0
+ - uses: Conalh/TaskBound@v0.2.0
 env:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 with:
diff --git a/action.yml b/action.yml
index 5f6d89e..da07125 100644
--- a/action.yml
+++ b/action.yml
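Review bot: `- uses: Conalh/TaskBound@main` in the taskbound.yml hunk points the self-dogfood job at a mutable branch ref, so the "harden" in the commit title only holds as long as `main` is protected; the stronger form GitHub recommends for a reference to another repository's action is a full-length commit SHA, e.g. `- uses: Conalh/TaskBound@<full-commit-sha> # vX.Y.Z`, kept current by Dependabot. A second, quieter effect is that the workflow no longer runs the action code from the checked-out PR, so an edit to action.yml is only exercised once it has landed on main; if that trade-off is intended, a one-line comment on the step, e.g. `# dogfood against the published ref, not the PR's working tree`, would save the next reader the question. The enclosing job definition starts outside the hunk.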
@@ -12,7 +12,7 @@ inputs:
 required: false
 default: ''
 scope-llm:
- description: Optional OpenAI model for LLM-assisted scope extraction. Falls back to heuristic scope when offline or unauthenticated.
+ description: Optional OpenAI or Anthropic model for LLM-assisted scope extraction. Falls back to heuristic scope when offline or unauthenticated.
 required: false
 default: ''
 repo:
@@ -54,14 +54,14 @@ runs:
 run: |
 set -euo pipefail
 cd "$GITHUB_ACTION_PATH"
- npm ci
+ npm ci --ignore-scripts
 - name: Build TaskBound
 shell: bash
 run: |
 set -euo pipefail
 cd "$GITHUB_ACTION_PATH"
- npm run build
+ npm run build --ignore-scripts
 - name: Run TaskBound scope review
 id: run
diff --git a/package-lock.json b/package-lock.json
index dc9f9fa..a60a3c3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "taskbound",
- "version": "0.1.0",
+ "version": "0.2.0",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "taskbound",
- "version": "0.1.0",
+ "version": "0.2.0",
 "license": "MIT",
 "bin": {
 "taskbound": "dist/index.js"
diff --git a/package.json b/package.json
index 15f48d1..80ace7a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "taskbound",
- "version": "0.1.0",
+ "version": "0.2.0",
 "description": "Post-session scope creep review for AI agent edits.",
 "type": "module",
 "bin": {
diff --git a/test/workflow.test.mjs b/test/workflow.test.mjs
index cc58601..8789ffc 100644
--- a/test/workflow.test.mjs
+++ b/test/workflow.test.mjs
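Review bot: `npm run build --ignore-scripts` in the second action.yml hunk still executes the `build` script itself but suppresses any `prebuild`/`postbuild` hooks, so if package.json declares one the build will silently skip it; the scripts block is not in this diff, so that is worth confirming before merge. The install line is the one that carries the supply-chain benefit, since `npm ci --ignore-scripts` stops a dependency's install-time lifecycle scripts from running on the runner, and neither step records that intent; a comment such as `# --ignore-scripts: dependency lifecycle hooks never run on the runner; build still executes, pre/post hooks do not` on each step would make the reason survive the next refactor. Note that the new test asserts only the `npm ci` flag, not the build one. Both steps sit inside the `runs.steps` list that begins and ends outside the hunk.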
@@ -19,12 +19,14 @@ test('action.yml can derive task scope from pull request event context', async (
 assert.match(action, /--scope-context/);
 assert.match(action, /--github-event/);
 assert.match(action, /--scope-llm/);
+ assert.match(action, /npm ci --ignore-scripts/);
 assert.match(action, /scope-match-count/);
 });

-test('self-dogfood workflow uses local action with pull request event task fallback', async () => {
+test('self-dogfood workflow uses trusted action ref with pull request event task fallback', async () => {
 const workflow = await readFile(join(packageRoot, '.github/workflows/taskbound.yml'), 'utf8');
- assert.match(workflow, /uses: \.\//);
+ assert.match(workflow, /uses: Conalh\/TaskBound@main/);
+ assert.doesNotMatch(workflow, /uses: \.\//);
 assert.match(workflow, /fetch-depth: 0/);
 assert.doesNotMatch(workflow, /task:/);
 });
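Review bot: The added `assert.match(action, /npm ci --ignore-scripts/);` guards the install flag, but the build-step flag introduced in the same commit has no assertion, so a later revert of `npm run build --ignore-scripts` would pass CI; add `assert.match(action, /npm run build --ignore-scripts/);` next to it. The new `assert.match(workflow, /uses: Conalh\/TaskBound@main/);` hard-codes a mutable branch ref, which means the test breaks the moment the workflow is pinned to a commit SHA — the stronger form; a pattern that also accepts a 40-hex SHA, e.g. `/uses: Conalh\/TaskBound@(?:[0-9a-f]{40}|main)/`, keeps the real intent (no local `./` reference, which `assert.doesNotMatch` already covers) while leaving room for that pin. The first `test(...)` in the hunk starts outside it.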