From 86d3acb4669a95c4707497c55a39efc076824334 Mon Sep 17 00:00:00 2001 
From: "const.koutsakis@aurecongroup.com" Date: Tue, 26 May 2026 21:31:02 +1000 Subject: [PATCH 1/4] chore: bump Node-20 actions to Node-24 compatible SHAs (#109) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub-Actions runners force Node-24 on 2026-06-02 (≈one week from this commit) and remove Node-20 entirely on 2026-09-16. The release.yml run for v0.2.17 emitted Node-20 deprecation annotations on three actions; bumping them to current major-version SHAs makes the warnings go away and unblocks the forced-migration date. Bumps (SHA + documented tag both updated): actions/checkout 34e1148... # v4 -> 93cb6ef... # v5 actions/setup-python a26af69... # v5 -> a309ff8... # v6 docker/login-action c94ce9f... # v3 -> 650006c... # v4 49 lines changed across 10 workflow files: .github/workflows/artifact-cleanup.yml 1 line .github/workflows/branch-protection.yml 1 line .github/workflows/changelog-prestage.yml 2 lines .github/workflows/changelog-rollup.yml 2 lines .github/workflows/ci.yml 30 lines .github/workflows/codeql.yml 1 line .github/workflows/eval-nightly.yml 2 lines .github/workflows/pin-freshness-audit.yml 2 lines .github/workflows/release.yml 3 lines .github/workflows/security.yml 5 lines No behaviour change beyond the underlying Node runtime. The actions themselves keep the same input/output contract across these majors (per upstream release notes). Local verification: pin-freshness audit: 68 pins checked, 0 findings pytest tests/: 215 passed mypy --strict, ruff, ci-script compile gate, branch-protection contexts sync: all clean Self-version bump 0.2.17 -> 0.2.18 (chore = PATCH). 
Closes #109
---
 .github/workflows/artifact-cleanup.yml | 2 +-
 .github/workflows/branch-protection.yml | 2 +-
 .github/workflows/changelog-prestage.yml | 4 +-
 .github/workflows/changelog-rollup.yml | 4 +-
 .github/workflows/ci.yml | 60 +++++++++++------------
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/eval-nightly.yml | 4 +-
 .github/workflows/pin-freshness-audit.yml | 4 +-
 .github/workflows/release.yml | 6 +--
 .github/workflows/security.yml | 10 ++--
 pyproject.toml | 2 +-
 uv.lock | 2 +-
 12 files changed, 51 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/artifact-cleanup.yml b/.github/workflows/artifact-cleanup.yml
index 234af34..f512048 100644
--- a/.github/workflows/artifact-cleanup.yml
+++ b/.github/workflows/artifact-cleanup.yml
@@ -42,7 +42,7 @@ jobs:
 name: Prune old artifacts
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Compute threshold
 id: threshold
diff --git a/.github/workflows/branch-protection.yml b/.github/workflows/branch-protection.yml
index 8da4bef..71ddc0e 100644
--- a/.github/workflows/branch-protection.yml
+++ b/.github/workflows/branch-protection.yml
@@ -35,7 +35,7 @@ jobs:
 matrix:
 branch: [main, develop]
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Verify token is configured
 env:
diff --git a/.github/workflows/changelog-prestage.yml b/.github/workflows/changelog-prestage.yml
index aa90d41..c31e5ba 100644
--- a/.github/workflows/changelog-prestage.yml
+++ b/.github/workflows/changelog-prestage.yml
@@ -48,7 +48,7 @@ jobs:
 name: Open prestage PR
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 ref: develop
 # Full history so `git describe --abbrev=0 --tags` can resolve
@@ -61,7 +61,7 @@ jobs:
 # opens, but its CI doesn't run until a user pushes on top.
 token: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
diff --git a/.github/workflows/changelog-rollup.yml b/.github/workflows/changelog-rollup.yml
index 3851077..b6af7a6 100644
--- a/.github/workflows/changelog-rollup.yml
+++ b/.github/workflows/changelog-rollup.yml
@@ -35,7 +35,7 @@ jobs:
 github.event_name == 'workflow_dispatch' ||
 github.event.workflow_run.conclusion == 'success'
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 ref: develop
 # full history needed for `git describe --abbrev=0 --tags ^`
@@ -48,7 +48,7 @@ jobs:
 # pushes a commit on top.
 token: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2a22fb1..de28d65 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,9 +17,9 @@ jobs:
 name: Lint & Format
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -30,9 +30,9 @@ jobs:
 name: Type Check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -43,9 +43,9 @@ jobs:
 runs-on: ubuntu-latest
 # Pure in-process tests — completes fast so PR authors get quick feedback.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -56,9 +56,9 @@ jobs:
 runs-on: ubuntu-latest
 # Enforces [tool.coverage.report].fail_under from pyproject.toml (75%).
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -68,9 +68,9 @@ jobs:
 name: Architecture (import-linter)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -83,9 +83,9 @@ jobs:
 # `uv run pre-commit install` can't leak unformatted code or a stray
 # secret past the first defence layer.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -99,8 +99,8 @@ jobs:
 # this job enforces the file-half. No exemption mechanism — pre-existing
 # offenders should be split before this job lands, not allowlisted.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: python .github/scripts/check_file_length.py
@@ -113,10 +113,10 @@ jobs:
 # that the 75 % coverage gate cannot detect on its own.
 if: github.event_name == 'pull_request'
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0 # full history so `git show origin/:` resolves
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: python .github/scripts/check_version_bump.py
@@ -129,8 +129,8 @@ jobs:
 # First-party = major tag; astral-sh/setup-uv = patch tag; third-party
 # = SHA + trailing `# vN.M.P` comment.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: python .github/scripts/check_action_pins.py
@@ -143,10 +143,10 @@ jobs:
 # `::warning::` if src/ is touched without tests/.
 if: github.event_name == 'pull_request'
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0 # full history so the diff resolves
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: python .github/scripts/check_tests_present.py
@@ -158,8 +158,8 @@ jobs:
 # line cites a `#NNN` ticket; closed cites warn (or fail under
 # ASPIRATIONAL_STRICT=1). GITHUB_TOKEN enables ticket-state lookup.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - env:
@@ -173,8 +173,8 @@ jobs:
 # interfaces. The audit checks shape (presence + min 200 bytes) and
 # structure (`## Key interfaces` heading). No exemption mechanism.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: python .github/scripts/check_src_readmes.py
@@ -183,7 +183,7 @@ jobs:
 name: Frontend Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: "24"
@@ -198,7 +198,7 @@ jobs:
 # enjoys (ruff + mypy + pytest); the Frontend Build job above validates
 # the bundler output, this one validates source quality.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: "24"
@@ -217,9 +217,9 @@ jobs:
 # .github/branch-protection/*.json contexts arrays disagree with the
 # actual workflow jobs on disk.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
@@ -233,9 +233,9 @@ jobs:
 # Adding a type in one but not the other would mean commits pass locally
 # while PR titles fail in CI (or vice versa).
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 85c73ad..f060887 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,7 +41,7 @@ jobs:
 - language: javascript-typescript
 build-mode: none
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
diff --git a/.github/workflows/eval-nightly.yml b/.github/workflows/eval-nightly.yml
index 2ca8981..9a92bd6 100644
--- a/.github/workflows/eval-nightly.yml
+++ b/.github/workflows/eval-nightly.yml
@@ -45,9 +45,9 @@ jobs:
 name: Run golden QA dataset
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python_version || '3.14' }}
 - run: uv sync --frozen --extra dev --extra eval
diff --git a/.github/workflows/pin-freshness-audit.yml b/.github/workflows/pin-freshness-audit.yml
index 92bbf6f..690499e 100644
--- a/.github/workflows/pin-freshness-audit.yml
+++ b/.github/workflows/pin-freshness-audit.yml
@@ -34,8 +34,8 @@ jobs:
 name: Pin freshness audit
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60d3df2..6642b9d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,11 +27,11 @@ jobs:
 # Actions are SHA-pinned because this workflow has elevated permissions
 # (contents: write + packages: write). Bump SHAs with the # vX.Y.Z
 # annotation when a new release lands and you've reviewed the diff.
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
@@ -65,7 +65,7 @@ jobs:
 .
 - name: Log in to GHCR
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 8a01886..3e2d91a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -23,7 +23,7 @@ jobs:
 name: Secret scan (gitleaks)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0 # full history so gitleaks can scan every commit
 # Install and run the binary directly — the v2 action attempts to upload
@@ -43,9 +43,9 @@ jobs:
 name: Python deps (pip-audit)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
- - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
 - run: uv sync --frozen --extra dev
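Review bot: The two bumped `uses:` lines keep major-only annotations (`# v5`, `# v6`) while the comment three lines above them asks for `# vX.Y.Z`, so a reader of this elevated-permission workflow (contents: write + packages: write) cannot check either SHA against one specific upstream release; the pins-check comment in ci.yml describes first-party actions as major-tag pinned, so one of the two comments is stale. I would either annotate with the exact release each SHA resolves to, `- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.<MINOR>.<PATCH>` (placeholder, fill from the upstream tag), or reword the comment to say `# Bump SHAs with the # vN major annotation ...` so the file is self-consistent. The commit message records the pin-freshness audit result but not that each new SHA was confirmed to be the commit the upstream tag points at, which is the "reviewed the diff" step this comment requires; stating that in the message would make the bump auditable. The remaining steps of this job are outside the hunk.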
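Review bot: The new docker/login-action pin on the added `uses:` line carries a major-only `# v4` annotation, but the convention quoted in ci.yml's action-pins job says third-party actions are pinned as SHA plus a trailing `# vN.M.P` comment; the removed line had the same `# v3` form, so this is pre-existing, but the bump is the natural place to fix it. If check_action_pins.py treats docker/* as first-party the convention comment should say so; if it does not, this step (which authenticates to GHCR under packages: write) should read `uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.<MINOR>.<PATCH>` with the placeholder filled from the upstream tag the SHA resolves to. The enclosing step list starts outside the hunk.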
@@ -71,7 +71,7 @@ jobs:
 name: Frontend deps (npm audit)
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: "24"
@@ -87,7 +87,7 @@ jobs:
 runs-on: ubuntu-latest
 # Blocking: any fixable HIGH/CRITICAL CVE in the built image fails the PR.
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Build image
 run: docker build -t harness-python-react:ci .
 - name: Run Trivy vulnerability scanner
diff --git a/pyproject.toml b/pyproject.toml
index 3e2e858..3f7210d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "harness-python-react"
-version = "0.2.17"
+version = "0.2.18"
 description = "Production-quality LLM-driven coding harness — Python (FastAPI) backend, Vite + React + TypeScript frontend."
 readme = "README.md"
 requires-python = ">=3.14"
diff --git a/uv.lock b/uv.lock
index 77c0d17..c128ec3 100644
--- a/uv.lock
+++ b/uv.lock
@@ -337,7 +337,7 @@ wheels = [
 [[package]]
 name = "harness-python-react"
-version = "0.2.17"
+version = "0.2.18"
 source = { virtual = "." }
 dependencies = [
 { name = "fastapi" },
From b9e4a923cb4e9bd86e4f5e85cfe86bd5e4e9fffd Mon Sep 17 00:00:00 2001 From: "const.koutsakis@aurecongroup.com" Date: Tue, 26 May 2026 22:00:53 +1000 Subject: [PATCH 2/4] chore: trigger CI re-evaluation
From 216c9d52852c3adf4a01c417aa849545ee52b7e0 Mon Sep 17 00:00:00 2001 From: "const.koutsakis@aurecongroup.com" Date: Wed, 27 May 2026 23:10:16 +1000 Subject: [PATCH 3/4] chore: retrigger CI after Actions outage
From 0dc72bd54cfece6c34797076488ef7f337683f73 Mon Sep 17 00:00:00 2001 From: "const.koutsakis@aurecongroup.com" Date: Wed, 27 May 2026 23:10:46 +1000 Subject: [PATCH 4/4] chore: retrigger CI after Actions outage