chore(aaif): rename a bunch of repository references #8152
|
🔍 Recipe Security Scan Results 📊 Scan Summary:
📋 Individual Recipe Results: 🔗 View detailed scan results in the workflow artifacts. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6a0948d4c8
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| let tag = if canary { "canary" } else { "stable" }; | ||
| let asset = asset_name(); | ||
| let url = format!("https://github.com/block/goose/releases/download/{tag}/{asset}"); | ||
| let url = format!("https://github.com/aaif-goose/goose/releases/download/{tag}/{asset}"); |
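Review bot: The org/repo slug in the new url line is a string literal inside format!, and it is the only thing that decides which GitHub repository the self-update binary is fetched from. The PR description calls aaif-goose a placeholder that may still be swapped, so I would lift the slug into one named constant (shared with the other references this PR touches where possible) and have this line interpolate it; a later rename then cannot leave the updater pointing at an org name the project does not hold. Nothing in these lines checks the downloaded asset, so if verification happens elsewhere, a short comment here pointing to it would help the next reader.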
Retain updater fallback to current release repository
The update() download endpoint now hardcodes aaif-goose/goose with no fallback, so goose update will fail with HTTP errors in any staged-migration period where releases are still published under block/goose (or if redirects are unavailable). Because this URL is the only source for the update artifact, users lose the self-update path entirely; keep a temporary fallback to the prior repo until the cutover is fully complete.
That's okay, we won't do a release of this code without also doing the migration.
| deny: | ||
| runs-on: ubuntu-latest | ||
| if: github.repository == 'block/goose' | ||
| if: github.repository == 'aaif-goose/goose' |
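Review bot: On the deny job, the new if: line compares github.repository against the placeholder slug, and a mismatch skips the job instead of failing it, so the cargo-deny gate can go quiet with no red check to notice. Suggest updating this literal in the same change that settles the final org name, and confirming on the first run after the transfer that deny shows as executed rather than skipped.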
Allow workflow guard to run in pre-transfer repository
This repository check now only matches aaif-goose/goose, which causes the job to be skipped outright in pre-transfer environments where the repo is still block/goose. That silently disables cargo-deny enforcement on PR and scheduled runs, removing a dependency/security gate during the migration window; the guard should permit both repo names until migration is finalized.
That's okay, we should do the repo transfer first and then merge
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 139bb73e42
| RATE_LIMIT_PER_SECOND = "2" | ||
|
|
||
| ALLOWED_REPOS = "block/goose,aaif/goose" | ||
| ALLOWED_REPOS = "aaif-goose/goose,aaif/goose" |
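Review bot: In the new ALLOWED_REPOS value, aaif/goose is carried over unchanged next to the placeholder aaif-goose/goose, so the allowlist would hold two slugs of which at most one can be the repository's final home. Since this list decides which repositories' tokens are accepted, each entry should name a repository the project actually controls; once the org name is settled I would trim the value to that single slug and add a comment saying why any extra entry remains.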
Keep block/goose in OIDC allowlist during repo cutover
This change drops block/goose from ALLOWED_REPOS, but the proxy validator rejects any JWT whose payload.repository is not in that list (oidc-proxy/src/index.js checks this before forwarding). In any deployment where workflows still mint tokens for block/goose (for example, if config rolls out before the repo transfer is complete), requests to the OIDC proxy will start returning 401 and automation that depends on it (like code-review runs) will fail; keep both repo slugs until migration is finished.
we'll merge after transfer, this is OK
| for attempt in range(max_retries): | ||
| try: | ||
| url = "https://api.github.com/repos/block/goose/stats/contributors" | ||
| url = "https://api.github.com/repos/aaif-goose/goose/stats/contributors" |
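Review bot: The url assignment sits inside the try: within the for attempt in range(max_retries) loop, so the same constant string is rebuilt on every retry and the repository slug is buried in the loop body. Suggest defining the slug once at module level (for example a REPO constant) and building url before the loop, which also leaves only the request itself inside the try: and makes the next rename a one-line change.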
Align contributor classification with new aaif-goose source
The script now fetches contributors from aaif-goose/goose, but the internal-user classifier still only recognizes Block org/company signals (BLOCK_ORGS and is_block_employee) and then records those users as block_non_goose. Once contributors come from AAIF-maintained repos, internal contributors not tied to Block will be misclassified as external, which skews the community-stars rankings and downstream award decisions.
Signed-off-by: Michael Neale <michael.neale@gmail.com>
- Map SECURITY_SCANNER_ANTHROPIC_API_KEY to OPENAI_API_KEY in scan-recipe.sh (broken since PRs #7387/#7391 renamed the env var in the workflow but never updated the script)
- Add contents: write permission to docs deploy job so pr-preview-action can push to gh-pages

Signed-off-by: Michael Neale <michael.neale@gmail.com>
Signed-off-by: Michael Neale <michael.neale@gmail.com>
The scanner runs goose with GOOSE_PROVIDER=openai and GOOSE_MODEL=gpt-4o, so it needs OPENAI_API_KEY. The workflow was passing SECURITY_SCANNER_ANTHROPIC_API_KEY which the script doesn't recognize. Use the existing OPENAI_API_KEY repo secret directly.

Signed-off-by: Michael Neale <michael.neale@gmail.com>
The goose CLI binary requires libgomp.so.1 (OpenMP) which is missing from the scanner's Debian container.

Signed-off-by: Michael Neale <michael.neale@gmail.com>
* origin/main: (32 commits)
  docs: rework homepage and add aaif migration blog post (#8356)
  chore(aaif): rename a bunch of repository references (#8152)
  fix: use OPENAI_API_KEY secret for recipe security scanner (#8358)
  feat: configurable extension timeouts via ACP _meta and global default (#8295)
  fix: hide hidden extensions in UI (#8346)
  refactor: skills as its own platform ext (#8244)
  fix baseUrl (#8347)
  Fix desktop slash commands (#8341)
  fix(cli): display platform-correct secrets path in keyring config dialog (#8328)
  feat(acp): add reusable ACP provider controls (#8314)
  fix: resolve MDX compilation error in using-goosehints.md (#8332)
  fix: use v1beta1 API version for Google/MaaS models on GCP Vertex AI (#8278)
  docs: add MCP Roots guide (#8252)
  rust acp client for extension methods (#8227)
  fix: reconsolidate split tool-call messages to follow OpenAI format (#7921)
  fix: clean up MCP subprocesses after abrupt parent exit (#8242)
  build: raise default stack reserve to 8 MB (#8234)
  fix(config): honour GOOSE_DISABLE_KEYRING from config.yaml at startup (#8219)
  feat: add configurable fast_model for declarative providers (#8194)
  fix(authentication): Allow connecting to Oauth servers that use protected-resource fallback instead of the WWW-authenticate header (#8148)
  ...
Uses aaif-goose as the org placeholder, but we can easily swap this.