Skip to content

main -> v1.5.0 backmerge #2732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
akshaydeo merged 63 commits into from
Apr 18, 2026
Merged

main -> v1.5.0 backmerge #2732

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
63 commits
Select commit Hold shift + click to select a range
a8cf690
fix(helm): use correct templating for mcpClientConfig (#2673)
crust3780 Apr 13, 2026
79a1ab4
docs updates (#2691)
akshaydeo Apr 13, 2026
8f84688
chore: regenerate openapi.json --skip-pipeline
github-actions[bot] Apr 13, 2026
663ded6
changelog update (#2693)
akshaydeo Apr 13, 2026
588e975
fix(bedrock): preserve image content in tool results for Converse API…
Edward-Upton Apr 14, 2026
188fc0e
chore: updates compat plugin docs (#2698)
sammaji Apr 14, 2026
1bda46a
fix: allow custom providers without a list models endpoint to pass in…
danpiths Apr 14, 2026
67938e2
docs: update langchain sdk docs for google (#2702)
BearTS Apr 15, 2026
b423d7d
[fix]: Bedrock provider - emit message_stop event for Anthropic invok…
tefimov Apr 15, 2026
5d3b34b
fix: otel plugin fixes (#2727)
sammaji Apr 15, 2026
1efbfcd
docs: delete example for patronus_ai (#2734)
BearTS Apr 15, 2026
f2005ef
helm chart updates (#2736)
akshaydeo Apr 15, 2026
132b0d4
fixed validation checks (#2737)
akshaydeo Apr 15, 2026
254e41e
fix: capture responses streaming api error (#2681)
BearTS Apr 15, 2026
12e443b
test case fixes for helm release (#2738)
akshaydeo Apr 15, 2026
e7ef535
removes prerelease tag from helm chart (#2739)
akshaydeo Apr 15, 2026
15b67f2
new docs updates for scim (#2748)
akshaydeo Apr 15, 2026
56c3cb4
chore: regenerate openapi.json --skip-pipeline
github-actions[bot] Apr 15, 2026
32138be
removed keycloak (#2749)
akshaydeo Apr 15, 2026
f76f600
fix: delete fallbacks from anthropic req (#2754)
TejasGhatte Apr 16, 2026
aa360ca
fix: preserve context values in async requests (#2703)
TejasGhatte Apr 16, 2026
b9efa11
[fix]: Gemini provider - handle content block tool outputs in Respons…
tom-diacono Apr 16, 2026
6d6b554
fix: gemini thinking level and finish reason round-trip preservation …
TejasGhatte Apr 16, 2026
6d0e64f
fix: remove cc user agent guard from streaming in anthropic (#2706)
TejasGhatte Apr 16, 2026
83599a2
remove unnecessary marshalling of payload (#2770)
akshaydeo Apr 16, 2026
ca5174e
feat: claude opus 4.7 compatibility (#2773)
TejasGhatte Apr 16, 2026
fce84de
docs: restructure helm guide into comprehensive multi-page reference …
BearTS Apr 16, 2026
896f571
v1.4.23 cut (#2778)
akshaydeo Apr 16, 2026
61e8079
validator fix (#2780)
akshaydeo Apr 16, 2026
594b508
fix: token usage for vllm --skip-pipeline (#2784)
sammaji Apr 17, 2026
3ed64a6
[fix]: OpenAI provider - flatten array-form tool_result output for Re…
martingiguere Apr 17, 2026
18427ac
fix: prevent send on closed channel panic in provider queue shutdown …
Pratham-Mishra04 Apr 17, 2026
16896bd
feat: preserve MCP tool annotations in bidirectional conversion --ski…
Pratham-Mishra04 Apr 17, 2026
8c11869
fix: add support for Anthropic structured output and response format …
emirhanmutlu-natuvion Apr 17, 2026
ce62c64
test fixes --skip-pipeline (#2782)
akshaydeo Apr 17, 2026
d1d1004
anthropic container changes --skip-pipeline (#2783)
akshaydeo Apr 17, 2026
19a4473
core schema changes --skip-pipeline (#2787)
akshaydeo Apr 17, 2026
0485a49
dependabot fixes --skip-pipeline (#2788)
akshaydeo Apr 17, 2026
a80bb41
move back go to 1.26.1 (#2792)
akshaydeo Apr 17, 2026
9c00d7b
temp gotoolchain auto (#2809)
akshaydeo Apr 17, 2026
f75d607
temp hack for tests (#2810)
akshaydeo Apr 17, 2026
72ecaca
temp block docker build (#2811)
akshaydeo Apr 17, 2026
c4a191d
removed docker build steps (#2812)
akshaydeo Apr 17, 2026
c907a4d
moves tests to 1.26.2 and 1.26.1 (#2813)
akshaydeo Apr 17, 2026
304d547
ocr test fixes (#2814)
akshaydeo Apr 17, 2026
12c68f3
revert to old schema (#2815)
akshaydeo Apr 17, 2026
9dc2478
reduced release pipeline for this cut for go downgrade (#2816)
akshaydeo Apr 17, 2026
3e0dd03
force verstion back to go 1.26.1 (#2817)
akshaydeo Apr 17, 2026
485810b
revert everything to go1.26.1 (#2818)
akshaydeo Apr 17, 2026
0ac9518
bumped up hello-world dep (#2819)
akshaydeo Apr 17, 2026
bfe8360
framework: bump core to v1.4.22 --skip-pipeline
github-actions[bot] Apr 17, 2026
f962154
plugins/governance: bump core to v1.4.22 and framework to v1.2.39 --s…
github-actions[bot] Apr 17, 2026
314f13f
plugins/jsonparser: bump core to v1.4.22 and framework to v1.2.39 --s…
github-actions[bot] Apr 17, 2026
dd36ff0
plugins/litellmcompat: bump core to v1.4.22 and framework to v1.2.39 …
github-actions[bot] Apr 17, 2026
aec4b7e
plugins/logging: bump core to v1.4.22 and framework to v1.2.39 --skip…
github-actions[bot] Apr 17, 2026
cbfa4f4
plugins/maxim: bump core to v1.4.22 and framework to v1.2.39 --skip-p…
github-actions[bot] Apr 17, 2026
40737ff
plugins/mocker: bump core to v1.4.22 and framework to v1.2.39 --skip-…
github-actions[bot] Apr 17, 2026
adc31bc
plugins/otel: bump core to v1.4.22 and framework to v1.2.39 --skip-pi…
github-actions[bot] Apr 17, 2026
67340ad
plugins/semanticcache: bump core to v1.4.22 and framework to v1.2.39 …
github-actions[bot] Apr 17, 2026
b31cc3a
plugins/telemetry: bump core to v1.4.22 and framework to v1.2.39 --sk…
github-actions[bot] Apr 17, 2026
67319e5
enforce go 1.26.1 (#2820)
akshaydeo Apr 17, 2026
be3edf3
transports: update dependencies --skip-pipeline
github-actions[bot] Apr 17, 2026
1e79b19
Adds changelog for v1.4.23 --skip-pipeline
github-actions[bot] Apr 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/workflows/dependabot-alerts.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,12 @@ jobs:
create-issues:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
Comment on lines +15 to +20
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/dependabot-alerts.yml

Repository: maximhq/bifrost

Length of output: 2436

🌐 Web query:

GitHub REST API Dependabot alerts endpoint permission requirements security-events

💡 Result:

The GitHub REST API endpoints for Dependabot alerts (under /repos/{owner}/{repo}/dependabot/alerts and related paths) require the security_events scope for OAuth apps and personal access tokens (classic). For public repositories only, the public_repo scope is sufficient instead. Users must have appropriate repository permissions, such as access to security alerts (e.g., repository owners, security managers, or those granted access via "Granting access to security alerts"). This applies consistently across list, get, update, and related operations like dismissal requests.

Citations:

Add the missing read permission for Dependabot alerts.

The gh api call on line 26 reads repository Dependabot alerts, but this workflow only grants issues: write. The Dependabot alerts API requires the security-events scope. Without it, the API call will fail with a 403 error before the issue-creation loop runs.

Suggested fix 
 permissions:
+  security-events: read
   issues: write
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-alerts.yml around lines 15 - 20, The workflow
is missing the security-events read permission required for the Dependabot
alerts API call (the `gh api` step that reads Dependabot alerts will 403 with
only `issues: write`); update the workflow permissions to include
"security-events: read" alongside the existing "issues: write" (ensure the job
or workflow-level permissions block contains security-events: read so the `gh
api` call can successfully read repository Dependabot alerts).


- name: Create issues from Dependabot alerts
env:
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/dependency-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,15 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.securityscorecards.dev:443
github.com:443

- name: 'Checkout Repository'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
Expand Down
12 changes: 10 additions & 2 deletions .github/workflows/docs-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,18 @@ jobs:
name: Check Broken Links
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
ph.mintlify.com:443
registry.npmjs.org:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.26.2"
go-version: "1.26.1"

- name: Set up Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
Expand Down
16 changes: 13 additions & 3 deletions .github/workflows/helm-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,26 @@
workflow_dispatch:

permissions:
contents: write
contents: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 0: topLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help

jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
get.helm.sh:443
github.com:443
maximhq.github.io:443
proxy.golang.org:443
release-assets.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/openapi-bundle.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,14 @@ jobs:
name: Bundle OpenAPI Spec
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pr-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.26.2"
go-version: "1.26.1"

- name: Set up Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/release-cli.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ on:
push:
branches:
- main

# Prevent concurrent runs
concurrency:
group: release-cli
Expand All @@ -20,10 +20,12 @@ jobs:
version: ${{ steps.get-version.outputs.version }}
tag_exists: ${{ steps.check-tag.outputs.exists }}
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
Comment on lines +23 to +28
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n 'egress-policy:\s*(audit|block)' .github/workflows/release-cli.yml

Repository: maximhq/bifrost

Length of output: 195

🏁 Script executed:

sed -n '50,65p' .github/workflows/release-cli.yml

Repository: maximhq/bifrost

Length of output: 598

🏁 Script executed:

sed -n '80,95p' .github/workflows/release-cli.yml

Repository: maximhq/bifrost

Length of output: 593

🏁 Script executed:

sed -n '120,130p' .github/workflows/release-cli.yml

Repository: maximhq/bifrost

Length of output: 448

🏁 Script executed:

rg -n 'GH_TOKEN|secrets\.R2' .github/workflows/release-cli.yml

Repository: maximhq/bifrost

Length of output: 435

Egress blocking only applied to the lowest-privilege job.

Lines 59, 88, and 127 still run with egress-policy: audit. The release-cli job (line 88) uses GH_TOKEN and R2 credentials (R2_ENDPOINT, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY, R2_BUCKET), and push-mintlify-changelog (line 127) also uses GH_TOKEN. These are the highest-risk operations and should have egress restrictions enabled instead of audit mode.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-cli.yml around lines 23 - 28, The workflow applies
step-security/harden-runner egress-policy:block only to the lowest-privilege
job; update the Harden Runner step usage in the higher-risk jobs named
release-cli and push-mintlify-changelog (and any other jobs currently using
egress-policy:audit) to set egress-policy: block and restrict allowed-endpoints
as needed so GH_TOKEN and R2 credentials cannot exfiltrate data; locate the
Harden Runner step (uses: step-security/harden-runner) within those job
definitions and change the with: egress-policy value from audit to block (and
ensure allowed-endpoints remains appropriate).


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down Expand Up @@ -65,7 +67,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.26.2"
go-version: "1.26.1"

- name: Run CLI tests
working-directory: cli
Expand Down Expand Up @@ -95,7 +97,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "1.26.2"
go-version: "1.26.1"

- name: Configure Git
run: |
Expand Down
Loading
Loading