diff --git a/.github/workflows/agents-autofix-loop.yml b/.github/workflows/agents-autofix-loop.yml
index 4fcf3ff2..23a34327 100644
--- a/.github/workflows/agents-autofix-loop.yml
+++ b/.github/workflows/agents-autofix-loop.yml
@@ -39,7 +39,7 @@ jobs:
 security_reason: ${{ steps.security_gate.outputs.reason }}
 steps:
 - name: Checkout (for security gate)
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 sparse-checkout: |
 .github/scripts/prompt_injection_guard.js
@@ -47,7 +47,7 @@ jobs:
 - name: Security gate - prompt injection guard
 id: security_gate
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -102,7 +102,7 @@ jobs:
 - name: Evaluate workflow_run
 id: evaluate
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const run = context.payload.workflow_run;
@@ -318,7 +318,7 @@ jobs:
 environment: agent-standard
 steps:
 - name: Add needs-human label and comment
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const prNumber = Number('${{ needs.prepare.outputs.pr_number }}');
@@ -372,7 +372,7 @@ jobs:
 steps:
 - name: Collect metrics
 id: collect
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -492,7 +492,7 @@ jobs:
 PY
 - name: Upload metrics artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v4
 with:
 name: agents-autofix-metrics
 path: autofix-metrics.ndjson
diff --git a/.github/workflows/agents-bot-comment-handler.yml b/.github/workflows/agents-bot-comment-handler.yml
index 7b6c21ee..cc451426 100644
--- a/.github/workflows/agents-bot-comment-handler.yml
+++ b/.github/workflows/agents-bot-comment-handler.yml
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Resolve PR number and check conditions
 id: resolve
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const eventName = context.eventName;
@@ -162,7 +162,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Remove trigger label
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 try {
diff --git a/.github/workflows/agents-guard.yml b/.github/workflows/agents-guard.yml
index 0a96eb24..7a3e2258 100644
--- a/.github/workflows/agents-guard.yml
+++ b/.github/workflows/agents-guard.yml
@@ -33,7 +33,7 @@ jobs:
 steps:
 - name: Checkout base ref for safety validation
 if: github.event_name == 'pull_request_target'
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.base.sha }}
 sparse-checkout: |
@@ -42,7 +42,7 @@ jobs:
 - name: Verify pull_request_target safety invariants
 if: github.event_name == 'pull_request_target'
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const path = require('path');
@@ -58,7 +58,7 @@ jobs:
 - name: Checkout PR head for pull_request event
 if: github.event_name == 'pull_request'
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 sparse-checkout: |
 .github/scripts/agents-guard.js
@@ -66,7 +66,7 @@ jobs:
 - name: Evaluate protected file changes
 id: evaluate
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const fs = require('fs');
@@ -281,7 +281,7 @@ jobs:
 - name: Post guard failure comment
 if: steps.evaluate.outputs.blocked == 'true'
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 env:
 COMMENT_BODY_B64: ${{ steps.evaluate.outputs.comment_body_b64 }}
 COMMENT_MARKER: ${{ steps.evaluate.outputs.marker }}
@@ -399,7 +399,7 @@ jobs:
 - name: Report agents guard commit status
 if: always()
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 env:
 BLOCKED: ${{ steps.evaluate.outputs.blocked || 'false' }}
 SUMMARY: ${{ steps.evaluate.outputs.summary }}
diff --git a/.github/workflows/agents-issue-intake.yml b/.github/workflows/agents-issue-intake.yml
index 2a3be2da..e4b51a4d 100644
--- a/.github/workflows/agents-issue-intake.yml
+++ b/.github/workflows/agents-issue-intake.yml
@@ -65,7 +65,7 @@ jobs:
 steps:
 - name: Check labels and extract info
 id: check
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const eventName = context.eventName;
diff --git a/.github/workflows/agents-keepalive-loop.yml b/.github/workflows/agents-keepalive-loop.yml
index f070017f..6dcebe88 100644
--- a/.github/workflows/agents-keepalive-loop.yml
+++ b/.github/workflows/agents-keepalive-loop.yml
@@ -72,12 +72,12 @@ jobs:
 steps:
 # Dual checkout pattern: consumer repo for context, Workflows repo for scripts
 - name: Checkout consumer repository
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 path: consumer
 - name: Checkout Workflows scripts
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 repository: stranske/Workflows
 ref: main
@@ -97,7 +97,7 @@ jobs:
 - name: Security gate - prompt injection guard
 id: security_gate
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 env:
 INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
 with:
@@ -180,7 +180,7 @@ jobs:
 - name: Evaluate keepalive conditions
 id: evaluate
 if: steps.security_gate.outputs.blocked != 'true'
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 env:
 INPUT_PR_NUMBER: ${{ inputs.pr_number || '' }}
 with:
@@ -282,7 +282,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Workflows scripts
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 repository: stranske/Workflows
 ref: main
@@ -292,7 +292,7 @@ jobs:
 fetch-depth: 1
 - name: Update summary with running status
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -342,7 +342,7 @@ jobs:
 environment: agent-standard
 steps:
 - name: Checkout Workflows scripts
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 with:
 repository: stranske/Workflows
 ref: main
@@ -419,7 +419,7 @@ jobs:
 echo "$metrics_json" >> keepalive-metrics.ndjson
 - name: Upload keepalive metrics artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v4
 with:
 name: keepalive-metrics
 path: keepalive-metrics.ndjson
@@ -428,7 +428,7 @@ jobs:
 - name: Auto-reconcile task checkboxes
 if: needs.run-codex.outputs.changes-made == 'true'
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -461,7 +461,7 @@ jobs:
 core.setOutput('reconciliation_details', result.details);
 - name: Update summary comment
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 env:
 CODEX_SUMMARY: ${{ needs.run-codex.outputs.final-message-summary || '' }}
 with:
diff --git a/.github/workflows/agents-pr-meta.yml b/.github/workflows/agents-pr-meta.yml
index e56a4db3..58300b0c 100644
--- a/.github/workflows/agents-pr-meta.yml
+++ b/.github/workflows/agents-pr-meta.yml
@@ -106,7 +106,7 @@ jobs:
 steps:
 - name: Resolve PR from workflow_run
 id: resolve
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 script: |
 const run = context.payload.workflow_run;
diff --git a/.github/workflows/maint-coverage-guard.yml b/.github/workflows/maint-coverage-guard.yml
index 6c0a199c..bb033bc0 100644
--- a/.github/workflows/maint-coverage-guard.yml
+++ b/.github/workflows/maint-coverage-guard.yml
@@ -35,11 +35,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 - name: Locate latest Gate workflow run
 id: discover
- uses: actions/github-script@v8
+ uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -79,7 +79,7 @@ jobs:
 - name: Download coverage trend artifact
 if: ${{ steps.discover.outputs.run_id }}
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@v4
 continue-on-error: true
 with:
 name: gate-coverage-trend
@@ -89,7 +89,7 @@ jobs:
 - name: Download coverage artifact
 if: ${{ steps.discover.outputs.run_id }}
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@v4
 continue-on-error: true
 with:
 pattern: gate-coverage-*
diff --git a/scripts/sync_test_dependencies.py b/scripts/sync_test_dependencies.py
index 72204b72..2c4beddb 100644
--- a/scripts/sync_test_dependencies.py
+++ b/scripts/sync_test_dependencies.py
@@ -18,6 +18,7 @@
 REPO_ROOT = Path(__file__).resolve().parents[1]
 SRC_PATH = REPO_ROOT / "src"
+LOCAL_MODULES_FILE = REPO_ROOT / ".project_modules.txt"
 if SRC_PATH.exists():
 sys.path.insert(0, str(SRC_PATH))
@@ -137,8 +138,6 @@
 "fallback_split",
 "parse_chatgpt_topics",
 "health_summarize",
- "diff_holdings",
- "embeddings",
 }
@@ -178,9 +177,41 @@ def _detect_local_project_modules() -> set[str]:
 return detected
+def _read_local_modules() -> set[str]:
+ """Read repo-specific module names from .project_modules.txt if it exists.
+
+ This allows consumer repos to specify additional first-party modules
+ (like standalone .py files in root) without modifying this script.
+ One module name per line, comments start with #.
+ """
+ if not LOCAL_MODULES_FILE.exists():
+ return set()
+ modules: set[str] = set()
+ try:
+ content = LOCAL_MODULES_FILE.read_text(encoding="utf-8")
+ except (OSError, UnicodeDecodeError) as exc:
+ print(
+ f"Warning: could not read {LOCAL_MODULES_FILE}: {exc}",
+ file=sys.stderr,
+ )
+ return set()
+ for line in content.splitlines():
+ line = line.strip()
+ if not line or line.startswith("#"):
+ continue
+ if not line.isidentifier():
+ print(
+ f"Warning: ignoring invalid module name in {LOCAL_MODULES_FILE}: {line!r}",
+ file=sys.stderr,
+ )
+ continue
+ modules.add(line)
+ return modules
+
+
+
 def get_project_modules() -> set[str]:
- """Return the full set of project modules (static + dynamically detected)."""
- return _BASE_PROJECT_MODULES | _detect_local_project_modules()
+ """Return the full set of project modules (static + dynamically detected + local)."""
+ return _BASE_PROJECT_MODULES | _detect_local_project_modules() | _read_local_modules()
 # For backward compatibility - will be populated on first use
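Review bot: `_read_local_modules()` adds every identifier-shaped line to the first-party set without checking that a module of that name exists in the checkout, so a stray or unreviewed entry in `.project_modules.txt` can make a third-party import look local. What consumes `get_project_modules()` is outside the hunk, but presumably a name in that set is skipped by the dependency sync, which would hide an undeclared dependency. Accepting a name only when it resolves under `REPO_ROOT` or `SRC_PATH`, and warning otherwise, closes that gap; the candidate locations in the sketch below are a guess and should match wherever consumer repos keep first-party modules. In the same loop, a trailing `# comment` after a module name fails `isidentifier()` and the entry is dropped even though the docstring says comments start with `#`. A UTF-8 BOM does the same to the first line, which `encoding="utf-8-sig"` would avoid.

```python
    for line in content.splitlines():
        # Strip trailing comments so "name  # note" is accepted.
        name = line.split("#", 1)[0].strip()
        if not name:
            continue
        if not name.isidentifier():
            # … unchanged: invalid-name warning and continue …
            continue
        # Trust a name only when it maps to a file or package in this checkout.
        roots = (REPO_ROOT, SRC_PATH)
        found = any(
            (root / name).is_dir() or (root / f"{name}.py").is_file()
            for root in roots
        )
        if not found:
            print(
                f"Warning: {name!r} in {LOCAL_MODULES_FILE} matches no module in the repo; ignoring",
                file=sys.stderr,
            )
            continue
        modules.add(name)
```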