diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml index f64eb7d..542991f 100644 --- a/.github/workflows/agent.yml +++ b/.github/workflows/agent.yml @@ -40,7 +40,7 @@ concurrency: jobs: agent: - uses: YiAgent/OpenCI/.github/workflows/reusable/agent.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/agent.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: task: ${{ inputs.task }} prompt: ${{ inputs.prompt }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 86cd14b..de549da 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ concurrency: jobs: ci: - uses: YiAgent/OpenCI/.github/workflows/reusable/ci.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/ci.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ github.sha }} registry: ghcr.io diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 57dd8b1..3c31a91 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -15,6 +15,6 @@ concurrency: jobs: deps: - uses: YiAgent/OpenCI/.github/workflows/reusable/deps.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/deps.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: runner: blacksmith-32vcpu-ubuntu-2404 diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 614560c..5cf70a5 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -33,7 +33,7 @@ jobs: && github.event.workflow_run.name == 'ci' && github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'stg') - uses: YiAgent/OpenCI/.github/workflows/reusable/stg.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/stg.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: app-name: ${{ vars.APP_NAME || github.event.repository.name }} image-name: ${{ vars.IMAGE_NAME || github.event.repository.name }} @@ -54,7 +54,7 @@ jobs: && github.event.workflow_run.name == 'release' && github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd') - uses: YiAgent/OpenCI/.github/workflows/reusable/prd.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/prd.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: app-name: ${{ vars.APP_NAME || github.event.repository.name }} image-name: ${{ vars.IMAGE_NAME || github.event.repository.name }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index a5d70a0..41be760 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -22,13 +22,14 @@ concurrency: jobs: docs: - uses: YiAgent/OpenCI/.github/workflows/reusable/docs.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/docs.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: build-cmd: ${{ vars.DOCS_BUILD_CMD || '' }} docs-path: ${{ vars.DOCS_DIR || 'docs' }} site-dir: ${{ vars.DOCS_SITE_DIR || 'site' }} enable-agent: true runner: blacksmith-32vcpu-ubuntu-2404 + model: ${{ vars.AI_MODEL || '' }} secrets: anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} diff --git a/.github/workflows/issue-ops.yml b/.github/workflows/issue-ops.yml index 94eaab5..08c4df2 100644 --- a/.github/workflows/issue-ops.yml +++ b/.github/workflows/issue-ops.yml 
@@ -17,6 +17,11 @@ on: type: choice default: lifecycle options: [lifecycle, maintenance, ingest] + model: + required: false + type: string + default: "" + description: "AI model override (e.g. glm-4-flash). Leave empty to use vars.AI_MODEL or the reusable default." permissions: contents: write @@ -32,13 +37,14 @@ concurrency: jobs: lifecycle: if: github.event_name == 'issues' || github.event_name == 'issue_comment' - uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: lifecycle runner: blacksmith-32vcpu-ubuntu-2404 + model: ${{ vars.AI_MODEL || '' }} secrets: anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} - api-base-url: ${{ secrets.API_BASE_URL }} + api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} sentry-token: ${{ secrets.SENTRY_TOKEN }} linear-token: ${{ secrets.LINEAR_TOKEN }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -46,13 +52,14 @@ jobs: ingest: if: github.event_name == 'repository_dispatch' - uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: ingest runner: blacksmith-32vcpu-ubuntu-2404 + model: ${{ vars.AI_MODEL || '' }} secrets: anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} - api-base-url: ${{ secrets.API_BASE_URL }} + api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} sentry-token: ${{ secrets.SENTRY_TOKEN }} linear-token: ${{ secrets.LINEAR_TOKEN }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} 
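Review bot: The new `model` input is a free-form `type: string`, and the `manual` job hunk further down forwards `inputs.model` unvalidated to the reusable issue.yml, in a workflow whose permissions include `contents: write` and whose jobs pass the API key and other tokens. Anyone who can dispatch the workflow controls that value, so if the reusable workflow expands it with `${{ }}` inside a `run:` step it becomes a script-injection point; the reusable file is not part of this hunk, so that needs checking there. Consider constraining the input the way the `mode` input just above is, with `type: choice` and an explicit `options:` list, or state in the `description` that the value must only be consumed through `env:`.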
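Review bot: Switching `api-base-url` from `secrets.API_BASE_URL` to `secrets.ANTHROPIC_BASE_URL` in the `lifecycle` job (and again in the `ingest`, `maintenance` and `manual` hunks) fails silently when the new secret is not defined, because an unset secret expands to an empty string instead of raising an error. This value presumably decides which host receives `anthropic-api-key`, so confirm the secret exists wherever these jobs run. A short comment above the line would document the migration, for example `# requires secret ANTHROPIC_BASE_URL (replaces API_BASE_URL)`.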
@@ -60,13 +67,14 @@ jobs: maintenance: if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'maintenance') - uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: maintenance runner: blacksmith-32vcpu-ubuntu-2404 + model: ${{ vars.AI_MODEL || '' }} secrets: anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} - api-base-url: ${{ secrets.API_BASE_URL }} + api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} sentry-token: ${{ secrets.SENTRY_TOKEN }} linear-token: ${{ secrets.LINEAR_TOKEN }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -74,13 +82,14 @@ jobs: manual: if: github.event_name == 'workflow_dispatch' && inputs.mode != 'maintenance' - uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: ${{ inputs.mode }} runner: blacksmith-32vcpu-ubuntu-2404 + model: ${{ inputs.model || vars.AI_MODEL || '' }} secrets: anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} - api-base-url: ${{ secrets.API_BASE_URL }} + api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} sentry-token: ${{ secrets.SENTRY_TOKEN }} linear-token: ${{ secrets.LINEAR_TOKEN }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/observability.yml b/.github/workflows/observability.yml index 8b61485..715720f 100644 --- a/.github/workflows/observability.yml +++ b/.github/workflows/observability.yml 
@@ -30,7 +30,7 @@ concurrency: jobs: observe-canary: if: ${{ github.event_name == 'schedule' && github.event.schedule == '*/15 * * * *' }} - uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: canary-watch runner: blacksmith-32vcpu-ubuntu-2404 @@ -38,7 +38,7 @@ jobs: observe-drift: if: ${{ github.event_name == 'schedule' && github.event.schedule == '0 4 * * *' }} - uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: terraform-drift infra-dir: ${{ vars.INFRA_DIR || 'infrastructure' }} @@ -50,7 +50,7 @@ jobs: (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || github.event_name == 'repository_dispatch' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'verify-fix') - uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: verify-fix runner: blacksmith-32vcpu-ubuntu-2404 diff --git a/.github/workflows/on-maintenance.yml b/.github/workflows/on-maintenance.yml index 76a3e8d..378c718 100644 --- a/.github/workflows/on-maintenance.yml +++ b/.github/workflows/on-maintenance.yml @@ -115,7 +115,7 @@ jobs: if: | !contains(fromJSON('["pr-review","flag-audit"]'), needs.resolve-mode.outputs.mode) - uses: YiAgent/OpenCI/.github/workflows/reusable/maintenance.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/maintenance.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: ${{ needs.resolve-mode.outputs.mode }} openci-ref: ${{ needs.resolve-mode.outputs.openci-ref }} 
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index ea2004e..62cd118 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -28,9 +28,12 @@ concurrency: jobs: checks: - uses: YiAgent/OpenCI/.github/workflows/reusable/pr.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/pr.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: enable-ai-review: true enable-eval: true runner: blacksmith-32vcpu-ubuntu-2404 - secrets: inherit + model: ${{ vars.AI_MODEL || '' }} + secrets: + anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} + api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1986939..68ff6e2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ concurrency: jobs: release: - uses: YiAgent/OpenCI/.github/workflows/reusable/release.yml@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/.github/workflows/reusable/release.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: mode: ${{ inputs.mode || 'both' }} image-name: ${{ vars.IMAGE_NAME || github.event.repository.name }} diff --git a/.github/workflows/reusable/ci.yml b/.github/workflows/reusable/ci.yml index e19d51f..ed45eca 100644 --- a/.github/workflows/reusable/ci.yml +++ b/.github/workflows/reusable/ci.yml @@ -127,7 +127,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - name: Probe secrets 
@@ -155,7 +155,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - id: detect @@ -183,7 +183,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - id: build @@ -212,7 +212,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - id: scan @@ -235,7 +235,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 
@@ -282,7 +282,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - uses: ./.openci/actions/ci/check-migration @@ -305,7 +305,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - uses: ./.openci/actions/ci/eval-smoke @@ -485,7 +485,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: { persist-credentials: false } - name: Resolve OpenCI ref and checkout - uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d + uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1 with: openci-ref: ${{ inputs.openci-ref }} - name: Download ci-context artifact diff --git a/.gitignore b/.gitignore index 33f4a38..5ef728e 100644 --- a/.gitignore +++ b/.gitignore @@ -39,4 +39,5 @@ gate-context/ .history # act local testing -.act.env \ No newline at end of file +.act.env*.yml-e +*.yaml-e diff --git a/manifest.yml b/manifest.yml index 4282d10..88dcfb8 100644 --- a/manifest.yml +++ b/manifest.yml 
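Review bot: The new pattern `.act.env*.yml-e` in the .gitignore hunk looks like two entries fused together: the old `.act.env` line had no trailing newline, and the added `*.yml-e` appears to have been appended directly to it. As written, a plain `.act.env` file is no longer ignored, and neither are `*.yml-e` backup files. The comment above the entry says it is for act local testing, so if that file holds local secrets it can now be staged by accident. Split the line into `.act.env` and `*.yml-e` as separate entries and keep `*.yaml-e` as it is.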
@@ -101,7 +101,7 @@ deps: softprops/action-gh-release: "b4309332981a82ec1c5618f44dd2e27cc8bfbfda" # v3.0.0 # ── Self (OpenCI vendoring itself via remote action reference) ────────── - YiAgent/OpenCI: "ebe8fca3260dce68d34d51b74703169e776bc72d" # resolve-openci bootstrap + YiAgent/OpenCI: "be43e4efd2f14f2a3da7d5264356a9e6774c8ef1" # resolve-openci bootstrap # ───────────────────────────────────────────────────────────────────────────── # Reusable workflow catalog (consumed via `uses: YiAgent/OpenCI/.github/workflows/.yml@`) diff --git a/scripts/bump-self-sha.sh b/scripts/bump-self-sha.sh index f869d35..7e16913 100755 --- a/scripts/bump-self-sha.sh +++ b/scripts/bump-self-sha.sh @@ -95,7 +95,7 @@ if [ -z "$old_sha" ]; then die "YiAgent/OpenCI not found in manifest.yml .deps — add it manually first." fi -sed -i'' -e "s|${old_sha}|${new_sha}|g" "$MANIFEST" +perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$MANIFEST" info "Updated manifest.yml" # ── 5. Update all workflow files that reference the old SHA ────────────────── @@ -103,7 +103,7 @@ info "Updated manifest.yml" updated=0 while IFS= read -r -d '' f; do if grep -q "$old_sha" "$f" 2>/dev/null; then - sed -i'' -e "s|${old_sha}|${new_sha}|g" "$f" + perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$f" info "Updated $f" updated=$((updated + 1)) fi diff --git a/tests/actions/on-pr-routing.bats b/tests/actions/on-pr-routing.bats index 3e77222..028f023 100644 --- a/tests/actions/on-pr-routing.bats +++ b/tests/actions/on-pr-routing.bats @@ -56,8 +56,8 @@ setup() { grep -q 'runner:.*blacksmith-32vcpu-ubuntu-2404' "$ENTRY" } -@test "checks job inherits secrets" { - grep -q 'secrets: inherit' "$ENTRY" +@test "checks job passes anthropic-api-key secret" { + grep -q 'anthropic-api-key:' "$ENTRY" } # ---------------------------------------------------------------------------
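Review bot: Both `perl -pi` calls (this one for `$MANIFEST` and the one inside the workflow-file loop in the next hunk) build the Perl program inside double quotes, so the shell pastes `${old_sha}` and `${new_sha}` into the code before Perl parses it; `\Q…\E` does not help if either value contains `|`, `$` or `@`. That is harmless for a 40-character hex SHA, but the hunk does not show where `new_sha` is validated (the script starts outside it), so confirm a strict hex check exists upstream. Alternatively, pass the values through the environment: `OLD="$old_sha" NEW="$new_sha" perl -pi -e 's|\Q$ENV{OLD}\E|$ENV{NEW}|g' "$MANIFEST"`. A one-line comment saying why perl replaced `sed -i''` would also help the next maintainer.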
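Review bot: The renamed test in on-pr-routing.bats only checks that `anthropic-api-key:` appears somewhere in `$ENTRY`, so it does not fail if `secrets: inherit` reappears in the file or if `api-base-url` is dropped. The pull-request.yml change replaces blanket secret inheritance with an explicit list, and the test should guard that property directly. Add a negative check, `run grep -q 'secrets: inherit' "$ENTRY"` followed by `[ "$status" -ne 0 ]`, and a positive `grep -q 'api-base-url:' "$ENTRY"`.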