chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 12:38:34 +08:00
commit 0549b088a4
2405 changed files with 810255 additions and 0 deletions
+111
View File
@@ -0,0 +1,111 @@
#!/usr/bin/env python3
"""Bump version, release-tag URLs, and per-platform sha256 in a Composio Homebrew formula.
Used by .github/workflows/cli.bump-homebrew-tap.yml. Reads inputs from env vars
so the bash side has a clean interface; can be run locally for testing:
TAG=@composio/cli@0.2.29 VERSION=0.2.29 \\
DARWIN_ARM=<sha> DARWIN_X86=<sha> LINUX_ARM=<sha> LINUX_X86=<sha> \\
.github/scripts/bump-homebrew-formula.py path/to/Formula/composio.rb
Exits non-zero if any required env var is missing/invalid or if no edits land.
"""
from __future__ import annotations
import os
import re
import sys
REQUIRED_ENV = ("TAG", "VERSION", "DARWIN_ARM", "DARWIN_X86", "LINUX_ARM", "LINUX_X86")
SHA256_RE = re.compile(r"[0-9a-f]{64}")
def main(argv: list[str]) -> int:
if len(argv) != 2:
print(f"usage: {argv[0]} <formula-path>", file=sys.stderr)
return 2
path = argv[1]
missing = [k for k in REQUIRED_ENV if not os.environ.get(k)]
if missing:
print(f"missing env vars: {', '.join(missing)}", file=sys.stderr)
return 2
tag = os.environ["TAG"]
version = os.environ["VERSION"]
shas = {
"darwin-aarch64": os.environ["DARWIN_ARM"],
"darwin-x64": os.environ["DARWIN_X86"],
"linux-aarch64": os.environ["LINUX_ARM"],
"linux-x64": os.environ["LINUX_X86"],
}
for plat, sha in shas.items():
if not SHA256_RE.fullmatch(sha):
print(f"invalid sha for {plat}: {sha!r}", file=sys.stderr)
return 2
with open(path) as f:
src = f.read()
# Bump version line. Lambda avoids replacement-string backreference parsing
# (e.g. a hostile tag containing \g<1>); same defense on tag/sha below.
src, n_ver = re.subn(
r'^(\s*version\s+)"[^"]+"',
lambda m: f'{m.group(1)}"{version}"',
src,
count=1,
flags=re.M,
)
# Bump the release-tag segment of each download URL.
src, n_url = re.subn(
r"(releases/download/)@composio/cli@[^/]+(/composio-)",
lambda m: f"{m.group(1)}{tag}{m.group(2)}",
src,
)
# Bump each sha256 by pairing it with the URL line directly above.
updated_platforms: set[str] = set()
def repl_sha(match: re.Match[str]) -> str:
url_line, sha_line = match.group(1), match.group(2)
for plat, sha in shas.items():
if f"composio-{plat}.zip" in url_line:
updated_platforms.add(plat)
return url_line + re.sub(
r'"[0-9a-f]{64}"',
lambda _m: f'"{sha}"',
sha_line,
)
return match.group(0)
src, n_sha = re.subn(
r'(url\s+"[^"]+"\s*\n)(\s*sha256\s+"[0-9a-f]{64}")',
repl_sha,
src,
)
expected_platforms = set(shas)
if (
n_ver != 1
or n_url != len(shas)
or n_sha != len(shas)
or updated_platforms != expected_platforms
):
print(
"bump produced unexpected edits "
f"(version={n_ver}, url={n_url}, sha={n_sha}, "
f"updated_platforms={sorted(updated_platforms)})",
file=sys.stderr,
)
return 1
with open(path, "w") as f:
f.write(src)
return 0
if __name__ == "__main__":
sys.exit(main(sys.argv))
+135
View File
@@ -0,0 +1,135 @@
#!/usr/bin/env bash
# Check the validity of all actions used in the workflows.
#
# Example output:
#
.github/scripts/check-action-repos.sh
# Found 18 unique uses: entries
# WARN: unrecognized uses format: ---
# ERROR: ref not found (tag/branch/commit): peter-evans/create-pull-request@271a8d0340265f705b14b601f8cf3c8c27d2d6cf
# ERROR: ref not found (tag/branch/commit): slackapi/slack-github-action@b4590ed38561d3cb7512cbee19cef0e0a6064ff1
set -euo pipefail
fail=0
# Collect all `uses:` entries
mapfile -t USES < <(
yq -r '
.jobs[]?.steps[]? |
select(has("uses")) |
.uses
' .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null \
| sed '/^null$/d' \
| sort -u
)
if [[ ${#USES[@]} -eq 0 ]]; then
echo "No uses: entries found."
exit 0
fi
echo "Found ${#USES[@]} unique uses: entries"
check_local() {
local p="$1"
if [[ ! -e "$p" ]]; then
echo "ERROR: local action path does not exist: $p"
return 1
fi
if [[ -d "$p" ]]; then
if [[ -f "$p/action.yml" || -f "$p/action.yaml" ]]; then
return 0
fi
echo "ERROR: local action dir missing action.yml/action.yaml: $p"
return 1
fi
# If a file is used directly (rare), just ensure it exists
return 0
}
# For remote actions, verify:
# - repo exists
# - ref exists (tag/branch/sha)
# - action.yml or action.yaml exists at path (or root) at that ref
check_remote() {
local spec="$1" # owner/repo/path@ref OR owner/repo@ref
local before_at="${spec%@*}"
local ref="${spec#*@}"
local owner_repo="${before_at%%/*}/${before_at#*/}"
owner_repo="${owner_repo%%/*}/${owner_repo#*/}" # keep first two segments
local owner="${before_at%%/*}"
local rest="${before_at#*/}"
local repo="${rest%%/*}"
local path=""
if [[ "$before_at" == */*/* ]]; then
path="${before_at#"$owner/$repo/"}"
fi
# 1) repo exists
if ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo" >/dev/null 2>&1; then
echo "ERROR: repo not found or inaccessible: $owner/$repo (from $spec)"
return 1
fi
# 2) ref exists (try tag, branch, then commit)
if ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/git/ref/tags/$ref" >/dev/null 2>&1 \
&& ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/git/ref/heads/$ref" >/dev/null 2>&1 \
&& ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/commits/$ref" >/dev/null 2>&1
then
echo "ERROR: ref not found (tag/branch/commit): $spec"
return 1
fi
# 3) action metadata exists at path (or root)
local base_path="${path}"
if [[ -z "$base_path" ]]; then
base_path=""
fi
local try_paths=()
if [[ -z "$base_path" ]]; then
try_paths=("action.yml" "action.yaml")
else
try_paths=("$base_path/action.yml" "$base_path/action.yaml")
fi
for p in "${try_paths[@]}"; do
if gh api -H "Accept: application/vnd.github+json" \
"/repos/$owner/$repo/contents/$p?ref=$ref" >/dev/null 2>&1
then
return 0
fi
done
echo "ERROR: action metadata not found at ref: $spec (looked for action.yml/action.yaml under '${base_path:-repo root}')"
return 1
}
for u in "${USES[@]}"; do
# Ignore reusable workflows here: they also use `uses:` but are `./.github/workflows/x.yml` or `owner/repo/.github/workflows/x.yml@ref`
# If you want to validate those too, add logic similar to check_local/check_remote for workflow files.
if [[ "$u" == docker://* ]]; then
echo "SKIP (docker image): $u"
continue
fi
if [[ "$u" == ./* ]]; then
if ! check_local "$u"; then fail=1; fi
continue
fi
# Remote action or reusable workflow reference (both look like owner/repo/...@ref)
if [[ "$u" == *@* && "$u" == */* ]]; then
if ! check_remote "$u"; then fail=1; fi
continue
fi
echo "WARN: unrecognized uses format: $u"
done
exit $fail
+71
View File
@@ -0,0 +1,71 @@
#!/usr/bin/env bash
#
# Report orphaned CI plumbing — the GitHub Actions analogue of the "dead file"
# problem knip/vulture catch for TS/Python:
#
# * composite actions under .github/actions/* that no workflow `uses:`
# * reusable workflows (on: workflow_call) that nothing calls AND that have
# no self-trigger (push/pull_request/schedule/...), i.e. truly unreachable
#
# Report-only: prints findings and always exits 0 so it never blocks CI on a
# heuristic. Vet anything it prints by hand before deleting.
set -uo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
workflows_dir="$repo_root/.github/workflows"
actions_dir="$repo_root/.github/actions"
findings=0
note() {
findings=$((findings + 1))
echo " - $1"
}
echo "### Orphaned CI check"
echo ""
echo "Composite actions with no callers:"
if [[ -d "$actions_dir" ]]; then
for action_yml in "$actions_dir"/*/action.yml "$actions_dir"/*/action.yaml; do
[[ -f "$action_yml" ]] || continue
name="$(basename "$(dirname "$action_yml")")"
# A caller references it as `uses: ./.github/actions/<name>`.
if ! grep -rqs "uses:.*\.github/actions/$name\b" "$workflows_dir" "$actions_dir"; then
note "action \`$name\` (.github/actions/$name) is referenced by no workflow"
fi
done
fi
[[ $findings -eq 0 ]] && echo " _(none)_"
before_wf=$findings
echo ""
echo "Reusable workflows that are unreachable:"
for wf in "$workflows_dir"/*.yml "$workflows_dir"/*.yaml; do
[[ -f "$wf" ]] || continue
# Only reusable workflows are candidates.
grep -qs "workflow_call:" "$wf" || continue
base="$(basename "$wf")"
# Called by another workflow?
if grep -rqs "uses:.*\.github/workflows/$base\b" "$workflows_dir"; then
continue
fi
# Self-triggering (has a real event trigger besides workflow_call)?
if grep -Eqs "^[[:space:]]+(push|pull_request|schedule|workflow_dispatch|release|issues|issue_comment|repository_dispatch|merge_group):" "$wf"; then
continue
fi
note "workflow \`$base\` exposes workflow_call but has no caller and no self-trigger"
done
[[ $findings -eq $before_wf ]] && echo " _(none)_"
echo ""
if [[ $findings -eq 0 ]]; then
echo "No orphaned CI plumbing found."
else
echo "Found $findings orphaned CI item(s) above — review before removing."
fi
# Report-only.
exit 0
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# Create the GitHub Release as a DRAFT with every asset attached, or resume an existing
# draft by re-uploading (--clobber). Refuse to mutate a tag that is already published.
#
# Drafts fire no `release: published` event and are excluded from `/releases/latest`, so no
# anonymous consumer (install.sh, Homebrew, the redirect) can observe a release before its
# assets are attached and verified. The release is only flipped to published by a later step.
#
# Inputs (env): RELEASE_TAG, RELEASE_NAME, CHECKOUT_REF, PRERELEASE, GH_TOKEN
# BINARIES_DIR (optional, defaults to the CLI dist dir)
set -euo pipefail
binaries_dir="${BINARIES_DIR:-ts/packages/cli/dist/binaries}"
flags=(
--draft
--title "$RELEASE_NAME"
--target "$CHECKOUT_REF"
--generate-notes
)
# Preserve prerelease status on the draft so betas stay prereleases once published.
if [[ "$PRERELEASE" == "true" ]]; then
flags+=(--prerelease)
fi
# Idempotent for re-runs of a not-yet-published release: reuse an existing draft and clobber
# its assets. Refuse to mutate a tag that is already published.
if gh release view "$RELEASE_TAG" --json isDraft --jq '.isDraft' 2>/dev/null | grep -qx true; then
echo "Draft $RELEASE_TAG already exists — re-uploading assets with --clobber"
gh release upload "$RELEASE_TAG" \
"$binaries_dir"/*.zip \
"$binaries_dir/checksums.txt" --clobber
elif gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
# A red ❌ here is EXPECTED, not a bug, when two runs target the same tag (e.g. two quick CLI
# version bumps): per-tag `concurrency` serializes them, the first publishes, and the second —
# finding the tag already published — fails loudly here rather than silently clobbering a live
# release. If you hit this, confirm the tag is genuinely published before re-running.
echo "::error::Release $RELEASE_TAG is already published — refusing to mutate it. Investigate the publish path."
exit 1
else
gh release create "$RELEASE_TAG" "${flags[@]}" \
"$binaries_dir"/*.zip \
"$binaries_dir/checksums.txt"
fi
+148
View File
@@ -0,0 +1,148 @@
#!/usr/bin/env bash
#
# Resolve the CLI release target and write its metadata to $GITHUB_OUTPUT for the
# build/release jobs of build-cli-binaries.yml. Three modes:
#
# - push to `next` with a ts/packages/cli/package.json version bump → stable release
# - push to `next` without a bump, or workflow_dispatch build-beta → rolling beta
# - workflow_dispatch promote-stable <beta tag> → stable promotion
#
# Inputs (env): EVENT_NAME, ACTION_INPUT, BETA_TAG_INPUT, GITHUB_TOKEN,
# REPOSITORY, RUN_NUMBER, COMMIT_SHA
# Output: key=value lines appended to $GITHUB_OUTPUT
set -euo pipefail
# Latest STABLE @composio/cli release tag, by true semver order (empty if none).
#
# A lexical sort is wrong here: "@composio/cli@0.2.9" sorts AFTER "0.2.10", so once a
# patch reaches double digits `last` would pick the older release and beta versions
# would regress. Parse the version triplet to numbers and sort numerically instead.
latest_stable_tag() {
gh release list \
--repo "$REPOSITORY" \
--exclude-drafts \
--limit 1000 \
--json tagName,isPrerelease \
--jq '[.[]
| select(.tagName | startswith("@composio/cli@"))
| select(.isPrerelease == false)]
| sort_by(.tagName | ltrimstr("@composio/cli@") | split(".") | map(tonumber))
| last | .tagName // empty'
}
# Echo the next "<major>.<minor>.<patch+1>" off the latest stable release, falling
# back to the working-tree package.json when no stable release exists yet.
next_beta_base_version() {
local latest current
latest=$(latest_stable_tag)
if [[ -z "$latest" ]]; then
echo "No stable @composio/cli release found, falling back to package.json" >&2
current=$(node -p "require('./ts/packages/cli/package.json').version")
else
current=${latest#@composio/cli@}
fi
local major minor patch
IFS='.' read -r major minor patch <<<"$current"
echo "${major}.${minor}.$((patch + 1))"
}
emit_beta_target() {
local next_version release_tag
next_version=$(next_beta_base_version)
release_tag="@composio/cli@${next_version}-beta.${RUN_NUMBER}"
{
echo "checkout_ref=${COMMIT_SHA}"
echo "release_name=CLI Beta ${release_tag}"
echo "release_tag=${release_tag}"
echo "release_version=${next_version}"
echo "prerelease=true"
echo "make_latest=false"
} >>"$GITHUB_OUTPUT"
}
emit_stable_target() {
local release_tag=$1 release_version=$2 checkout_ref=$3
{
echo "checkout_ref=${checkout_ref}"
echo "release_name=CLI ${release_tag}"
echo "release_tag=${release_tag}"
echo "release_version=${release_version}"
echo "prerelease=false"
echo "make_latest=true"
} >>"$GITHUB_OUTPUT"
}
# ── Push to next ──
if [[ "$EVENT_NAME" == "push" ]]; then
current_version=$(node -p "require('./ts/packages/cli/package.json').version")
previous_version=$(git show HEAD^:ts/packages/cli/package.json 2>/dev/null \
| node -p "JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).version" 2>/dev/null || echo "")
# A version bump on push is a stable release; anything else is a rolling beta.
if [[ -n "$previous_version" && "$current_version" != "$previous_version" ]]; then
emit_stable_target "@composio/cli@${current_version}" "$current_version" "$COMMIT_SHA"
else
emit_beta_target
fi
exit 0
fi
# ── workflow_dispatch: build-beta ──
if [[ "$EVENT_NAME" == "workflow_dispatch" && "$ACTION_INPUT" == "build-beta" ]]; then
emit_beta_target
exit 0
fi
# ── workflow_dispatch: promote-stable ──
if [[ "$ACTION_INPUT" != "promote-stable" ]]; then
echo "Unknown action: $ACTION_INPUT" >&2
exit 1
fi
if [[ -z "$BETA_TAG_INPUT" ]]; then
echo "beta_tag input is required for promote-stable" >&2
exit 1
fi
encoded_beta_tag=$(python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["BETA_TAG_INPUT"], safe=""))')
release_json=$(curl -fsSL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/${REPOSITORY}/releases/tags/${encoded_beta_tag}")
is_prerelease=$(jq -r '.prerelease' <<<"$release_json")
if [[ "$is_prerelease" != "true" ]]; then
echo "Release ${BETA_TAG_INPUT} is not a beta prerelease" >&2
exit 1
fi
if [[ ! "$BETA_TAG_INPUT" =~ ^@composio/cli@([0-9]+\.[0-9]+\.[0-9]+)-beta\.[0-9]+$ ]]; then
echo "Beta tag must match @composio/cli@<version>-beta.<number>" >&2
exit 1
fi
stable_version="${BASH_REMATCH[1]}"
stable_tag="@composio/cli@${stable_version}"
# Refuse to re-promote an already-PUBLISHED stable release, but allow resuming an
# existing DRAFT (a prior promote run that built assets but did not publish). The
# REST `/releases/tags/{tag}` endpoint returns 404 for drafts, so use `gh release view`
# — it resolves drafts by name and exposes `isDraft`.
if isdraft=$(gh release view "$stable_tag" --json isDraft --jq '.isDraft' 2>/dev/null); then
if [[ "$isdraft" == "true" ]]; then
echo "Stable release ${stable_tag} exists as a draft — resuming (assets will be re-uploaded)."
else
echo "Stable release ${stable_tag} is already published" >&2
exit 1
fi
fi
target_commitish=$(jq -r '.target_commitish' <<<"$release_json")
if [[ -z "$target_commitish" || "$target_commitish" == "null" ]]; then
echo "Beta release ${BETA_TAG_INPUT} does not expose target_commitish" >&2
exit 1
fi
emit_stable_target "$stable_tag" "$stable_version" "$target_commitish"
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/env bash
#
# Loud failure gate: assert the full canonical asset set is attached to the release AND fully
# uploaded (state == "uploaded"). An asset can appear in the listing while still processing,
# which is exactly how a release ends up serving 404s — so require state == "uploaded", with a
# bounded retry while uploads settle.
#
# Inputs (env): RELEASE_TAG, GH_TOKEN
# VERIFY_ATTEMPTS / VERIFY_SLEEP_SECONDS (optional, for fast tests)
set -euo pipefail
# Keep this list in lock-step with the build matrix in build-cli-binaries.yml (4 platforms)
# plus the skill bundle and checksums. Adding a platform to the matrix must extend this list.
expected=(
composio-linux-x64.zip
composio-linux-aarch64.zip
composio-darwin-x64.zip
composio-darwin-aarch64.zip
composio-skill.zip
checksums.txt
)
attempts="${VERIFY_ATTEMPTS:-10}"
sleep_seconds="${VERIFY_SLEEP_SECONDS:-15}"
for attempt in $(seq 1 "$attempts"); do
# Single snapshot per attempt — querying names and state separately would open a
# time-of-check/time-of-use gap in the very gate meant to close one.
payload=$(gh release view "$RELEASE_TAG" --json assets)
mapfile -t uploaded < <(jq -r '.assets[] | select(.state == "uploaded") | .name' <<<"$payload" | sort)
missing=()
for want in "${expected[@]}"; do
printf '%s\n' "${uploaded[@]}" | grep -qxF "$want" || missing+=("$want")
done
if [[ ${#missing[@]} -eq 0 ]]; then
echo "✅ All ${#expected[@]} expected assets present and uploaded."
exit 0
fi
echo "Attempt ${attempt}/${attempts} — missing or not-yet-uploaded: ${missing[*]}"
if [[ "$attempt" -eq "$attempts" ]]; then
echo "::error::Release $RELEASE_TAG is incomplete — missing or not uploaded: ${missing[*]}"
exit 1
fi
sleep "$sleep_seconds"
done