chore: import upstream snapshot with attribution
govulncheck / govulncheck (push) Waiting to run
Harness (E2E) / Harnesses (mock LLM) (push) Waiting to run
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Waiting to run
Lint / golangci-lint (push) Waiting to run
Run Tests / Unit Tests (push) Waiting to run
Run Tests / Etcd Integration Tests (push) Waiting to run
govulncheck / govulncheck (push) Waiting to run
Harness (E2E) / Harnesses (mock LLM) (push) Waiting to run
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Waiting to run
Lint / golangci-lint (push) Waiting to run
Run Tests / Unit Tests (push) Waiting to run
Run Tests / Etcd Integration Tests (push) Waiting to run
This commit is contained in:
@@ -0,0 +1,2 @@
|
||||
github: asim
|
||||
custom: ["https://go-micro.dev/support"]
|
||||
@@ -0,0 +1,51 @@
|
||||
---
|
||||
name: Bug report
|
||||
about: Create a report to help us improve
|
||||
title: '[BUG] '
|
||||
labels: bug
|
||||
assignees: ''
|
||||
---
|
||||
|
||||
## Describe the bug
|
||||
A clear and concise description of what the bug is.
|
||||
|
||||
## To Reproduce
|
||||
Steps to reproduce the behavior:
|
||||
1. Create service with '...'
|
||||
2. Configure plugin '...'
|
||||
3. Run command '...'
|
||||
4. See error
|
||||
|
||||
## Expected behavior
|
||||
A clear and concise description of what you expected to happen.
|
||||
|
||||
## Code sample
|
||||
```go
|
||||
// Minimal reproducible code
|
||||
```
|
||||
|
||||
## Environment
|
||||
- Go Micro version: [e.g. v5.3.0]
|
||||
- Go version: [run `go version`]
|
||||
- OS/Platform: [e.g. Ubuntu 22.04, macOS 14, Docker]
|
||||
- Plugins/Integrations: [e.g. consul registry, nats broker, redis cache]
|
||||
|
||||
## Logs
|
||||
```
|
||||
Paste relevant logs here (use -v flag for verbose output)
|
||||
```
|
||||
|
||||
## Checklist
|
||||
- [ ] I've searched existing issues and this is not a duplicate
|
||||
- [ ] I've provided a minimal code sample that reproduces the issue
|
||||
- [ ] I've included my environment details
|
||||
- [ ] I've checked the documentation
|
||||
|
||||
## Additional context
|
||||
Add any other context about the problem here.
|
||||
|
||||
## Helpful Resources
|
||||
- [Troubleshooting Guide](https://github.com/micro/go-micro/tree/master/internal/website/docs/getting-started.md)
|
||||
- [Examples](https://github.com/micro/go-micro/tree/master/examples)
|
||||
- [API Reference](https://pkg.go.dev/go-micro.dev/v5)
|
||||
- [Discord Community](https://discord.gg/G8Gk5j3uXr)
|
||||
@@ -0,0 +1,23 @@
|
||||
---
|
||||
name: Commercial Support / Consulting
|
||||
about: Inquire about paid support, consulting, training, or a retainer
|
||||
title: '[SUPPORT] '
|
||||
labels: commercial-support
|
||||
assignees: asim
|
||||
---
|
||||
|
||||
## What are you building?
|
||||
A short description of your project and how you're using (or planning to use) Go Micro.
|
||||
|
||||
## What do you need?
|
||||
- [ ] Production support / retainer (priority fixes, direct line, response SLA)
|
||||
- [ ] Consulting (integration, architecture, agent design)
|
||||
- [ ] Training / onboarding for a team
|
||||
- [ ] Sponsored feature or fix
|
||||
- [ ] Not sure yet — let's talk
|
||||
|
||||
## Scale & timeline
|
||||
Team size, where you're running it, and any timeline that matters.
|
||||
|
||||
## Anything else?
|
||||
Links, context, constraints. For anything you'd rather keep private, become a [sponsor](https://github.com/sponsors/asim) and message directly.
|
||||
@@ -0,0 +1,11 @@
|
||||
blank_issues_enabled: true
|
||||
contact_links:
|
||||
- name: 🔒 Report a vulnerability
|
||||
url: https://github.com/micro/go-micro/security/advisories/new
|
||||
about: Privately disclose security vulnerabilities to the maintainers.
|
||||
- name: 💖 Sponsor Go Micro
|
||||
url: https://github.com/sponsors/asim
|
||||
about: Fund ongoing development and see your name or logo on the project.
|
||||
- name: 📖 Documentation
|
||||
url: https://go-micro.dev/docs
|
||||
about: Guides, examples, and the full reference.
|
||||
@@ -0,0 +1,42 @@
|
||||
---
|
||||
name: Feature request
|
||||
about: Suggest an idea for this project
|
||||
title: '[FEATURE] '
|
||||
labels: enhancement
|
||||
assignees: ''
|
||||
---
|
||||
|
||||
## Is your feature request related to a problem?
|
||||
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
||||
|
||||
## Describe the solution you'd like
|
||||
A clear and concise description of what you want to happen.
|
||||
|
||||
## Describe alternatives you've considered
|
||||
A clear and concise description of any alternative solutions or features you've considered.
|
||||
|
||||
## Use case
|
||||
Describe how this feature would be used in practice. What problem does it solve?
|
||||
|
||||
**Example:**
|
||||
```go
|
||||
// Show how the feature would be used
|
||||
```
|
||||
|
||||
## Implementation ideas (optional)
|
||||
If you have thoughts on how this could be implemented, share them here.
|
||||
|
||||
## Additional context
|
||||
Add any other context, code examples, or screenshots about the feature request here.
|
||||
|
||||
## Checklist
|
||||
- [ ] I've searched existing issues and this is not a duplicate
|
||||
- [ ] I've checked the roadmap and this isn't already planned
|
||||
- [ ] I've provided a clear use case
|
||||
- [ ] I'd be willing to submit a PR for this feature (optional)
|
||||
|
||||
## Helpful Resources
|
||||
- [Roadmap](https://github.com/micro/go-micro/blob/master/ROADMAP.md)
|
||||
- [Contributing Guide](https://github.com/micro/go-micro/blob/master/CONTRIBUTING.md)
|
||||
- [Architecture Docs](https://github.com/micro/go-micro/tree/master/internal/website/docs/architecture.md)
|
||||
- [Discord Community](https://discord.gg/G8Gk5j3uXr)
|
||||
@@ -0,0 +1,61 @@
|
||||
---
|
||||
name: Performance issue
|
||||
about: Report a performance problem or regression
|
||||
title: '[PERFORMANCE] '
|
||||
labels: performance
|
||||
assignees: ''
|
||||
---
|
||||
|
||||
## Performance Issue
|
||||
|
||||
**Symptom:**
|
||||
Describe the performance problem (e.g., high latency, memory leak, CPU usage)
|
||||
|
||||
**Expected Performance:**
|
||||
What performance did you expect?
|
||||
|
||||
## Benchmarks
|
||||
|
||||
Please provide benchmarks or profiling data:
|
||||
|
||||
```bash
|
||||
# CPU profiling
|
||||
go test -cpuprofile=cpu.prof -bench=.
|
||||
|
||||
# Memory profiling
|
||||
go test -memprofile=mem.prof -bench=.
|
||||
|
||||
# Results
|
||||
```
|
||||
|
||||
**Before/After comparison (if applicable):**
|
||||
- Before: X req/sec, Y ms latency
|
||||
- After: X req/sec, Y ms latency
|
||||
|
||||
## Code Sample
|
||||
|
||||
```go
|
||||
// Minimal code that demonstrates the performance issue
|
||||
```
|
||||
|
||||
## Environment
|
||||
- Go Micro version: [e.g. v5.3.0]
|
||||
- Go version: [run `go version`]
|
||||
- Hardware: [e.g. 4 CPU, 8GB RAM]
|
||||
- OS: [e.g. Ubuntu 22.04]
|
||||
- Load: [e.g. 1000 req/sec, 100 concurrent connections]
|
||||
|
||||
## Profiling Data
|
||||
|
||||
Attach pprof profiles if available:
|
||||
- CPU profile
|
||||
- Memory profile
|
||||
- Goroutine dump
|
||||
|
||||
## Additional Context
|
||||
|
||||
Add any other context about the performance issue.
|
||||
|
||||
## Resources
|
||||
- [Performance Guide](https://github.com/micro/go-micro/tree/master/internal/website/docs/performance.md)
|
||||
- [Benchmarking](https://pkg.go.dev/testing#hdr-Benchmarks)
|
||||
@@ -0,0 +1,31 @@
|
||||
---
|
||||
name: Question
|
||||
about: Ask a question about using Go Micro
|
||||
title: '[QUESTION] '
|
||||
labels: question
|
||||
assignees: ''
|
||||
---
|
||||
|
||||
## Your question
|
||||
A clear and concise question about Go Micro usage.
|
||||
|
||||
## What have you tried?
|
||||
Describe what you've already attempted or researched.
|
||||
|
||||
## Code sample (if applicable)
|
||||
```go
|
||||
// Your code here
|
||||
```
|
||||
|
||||
## Context
|
||||
Provide any additional context that might help answer your question.
|
||||
|
||||
## Resources you've checked
|
||||
- [ ] [Getting Started Guide](https://github.com/micro/go-micro/tree/master/internal/website/docs/getting-started.md)
|
||||
- [ ] [Examples](https://github.com/micro/go-micro/tree/master/internal/website/docs/examples)
|
||||
- [ ] [API Documentation](https://pkg.go.dev/go-micro.dev/v5)
|
||||
- [ ] Searched existing issues
|
||||
|
||||
## Helpful links
|
||||
- [Documentation](https://github.com/micro/go-micro/tree/master/internal/website/docs)
|
||||
- [Plugins Guide](https://github.com/micro/go-micro/tree/master/internal/website/docs/plugins.md)
|
||||
@@ -0,0 +1,32 @@
|
||||
# North Star
|
||||
|
||||
The direction the loop aligns every increment to. Depth lives in
|
||||
[`internal/docs/THESIS.md`](../../internal/docs/THESIS.md); this is the short,
|
||||
operative version the planner and builder read each run.
|
||||
|
||||
## Mission
|
||||
|
||||
Make building an **agent** as easy as building a **service**, on one runtime.
|
||||
Go Micro is a holistic agent harness and service framework encapsulating the
|
||||
lifecycle of **services → agents → workflows** — pluggable, progressive, and
|
||||
AI-native by default.
|
||||
|
||||
## Right now — developer adoption
|
||||
|
||||
The framework's depth is strong; the **on-ramp** is the gap. Weight the developer
|
||||
experience — a walkable first-agent tutorial, discoverable examples, docs
|
||||
wayfinding, install friction, debugging, the 0→1 and 0→hero path — **at least as
|
||||
highly as internal hardening**. A developer succeeding on their first agent
|
||||
matters more right now than another conformance/observability/interop increment.
|
||||
Do not let the queue fill entirely with internal depth work.
|
||||
|
||||
## Guardrails
|
||||
|
||||
- One concern per PR; small and reversible.
|
||||
- The gate is green CI (`go build`, `go test`, `golangci-lint`, `make harness`),
|
||||
not human review — keep the suite strong; the loop is only as good as its evaluator.
|
||||
- **Off-limits without a human** (surface as notes, never auto-merge): breaking
|
||||
public-API changes, brand/positioning/marketing copy, new dependencies,
|
||||
architectural rewrites, product-default changes with broad behavioral impact.
|
||||
- Stay on `claude/*` / `codex/*` branches; base PRs on `master`. See
|
||||
[`CODEX.md`](../../CODEX.md) and [`internal/docs/CONTINUOUS_IMPROVEMENT.md`](../../internal/docs/CONTINUOUS_IMPROVEMENT.md).
|
||||
@@ -0,0 +1,41 @@
|
||||
# Priorities
|
||||
|
||||
The ranked work queue for the autonomous improvement loop. The **planner** owns
|
||||
this file: each run it turns the [roadmap](../../ROADMAP.md) plus an internal scan
|
||||
into a single ordered list — highest-value first — each item linked to a tracking
|
||||
issue. The **builder** works the top item whose issue is still open. So the
|
||||
planner decides *what*, the builder *builds* it.
|
||||
|
||||
**Bias to capability, not busy-work.** The top of this queue is net-new capability
|
||||
from the roadmap's *Now/Next* items. Hardening/conformance/DX polish is background
|
||||
work (roadmap *Ongoing*) — kept low here and capped, never allowed to crowd out
|
||||
capability. If an area has had several increments with no user-visible gain, it is done
|
||||
for now; rank real-headroom capability instead.
|
||||
|
||||
**Reading / editing.** An item is done when its linked issue closes (the PR that
|
||||
builds it adds `Closes #<issue>`). The human can reorder this list or the issues at
|
||||
any time — direction always wins.
|
||||
|
||||
**Off-limits to the loop** (planner proposes as notes, never auto-merged queue
|
||||
items): brand/positioning copy, breaking public-API changes, architectural
|
||||
rewrites.
|
||||
|
||||
## Work queue (ranked)
|
||||
|
||||
### Capability — the headline (roadmap: Now / Next)
|
||||
|
||||
1. **A2A external-client conformance** ([#4815](https://github.com/micro/go-micro/issues/4815)) — make the gateway easier for non-go-micro agents to discover and stream from by serving the well-known agent card path and spec SSE events.
|
||||
2. **AP2 mandate foundation for agent payments** ([#4841](https://github.com/micro/go-micro/issues/4841)) — add opt-in checkout/payment mandate signing and verification so A2A-carried payment authority can settle over x402 without changing defaults.
|
||||
3. **Kubernetes CRD reconciler foundation** ([#4842](https://github.com/micro/go-micro/issues/4842)) — turn the shipped alpha `Agent`, `Service`, and `Flow` CRDs into a minimally runnable native deployment path with workload reconciliation and status conditions.
|
||||
|
||||
### In flight — do not re-queue
|
||||
|
||||
_None right now._
|
||||
|
||||
### Background — hardening & DX (roadmap: Ongoing; capped)
|
||||
|
||||
_Background hardening is intentionally empty right now. Recent work covered first-agent
|
||||
wayfinding, plan/delegate recovery, provider fallback repair, streaming, memory
|
||||
compaction, retry controls, provider-failure inspection, x402 buyer safety, gRPC-reflection MCP,
|
||||
MCP result conformance, and the alpha Kubernetes CRD surface. Further churn in those
|
||||
areas should be marked `needs-human` unless it unlocks a clear user-visible capability._
|
||||
@@ -0,0 +1,14 @@
|
||||
<!--
|
||||
The BUILDER prompt — go-micro's continuous-improvement increment. Editable
|
||||
policy; the workflow prepends the agent @mention and substitutes __ISSUE__
|
||||
before posting. Keep __ISSUE__ literal.
|
||||
-->
|
||||
Run one continuous-improvement increment per `internal/docs/CONTINUOUS_IMPROVEMENT.md`, aligned to the North Star in `.github/loop/NORTH_STAR.md` (the services → agents → workflows lifecycle, with developer adoption as the current goal).
|
||||
|
||||
PICK THE WORK FROM THE QUEUE: read `.github/loop/PRIORITIES.md` and take the highest-ranked item whose linked issue is still OPEN — that is your task, and its issue number is the one you close. If `PRIORITIES.md` is missing or every listed item's issue is already closed, fall back to the single highest-value roadmap / open-issue / improvement-radar item yourself.
|
||||
|
||||
Implement it, and VERIFY `go build ./...`, `go test ./...`, and `golangci-lint run ./...`.
|
||||
|
||||
Open the PR YOURSELF from the shell — do NOT use the make_pr tool (in this environment it only records metadata and never creates a PR). Create a uniquely-named branch under the `codex/` prefix: `git switch -c codex/increment-__ISSUE__`, then `git push -u origin codex/increment-__ISSUE__`, then `gh pr create --base master --label codex --title "<title>" --body "<body; include 'Closes #<the priority issue you built>' so it leaves the queue, and 'Closes #__ISSUE__' for this run's tracker>"`. Finally enable auto-merge so GitHub merges it once CI is green: `gh pr merge --squash --auto --delete-branch`.
|
||||
|
||||
One concern per PR. Stay out of breaking public API and brand/positioning copy — surface those as notes for the human instead.
|
||||
@@ -0,0 +1,14 @@
|
||||
<!--
|
||||
The COHERENCE prompt — go-micro's DevRel pass (public-surface coherence +
|
||||
CHANGELOG upkeep + changelog blog). Editable policy; the workflow prepends the
|
||||
agent @mention and substitutes __ISSUE__ before posting. Keep __ISSUE__ literal.
|
||||
-->
|
||||
Act as DevRel for go-micro. Do these, in order.
|
||||
|
||||
COHERENCE AUDIT. Audit the public surface — `README.md`, `internal/website/` (landing `index.html` + `docs/`), and the blog under `internal/website/blog/` — for coherence with the North Star in `.github/loop/NORTH_STAR.md` (an agent harness and service framework; the services → agents → workflows lifecycle). Look for: places where README / website / docs contradict each other, are stale, or describe behavior that has since changed (cross-check against the code and recently merged PRs); whether the README is crisp and leads with the harness positioning; and one to three genuinely blog-worthy items from recently shipped work.
|
||||
|
||||
CHANGELOG UPKEEP (safe factual task — goes in the auto-merged PR). Keep `CHANGELOG.md` living, in Keep-a-Changelog format with newest content at the top under `## [Unreleased]`. Enumerate PRs merged to master since the last update (`gh pr list --state merged --base master --limit 60 --json number,title,mergedAt,labels`) and add a concise, user-facing entry for each genuine change not yet recorded under the right `### Added` / `### Changed` / `### Fixed` / `### Documentation` subheading — SKIP internal loop/CI/priorities-refresh churn. If a new `vX.Y.Z` tag was cut since the last run (`git fetch --tags --force`), rename `## [Unreleased]` to `## [X.Y.Z] - <Month YYYY>` and open a fresh empty `## [Unreleased]` above it. Do not invent entries.
|
||||
|
||||
CHANGELOG BLOG POST (blog voice — do NOT auto-merge). If, and only if, enough user-facing work has accumulated since the last changelog post to be worth reading (roughly a week's worth; not a near-empty post every day), draft a short "What's new in Go Micro" post as the next-numbered file in `internal/website/blog/`, mirroring the latest post's frontmatter and prev-nav, and add an entry at the top of `internal/website/blog/index.html`. Base it strictly on the CHANGELOG.
|
||||
|
||||
THEN: (A) post a findings report as a comment on this issue (#__ISSUE__) — what's aligned, what drifted, what you fixed, the CHANGELOG entries added, and whether you drafted a blog post (and why/why not). (B) Open ONE auto-merging PR for the SAFE factual work only — coherence/crispness fixes AND the CHANGELOG update (NOT brand/positioning rewrites, NOT the blog post): `git switch -c codex/coherence-__ISSUE__`, `git push -u origin codex/coherence-__ISSUE__`, `gh pr create --base master --label codex --title "<title>" --body "<summary, Closes #__ISSUE__>"`, then `gh pr merge --squash --auto --delete-branch`. (C) If you drafted a changelog blog post, open it as a SEPARATE PR (`codex/coherence-blog-__ISSUE__`, title prefixed `blog:`) and do NOT enable auto-merge — leave it for the human. Same for any brand/positioning copy. Do not use the make_pr tool.
|
||||
@@ -0,0 +1,20 @@
|
||||
<!--
|
||||
The PLANNER prompt — go-micro's "architect / founder lens". Editable policy;
|
||||
the workflow prepends the agent @mention and substitutes __ISSUE__ (this run's
|
||||
tracking issue) before posting. Keep __ISSUE__ literal.
|
||||
-->
|
||||
Act as the architect — the founder lens — for go-micro, running continuously alongside the builders. Hold the whole picture: how the harness, the framework, and the developer UX fit together, what is in flight and what just merged, what to prioritize next, and what is missing or has drifted.
|
||||
|
||||
(1) TRACK STATE — scan recently merged PRs and open `codex` PRs/issues to see what shipped and what is being built right now, so the queue reflects reality (drop done items, don't re-queue in-flight work).
|
||||
|
||||
(2) ASSESS against the North Star in `.github/loop/NORTH_STAR.md` — lead with its Mission (*make building an agent as easy as building a service, on one runtime*) and re-derive alignment from the CANON: the blog under `internal/website/blog`, the `README`, and the website (read these, don't rely on the North Star alone), then `ROADMAP.md` (Now → Next → Later). Judge every priority against the mission: does it make the services → agents → workflows lifecycle simpler, more cohesive, and more operable? Weight real user-facing capability and the developer on-ramp; do not let the queue fill with internal depth work. Look at coherence and seams across the core packages (agent, ai, flow, gateway/mcp, gateway/a2a, model, server, store, registry) and the dev inner loop (scaffold → run → chat → inspect → deploy).
|
||||
|
||||
AVOID DIMINISHING-RETURNS CHURN — this is the most important judgment you make. Before ranking anything, ask: *would a real user notice this, or is it the loop grooming itself?* Do NOT queue: another regression-guard/breadcrumb/"verify the docs stay linked" test around docs the loop already wrote; the Nth robustness workaround for a weak provider's malformed output (e.g. AtlasCloud text-tool-call repair) once the agent already tolerates that class; another variation of a subsystem that has been hardened several times recently (e.g. plan/delegate notify/side-effect edge cases). If an area has had several increments with no user-visible gain, it is DONE for now — mark further work there `needs-human` and rank something with real headroom instead (new capability in gateway/flow/model/store, interop depth, observability). A full queue is not the goal; a queue of things that matter is.
|
||||
|
||||
(3) MAINTAIN THE QUEUE in `.github/loop/PRIORITIES.md` — a SINGLE ordered list, highest-value first, each item linking a scoped, CI-verifiable issue (#N). For any prioritized gap with no issue, file one: `gh issue create --label codex --label enhancement --title "<scoped task>" --body "<goal, scope, acceptance criteria>"`.
|
||||
|
||||
OUTPUT — default to NOT committing. Post a concise assessment as a comment on this issue (#__ISSUE__): what shipped, what's in flight, the top real gaps, and — honestly — whether the recent increments have been high-value or busy-work. Then, in almost all cases, just close this issue (`gh issue close __ISSUE__`) with NO PR.
|
||||
|
||||
Open a PR for `.github/loop/PRIORITIES.md` ONLY when the change is MATERIAL — meaning it changes what the builder builds next: (a) the top open item changes, (b) an item is added or removed, or (c) a top item's issue closed and must be dropped. Do NOT open a PR to reorder items below the top, reword descriptions, refresh notes, or "keep it current" — a re-rank that doesn't change the next build is not worth a commit, and this churn is the loop's single biggest waste. When a PR IS warranted: `git switch -c codex/planner-__ISSUE__`, `git push -u origin codex/planner-__ISSUE__`, `gh pr create --base master --label codex --title "<title>" --body "<summary, Closes #__ISSUE__>"`, then `gh pr merge --squash --auto --delete-branch`.
|
||||
|
||||
Do NOT make breaking public-API or architectural changes yourself — surface those in the assessment as notes for the human. Open the PR yourself from the shell with `gh`; do not use the make_pr tool (it is a no-op stub).
|
||||
@@ -0,0 +1,30 @@
|
||||
<!--
|
||||
The SECURITY prompt — go-micro's security audit. Editable policy; the workflow
|
||||
prepends the agent @mention and substitutes __ISSUE__ before posting. Keep
|
||||
__ISSUE__ literal.
|
||||
|
||||
Deliberately conservative: it does NOT auto-merge fixes, and it does NOT publish
|
||||
exploit details in public issues (responsible disclosure).
|
||||
-->
|
||||
Act as the security reviewer for go-micro. Audit for real, exploitable vulnerabilities — skip theoretical or lint-style noise.
|
||||
|
||||
GO-MICRO ATTACK SURFACE — weight these:
|
||||
- **MCP gateway** (`gateway/mcp`) and **A2A gateway** (`gateway/a2a`) — untrusted input from agents/tools: auth/scope enforcement, injection into downstream RPC, SSRF via tool/agent URLs, rate-limit/circuit-breaker bypass, info leak in errors.
|
||||
- **x402 payments** (`wrapper/x402`) — payment verification and settlement: signature/mandate validation, replay, budget-reservation races, facilitator auth (CDP bearer) handling, amount/network confusion.
|
||||
- **Auth** (`auth/jwt`, `wrapper/auth`) — token validation, algorithm confusion, scope/priority rule bypass, missing checks on endpoints.
|
||||
- **AI providers** (`ai/*`) — base-URL and endpoint handling: SSRF via config-controlled `BaseURL`, API keys leaking into logs/errors, TLS verification.
|
||||
- **Agent tool loop** (`agent/`) — prompt injection reaching real tool calls, guardrail (`MaxSteps`/`LoopLimit`/`ApproveTool`) bypass, delegate/plan side effects.
|
||||
- **Trust boundaries** — `server` RPC handlers, `broker` consumers, `store`/`registry` inputs, `transport` TLS defaults (v6 verifies by default — confirm nothing regressed).
|
||||
- **The loop itself** — `.github/workflows/loop-*.yml`: the `CODEX_TRIGGER_TOKEN` PAT must never be echoed/leaked; workflow inputs must not enable script injection.
|
||||
- **Dependencies** — run `govulncheck ./...` (install if needed) and inspect `go.mod` for known CVEs.
|
||||
|
||||
DEDUPE against open issues first.
|
||||
|
||||
HOW TO REPORT:
|
||||
- **Known/public dependency CVEs**: file a `security` issue referencing the CVE + module; you MAY open a PR bumping to the patched version. Do NOT enable auto-merge.
|
||||
- **Novel, exploitable vulnerabilities in this code** (not yet public): do NOT post an exploit or PoC in a public issue. File a CONCISE `security` + `needs-human` issue naming the class, location (file/function), and impact only — and note it should go through GitHub private vulnerability reporting. Do NOT open a public fix PR that reveals it.
|
||||
- **Low-risk hardening**: a normal `security` issue is fine.
|
||||
|
||||
NEVER auto-merge a security change. Never weaken a control to make a test pass. Architectural/breaking fixes → `needs-human` with the tradeoff.
|
||||
|
||||
Post a summary as a comment on this issue (#__ISSUE__) — findings by severity, what you filed, what needs a human — then close it (`gh issue close __ISSUE__`). If you open a dependency-bump PR: `git switch -c loop/security-__ISSUE__`, `git push -u origin loop/security-__ISSUE__`, `gh pr create --base master --label codex --label security --title "<title>" --body "<summary, Closes #__ISSUE__>"` — then STOP, do NOT run `gh pr merge --auto`. Do not use the make_pr tool.
|
||||
@@ -0,0 +1,19 @@
|
||||
<!--
|
||||
The TRIAGE prompt — go-micro's CI-failure feedback path. Editable policy; the
|
||||
workflow prepends the agent @mention and substitutes __ISSUE__ (this tracking
|
||||
issue) and __RUNURL__ (the failed run) before posting. Keep both literal.
|
||||
-->
|
||||
Triage the failed CI run at __RUNURL__. It may be the linter (Lint), the unit/integration tests (Run Tests), the vulnerability gate (govulncheck), or the provider-conformance harness (Harness (E2E)).
|
||||
|
||||
Read the logs and root-cause each distinct failure. DEDUPE hard against open AND recently-closed issues — if a failure matches an existing or recurring one, comment "recurred" on that issue rather than filing a new one.
|
||||
|
||||
WHAT TO FILE:
|
||||
- **Lint, Run Tests, or govulncheck failing on master** — a real regression. File a scoped issue (`gh issue create --label codex --label enhancement --title "<scoped fix>" --body "<root cause, where, acceptance>"`) so it is fixed promptly.
|
||||
- **A genuinely NEW, distinct provider-conformance defect** — file it.
|
||||
|
||||
WHAT NOT TO FILE (this cap matters):
|
||||
- **Another instance of a class the agent already tolerates** — a weak provider (e.g. AtlasCloud) emitting malformed / text-rendered / partial tool calls, or another plan/delegate notify/side-effect edge case. These have been hardened repeatedly with diminishing returns. Do NOT auto-file yet another routine robustness patch. Comment "recurred — repeated class, capped" on the nearest existing issue and, if it seems genuinely worth more investment, label it `needs-human` for a human to decide. The loop should not keep chasing one weak provider's output shape.
|
||||
- **Transient flakes** — live-model latency, provider outages, rate limits, network timeouts with no code cause. Ignore.
|
||||
- **Anything needing a breaking or architectural change** — label `needs-human` and describe it.
|
||||
|
||||
Close this issue (`gh issue close __ISSUE__`) when triage is done. Open any PR yourself from the shell with `gh`; do not use the make_pr tool.
|
||||
@@ -0,0 +1,65 @@
|
||||
name: govulncheck
|
||||
|
||||
# Deterministic vulnerability gate: runs govulncheck (reachability-aware CVE
|
||||
# scanner) on every push/PR. Fails on any reachable vulnerability EXCEPT the
|
||||
# explicit ALLOWLIST of known-unfixable ones, so a new vuln breaks the build
|
||||
# while tracked, no-upstream-fix ones don't. This is the gate the loop's
|
||||
# `security` role sits on top of — the role audits; this blocks known CVEs.
|
||||
#
|
||||
# Make this a required status check on the default branch to enforce it.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["**"]
|
||||
pull_request:
|
||||
branches: ["**"]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
govulncheck:
|
||||
name: govulncheck
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.25"
|
||||
check-latest: true
|
||||
- name: Install govulncheck
|
||||
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||
- name: Scan
|
||||
env:
|
||||
# Reachable vulnerabilities with NO upstream fix, accepted for now and
|
||||
# tracked for remediation. Remove an ID the moment its fix lands.
|
||||
# GO-2026-5004 github.com/jackc/pgx/v4 -> pgx v5 migration (#4556)
|
||||
# GO-2026-4518 github.com/jackc/pgproto3/v2 -> pgx v5 migration (#4556)
|
||||
ALLOWLIST: "GO-2026-5004 GO-2026-4518"
|
||||
run: |
|
||||
out=$(mktemp)
|
||||
govulncheck ./... >"$out" 2>&1 && code=0 || code=$?
|
||||
cat "$out"
|
||||
if [ "$code" -eq 0 ]; then
|
||||
echo "govulncheck: no reachable vulnerabilities."
|
||||
exit 0
|
||||
fi
|
||||
if [ "$code" -ne 3 ]; then
|
||||
echo "::error::govulncheck failed to run (exit $code)."
|
||||
exit 1
|
||||
fi
|
||||
found=$(grep -oE 'Vulnerability #[0-9]+: GO-[0-9]{4}-[0-9]+' "$out" | grep -oE 'GO-[0-9]{4}-[0-9]+' | sort -u)
|
||||
unexpected=""
|
||||
for id in $found; do
|
||||
case " $ALLOWLIST " in
|
||||
*" $id "*) ;;
|
||||
*) unexpected="$unexpected $id" ;;
|
||||
esac
|
||||
done
|
||||
if [ -n "$unexpected" ]; then
|
||||
echo "::error::Unexpected reachable vulnerabilities:$unexpected"
|
||||
echo "If a fix exists, bump the dependency/toolchain. If genuinely unfixable, add the ID to ALLOWLIST with a tracking issue."
|
||||
exit 1
|
||||
fi
|
||||
echo "govulncheck: only allow-listed (known-unfixable) vulnerabilities present:$found"
|
||||
echo "OK."
|
||||
@@ -0,0 +1,116 @@
|
||||
name: Harness (E2E)
|
||||
|
||||
# Runs the end-to-end harnesses for agents, services, flows, and provider
|
||||
# conformance. The default job uses deterministic mock LLMs and needs no
|
||||
# secrets. A second job runs the same harnesses against the live provider set and
|
||||
# skips providers whose secrets are absent, so scheduled conformance
|
||||
# remains safe in no-key forks while still failing configured providers that drift.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["**"]
|
||||
pull_request:
|
||||
branches: ["**"]
|
||||
schedule:
|
||||
- cron: "17 * * * *" # hourly, so real-model conformance keeps pace with the dev/loop velocity
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
providers:
|
||||
description: "Comma-separated providers for live conformance (default: all supported)"
|
||||
required: false
|
||||
default: "anthropic,openai,gemini,groq,minimax,mistral,together,atlascloud"
|
||||
harnesses:
|
||||
description: "Comma-separated harnesses for live conformance"
|
||||
required: false
|
||||
default: "agent,universe,agent-flow,plan-delegate,a2a-stream-fallback"
|
||||
require_configured:
|
||||
description: "Fail selected live providers that do not have repository secrets"
|
||||
required: false
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
jobs:
|
||||
harness:
|
||||
name: Harnesses (mock LLM)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: stable
|
||||
cache: true
|
||||
- name: Build
|
||||
run: go build ./...
|
||||
- name: 0→1 and 0→hero developer-flow harness
|
||||
run: make harness
|
||||
|
||||
harness-live:
|
||||
name: Provider harnesses (live LLM conformance)
|
||||
runs-on: ubuntu-latest
|
||||
# Only on the hourly schedule or a manual run — never automatically on
|
||||
# every push/PR, so changes don't quietly burn API credits. Trigger it
|
||||
# by hand (Actions → Harness → Run workflow) when changing the agent,
|
||||
# flow, or AI internals and you want a real-model check.
|
||||
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: stable
|
||||
cache: true
|
||||
- name: Provider conformance against live models
|
||||
env:
|
||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
|
||||
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
|
||||
GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
|
||||
MINIMAX_API_KEY: ${{ secrets.MINIMAX_API_KEY }}
|
||||
MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
|
||||
TOGETHER_API_KEY: ${{ secrets.TOGETHER_API_KEY }}
|
||||
ATLASCLOUD_API_KEY: ${{ secrets.ATLASCLOUD_API_KEY }}
|
||||
# Atlas Cloud's default chat model was failing the agent/tool-use
|
||||
# conformance harnesses; run it against a stronger tool-use model.
|
||||
# Override with an Actions variable ATLASCLOUD_MODEL if the exact
|
||||
# catalog id differs (Atlas uses org/model ids).
|
||||
ATLASCLOUD_MODEL: ${{ vars.ATLASCLOUD_MODEL || 'minimaxai/minimax-m3' }}
|
||||
run: |
|
||||
PROVIDERS="${{ github.event.inputs.providers || 'anthropic,openai,gemini,groq,minimax,mistral,together,atlascloud' }}"
|
||||
HARNESSES="${{ github.event.inputs.harnesses || 'agent,universe,agent-flow,plan-delegate,a2a-stream-fallback' }}"
|
||||
REQUIRE_CONFIGURED="${{ github.event.inputs.require_configured || 'false' }}"
|
||||
|
||||
args=(
|
||||
-providers "$PROVIDERS"
|
||||
-harnesses "$HARNESSES"
|
||||
-summary-json provider-conformance-summary.json
|
||||
-summary-markdown provider-conformance-summary.md
|
||||
-capabilities-markdown provider-capabilities.md
|
||||
)
|
||||
if [ "$REQUIRE_CONFIGURED" = "true" ]; then
|
||||
args+=( -require-configured )
|
||||
fi
|
||||
|
||||
go run ./internal/harness/provider-conformance "${args[@]}"
|
||||
- name: Publish provider conformance summary
|
||||
if: always()
|
||||
run: |
|
||||
if [ -f provider-conformance-summary.md ]; then
|
||||
cat provider-conformance-summary.md >> "$GITHUB_STEP_SUMMARY"
|
||||
fi
|
||||
if [ -f provider-capabilities.md ]; then
|
||||
{
|
||||
echo
|
||||
echo "## Registered provider capabilities"
|
||||
echo
|
||||
cat provider-capabilities.md
|
||||
} >> "$GITHUB_STEP_SUMMARY"
|
||||
fi
|
||||
- name: Upload provider conformance summary
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: provider-conformance
|
||||
path: |
|
||||
provider-conformance-summary.json
|
||||
provider-conformance-summary.md
|
||||
provider-capabilities.md
|
||||
if-no-files-found: ignore
|
||||
@@ -0,0 +1,30 @@
|
||||
name: Lint
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- "**"
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- reopened
|
||||
- synchronize
|
||||
branches:
|
||||
- "**"
|
||||
jobs:
|
||||
golangci:
|
||||
name: golangci-lint
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.25"
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: golangci-lint
|
||||
uses: golangci/golangci-lint-action@v8
|
||||
with:
|
||||
version: v2.5.0
|
||||
@@ -0,0 +1,63 @@
|
||||
name: "Loop: Builder"
|
||||
|
||||
# Generated by `micro loop init`. A dispatch role of the autonomous loop: on a
|
||||
# cadence it opens a fresh tracking issue and posts the instruction in
|
||||
# .github/loop/prompts/builder.md to the agent (@codex).
|
||||
#
|
||||
# The workflow is the MECHANISM; that prompt file is the editable POLICY —
|
||||
# change what this role does by editing the prompt, not this YAML. A FRESH
|
||||
# issue per run is deliberate: agents derive the PR branch name from the
|
||||
# triggering issue, so reusing one tracker collapses every run onto one branch.
|
||||
#
|
||||
# Gated on CODEX_TRIGGER_TOKEN: the agent ignores @mentions from the
|
||||
# github-actions bot, so dispatch posts as a real user (a PAT). No token → no-op.
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic schedule disabled while the team does focused
|
||||
# 1:1 fixes. Still runnable on demand via workflow_dispatch. Re-enable by
|
||||
# uncommenting the schedule below.
|
||||
# schedule:
|
||||
# - cron: "29 * * * *"
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
concurrency:
|
||||
group: loop-builder
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
dispatch:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4 # needed to read the prompt file
|
||||
- name: Dispatch builder
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN || github.token }}
|
||||
HAS_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN != '' }}
|
||||
REPO: ${{ github.repository }}
|
||||
RUN_NUMBER: ${{ github.run_number }}
|
||||
run: |
|
||||
if [ "$HAS_TOKEN" != "true" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping (the agent ignores bot @mentions)."
|
||||
exit 0
|
||||
fi
|
||||
PROMPT=".github/loop/prompts/builder.md"
|
||||
if [ ! -f "$PROMPT" ]; then
|
||||
echo "missing $PROMPT — run 'micro loop init'." >&2
|
||||
exit 1
|
||||
fi
|
||||
ISSUE_URL=$(gh issue create --repo "$REPO" \
|
||||
--title "Loop: build increment #$RUN_NUMBER" \
|
||||
--body "Autonomous builder pass. Direction: .github/loop/NORTH_STAR.md; queue: .github/loop/PRIORITIES.md.")
|
||||
ISSUE_NUM="${ISSUE_URL##*/}"
|
||||
echo "Opened issue #$ISSUE_NUM — dispatching builder."
|
||||
# The prompt file is the policy; strip its editorial <!-- --> header and
|
||||
# substitute the tracking issue number (__ISSUE__) at runtime.
|
||||
{
|
||||
echo "@codex"
|
||||
echo
|
||||
sed -e '/<!--/,/-->/d' -e "s/__ISSUE__/$ISSUE_NUM/g" "$PROMPT"
|
||||
} > "$RUNNER_TEMP/loop-body.md"
|
||||
gh issue comment "$ISSUE_NUM" --repo "$REPO" --body-file "$RUNNER_TEMP/loop-body.md"
|
||||
@@ -0,0 +1,63 @@
|
||||
name: "Loop: Coherence"
|
||||
|
||||
# Generated by `micro loop init`. A dispatch role of the autonomous loop: on a
|
||||
# cadence it opens a fresh tracking issue and posts the instruction in
|
||||
# .github/loop/prompts/coherence.md to the agent (@codex).
|
||||
#
|
||||
# The workflow is the MECHANISM; that prompt file is the editable POLICY —
|
||||
# change what this role does by editing the prompt, not this YAML. A FRESH
|
||||
# issue per run is deliberate: agents derive the PR branch name from the
|
||||
# triggering issue, so reusing one tracker collapses every run onto one branch.
|
||||
#
|
||||
# Gated on CODEX_TRIGGER_TOKEN: the agent ignores @mentions from the
|
||||
# github-actions bot, so dispatch posts as a real user (a PAT). No token → no-op.
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic schedule disabled while the team does focused
|
||||
# 1:1 fixes. Still runnable on demand via workflow_dispatch. Re-enable by
|
||||
# uncommenting the schedule below.
|
||||
# schedule:
|
||||
# - cron: "0 7 * * *"
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
concurrency:
|
||||
group: loop-coherence
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
dispatch:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4 # needed to read the prompt file
|
||||
- name: Dispatch coherence
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN || github.token }}
|
||||
HAS_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN != '' }}
|
||||
REPO: ${{ github.repository }}
|
||||
RUN_NUMBER: ${{ github.run_number }}
|
||||
run: |
|
||||
if [ "$HAS_TOKEN" != "true" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping (the agent ignores bot @mentions)."
|
||||
exit 0
|
||||
fi
|
||||
PROMPT=".github/loop/prompts/coherence.md"
|
||||
if [ ! -f "$PROMPT" ]; then
|
||||
echo "missing $PROMPT — run 'micro loop init'." >&2
|
||||
exit 1
|
||||
fi
|
||||
ISSUE_URL=$(gh issue create --repo "$REPO" \
|
||||
--title "Loop: coherence review #$RUN_NUMBER" \
|
||||
--body "Autonomous coherence pass. Direction: .github/loop/NORTH_STAR.md; queue: .github/loop/PRIORITIES.md.")
|
||||
ISSUE_NUM="${ISSUE_URL##*/}"
|
||||
echo "Opened issue #$ISSUE_NUM — dispatching coherence."
|
||||
# The prompt file is the policy; strip its editorial <!-- --> header and
|
||||
# substitute the tracking issue number (__ISSUE__) at runtime.
|
||||
{
|
||||
echo "@codex"
|
||||
echo
|
||||
sed -e '/<!--/,/-->/d' -e "s/__ISSUE__/$ISSUE_NUM/g" "$PROMPT"
|
||||
} > "$RUNNER_TEMP/loop-body.md"
|
||||
gh issue comment "$ISSUE_NUM" --repo "$REPO" --body-file "$RUNNER_TEMP/loop-body.md"
|
||||
@@ -0,0 +1,63 @@
|
||||
name: "Loop: Planner"
|
||||
|
||||
# Generated by `micro loop init`. A dispatch role of the autonomous loop: on a
|
||||
# cadence it opens a fresh tracking issue and posts the instruction in
|
||||
# .github/loop/prompts/planner.md to the agent (@codex).
|
||||
#
|
||||
# The workflow is the MECHANISM; that prompt file is the editable POLICY —
|
||||
# change what this role does by editing the prompt, not this YAML. A FRESH
|
||||
# issue per run is deliberate: agents derive the PR branch name from the
|
||||
# triggering issue, so reusing one tracker collapses every run onto one branch.
|
||||
#
|
||||
# Gated on CODEX_TRIGGER_TOKEN: the agent ignores @mentions from the
|
||||
# github-actions bot, so dispatch posts as a real user (a PAT). No token → no-op.
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic schedule disabled while the team does focused
|
||||
# 1:1 fixes. Still runnable on demand via workflow_dispatch. Re-enable by
|
||||
# uncommenting the schedule below.
|
||||
# schedule:
|
||||
# - cron: "59 * * * *"
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
concurrency:
|
||||
group: loop-planner
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
dispatch:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4 # needed to read the prompt file
|
||||
- name: Dispatch planner
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN || github.token }}
|
||||
HAS_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN != '' }}
|
||||
REPO: ${{ github.repository }}
|
||||
RUN_NUMBER: ${{ github.run_number }}
|
||||
run: |
|
||||
if [ "$HAS_TOKEN" != "true" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping (the agent ignores bot @mentions)."
|
||||
exit 0
|
||||
fi
|
||||
PROMPT=".github/loop/prompts/planner.md"
|
||||
if [ ! -f "$PROMPT" ]; then
|
||||
echo "missing $PROMPT — run 'micro loop init'." >&2
|
||||
exit 1
|
||||
fi
|
||||
ISSUE_URL=$(gh issue create --repo "$REPO" \
|
||||
--title "Loop: planning review #$RUN_NUMBER" \
|
||||
--body "Autonomous planner pass. Direction: .github/loop/NORTH_STAR.md; queue: .github/loop/PRIORITIES.md.")
|
||||
ISSUE_NUM="${ISSUE_URL##*/}"
|
||||
echo "Opened issue #$ISSUE_NUM — dispatching planner."
|
||||
# The prompt file is the policy; strip its editorial <!-- --> header and
|
||||
# substitute the tracking issue number (__ISSUE__) at runtime.
|
||||
{
|
||||
echo "@codex"
|
||||
echo
|
||||
sed -e '/<!--/,/-->/d' -e "s/__ISSUE__/$ISSUE_NUM/g" "$PROMPT"
|
||||
} > "$RUNNER_TEMP/loop-body.md"
|
||||
gh issue comment "$ISSUE_NUM" --repo "$REPO" --body-file "$RUNNER_TEMP/loop-body.md"
|
||||
@@ -0,0 +1,100 @@
|
||||
name: "Loop: Release"
|
||||
|
||||
# Generated by `micro loop init`. Cuts the next tag when the default branch has
|
||||
# new commits since the latest one, and pushes it with a PAT (CODEX_TRIGGER_TOKEN)
|
||||
# so any tag-triggered release workflow fires. The bump reflects what shipped,
|
||||
# read from the CHANGELOG [Unreleased] section: new features (Added/Changed) cut
|
||||
# a MINOR; fixes/docs only cut a PATCH; breaking changes are skipped so a MAJOR
|
||||
# stays a human decision.
|
||||
#
|
||||
# The tag MUST be pushed with a PAT, not the default GITHUB_TOKEN: a tag pushed
|
||||
# by GITHUB_TOKEN does not trigger other workflows (Actions blocks that recursion).
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic nightly release disabled while the team does
|
||||
# focused 1:1 fixes. Cut a release on demand via workflow_dispatch. Re-enable
|
||||
# by uncommenting the schedule below.
|
||||
# schedule:
|
||||
# - cron: "0 23 * * *"
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: loop-release
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
release:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0 # need full history + all tags
|
||||
# Do NOT persist the default GITHUB_TOKEN as a git credential: it would
|
||||
# be sent on the PAT push below and override it, so the tag push would
|
||||
# authenticate as github-actions[bot] and 403. Letting the PAT in the
|
||||
# push URL be the only credential is the whole point.
|
||||
persist-credentials: false
|
||||
- name: Cut the next patch tag if there are new commits
|
||||
env:
|
||||
RELEASE_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN }}
|
||||
REPO: ${{ github.repository }}
|
||||
run: |
|
||||
if [ -z "$RELEASE_TOKEN" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping."
|
||||
exit 0
|
||||
fi
|
||||
git fetch --tags --force
|
||||
|
||||
LATEST=$(git tag --list 'v*.*.*' --sort=-v:refname | head -1)
|
||||
if [ -z "$LATEST" ]; then
|
||||
echo "no vMAJOR.MINOR.PATCH tag found — aborting so nothing weird gets tagged."
|
||||
exit 1
|
||||
fi
|
||||
echo "latest tag: $LATEST"
|
||||
|
||||
COUNT=$(git rev-list --count "$LATEST"..HEAD)
|
||||
echo "commits since $LATEST: $COUNT"
|
||||
if [ "$COUNT" -eq 0 ]; then
|
||||
echo "no new commits since $LATEST — no release."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
ver="${LATEST#v}"
|
||||
major="${ver%%.*}"
|
||||
rest="${ver#*.}"
|
||||
minor="${rest%%.*}"
|
||||
patch="${rest#*.}"
|
||||
case "$major.$minor.$patch" in
|
||||
[0-9]*.[0-9]*.[0-9]*) ;;
|
||||
*) echo "unexpected tag shape: $LATEST" ; exit 1 ;;
|
||||
esac
|
||||
|
||||
# Choose the bump from what actually shipped, read from the CHANGELOG
|
||||
# [Unreleased] section (kept current by the coherence role):
|
||||
# new features (### Added / ### Changed) -> MINOR
|
||||
# fixes/docs only -> PATCH
|
||||
# breaking (### Removed / "(breaking)") -> skip; a major is a human call
|
||||
UNRELEASED=""
|
||||
if [ -f CHANGELOG.md ]; then
|
||||
UNRELEASED=$(awk '/^## \[Unreleased\]/{f=1; next} /^## \[/{f=0} f' CHANGELOG.md)
|
||||
fi
|
||||
if printf '%s\n' "$UNRELEASED" | grep -qiE '^### Removed|^### Changed \(breaking\)|BREAKING'; then
|
||||
echo "CHANGELOG [Unreleased] contains breaking changes — a major release is a human decision. Skipping."
|
||||
exit 0
|
||||
elif printf '%s\n' "$UNRELEASED" | grep -qE '^### (Added|Changed)'; then
|
||||
NEXT="v${major}.$((minor + 1)).0"
|
||||
KIND="minor (new features)"
|
||||
else
|
||||
NEXT="v${major}.${minor}.$((patch + 1))"
|
||||
KIND="patch (fixes/docs only)"
|
||||
fi
|
||||
echo "cutting: $NEXT — $KIND ($COUNT commits since $LATEST)"
|
||||
|
||||
git config user.name "loop release bot"
|
||||
git config user.email "noreply@users.noreply.github.com"
|
||||
git tag -a "$NEXT" -m "Release $NEXT — automated $KIND ($COUNT commits since $LATEST)"
|
||||
git push "https://x-access-token:${RELEASE_TOKEN}@github.com/${REPO}.git" "$NEXT"
|
||||
echo "Pushed $NEXT."
|
||||
@@ -0,0 +1,63 @@
|
||||
name: "Loop: Security"
|
||||
|
||||
# Generated by `micro loop init`. A dispatch role of the autonomous loop: on a
|
||||
# cadence it opens a fresh tracking issue and posts the instruction in
|
||||
# .github/loop/prompts/security.md to the agent (@codex).
|
||||
#
|
||||
# The workflow is the MECHANISM; that prompt file is the editable POLICY —
|
||||
# change what this role does by editing the prompt, not this YAML. A FRESH
|
||||
# issue per run is deliberate: agents derive the PR branch name from the
|
||||
# triggering issue, so reusing one tracker collapses every run onto one branch.
|
||||
#
|
||||
# Gated on CODEX_TRIGGER_TOKEN: the agent ignores @mentions from the
|
||||
# github-actions bot, so dispatch posts as a real user (a PAT). No token → no-op.
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic schedule disabled while the team does focused
|
||||
# 1:1 fixes. Still runnable on demand via workflow_dispatch. Re-enable by
|
||||
# uncommenting the schedule below.
|
||||
# schedule:
|
||||
# - cron: "0 6 * * 1"
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
concurrency:
|
||||
group: loop-security
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
dispatch:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4 # needed to read the prompt file
|
||||
- name: Dispatch security
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN || github.token }}
|
||||
HAS_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN != '' }}
|
||||
REPO: ${{ github.repository }}
|
||||
RUN_NUMBER: ${{ github.run_number }}
|
||||
run: |
|
||||
if [ "$HAS_TOKEN" != "true" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping (the agent ignores bot @mentions)."
|
||||
exit 0
|
||||
fi
|
||||
PROMPT=".github/loop/prompts/security.md"
|
||||
if [ ! -f "$PROMPT" ]; then
|
||||
echo "missing $PROMPT — run 'micro loop init'." >&2
|
||||
exit 1
|
||||
fi
|
||||
ISSUE_URL=$(gh issue create --repo "$REPO" \
|
||||
--title "Loop: security review #$RUN_NUMBER" \
|
||||
--body "Autonomous security pass. Direction: .github/loop/NORTH_STAR.md; queue: .github/loop/PRIORITIES.md.")
|
||||
ISSUE_NUM="${ISSUE_URL##*/}"
|
||||
echo "Opened issue #$ISSUE_NUM — dispatching security."
|
||||
# The prompt file is the policy; strip its editorial <!-- --> header and
|
||||
# substitute the tracking issue number (__ISSUE__) at runtime.
|
||||
{
|
||||
echo "@codex"
|
||||
echo
|
||||
sed -e '/<!--/,/-->/d' -e "s/__ISSUE__/$ISSUE_NUM/g" "$PROMPT"
|
||||
} > "$RUNNER_TEMP/loop-body.md"
|
||||
gh issue comment "$ISSUE_NUM" --repo "$REPO" --body-file "$RUNNER_TEMP/loop-body.md"
|
||||
@@ -0,0 +1,61 @@
|
||||
name: "Loop: Triage"
|
||||
|
||||
# Generated by `micro loop init`. The feedback path of the evaluator: when a CI
|
||||
# workflow (Harness (E2E), Lint, Run Tests) fails on a non-PR run, dispatch the agent
|
||||
# (@codex) with the instruction in .github/loop/prompts/triage.md
|
||||
# to root-cause the failure and file scoped fix issues back into the queue — so
|
||||
# failures become fixes with no human in the middle. Gated on CODEX_TRIGGER_TOKEN.
|
||||
|
||||
on:
|
||||
workflow_dispatch: {}
|
||||
# PAUSED 2026-07-12: automatic CI-failure dispatch disabled while the team
|
||||
# does focused 1:1 fixes, so failures don't auto-spawn agent tasks. Re-enable
|
||||
# by uncommenting the workflow_run trigger below.
|
||||
# workflow_run:
|
||||
# workflows: ["Harness (E2E)", "Lint", "Run Tests", "govulncheck"]
|
||||
# types: [completed]
|
||||
|
||||
permissions:
|
||||
issues: write
|
||||
|
||||
concurrency:
|
||||
group: loop-triage
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
triage:
|
||||
# Only real failures on branch pushes/schedules — not PR-run failures, which
|
||||
# the PR author already sees.
|
||||
if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.event != 'pull_request' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4 # needed to read the prompt file
|
||||
- name: Dispatch triage
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN || github.token }}
|
||||
HAS_TOKEN: ${{ secrets.CODEX_TRIGGER_TOKEN != '' }}
|
||||
REPO: ${{ github.repository }}
|
||||
RUN_ID: ${{ github.event.workflow_run.id }}
|
||||
RUN_URL: ${{ github.event.workflow_run.html_url }}
|
||||
WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
|
||||
run: |
|
||||
if [ "$HAS_TOKEN" != "true" ]; then
|
||||
echo "CODEX_TRIGGER_TOKEN is not set — skipping."
|
||||
exit 0
|
||||
fi
|
||||
PROMPT=".github/loop/prompts/triage.md"
|
||||
if [ ! -f "$PROMPT" ]; then
|
||||
echo "missing $PROMPT — run 'micro loop init'." >&2
|
||||
exit 1
|
||||
fi
|
||||
ISSUE_URL=$(gh issue create --repo "$REPO" \
|
||||
--title "Loop: triage failed run $RUN_ID ($WORKFLOW_NAME)" \
|
||||
--body "The '$WORKFLOW_NAME' workflow failed on a non-PR run: $RUN_URL")
|
||||
ISSUE_NUM="${ISSUE_URL##*/}"
|
||||
echo "Opened issue #$ISSUE_NUM — dispatching triage."
|
||||
{
|
||||
echo "@codex"
|
||||
echo
|
||||
sed -e '/<!--/,/-->/d' -e "s/__ISSUE__/$ISSUE_NUM/g" -e "s#__RUNURL__#$RUN_URL#g" "$PROMPT"
|
||||
} > "$RUNNER_TEMP/loop-body.md"
|
||||
gh issue comment "$ISSUE_NUM" --repo "$REPO" --body-file "$RUNNER_TEMP/loop-body.md"
|
||||
@@ -0,0 +1,51 @@
|
||||
name: goreleaser
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- 'v*.*.*'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
packages: write
|
||||
attestations: write
|
||||
jobs:
|
||||
goreleaser:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
-
|
||||
name: Set up Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: stable
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
-
|
||||
name: Login to Docker Hub
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
-
|
||||
name: Login to GitHub Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
-
|
||||
name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@v7
|
||||
with:
|
||||
distribution: goreleaser
|
||||
version: '~> v2'
|
||||
args: release --clean
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
@@ -0,0 +1,75 @@
|
||||
name: Run Tests
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- "**"
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- reopened
|
||||
- synchronize
|
||||
branches:
|
||||
- "**"
|
||||
jobs:
|
||||
unittests:
|
||||
name: Unit Tests
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: "1.25"
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: Get dependencies
|
||||
run: |
|
||||
go install github.com/kyoh86/richgo@latest
|
||||
go get -v -t -d ./...
|
||||
- name: Run tests
|
||||
id: tests
|
||||
run: richgo test -v -race -cover ./...
|
||||
env:
|
||||
IN_TRAVIS_CI: yes
|
||||
RICHGO_FORCE_COLOR: 1
|
||||
|
||||
etcd-integration:
|
||||
name: Etcd Integration Tests
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
services:
|
||||
etcd:
|
||||
image: quay.io/coreos/etcd:v3.5.2
|
||||
env:
|
||||
ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379
|
||||
ETCD_ADVERTISE_CLIENT_URLS: http://0.0.0.0:2379
|
||||
ports:
|
||||
- 2379:2379
|
||||
options: >-
|
||||
--health-cmd "etcdctl endpoint health"
|
||||
--health-interval 10s
|
||||
--health-timeout 5s
|
||||
--health-retries 5
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: "1.25"
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: Get dependencies
|
||||
run: |
|
||||
go install github.com/kyoh86/richgo@latest
|
||||
go get -v -t -d ./...
|
||||
- name: Wait for etcd
|
||||
run: |
|
||||
timeout 30 bash -c 'until curl -s http://localhost:2379/health; do sleep 1; done'
|
||||
- name: Run etcd integration tests
|
||||
run: richgo test -v -race ./registry/etcd/...
|
||||
env:
|
||||
ETCD_ADDRESS: localhost:2379
|
||||
IN_TRAVIS_CI: yes
|
||||
RICHGO_FORCE_COLOR: 1
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
|
||||
name: Deploy Jekyll with GitHub Pages dependencies preinstalled
|
||||
|
||||
on:
|
||||
# Runs on pushes targeting the default branch
|
||||
push:
|
||||
branches: ["master"]
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
|
||||
permissions:
|
||||
contents: read
|
||||
pages: write
|
||||
id-token: write
|
||||
|
||||
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
|
||||
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
|
||||
concurrency:
|
||||
group: "pages"
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
# Build job
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup Pages
|
||||
uses: actions/configure-pages@v5
|
||||
- name: Build with Jekyll
|
||||
uses: actions/jekyll-build-pages@v1
|
||||
with:
|
||||
source: ./internal/website
|
||||
destination: ./_site
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-pages-artifact@v3
|
||||
|
||||
# Deployment job
|
||||
deploy:
|
||||
environment:
|
||||
name: github-pages
|
||||
url: ${{ steps.deployment.outputs.page_url }}
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
steps:
|
||||
- name: Deploy to GitHub Pages
|
||||
id: deployment
|
||||
uses: actions/deploy-pages@v4
|
||||
Reference in New Issue
Block a user