diff --git a/.github/actions/setup-go/action.yml b/.github/actions/setup-go/action.yml
index 256fbdc..1b38f3e 100644
--- a/.github/actions/setup-go/action.yml
+++ b/.github/actions/setup-go/action.yml
@@ -7,7 +7,7 @@ inputs: runs: using: composite steps: - - uses: stainless-api/retrieve-github-access-token@v1 + - uses: stainless-api/retrieve-github-access-token@1f03f929b746c5b03dcdafa2bebbb18ca5672e1a # v1.0.0 if: github.repository == 'stainless-sdks/anthropic-cli' id: get_token with:
@@ -17,10 +17,12 @@ runs: - name: Configure Git for access to the Go SDK's staging repo if: github.repository == 'stainless-sdks/anthropic-cli' shell: bash - run: git config --global url."https://x-access-token:${{ steps.get_token.outputs.github_access_token }}@github.com/stainless-sdks/anthropic-go".insteadOf "https://github.com/stainless-sdks/anthropic-go" + run: git config --global url."https://x-access-token:${STEPS_GET_TOKEN_OUTPUTS_GITHUB_ACCESS_TOKEN}@github.com/stainless-sdks/anthropic-go".insteadOf "https://github.com/stainless-sdks/anthropic-go" + env: + STEPS_GET_TOKEN_OUTPUTS_GITHUB_ACCESS_TOKEN: ${{ steps.get_token.outputs.github_access_token }} - name: Setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: ./go.mod
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c1a18aa..028dc32 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,9 @@ on: - 'stl-preview-head/**' - 'stl-preview-base/**' +permissions: + contents: read + env: GOPRIVATE: github.com/anthropics/anthropic-sdk-go,github.com/stainless-sdks/anthropic-go
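Review bot: The access token is still written in clear text into the runner's global git config by the `run:` line, and a composite action has no `post:` step to remove it, so it stays on disk for every later step of the calling job. Moving it into `STEPS_GET_TOKEN_OUTPUTS_GITHUB_ACCESS_TOKEN` closes the expression-injection hole but does not change that, and a step output is only redacted from logs if the producing action registered it as a secret, which this diff cannot show. A cheap defence in depth is to mask it first: `run: |`, `echo "::add-mask::$STEPS_GET_TOKEN_OUTPUTS_GITHUB_ACCESS_TOKEN"`, then the existing `git config --global url.…insteadOf …` line, so the URL cannot surface in git's own error or trace output. Consider also `http.https://github.com/stainless-sdks/anthropic-go.extraheader` with a basic-auth header instead of embedding the credential in the rewritten URL, since the URL form shows up in `git remote -v` and verbose output.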
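Review bot: The new workflow-level `permissions: contents: read` also strips `id-token` from every job, and the `github-oidc` step further down this same file calls `core.getIDToken()`, which only succeeds when the job grants `id-token: write`. That job's own `permissions:` block is not in this diff, so confirm it declares `permissions:` with `contents: read` and `id-token: write`; otherwise the OIDC request fails at run time rather than at workflow validation. A one-line comment on the new block, `# default is read-only; jobs needing more (e.g. id-token: write for OIDC) opt in at job level`, would make the intent explicit.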
@@ -25,16 +28,20 @@ jobs: if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup-go with: - stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} + stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} # zizmor: ignore[secrets-outside-env] — CI jobs run on every push/PR and cannot use deployment environments - name: Link staging branch if: github.repository == 'stainless-sdks/anthropic-cli' + env: + REF_NAME: ${{ github.ref_name }} run: | - ./scripts/link 'github.com/stainless-sdks/anthropic-go@${{ github.ref_name }}' || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' + ./scripts/link "github.com/stainless-sdks/anthropic-go@${REF_NAME}" || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' - name: Bootstrap run: ./scripts/bootstrap 
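Review bot: Moving `github.ref_name` into `REF_NAME` and double-quoting it fixes the expression injection on this line only; the value is still attacker-influenced (any branch pushed to the repo on `push`) and is now handed to `./scripts/link` as an argument, which is outside this diff. Check that the script quotes `"$1"` wherever it splices the ref into `go mod edit -replace` or a git command, otherwise the injection just moves one hop. Also, on `pull_request` events `github.ref_name` is `<n>/merge`, so the `|| go mod edit -dropreplace=…` fallback is the normal path there; a short comment on the step, `# on PRs ref_name is <n>/merge, so link fails and the replace is dropped`, would stop that from being read as a bug.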
@@ -51,22 +58,26 @@ jobs: runs-on: ${{ github.repository == 'stainless-sdks/anthropic-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }} if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup-go with: - stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} + stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} # zizmor: ignore[secrets-outside-env] — CI jobs run on every push/PR and cannot use deployment environments - name: Link staging branch if: github.repository == 'stainless-sdks/anthropic-cli' + env: + REF_NAME: ${{ github.ref_name }} run: | - ./scripts/link 'github.com/stainless-sdks/anthropic-go@${{ github.ref_name }}' || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' + ./scripts/link "github.com/stainless-sdks/anthropic-go@${REF_NAME}" || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' - name: Bootstrap run: ./scripts/bootstrap - name: Run goreleaser - uses: goreleaser/goreleaser-action@v6.1.0 + uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 with: version: latest args: release --snapshot --clean --skip=publish
@@ -78,7 +89,7 @@ jobs: github.repository == 'stainless-sdks/anthropic-cli' && !startsWith(github.ref, 'refs/heads/stl/') id: github-oidc - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: core.setOutput('github_token', await core.getIDToken());
@@ -93,7 +104,7 @@ jobs: run: ./scripts/utils/upload-artifact.sh - name: Upload cdp-darwin-arm64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-darwin-arm64 path: dist/macos_darwin_arm64*/cdp
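Review bot: `version: latest` under the now SHA-pinned `goreleaser/goreleaser-action` step still downloads whatever GoReleaser release is current at run time, so the build tool itself stays unpinned even though its wrapper is not. Pin it, e.g. `version: '~> v2'` or an exact `version: v2.x.y`, so the snapshot build is reproducible and a breaking or compromised GoReleaser release cannot land silently. This job also stays on `goreleaser-action` v6.1.0 while `publish-release.yml` in the same diff is on v7.0.0; aligning them avoids testing one major version of the tool in CI and releasing with another.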
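Review bot: The OIDC JWT from `core.getIDToken()` is published as an unmasked step output named `github_token`; step outputs are not redacted from logs unless the value was registered as a secret, so any later step that echoes `steps.github-oidc.outputs.github_token` (or runs under `set -x`) leaks a live bearer token. Register it before exporting it: `script: |`, `const t = await core.getIDToken(); core.setSecret(t);`, `core.setOutput('github_token', t);`. The name is also misleading, since this is an OIDC ID token rather than a `GITHUB_TOKEN`; `id_token` would read correctly. If the consumer (`scripts/utils/upload-artifact.sh`, outside this hunk) checks `aud`, pass that audience to `getIDToken(...)` explicitly rather than relying on the default.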
@@ -101,7 +112,7 @@ jobs: if-no-files-found: ignore - name: Upload cdp-darwin-amd64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-darwin-amd64 path: dist/macos_darwin_amd64*/cdp
@@ -109,7 +120,7 @@ jobs: if-no-files-found: ignore - name: Upload cdp-linux-amd64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-linux-amd64 path: dist/linux_linux_amd64*/cdp
@@ -117,7 +128,7 @@ jobs: if-no-files-found: ignore - name: Upload cdp-linux-arm64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-linux-arm64 path: dist/linux_linux_arm64*/cdp
@@ -125,7 +136,7 @@ jobs: if-no-files-found: ignore - name: Upload cdp-windows-amd64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-windows-amd64 path: dist/windows_windows_amd64*/cdp.exe
@@ -133,7 +144,7 @@ jobs: if-no-files-found: ignore - name: Upload cdp-windows-arm64 - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cdp-windows-arm64 path: dist/windows_windows_arm64*/cdp.exe
@@ -146,16 +157,20 @@ jobs: runs-on: ${{ github.repository == 'stainless-sdks/anthropic-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }} if: github.event_name == 'push' || github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: ./.github/actions/setup-go with: - stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} + stainless-api-key: ${{ secrets.STAINLESS_API_KEY }} # zizmor: ignore[secrets-outside-env] — CI jobs run on every push/PR and cannot use deployment environments - name: Link staging branch if: github.repository == 'stainless-sdks/anthropic-cli' + env: + REF_NAME: ${{ github.ref_name }} run: | - ./scripts/link 'github.com/stainless-sdks/anthropic-go@${{ github.ref_name }}' || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' + ./scripts/link "github.com/stainless-sdks/anthropic-go@${REF_NAME}" || go mod edit -dropreplace='github.com/stainless-sdks/anthropic-go' - name: Bootstrap run: ./scripts/bootstrap
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
deleted file mode 100644
index a4c8f6a..0000000
--- a/.github/workflows/claude-code-review.yml
+++ /dev/null
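Review bot: This is the third copy in `ci.yml` of the identical checkout / `setup-go` / "Link staging branch" / bootstrap prelude (the same hunk appears twice earlier in this diff), and the `REF_NAME` injection fix had to be applied three times. Since the `./.github/actions/setup-go` composite action already receives `stainless-api-key` and gates on the same `github.repository` check, moving the `Link staging branch` step, with its `env: REF_NAME: ${{ github.ref_name }}`, into that action would keep the quoting in one place; the `github` context is available inside composite actions. If the three jobs are meant to diverge in what they link, a one-line comment on each saying so would stop the next reader from deduplicating them.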
@@ -1,57 +0,0 @@ -name: Claude Code Review - -on: - pull_request: - types: [opened, synchronize] - # Optional: Only run on specific file changes - # paths: - # - "src/**/*.ts" - # - "src/**/*.tsx" - # - "src/**/*.js" - # - "src/**/*.jsx" - -jobs: - claude-review: - # Optional: Filter by PR author - # if: | - # github.event.pull_request.user.login == 'external-contributor' || - # github.event.pull_request.user.login == 'new-developer' || - # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' - - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read - issues: read - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - - name: Run Claude Code Review - id: claude-review - uses: anthropics/claude-code-action@v1 - with: - anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - prompt: | - REPO: ${{ github.repository }} - PR NUMBER: ${{ github.event.pull_request.number }} - - Please review this pull request and provide feedback on: - - Code quality and best practices - - Potential bugs or issues - - Performance considerations - - Security concerns - - Test coverage - - Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback. - - Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR. - - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options - claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"' -
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
deleted file mode 100644
index 79fe056..0000000
--- a/.github/workflows/claude.yml
+++ /dev/null
@@ -1,50 +0,0 @@ -name: Claude Code - -on: - issue_comment: - types: [created] - pull_request_review_comment: - types: [created] - issues: - types: [opened, assigned] - pull_request_review: - types: [submitted] - -jobs: - claude: - if: | - (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || - (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || - (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || - (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read - issues: read - id-token: write - actions: read # Required for Claude to read CI results on PRs - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - - name: Run Claude Code - id: claude - uses: anthropics/claude-code-action@v1 - with: - anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - - # This is an optional setting that allows Claude to read CI results on PRs - additional_permissions: | - actions: read - - # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. - # prompt: 'Update the pull request description to include a summary of changes.' - - # Optional: Add claude_args to customize behavior and configuration - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options - # claude_args: '--allowed-tools Bash(gh pr:*)' -
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 64a0eca..631ef06 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -39,11 +39,13 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: "go.mod" + cache: false - name: Run GoReleaser uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
index 3fc80f8..270d47a 100644
--- a/.github/workflows/release-doctor.yml
+++ b/.github/workflows/release-doctor.yml
@@ -5,6 +5,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: release_doctor: name: release doctor
@@ -13,7 +16,9 @@ jobs: if: github.repository == 'anthropics/anthropic-cli' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || startsWith(github.head_ref, 'release-please') || github.head_ref == 'next') steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check release environment run: |
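Review bot: `cache: false` on the Set up Go step is added without a reason, so the next reader will take it for a speed or flakiness tweak and turn it back on. If the intent is that a release build should fetch its modules fresh rather than restore a cache, say so on the line: `cache: false # release builds fetch modules fresh; never restore a cache`. With `persist-credentials: false` the GoReleaser step must now get its token another way (presumably `env: GITHUB_TOKEN`, outside this hunk) — confirm it is still set and scoped to `contents: write` rather than a broader PAT. Note also that this workflow pins `actions/setup-go` v6.4.0 while the composite `setup-go` action in the same diff pins v5.6.0; building CI snapshots and releases with different installer versions is worth aligning.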