Skip to content

sync-preview: merge main into preview (conflicts)#1239

Closed
agentcore-devx-automation[bot] wants to merge 18 commits into
previewfrom
sync-preview/merge-main-20260513-202903
Closed

sync-preview: merge main into preview (conflicts)#1239
agentcore-devx-automation[bot] wants to merge 18 commits into
previewfrom
sync-preview/merge-main-20260513-202903

Conversation

@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

The automated sync could not cleanly merge main into preview.

This PR contains conflict markers. To resolve:

  1. Check out this branch locally:
    gh pr checkout <this-pr-number>
  2. Search for conflict markers and resolve them:
    grep -rn '<<<<<<< HEAD' .
  3. Keep preview-specific values (package version, preview tests, etc.) — accept main's changes for everything else.
  4. Commit and push, then merge this PR.

cc @aidandaly24

Opened automatically by the sync-preview workflow.

Hweinstock and others added 18 commits May 11, 2026 13:56
Replace secrets.PAT_TOKEN and secrets.AUTOMATION_ACCOUNT_PAT_TOKEN with
short-lived tokens generated by the agentcore-devx-automation GitHub App
(ID: 3637953) via actions/create-github-app-token@v1.

This improves security by using ephemeral tokens scoped to the
installation rather than long-lived personal access tokens.

Requires adding repo variable APP_ID=3637953 and repo secret
APP_PRIVATE_KEY with the app's RSA private key.
Add telemetry recording to the create command in both CLI and TUI paths:
- CLI: wrap handleCreateCLI with runCliCommand to emit CreateAttrs on success/failure
- TUI: wrap useCreateFlow's run() with withCommandRunTelemetry
- Add telemetry assertions to existing integration tests (frameworks + edge cases)
Replaces all occurrences of \${{ github.token }} and \${{ secrets.GITHUB_TOKEN }}
across .github/workflows/ with a per-job GitHub App token generated via
actions/create-github-app-token@v1 using vars.APP_ID and secrets.APP_PRIVATE_KEY.
fix: bump versions to resolve security audit failure
…-token

chore: replace all github.token/GITHUB_TOKEN with GitHub App token
* feat(evaluator): Add kmsKeyArn support for custom evaluator

* fix: sync package-lock.json with package.json

The lock file was out of sync after dependency bumps on main were merged,
causing npm ci to fail in CI.

* fix: revert unrelated dep bumps and fix formatting

Reverts @opentelemetry/exporter-metrics-otlp-http ^0.217.0 back to
^0.214.0 and secretlint ^13.0.0 back to ^12.2.0 — these were
accidentally included in the feature commit from unmerged dependabot PRs
and introduce high-severity protobufjs vulnerabilities.

Restores fast-xml-parser and @aws-sdk/xml-builder overrides that were
also inadvertently removed.

Fixes Prettier formatting on agentcore-project.ts import lines.

* fix: sync package-lock.json with updated dependencies

---------

Co-authored-by: notgitika <gitijh@gmail.com>
…1125)

* refactor: unify result types with discriminated Result<T, E> union

Introduce a shared Result<T, E> type (inspired by Rust's Result) that
replaces ad-hoc { success: boolean; error?: string } patterns across
the codebase.

Key changes:
- Add src/lib/types.ts with Result<T, E> discriminated union type
- Add toError() helper in src/cli/errors.ts for catch blocks
- Migrate all command, operation, and primitive result types to Result<T>
- Error field is now Error (not string) on the failure branch
- Data fields only exist on the success branch (proper narrowing)
- Update all consumers to narrow before accessing branch-specific fields
- Update test assertions to match new Error objects and add narrowing

* docs: update AGENTS.md and telemetry README to reflect Result<T, E> type
)

* feat: record command attrs on telemetry failure via fallbackAttrs

Add optional fallbackAttrs parameter to client.withCommandRun so
command-specific attributes are recorded even when the callback throws.

- client.ts: accept fallbackAttrs, use on failure instead of {}
- client.ts: run resilientParse on all non-empty attrs (not just success)
- cli-command-run.ts: withCommandRunTelemetry passes attrs as fallbackAttrs
- cli-command-run.ts: runCliCommand accepts optional knownAttrs param
- command.tsx: extract knownAttrs upfront, pass to runCliCommand
- client.test.ts: add unit tests for fallbackAttrs behavior
- create-edge-cases.test.ts: assert attrs present on failure entry

* chore: rebase onto mainline
#1078)

* fix: sync-preview workflow restores version instead of ignoring files

Instead of keeping preview's entire package.json/package-lock.json
(which discards new deps, scripts, etc. from main), accept main's
content and surgically restore only the version field to preview's
value after merge.

* fix: push directly to preview on clean merge via GitHub App bypass

Use agentcore-devx-automation app token to bypass branch protection
and push directly when the merge is clean (or only version conflicts).
Only creates a PR when there are real conflicts in other files.

* chore: use app-slug instead of app-id for token generation

* fix: address review feedback on sync-preview workflow

- Pass PREVIEW_VERSION via env var instead of string interpolation in
  node -e scripts (safer against special chars)
- Make git add of package-lock.json conditional on file existence to
  match the earlier -f guard
- Replace loose title search for dedup with headRefName prefix filter
  to avoid false positives from unrelated PRs
- Clarify why package.json/package-lock.json are special-cased (preview
  carries a different version string that needs preserving)

* fix: restore preview-owned files after sync merge

Adds a step to restore schemas/agentcore.schema.v1.json and CHANGELOG.md
to preview's versions after merging main. These files are auto-generated
during preview releases — schema-check CI rejects direct modifications
to schemas/, and CHANGELOG.md tracks preview releases separately.

* fix: use app-id instead of app-slug for GitHub App token

Aligns with the pattern in PR #1210 and ci-failure-issue.yml.
After 'git remote add public' fetches the same branches that already exist
on origin, 'git checkout <branch>' becomes ambiguous and fails with:

    fatal: 'preview' matched multiple (2) remote tracking branches

Both sync jobs now use 'git checkout -B <branch> origin/<branch>' which
explicitly resets the local branch from origin's tracking ref, removing
the ambiguity and combining the previous 'checkout + reset --hard' into
one step.

Last 4 scheduled runs of 'Sync from Public Repo' all failed with this
error; the workflow has been silently broken since the public/origin
branches collided.
fix: disambiguate sync-from-public branch checkout
…er patterns (#1163)

* fix(schema): relax request header allowlist validation per AWS docs

Relaxes header allowlist to accept any valid HTTP header name (alphanumeric,
hyphens, underscores) that isn't structurally reserved (x-amz-*, x-amzn-*
except Runtime-Custom-*), per the AWS AgentCore Runtime documentation.

- Updates schema refine to validate character pattern + block reserved prefixes
- Updates normalizeHeaderName to pass through X-* headers unchanged
- Adds case-insensitive deduplication
- Adds tests for X-Api-Key, X-Custom-Signature, restricted prefix rejection

Refs #1151

* fix(tui): update header allowlist help text to reflect relaxed validation

Updates CLI flag description and TUI hints to show examples of newly-accepted
header names (X-Api-Key, X-Custom-Signature) and clarify when auto-prefixing
applies.

Refs #1151

* fix(schema): per-branch error messages and remove dead-code prefix check

Addresses review feedback on PR #1163:
- Schema now returns specific error per violated rule (character pattern,
  x-amz- reserved, x-amzn- reserved-except-Custom-) instead of a single
  three-rule string. Easier to act on for users.
- Removes dead-code clause '&& !lower.startsWith('x-amzn-')' on the x-amz-
  check; 'x-amz-' and 'x-amzn-' are disjoint prefixes (position 5 differs:
  '-' vs 'n'), so the carve-out is unnecessary.
- Extracts checkAllowlistHeader() in agent-env.ts as the single source of
  truth; header-utils.ts now consumes it instead of duplicating the rules.
- Adds test pinning the documented suffix-preservation behavior of
  normalizeHeaderName() for the Runtime-Custom- branch.
- Updates --request-header-allowlist flag help to clarify X-prefixed names
  pass through unchanged.

Refs #1151
@agentcore-devx-automation agentcore-devx-automation Bot requested a review from a team May 13, 2026 20:29
@notgitika notgitika closed this May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants