sync-preview: merge main into preview (conflicts)#1239
Closed
agentcore-devx-automation[bot] wants to merge 18 commits into
Closed
sync-preview: merge main into preview (conflicts)#1239agentcore-devx-automation[bot] wants to merge 18 commits into
agentcore-devx-automation[bot] wants to merge 18 commits into
Conversation
Replace secrets.PAT_TOKEN and secrets.AUTOMATION_ACCOUNT_PAT_TOKEN with short-lived tokens generated by the agentcore-devx-automation GitHub App (ID: 3637953) via actions/create-github-app-token@v1. This improves security by using ephemeral tokens scoped to the installation rather than long-lived personal access tokens. Requires adding repo variable APP_ID=3637953 and repo secret APP_PRIVATE_KEY with the app's RSA private key.
Add telemetry recording to the create command in both CLI and TUI paths: - CLI: wrap handleCreateCLI with runCliCommand to emit CreateAttrs on success/failure - TUI: wrap useCreateFlow's run() with withCommandRunTelemetry - Add telemetry assertions to existing integration tests (frameworks + edge cases)
Replaces all occurrences of \${{ github.token }} and \${{ secrets.GITHUB_TOKEN }}
across .github/workflows/ with a per-job GitHub App token generated via
actions/create-github-app-token@v1 using vars.APP_ID and secrets.APP_PRIVATE_KEY.
fix: bump versions to resolve security audit failure
…-token chore: replace all github.token/GITHUB_TOKEN with GitHub App token
* feat(evaluator): Add kmsKeyArn support for custom evaluator * fix: sync package-lock.json with package.json The lock file was out of sync after dependency bumps on main were merged, causing npm ci to fail in CI. * fix: revert unrelated dep bumps and fix formatting Reverts @opentelemetry/exporter-metrics-otlp-http ^0.217.0 back to ^0.214.0 and secretlint ^13.0.0 back to ^12.2.0 — these were accidentally included in the feature commit from unmerged dependabot PRs and introduce high-severity protobufjs vulnerabilities. Restores fast-xml-parser and @aws-sdk/xml-builder overrides that were also inadvertently removed. Fixes Prettier formatting on agentcore-project.ts import lines. * fix: sync package-lock.json with updated dependencies --------- Co-authored-by: notgitika <gitijh@gmail.com>
…1125) * refactor: unify result types with discriminated Result<T, E> union Introduce a shared Result<T, E> type (inspired by Rust's Result) that replaces ad-hoc { success: boolean; error?: string } patterns across the codebase. Key changes: - Add src/lib/types.ts with Result<T, E> discriminated union type - Add toError() helper in src/cli/errors.ts for catch blocks - Migrate all command, operation, and primitive result types to Result<T> - Error field is now Error (not string) on the failure branch - Data fields only exist on the success branch (proper narrowing) - Update all consumers to narrow before accessing branch-specific fields - Update test assertions to match new Error objects and add narrowing * docs: update AGENTS.md and telemetry README to reflect Result<T, E> type
) * feat: record command attrs on telemetry failure via fallbackAttrs Add optional fallbackAttrs parameter to client.withCommandRun so command-specific attributes are recorded even when the callback throws. - client.ts: accept fallbackAttrs, use on failure instead of {} - client.ts: run resilientParse on all non-empty attrs (not just success) - cli-command-run.ts: withCommandRunTelemetry passes attrs as fallbackAttrs - cli-command-run.ts: runCliCommand accepts optional knownAttrs param - command.tsx: extract knownAttrs upfront, pass to runCliCommand - client.test.ts: add unit tests for fallbackAttrs behavior - create-edge-cases.test.ts: assert attrs present on failure entry * chore: rebase onto mainline
#1078) * fix: sync-preview workflow restores version instead of ignoring files Instead of keeping preview's entire package.json/package-lock.json (which discards new deps, scripts, etc. from main), accept main's content and surgically restore only the version field to preview's value after merge. * fix: push directly to preview on clean merge via GitHub App bypass Use agentcore-devx-automation app token to bypass branch protection and push directly when the merge is clean (or only version conflicts). Only creates a PR when there are real conflicts in other files. * chore: use app-slug instead of app-id for token generation * fix: address review feedback on sync-preview workflow - Pass PREVIEW_VERSION via env var instead of string interpolation in node -e scripts (safer against special chars) - Make git add of package-lock.json conditional on file existence to match the earlier -f guard - Replace loose title search for dedup with headRefName prefix filter to avoid false positives from unrelated PRs - Clarify why package.json/package-lock.json are special-cased (preview carries a different version string that needs preserving) * fix: restore preview-owned files after sync merge Adds a step to restore schemas/agentcore.schema.v1.json and CHANGELOG.md to preview's versions after merging main. These files are auto-generated during preview releases — schema-check CI rejects direct modifications to schemas/, and CHANGELOG.md tracks preview releases separately. * fix: use app-id instead of app-slug for GitHub App token Aligns with the pattern in PR #1210 and ci-failure-issue.yml.
After 'git remote add public' fetches the same branches that already exist
on origin, 'git checkout <branch>' becomes ambiguous and fails with:
fatal: 'preview' matched multiple (2) remote tracking branches
Both sync jobs now use 'git checkout -B <branch> origin/<branch>' which
explicitly resets the local branch from origin's tracking ref, removing
the ambiguity and combining the previous 'checkout + reset --hard' into
one step.
Last 4 scheduled runs of 'Sync from Public Repo' all failed with this
error; the workflow has been silently broken since the public/origin
branches collided.
fix: disambiguate sync-from-public branch checkout
…er patterns (#1163) * fix(schema): relax request header allowlist validation per AWS docs Relaxes header allowlist to accept any valid HTTP header name (alphanumeric, hyphens, underscores) that isn't structurally reserved (x-amz-*, x-amzn-* except Runtime-Custom-*), per the AWS AgentCore Runtime documentation. - Updates schema refine to validate character pattern + block reserved prefixes - Updates normalizeHeaderName to pass through X-* headers unchanged - Adds case-insensitive deduplication - Adds tests for X-Api-Key, X-Custom-Signature, restricted prefix rejection Refs #1151 * fix(tui): update header allowlist help text to reflect relaxed validation Updates CLI flag description and TUI hints to show examples of newly-accepted header names (X-Api-Key, X-Custom-Signature) and clarify when auto-prefixing applies. Refs #1151 * fix(schema): per-branch error messages and remove dead-code prefix check Addresses review feedback on PR #1163: - Schema now returns specific error per violated rule (character pattern, x-amz- reserved, x-amzn- reserved-except-Custom-) instead of a single three-rule string. Easier to act on for users. - Removes dead-code clause '&& !lower.startsWith('x-amzn-')' on the x-amz- check; 'x-amz-' and 'x-amzn-' are disjoint prefixes (position 5 differs: '-' vs 'n'), so the carve-out is unnecessary. - Extracts checkAllowlistHeader() in agent-env.ts as the single source of truth; header-utils.ts now consumes it instead of duplicating the rules. - Adds test pinning the documented suffix-preservation behavior of normalizeHeaderName() for the Runtime-Custom- branch. - Updates --request-header-allowlist flag help to clarify X-prefixed names pass through unchanged. Refs #1151
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The automated sync could not cleanly merge
mainintopreview.This PR contains conflict markers. To resolve:
cc @aidandaly24
Opened automatically by the sync-preview workflow.