Commit 7ed861d

fix: harden release and demo workflows
Fixes all Clawpatch findings by removing shared demo PATH shims, making installers replace binaries atomically, tightening workflow validation, and isolating integration test config roots. Prepares release metadata for v0.9.3.
1 parent 08beefe commit 7ed861d

29 files changed

Lines changed: 147 additions & 92 deletions

.github/workflows/ci.yml

Lines changed: 2 additions & 2 deletions
@@ -37,7 +37,7 @@ jobs:
3737
run: cargo clippy --all-targets --all-features -- -D warnings
3838

3939
- name: Run cargo check
40-
run: cargo check --locked
40+
run: cargo check --workspace --all-targets --locked
4141

4242
- name: Run tests
43-
run: cargo test -q --locked
43+
run: cargo test --workspace --all-targets --locked
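
Review bot: In the `Run tests` step, `cargo test --workspace --all-targets --locked` no longer runs doc tests, because cargo only runs them when no target-selection flag is given and `--all-targets` covers lib, bins, tests, benches and examples only. If the workspace has doc examples, add a separate `cargo test --workspace --doc --locked` step. The `cargo clippy` line at 37 also still runs without `--locked` and `--workspace`, unlike the two steps changed here.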

.github/workflows/coverage.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ jobs:
2929
uses: Swatinem/rust-cache@v2
3030

3131
- name: Install cargo-llvm-cov
32-
run: cargo install cargo-llvm-cov --locked
32+
run: cargo install cargo-llvm-cov --version 0.8.7 --locked
3333

3434
- name: Generate coverage report
3535
run: cargo llvm-cov --workspace --all-features --lcov --output-path lcov.info
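
Review bot: The pin on line 32 fixes the tool version, but the `uses: Swatinem/rust-cache@v2` step at line 29 still follows a movable tag, so the job is only partly reproducible. Pin the action to a full commit SHA (with the tag kept in a comment) to match the intent of `--version 0.8.7 --locked`.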

.github/workflows/npm-publish.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ permissions:
1313
id-token: write
1414

1515
concurrency:
16-
group: npm-publish-${{ github.workflow }}-${{ github.ref }}
16+
group: npm-publish-${{ github.workflow }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.ref }}
1717
cancel-in-progress: true
1818

1919
jobs:
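
Review bot: With `cancel-in-progress: true` on line 17, a second run that lands in the same group (now the same `head_sha` for `workflow_run` events) cancels a publish that may already be partway through, which can leave the registry in a partial state. release.yml in this same commit uses `cancel-in-progress: false`; consider the same here so a publish runs to completion and the later run queues behind it. The `&& ... ||` form on line 16 also falls back to `github.ref` whenever `head_sha` is empty, which deserves a short comment next to the expression.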

.github/workflows/release.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ permissions:
1515
contents: write
1616

1717
concurrency:
18-
group: release-${{ github.workflow }}-${{ github.ref }}
18+
group: release-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}
1919
cancel-in-progress: false
2020

2121
jobs:
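
Review bot: On line 18, `github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name` falls through to `github.ref_name` when `inputs.release_tag` is empty, so a manual dispatch without a tag is grouped under the branch name rather than the release it builds. A dispatched run also only serializes with a tag-push run for the same release if the input is spelled exactly like the tag name. Mark `release_tag` as required and validate its format early in the workflow, or document the expected form beside this line.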
@@ -44,7 +44,7 @@ jobs:
4444
run: |
4545
cargo fmt --check
4646
cargo clippy --all-targets --all-features -- -D warnings
47-
cargo test -q --locked
47+
cargo test --workspace --all-targets --locked
4848
4949
build:
5050
needs: verify
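
Review bot: In the `verify` step, `cargo clippy --all-targets --all-features` lints feature-gated code, but the new line 47 runs `cargo test --workspace --all-targets --locked` with default features only, so any non-default feature is linted but never exercised by tests before `build` runs. Add `--all-features` to the test line if the crate defines optional features, and add `--locked` to the clippy line so the whole gate resolves against `Cargo.lock`.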

.github/workflows/security.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,6 @@ on:
1010

1111
permissions:
1212
contents: read
13-
security-events: write
1413

1514
concurrency:
1615
group: security-${{ github.workflow }}-${{ github.ref }}
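
Review bot: Dropping `security-events: write` at line 13 leaves the workflow with `contents: read` only, which fits a job that just runs `cargo audit`, but any step that uploads SARIF to code scanning will now fail with a permissions error. Confirm no job in this file does that; if one does, grant `security-events: write` on that job alone instead of at workflow level.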
@@ -32,7 +31,7 @@ jobs:
3231
uses: Swatinem/rust-cache@v2
3332

3433
- name: Install cargo-audit
35-
run: cargo install cargo-audit --locked
34+
run: cargo install cargo-audit --version 0.22.2 --locked
3635

3736
- name: Audit dependencies
3837
run: cargo audit
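
Review bot: Line 34 pins `cargo-audit` to 0.22.2, and nothing visible here will ever move that pin, so the scanner itself can go stale while the advisory data it reads keeps changing. Add a scheduled or documented bump for this version. Separately, the `cargo audit` step at line 37 fails only on vulnerabilities; pass `--deny warnings` if unmaintained or yanked crates should also break the build.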

.gitignore

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11

22
# ── local workflow / agent state ──
3+
.clawpatch/
4+
.workflow/
35
.gsd/
46
.artifacts/
57
.bg-shell/

CHANGELOG.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,16 @@ Before `1.0.0`, breaking changes may still ship in minor releases.
77

88
## [Unreleased]
99

10+
## [0.9.3]
11+
12+
### Fixed
13+
14+
- Hardened demo scripts so they no longer use a predictable shared `/tmp` PATH shim before running authenticated `kagi` commands.
15+
- Made Unix and PowerShell installers replace existing binaries through staged same-directory writes instead of overwriting the installed binary directly.
16+
- Tightened release, publish, security, coverage, CI, and Makefile checks for more reproducible and complete release validation.
17+
- Isolated integration test home and XDG directories so local user config cannot leak into test runs.
18+
- Reduced default CLI failure output to a single user-facing diagnostic.
19+
1020
## [0.9.2]
1121

1222
### Added
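
Review bot: The last bullet under `## [0.9.3]`, `Reduced default CLI failure output to a single user-facing diagnostic`, is a user-visible behaviour change that the commit message does not mention; it lists only the shim, installer, workflow and test-isolation fixes. Either name it in the commit message or split it into its own commit so it can be reviewed and reverted separately. The `/tmp` PATH shim and installer entries are security fixes and would be easier to find under a `### Security` heading.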

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "kagi"
3-
version = "0.9.2"
3+
version = "0.9.3"
44
edition = "2024"
55
description = "Agent-native CLI for Kagi subscribers with JSON-first search output"
66
license = "MIT"
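
Review bot: The bump to `version = "0.9.3"` on line 3 has to agree with the release tag and with `Cargo.lock`, and the visible parts of release.yml do not show a check for that. If the workflow does not already do so, have `verify` fail when the tag and this version disagree, so a mistyped `release_tag` cannot publish under the wrong number.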

Makefile

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build:
44
cargo build --release
55

66
test:
7-
cargo test -q --locked
7+
cargo test --workspace --all-targets --locked
88

99
fmt:
1010
cargo fmt --check
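
Review bot: The `test` target now passes `--locked`, but `build` at line 4 still runs `cargo build --release` without it, so `make build` may resolve dependencies that `make test` never validated. Add `--locked` to the build recipe as well.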
@@ -16,7 +16,7 @@ check: fmt lint test
1616

1717
coverage:
1818
rustup component add llvm-tools-preview
19-
cargo install cargo-llvm-cov --locked
19+
cargo install cargo-llvm-cov --version 0.8.7 --locked
2020
cargo llvm-cov --workspace --all-features --lcov --output-path lcov.info
2121

2222
setup-hooks:
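
Review bot: The version `0.8.7` on line 19 is now hard-coded both here and in .github/workflows/coverage.yml, so the two will drift on the next bump. Define it once, for example as a Makefile variable that the recipe expands, and have the workflow step call `make coverage` or read the same value.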
