Skip to content

Commit 3fe297e

Browse files
committed
chore(release): gemini 1.7.18 (other)
1 parent fcc9bb8 commit 3fe297e

19 files changed

Lines changed: 126 additions & 32 deletions

.gemini/hooks/session_start_context.sh

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ if [[ -f "$script_dir/../VERSION" ]]; then
99
elif [[ -f "$script_dir/../../VERSION" ]]; then
1010
export RLDYOUR_ANTIGRAVITY_ADAPTER_VERSION="$(<"$script_dir/../../VERSION")"
1111
else
12-
export RLDYOUR_ANTIGRAVITY_ADAPTER_VERSION="1.7.17"
12+
export RLDYOUR_ANTIGRAVITY_ADAPTER_VERSION="1.7.18"
1313
fi
1414
printf '%s\n' "rldyour-antigravity-cli SessionStart hook received input" >&2
1515

@@ -18,7 +18,7 @@ import json
1818
import os
1919
2020
_ = os.environ.get("RLDYOUR_GEMINI_HOOK_INPUT", "")
21-
version = os.environ.get("RLDYOUR_ANTIGRAVITY_ADAPTER_VERSION", "1.7.17")
21+
version = os.environ.get("RLDYOUR_ANTIGRAVITY_ADAPTER_VERSION", "1.7.18")
2222
message = (
2323
f"rldyour-antigravity-cli adapter={version} runtime=antigravity-cli@1.0.16; "
2424
"standard mode is owner-led; cmux orchestration is visible-terminal-only; "

.gemini/policies/rldyour-browser-routing.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name = "rldyour-browser-routing"
2-
version = "1.7.17"
2+
version = "1.7.18"
33
scope = "antigravity-adapter"
44

55
[providers]

.gemini/policies/rldyour-git-safety.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name = "rldyour-git-safety"
2-
version = "1.7.17"
2+
version = "1.7.18"
33
scope = "antigravity-adapter"
44

55
[rules]

.gemini/policies/rldyour-project-policy.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name = "rldyour-project-policy"
2-
version = "1.7.17"
2+
version = "1.7.18"
33
scope = "antigravity-adapter"
44

55
[execution]

.github/workflows/actionlint.yml

Lines changed: 47 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,24 @@
11
name: Actionlint
22

3+
# Lints GitHub Actions workflow YAML for syntax errors, expression typos,
4+
# unused vars, and deprecated patterns, then validates remote action pins.
5+
36
on:
47
push:
58
branches: [main]
9+
paths:
10+
- '.github/workflows/**'
11+
- '.github/actions/**'
12+
- 'scripts/validate_action_pins.py'
613
pull_request:
714
branches: [main]
15+
paths:
16+
- '.github/workflows/**'
17+
- '.github/actions/**'
18+
- 'scripts/validate_action_pins.py'
819
workflow_dispatch:
920

10-
permissions:
11-
contents: read
21+
permissions: {}
1222

1323
concurrency:
1424
group: actionlint-${{ github.workflow }}-${{ github.ref }}
@@ -19,9 +29,42 @@ jobs:
1929
name: Actionlint
2030
runs-on: ubuntu-latest
2131
timeout-minutes: 10
32+
permissions:
33+
contents: read
2234
steps:
35+
- name: Harden runner (egress block + explicit allowlist)
36+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
37+
with:
38+
egress-policy: block
39+
allowed-endpoints: >
40+
agent.api.stepsecurity.io:443
41+
api.github.com:443
42+
github.com:443
43+
codeload.github.com:443
44+
objects.githubusercontent.com:443
45+
release-assets.githubusercontent.com:443
46+
2347
- name: Checkout
2448
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
25-
- name: Validate action pins
26-
run: python3 scripts/validate_action_pins.py
49+
with:
50+
persist-credentials: false
2751

52+
- name: Download actionlint (pinned + checksum-verified)
53+
run: |
54+
set -euo pipefail
55+
# actionlint v1.7.12 - Linux amd64 tarball SHA256 from upstream
56+
# https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt
57+
ACTIONLINT_VERSION='1.7.12'
58+
ACTIONLINT_SHA256='8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8'
59+
curl -fsSL -o /tmp/actionlint.tar.gz \
60+
"https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
61+
echo "${ACTIONLINT_SHA256} /tmp/actionlint.tar.gz" | sha256sum -c -
62+
tar -xzf /tmp/actionlint.tar.gz -C /tmp actionlint
63+
install -m 0755 /tmp/actionlint /usr/local/bin/actionlint
64+
actionlint --version
65+
66+
- name: Run actionlint on all workflows
67+
run: actionlint -color
68+
69+
- name: Validate remote action pins
70+
run: python3 scripts/validate_action_pins.py

.github/workflows/codeql.yml

Lines changed: 25 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,28 +5,47 @@ on:
55
branches: [main]
66
pull_request:
77
branches: [main]
8+
schedule:
9+
- cron: "31 2 * * 1"
810
workflow_dispatch:
911

10-
permissions:
11-
contents: read
12-
security-events: write
12+
permissions: {}
1313

1414
concurrency:
1515
group: codeql-${{ github.workflow }}-${{ github.ref }}
1616
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
1717

1818
jobs:
1919
codeql:
20-
name: CodeQL
20+
name: CodeQL (${{ matrix.language }})
2121
runs-on: ubuntu-latest
2222
timeout-minutes: 20
23+
permissions:
24+
actions: read
25+
contents: read
26+
security-events: write
27+
strategy:
28+
fail-fast: false
29+
matrix:
30+
language: [python, actions]
2331
steps:
32+
- name: Harden runner
33+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
34+
with:
35+
egress-policy: audit
36+
2437
- name: Checkout
2538
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
39+
with:
40+
persist-credentials: false
41+
2642
- name: Initialize CodeQL
2743
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
2844
with:
29-
languages: python
45+
languages: ${{ matrix.language }}
46+
queries: security-and-quality
47+
3048
- name: Analyze
3149
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
32-
50+
with:
51+
category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,14 @@ jobs:
1818
runs-on: ubuntu-latest
1919
timeout-minutes: 10
2020
steps:
21+
- name: Harden runner
22+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
23+
with:
24+
egress-policy: audit
2125
- name: Checkout
2226
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
27+
with:
28+
persist-credentials: false
2329
- name: Dependency review
2430
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
2531

.github/workflows/pytest.yml

Lines changed: 18 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,16 +20,31 @@ jobs:
2020
runs-on: ubuntu-latest
2121
timeout-minutes: 20
2222
steps:
23+
- name: Harden runner
24+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
25+
with:
26+
egress-policy: audit
27+
2328
- name: Checkout
2429
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
30+
with:
31+
persist-credentials: false
32+
2533
- name: Set up Python
2634
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
2735
with:
2836
python-version: "3.13"
29-
- name: Install pytest runtime
30-
run: python3 -m pip install pytest pytest-cov
37+
38+
- name: Install pytest runtime (pinned)
39+
run: python3 -m pip install "pytest==9.1.1" "pytest-cov==7.1.0"
40+
3141
- name: Run pytest
32-
run: python3 -m pytest -q
42+
run: |
43+
python3 -m pytest -q \
44+
--junitxml=pytest.xml \
45+
--cov=scripts \
46+
--cov-report=xml:coverage.xml
47+
3348
- name: Upload reports
3449
if: always()
3550
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1

.github/workflows/release.yml

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,7 @@ on:
1212
type: string
1313

1414
permissions:
15-
contents: write
16-
id-token: write
17-
attestations: write
15+
contents: read
1816

1917
concurrency:
2018
group: release-${{ github.workflow }}-${{ github.ref }}
@@ -25,15 +23,23 @@ jobs:
2523
name: Release
2624
runs-on: ubuntu-latest
2725
timeout-minutes: 20
26+
permissions:
27+
contents: write
28+
id-token: write
29+
attestations: write
2830
steps:
31+
- name: Harden runner
32+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
33+
with:
34+
egress-policy: audit
2935
- name: Checkout
3036
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3137
- name: Set up Python
3238
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
3339
with:
3440
python-version: "3.13"
3541
- name: Install validation dependencies
36-
run: python3 -m pip install --user pytest pytest-cov
42+
run: python3 -m pip install --user "pytest==9.1.1" "pytest-cov==7.1.0"
3743
- name: Resolve release version
3844
env:
3945
INPUT_VERSION: ${{ inputs.version }}

.github/workflows/secret-scan.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,10 +22,15 @@ jobs:
2222
runs-on: ubuntu-latest
2323
timeout-minutes: 10
2424
steps:
25+
- name: Harden runner
26+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
27+
with:
28+
egress-policy: audit
2529
- name: Checkout
2630
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2731
with:
2832
fetch-depth: 0
33+
persist-credentials: false
2934
- name: Run gitleaks detect
3035
run: |
3136
set -euo pipefail

0 commit comments

Comments
 (0)