
Commit ddd088c

chore(runtime): update Codex baseline to 0.137.0
1 parent bb30337 commit ddd088c

26 files changed

Lines changed: 60 additions & 58 deletions


.github/workflows/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ runner labels and keep third-party actions pinned to full commit SHAs.
1111
| --- | --- |
1212
| `validate.yml` | Fast validation and optional runtime/release/MCP scopes on Ubuntu standard runners. |
1313
| `cross-platform.yml` | Lightweight metadata/path smoke on standard Ubuntu, Windows, and macOS public runners. |
14-
| `security-static.yml` | Action pin validation, actionlint, text security scan, ShellCheck, Pyright, Semgrep. |
14+
| `security-static.yml` | Action pin validation, actionlint, text security scan, ShellCheck, and Pyright. |
1515
| `secret-scan.yml` | Gitleaks history scan for accidental secrets. |
1616
| `codeql.yml` | CodeQL code scanning for the adapter source surface. |
1717
| `dependency-review.yml` | Pull-request dependency diff review. |

.github/workflows/security-static.yml

Lines changed: 0 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -56,14 +56,3 @@ jobs:
5656
. config/mcp-runtime-versions.env
5757
PYRIGHT_PYTHON_FORCE_VERSION=latest \
5858
uv run --with "pyright==1.1.409" --with "mcp==${MCP_PYTHON_SDK_VERSION}" --with pyyaml python -m pyright --project pyrightconfig.json
59-
60-
- name: Semgrep CLI
61-
run: |
62-
# shellcheck source=config/mcp-runtime-versions.env
63-
. config/mcp-runtime-versions.env
64-
uvx "semgrep==${SEMGREP_CLI_VERSION}" \
65-
--config auto \
66-
--exclude-rule bash.lang.security.ifs-tampering.ifs-tampering \
67-
--error \
68-
--timeout 60 \
69-
.
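Review bot: the commit message (`chore(runtime): update Codex baseline to 0.137.0`) does not mention that this hunk deletes the whole Semgrep CLI step, which was the only SAST in the no-paid `security-static` gate; removing a security gate should be stated in the message and in the PR description so reviewers do not miss it. Semgrep `--config auto` also applied shell, YAML and workflow rules that ShellCheck, Pyright and the separate CodeQL workflow (Python and GitHub Actions) do not fully replace, so state the replacement or the reason. Separately, on the retained Pyright step `PYRIGHT_PYTHON_FORCE_VERSION=latest` instructs the pyright wrapper to fetch the newest upstream pyright rather than the `pyright==1.1.409` pin, so that check is not actually pinned; worth a follow-up.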

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -7,6 +7,12 @@ The format follows Keep a Changelog, and marketplace/plugin versions follow Sema
77
## [Unreleased]
88

99

10+
## [1.1.24] - 2026-06-04
11+
12+
### Changed
13+
14+
- Sync upstream runtime baselines and remove active Semgrep usage.
15+
1016
## [1.1.23] - 2026-06-02
1117

1218
### Changed
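Review bot: the entry `Sync upstream runtime baselines and remove active Semgrep usage` under `### Changed` does not name what changed; record the concrete bump (`CODEX_CLI_VERSION` 0.136.0 to 0.137.0) and put the Semgrep step removal under a `### Removed` heading, since dropping a security gate is the kind of change Keep a Changelog reserves that section for, and readers scanning the log for security-relevant changes should find it there.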

CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
@@ -50,7 +50,7 @@ All pull requests run the following workflows automatically:
5050

5151
- `validate`: Ubuntu-hosted fast/runtime/release/MCP scopes, MCP runtime pin freshness (advisory only on pull requests), and MCP safe-call smoke.
5252
- `cross-platform`: lightweight metadata/path smoke on standard Ubuntu, Windows, and macOS public runners.
53-
- `security-static`: action pins, actionlint, text security scan, ShellCheck, Pyright, Semgrep CLI. Also runs on a weekly schedule.
53+
- `security-static`: action pins, actionlint, text security scan, ShellCheck, and Pyright. Also runs on a weekly schedule.
5454
- `codeql`: GitHub CodeQL analysis for Python and GitHub Actions with `security-and-quality` queries. Also runs on a weekly schedule.
5555
- `dependency-review`: blocks merges that introduce dependencies with high-severity vulnerabilities or licenses outside the AGPL-3.0-or-later compatible allow-list.
5656
- `labeler`: applies area labels based on changed paths.

README.md

Lines changed: 17 additions & 1 deletion
@@ -69,6 +69,22 @@ scripts/install_system_codex.sh --apply
6969
scripts/doctor_system_codex.sh
7070
```
7171

72+
The Codex CLI runtime baseline is `0.137.0`. On machines that need a runtime
73+
install or update, use the official non-interactive installer or the explicit
74+
npm stable pin before running the repository config installer:
75+
76+
```bash
77+
curl -fsSL https://chatgpt.com/codex/install.sh | CODEX_NON_INTERACTIVE=1 sh
78+
npm install -g @openai/codex@0.137.0
79+
codex --version
80+
codex doctor
81+
codex plugin list --json
82+
```
83+
84+
`scripts/ry_repair_sync.py --plan --apply-system --latest-from-github --json`
85+
plans these installed-runtime diagnostics and reports `NOT PROVEN` when `codex`
86+
is not available locally.
87+
7288
The default install posture is owner-standard full-auto:
7389
`~/.codex/config.toml` receives the active owner defaults, and
7490
`~/.codex/rldyour-yolo.config.toml` is the explicit `--profile rldyour-yolo`
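Review bot: `curl -fsSL https://chatgpt.com/codex/install.sh | CODEX_NON_INTERACTIVE=1 sh` executes an unpinned remote script, which sits oddly beside the pinned-SHA posture this same commit documents in the workflows README, and the fenced block lists it directly above the `npm install -g @openai/codex@0.137.0` pin, so a reader will run both even though the prose presents them as alternatives. Suggest making the npm pin the documented path and, if the installer is kept, moving it into its own block with the script downloaded to a file and inspected before it is run. The baseline `0.137.0` is also hardcoded twice in this README while `config/mcp-runtime-versions.env` is the source of truth; point readers at that file to avoid drift on the next bump.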
@@ -194,7 +210,7 @@ GitHub Actions run automatically on this public repository:
194210

195211
- `validate.yml`: on every push to `main` and every pull request targeting `main`, runs Ubuntu-hosted fast validation, optional runtime/release/MCP scopes, MCP runtime pin freshness, and MCP safe-call smoke. `workflow_dispatch` is available for narrower scopes.
196212
- `cross-platform.yml`: runs lightweight metadata/path smoke on standard Ubuntu, Windows, and macOS public runners.
197-
- `security-static.yml`: on push to `main`, pull requests, and weekly schedule, runs action pin validation, actionlint, repository text security scan, ShellCheck, Pyright, and Semgrep CLI without paid GitHub Code Security.
213+
- `security-static.yml`: on push to `main`, pull requests, and weekly schedule, runs action pin validation, actionlint, repository text security scan, ShellCheck, and Pyright without paid GitHub Code Security.
198214
- `codeql.yml`: on push to `main`, pull requests, and weekly schedule, runs GitHub CodeQL analysis with `security-and-quality` queries for Python and GitHub Actions.
199215
- `dependency-check.yml`: on daily schedule and on push to MCP runtime pin sources, checks pinned MCP runtime versions through `scripts/check_mcp_runtime_versions.py --fail-on-outdated`. Surfaces stale pins as a maintainer-visible signal without blocking pull requests.
200216
- `release.yml`: on push of a SemVer tag matching `X.Y.Z[-pre]`, validates `VERSION` and `CHANGELOG.md`, builds a deterministic bundle, generates a release manifest and SPDX 2.3 SBOM, exports the GitHub dependency-graph SBOM when available, attaches artifact attestations, and publishes the GitHub Release. `workflow_dispatch` remains available as a fallback.

SECURITY.md

Lines changed: 2 additions & 3 deletions
@@ -12,7 +12,7 @@ historical patch in the line.
1212

1313
| Version | Supported |
1414
| --- | --- |
15-
| Current exact tag `1.1.23` | Yes |
15+
| Current exact tag `1.1.24` | Yes |
1616
| Older `1.1.*` tags | No; upgrade to current exact tag |
1717
| Older minor / major lines | No |
1818

@@ -58,8 +58,7 @@ These targets are best-effort and not contractual.
5858
Scanning Push Protection and related live repository settings are required
5959
public-adapter controls and are verified from the private root control plane
6060
when an owner token is available.
61-
- No-paid static security gates use ShellCheck, Pyright, Semgrep CLI, action pin validation, repository text security scanning, and custom repository validators.
62-
- Semgrep excludes only the `bash.lang.security.ifs-tampering.ifs-tampering` rule because the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue and validates shell scripts separately with ShellCheck.
61+
- No-paid static security gates use ShellCheck, Pyright, action pin validation, repository text security scanning, CodeQL, Gitleaks, dependency review, and custom repository validators.
6362
- Release bundles use deterministic archives, release manifests, generated SPDX 2.3 SBOMs, GitHub artifact attestations, and (when available) GitHub dependency-graph SBOM export.
6463
- `scripts/scan_text_security.py` scans tracked text and agent-only paths for credential patterns and hidden Unicode controls without printing matched values.
6564
- The full git history was scanned with `gitleaks` (8.30.1) before the public release; 190 commits, 0 leaks found.
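Review bot: the new bullet folds CodeQL, Gitleaks and dependency review into the "no-paid static security gates", which is accurate for a public repository, but those run in separate workflows (`codeql.yml`, `secret-scan.yml`, `dependency-review.yml`) with their own triggers, so name the workflows here so readers can map each claim to a gate. The dropped second bullet was the only place in SECURITY.md that recorded `IFS=$'\n\t'` as an intentional part of the strict shell prologue; if that rationale now lives only in the ADR, consider keeping a one-line pointer to it.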

VERSION

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
1.1.23
1+
1.1.24

config/mcp-runtime-versions.env

Lines changed: 1 addition & 4 deletions
@@ -5,7 +5,7 @@ DART_FLUTTER_MCP_RUNTIME=external-local-dart-sdk
55
NODE_MAJOR_VERSION=24
66
BUN_VERSION=1.3.14
77
DART_SDK_VERSION=3.12.0
8-
CODEX_CLI_VERSION=0.136.0
8+
CODEX_CLI_VERSION=0.137.0
99
GITHUB_MCP_SERVER_VERSION=1.1.2
1010
MCP_PYTHON_SDK_VERSION=1.27.2
1111
SERENA_AGENT_VERSION=1.5.3
@@ -14,6 +14,3 @@ PLAYWRIGHT_MCP_VERSION=0.0.75
1414
CHROME_DEVTOOLS_MCP_VERSION=1.1.1
1515
CONTEXT7_MCP_VERSION=3.1.0
1616
SHADCN_VERSION=4.10.0
17-
18-
# CI-only security scanner pin. This is not an MCP runtime dependency.
19-
SEMGREP_CLI_VERSION=1.164.0
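Review bot: deleting `SEMGREP_CLI_VERSION` silently turns any remaining `${SEMGREP_CLI_VERSION}` reference into an empty string when this file is sourced; only the `security-static.yml` consumer is visible in this diff while the commit touches 26 files, so confirm with a repository-wide grep that no script, validator or pin-freshness check (for example `scripts/check_mcp_runtime_versions.py`) still reads it. Consumers that use `set -u` or the `${VAR:?}` form would make a stale reference fail loudly instead.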

docs/adr/0002-testing-and-ci-quality-gates.md

Lines changed: 2 additions & 2 deletions
@@ -21,8 +21,8 @@ The repository had a strong smoke/static validation gate but no conventional uni
2121
- Split manual CI into fast, runtime, release, MCP, and full scopes with Ubuntu
2222
as the heavy runtime runner, and add lightweight standard public Ubuntu,
2323
Windows, and macOS smoke for path/archive/metadata portability.
24-
- Keep the no-paid static security workflow manual-only, using ShellCheck, Pyright, Semgrep CLI, action SHA-pin validation, and text security scanning.
25-
- Exclude Semgrep's global `IFS` tampering rule from the no-paid gate because the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue and relies on ShellCheck plus project validators for shell safety.
24+
- Keep the no-paid static security workflow manual-only, using ShellCheck, Pyright, action SHA-pin validation, and text security scanning.
25+
- Keep shell safety covered through ShellCheck plus project validators; the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue.
2626
- Keep the upstream repository public and standard-runner-only so normal push,
2727
PR, scheduled, CodeQL, Scorecard, and dependency-review workflows stay in the
2828
free public-repository GitHub Actions policy.
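Review bot: this rewrites the accepted ADR in place, which erases the recorded decision (Semgrep CLI in the no-paid gate, the `IFS` tampering rule excluded) and the reason it was reversed; ADRs are normally append-only, so add a dated amendment or a new ADR superseding 0002 that states why Semgrep was dropped and what now covers the lost rules, and keep the original bullets for history.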

plugins/rldyour-browser/.codex-plugin/plugin.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "rldyour-browser",
3-
"version": "1.1.23",
3+
"version": "1.1.24",
44
"description": "Браузерная проверка и debug для Playwright/DevTools. EN: Browser validation and debugging workflows.",
55
"author": {
66
"name": "Danil Silantyev (github:rldyourmnd), CEO NDDev",
