diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml index 2576d4f..4e2d94b 100644 --- a/.github/workflows/pr-validate.yml +++ b/.github/workflows/pr-validate.yml @@ -17,33 +17,45 @@ permissions: pull-requests: read jobs: - # Skip heavy CI when only docs change (README, CHANGELOG, docs/, etc.) - # Note: skills/**/*.md and patterns/**/*.md are runtime content with - # integrity tests — they must NOT be skipped. - changes: - name: Detect Changes + # Detect docs-only PRs to skip heavy CI (same pattern as hyperlight) + docs-pr: runs-on: ubuntu-latest outputs: - code: ${{ steps.filter.outputs.code }} + docs-only: ${{ steps.docs-only.outputs.result }} steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 2 - uses: dorny/paths-filter@v3 - id: filter + id: changes with: filters: | + docs: + - '**/*.md' code: - - '**' - - '!**/*.md' + - 'src/**' + - 'plugins/**' + - 'builtin-modules/**' + - 'tests/**' + - 'scripts/**' - 'skills/**' - 'patterns/**' + - 'package.json' + - 'package-lock.json' + - 'tsconfig.json' + - 'vitest.config.ts' + - 'Justfile' + - 'Dockerfile' + - '.github/workflows/**' + - uses: actions/github-script@v7 + id: docs-only + with: + script: | + return '${{ steps.changes.outputs.code }}' !== 'true'; + result-encoding: string # Lint, typecheck, and unit tests (needs KVM for sandbox tests) lint-and-test: name: Lint & Test - needs: [changes] - if: needs.changes.outputs.code == 'true' + needs: [docs-pr] + if: needs.docs-pr.outputs.docs-only != 'true' runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"] steps: - uses: actions/checkout@v6 @@ -73,8 +85,8 @@ jobs: # See: https://github.com/hyperlight-dev/hyperagent/issues/1 build-and-test: name: Build & Test (${{ matrix.hypervisor }}-${{ matrix.config }}) - needs: [changes] - if: needs.changes.outputs.code == 'true' + needs: [docs-pr] + if: needs.docs-pr.outputs.docs-only != 'true' strategy: fail-fast: false matrix: 
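Review bot: The `docs-only` result in the first hunk is derived solely from `steps.changes.outputs.code !== 'true'`, so a PR that touches only files outside the `code` allowlist (any path not listed there, such as a new top-level directory or an unlisted config file) is classified as docs-only and skips `lint-and-test`, `build-and-test` and `build-docker`; the new `docs` filter is never read. A merge gate should fail closed here: keep the allowlist for `skills/**` and `patterns/**`, but also run CI when any non-markdown file changed, for example via a separate `dorny/paths-filter` step with `predicate-quantifier: 'every'` over the patterns `'**'` and `'!**/*.md'`. The body of `ci-status` is outside these hunks, so confirm how it treats skipped jobs, because as written an unlisted non-doc change would presumably pass the gate untested. The `actions/github-script@v7` step can be dropped by setting the job output directly to `docs-only: ${{ steps.changes.outputs.code != 'true' }}`, which avoids interpolating an expression into script source and removes one more action pinned to a mutable tag rather than a commit SHA.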
@@ -134,8 +146,8 @@ jobs: # Build Docker image (just setup clones deps so Dockerfile COPY works) build-docker: name: Build Docker Image - needs: [changes] - if: needs.changes.outputs.code == 'true' + needs: [docs-pr] + if: needs.docs-pr.outputs.docs-only != 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -170,7 +182,7 @@ jobs: # Gate PR merges on all jobs passing ci-status: name: CI Status - needs: [changes, lint-and-test, build-and-test, build-docker] + needs: [docs-pr, lint-and-test, build-and-test, build-docker] if: always() runs-on: ubuntu-latest steps: diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e35e03..76c4de3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [v0.1.4] - 2026-03-24 + +### Fixed + +- **Plugin schema extraction** — Schema extraction failed on compiled `.js` files, causing `applyInlineConfig` to find no recognised keys and `allowedDomains` to never be set. Now prefers `.ts` source for schema parsing (read-only) with TOCTOU-safe fallback to `.js` +- **Pre-approved plugin enable** — Fast-path (approved plugins skip audit) failed to call `loadSource()`, leaving `plugin.source` null. `verifySourceHash()` then returned false, silently disabling the plugin on sandbox rebuild +- **CI docs-only skip** — PR validation now skips heavy CI jobs (lint, build, test) when only markdown files change. `skills/**` and `patterns/**` are treated as code (they have integrity tests) + ## [v0.1.3] - 2026-03-24 ### Fixed 
@@ -98,6 +106,7 @@ Initial public release. - Path jailing for filesystem plugins - SSRF protection for fetch plugin (DNS + post-connect IP validation) +[v0.1.4]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.4 [v0.1.3]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.3 [v0.1.2]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.2 [v0.1.1]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.1