Skip to content

chore(release): prepare 0.25.0#14

Merged
elkaix merged 1 commit into
mainfrom
release/0.25.0
May 29, 2026
Merged

chore(release): prepare 0.25.0#14
elkaix merged 1 commit into
mainfrom
release/0.25.0

Conversation

@elkaix

@elkaix elkaix commented May 29, 2026

Copy link
Copy Markdown
Contributor

Prepare the pythinker-code 0.25.0 release.

What changed in this release

  • `Fetch` re-checks every redirect hop against the SSRF guard. Redirects were followed without re-validating the destination, so a public URL could redirect to a link-local address (e.g. a cloud metadata endpoint) and slip past the guard. Every hop is now re-validated, closing the public→link-local bypass.
  • Crash-consistent background tasks. Task state is serialised under a cross-process per-task lock, terminal agent-task updates route through a single finalizer, and recovery reconciles records left divergent by a crash or kill without clobbering a live agent. Bash output is capped (default 50 MiB), kills escalate SIGTERM→SIGKILL, and aged terminal tasks are pruned (default 7 days).
  • Calmer, more reliable TUI. No double todo render mid-turn, detached OAuth/feedback link launch, and terminal restore on `SIGTERM`/`SIGQUIT` and at exit.
  • Steadier agent loop. Bare-intent end-of-turn nudge, steering away from blocking on one background task while siblings run, and transparent parsing of JSON-string `SetTodoList` payloads.
  • Unified report rendering. Code review, verify, and security-review output share one standardized renderer, including `report` blocks from skills and agents.

Release mechanics

  • Version bumped `0.24.0` → `0.25.0` across the standard 18-file scope (pyproject, uv.lock pythinker-code block, README, docs, install scripts, homebrew/linux/windows packaging).
  • CHANGELOG / docs changelog / breaking-changes updated for 0.25.0.
  • Local release gates pass: version-tag check, README/CHANGELOG greps, dependency-version check, installation-docs + homebrew-formula tests.

Tagging `v0.25.0` after merge triggers `release-pythinker-cli.yml` (PyPI + TestPyPI + GitHub Release).

Summary by CodeRabbit

  • Chores

    • Bumped project version to 0.25.0 across configuration, install scripts, and CI workflow dispatch examples
  • Documentation

    • Added 0.25.0 release notes describing redirect handling, background-task finalization, TUI reliability, agent-loop steadiness, live tool feedback, and unified report rendering
    • Confirmed no breaking changes vs 0.24.0 and updated install/upgrade instructions

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR bumps the project version from 0.24.0 to 0.25.0 across release notes, installer documentation, build workflows, and package metadata. The release notes for 0.25.0 are added and documented in changelogs and release-note pages.

Changes

Release 0.25.0 Version Bump

Layer / File(s) Summary
Version declaration and release notes
pyproject.toml, CHANGELOG.md, docs/en/release-notes/changelog.md, docs/en/release-notes/breaking-changes.md
Updates the canonical project version to 0.25.0 and adds comprehensive release notes documenting feature changes and backward compatibility with 0.24.0 across primary and docs changelogs.
Documentation and installation guides
README.md, docs/en/guides/getting-started.md, docs/public/install.ps1, docs/public/install.sh, scripts/install-native.sh, scripts/install.ps1, web/public/install.ps1, web/public/install.sh, packages/linux-installer/README.md, packages/homebrew-tap/generate-formula.py
Updates all installation examples, download URLs, artifact filenames, and builder documentation to reference version 0.25.0 for Windows, Linux, and macOS platforms.
Build workflow input descriptions
.github/workflows/homebrew-tap.yml, .github/workflows/linux-installer.yml, .github/workflows/windows-installer.yml
Updates workflow dispatch input example versions from 0.24.0 to 0.25.0 in manual release trigger metadata.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

dependencies

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed Title follows conventional commits format with type 'chore' and scope 'release', accurately describing the version bump objective.
Description check ✅ Passed Description comprehensively documents release changes, mechanics, and provides required checklist items with clear explanations of what changed.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release/0.25.0

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 16-18: Replace the placeholder header "## Unreleased" with the
concrete release header format and ensure there is only one header for this
release; specifically, change the current "## Unreleased" entry to the release
header for this cut (e.g., replace "## Unreleased" with "## 0.25.0 -
2026-05-29") so the CHANGELOG follows the required "[X.Y] - YYYY-MM-DD" naming
and does not duplicate the "## 0.25.0 (2026-05-29)" section.

In `@docs/en/release-notes/changelog.md`:
- Around line 20-31: The changelog section under the header "## 0.25.0
(2026-05-29)" was manually edited despite the embedded notice "Do not manually
edit this generated changelog page." — revert any manual edits to that generated
block and instead update the root CHANGELOG.md, then re-run the repo's changelog
sync script to regenerate the docs; remove the manual changes from this PR so
the file is produced by the sync step (verify the sync script ran successfully
and the regenerated content matches expectations).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 911f6f0d-0161-42e8-9aad-4a57bcb593a4

📥 Commits

Reviewing files that changed from the base of the PR and between 76b90e8 and 41c6408.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • .github/workflows/homebrew-tap.yml
  • .github/workflows/linux-installer.yml
  • .github/workflows/windows-installer.yml
  • CHANGELOG.md
  • README.md
  • docs/en/guides/getting-started.md
  • docs/en/release-notes/breaking-changes.md
  • docs/en/release-notes/changelog.md
  • docs/public/install.ps1
  • docs/public/install.sh
  • packages/homebrew-tap/generate-formula.py
  • packages/linux-installer/README.md
  • pyproject.toml
  • scripts/install-native.sh
  • scripts/install.ps1
  • web/public/install.ps1
  • web/public/install.sh

Comment thread CHANGELOG.md
Comment thread docs/en/release-notes/changelog.md
Prepare pythinker-code 0.25.0 release.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/homebrew-tap.yml (1)

28-28: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Pin third-party actions to full commit SHAs.

The workflow uses actions/checkout@v4 and actions/setup-python@v5 without pinning to full commit SHAs. This is a pre-existing issue not introduced by this PR, but should be addressed to prevent supply-chain attacks.

Example:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

As per coding guidelines: "Flag third-party actions that are not pinned to a full commit SHA."

Also applies to: 48-48

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/homebrew-tap.yml at line 28, Replace unpinned third-party
action tags with immutable commit SHAs: locate uses of actions/checkout@v4 and
actions/setup-python@v5 in the workflow and change them to the corresponding
full commit SHAs (for example actions/checkout@<full-commit-sha> and
actions/setup-python@<full-commit-sha>), ensuring both occurrences (the checkout
and the setup-python entries) are updated so the workflow pins to specific
commits rather than version tags.
.github/workflows/windows-installer.yml (1)

26-26: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Pin third-party actions to full commit SHAs.

The workflow uses several third-party actions without commit SHA pins:

  • actions/checkout@v4
  • actions/setup-python@v5
  • actions/upload-artifact@v4
  • softprops/action-gh-release@v2

This is a pre-existing issue not introduced by this PR, but should be addressed to prevent supply-chain attacks.

As per coding guidelines: "Flag third-party actions that are not pinned to a full commit SHA."

Also applies to: 44-44, 83-83, 92-92

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/windows-installer.yml at line 26, The workflow uses
unpinned marketplace action versions (actions/checkout@v4,
actions/setup-python@v5, actions/upload-artifact@v4,
softprops/action-gh-release@v2); replace those tag pins with the corresponding
full commit SHAs to mitigate supply-chain risk by finding each action's repo and
replacing e.g. actions/checkout@v4 with actions/checkout@<full-commit-sha>,
actions/setup-python@<full-commit-sha>,
actions/upload-artifact@<full-commit-sha>, and
softprops/action-gh-release@<full-commit-sha> (obtain SHAs from the upstream
action repo or GitHub Marketplace and update the workflow lines that reference
those action names).
.github/workflows/linux-installer.yml (1)

36-36: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Pin third-party actions to full commit SHAs.

The workflow uses several third-party actions without commit SHA pins:

  • actions/checkout@v4
  • docker/setup-qemu-action@v3
  • actions/setup-python@v5
  • actions/upload-artifact@v4
  • softprops/action-gh-release@v2

This is a pre-existing issue not introduced by this PR, but should be addressed to prevent supply-chain attacks.

As per coding guidelines: "Flag third-party actions that are not pinned to a full commit SHA."

Also applies to: 57-57, 63-63, 115-115, 126-126

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/linux-installer.yml at line 36, The workflow uses
third-party GitHub Actions pinned by tags (e.g., actions/checkout@v4,
docker/setup-qemu-action@v3, actions/setup-python@v5,
actions/upload-artifact@v4, softprops/action-gh-release@v2) which must be
replaced with their full commit SHAs; update each action reference in
.github/workflows/linux-installer.yml to the corresponding full commit SHA
(replace the `@vN` tags with @<full-commit-sha> for the listed actions) so that
actions/checkout, docker/setup-qemu-action, actions/setup-python,
actions/upload-artifact, and softprops/action-gh-release are all pinned to
immutable commits.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/homebrew-tap.yml:
- Line 28: Replace unpinned third-party action tags with immutable commit SHAs:
locate uses of actions/checkout@v4 and actions/setup-python@v5 in the workflow
and change them to the corresponding full commit SHAs (for example
actions/checkout@<full-commit-sha> and actions/setup-python@<full-commit-sha>),
ensuring both occurrences (the checkout and the setup-python entries) are
updated so the workflow pins to specific commits rather than version tags.

In @.github/workflows/linux-installer.yml:
- Line 36: The workflow uses third-party GitHub Actions pinned by tags (e.g.,
actions/checkout@v4, docker/setup-qemu-action@v3, actions/setup-python@v5,
actions/upload-artifact@v4, softprops/action-gh-release@v2) which must be
replaced with their full commit SHAs; update each action reference in
.github/workflows/linux-installer.yml to the corresponding full commit SHA
(replace the `@vN` tags with @<full-commit-sha> for the listed actions) so that
actions/checkout, docker/setup-qemu-action, actions/setup-python,
actions/upload-artifact, and softprops/action-gh-release are all pinned to
immutable commits.

In @.github/workflows/windows-installer.yml:
- Line 26: The workflow uses unpinned marketplace action versions
(actions/checkout@v4, actions/setup-python@v5, actions/upload-artifact@v4,
softprops/action-gh-release@v2); replace those tag pins with the corresponding
full commit SHAs to mitigate supply-chain risk by finding each action's repo and
replacing e.g. actions/checkout@v4 with actions/checkout@<full-commit-sha>,
actions/setup-python@<full-commit-sha>,
actions/upload-artifact@<full-commit-sha>, and
softprops/action-gh-release@<full-commit-sha> (obtain SHAs from the upstream
action repo or GitHub Marketplace and update the workflow lines that reference
those action names).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4a521da8-edf8-4080-a08a-be5beb3aa681

📥 Commits

Reviewing files that changed from the base of the PR and between 41c6408 and 1bd2fb5.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • .github/workflows/homebrew-tap.yml
  • .github/workflows/linux-installer.yml
  • .github/workflows/windows-installer.yml
  • CHANGELOG.md
  • README.md
  • docs/en/guides/getting-started.md
  • docs/en/release-notes/breaking-changes.md
  • docs/en/release-notes/changelog.md
  • docs/public/install.ps1
  • docs/public/install.sh
  • packages/homebrew-tap/generate-formula.py
  • packages/linux-installer/README.md
  • pyproject.toml
  • scripts/install-native.sh
  • scripts/install.ps1
  • web/public/install.ps1
  • web/public/install.sh

@elkaix elkaix merged commit cbab4e6 into main May 29, 2026
47 checks passed
@elkaix elkaix deleted the release/0.25.0 branch May 29, 2026 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant