chore: release v0.12.4 (apm-action v1.7.1 bump + audit-replay fix #1182)#1181
danielmeppiel merged 3 commits into main from
Picks up the v0.12.3 strict-detection fix series:

- #33 (apm-action): forwards target: input into the generated apm.yml in isolated mode (all four uses in shared/apm.md are isolated mode with target: all, so this is the relevant fix).
- #33 (apm-action): pins the action's apm-version default to 0.12.3 instead of latest, removing the silent-breakage exposure that burned this repo when v0.12.3 shipped.
- #34 (apm-action): strict allowlist validation on target: input.
- #36 (apm-action): forwards --target to additive 'apm install' invocations (not used here today but ships with the bundle).

Without this bump the lock'd v1.6.0 still resolves apm-version=latest, so every triage-panel / pr-review-panel run that hits the APM pack step would now fail with 'No harness detected' under v0.12.3.

Lock-file refresh side effects (from gh aw compile v0.71.5):

- github/gh-aw-actions/setup v0.71.2 -> v0.71.5
- new actions/github-script@v9.0.0 entry pulled in

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the repo’s gh-aw APM workflow template and regenerated lock workflows to use microsoft/apm-action@v1.7.1, addressing isolated-mode target: propagation issues that break the pack/restore steps.
Changes:
- Bump `microsoft/apm-action` references in `.github/workflows/shared/apm.md` from `v1.6.0` to `v1.7.1`.
- Regenerate `triage-panel.lock.yml` and `pr-review-panel.lock.yml` so their pinned action SHAs include `microsoft/apm-action@v1.7.1` (and updated gh-aw compiler metadata).
- Refresh `.github/aw/actions-lock.json` with the new action pins (notably adding `actions/github-script@v9.0.0` and `microsoft/apm-action@v1.7.1`).
Summary per file
| File | Description |
|---|---|
| .github/workflows/shared/apm.md | Updates the reusable gh-aw APM template to use microsoft/apm-action@v1.7.1. |
| .github/workflows/triage-panel.lock.yml | Regenerated lock workflow with updated pinned SHAs (including apm-action@v1.7.1) and gh-aw compiler drift. |
| .github/workflows/pr-review-panel.lock.yml | Regenerated lock workflow with updated pinned SHAs (including apm-action@v1.7.1) and gh-aw compiler drift. |
| .github/aw/actions-lock.json | Adds/updates action-version-to-SHA entries used by the repo’s pinned-actions ecosystem. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 1
| # - maintainer # Roles processed as role check in pre-activation job | ||
| # - write # Roles processed as role check in pre-activation job | ||
| schedule: | ||
| - cron: "49 12 * * *" | ||
| - cron: "5 12 * * *" | ||
| # Friendly format: daily (scattered) |
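Review bot: two different `cron` expressions (`49 12 * * *` and `5 12 * * *`) sit side by side under `schedule:` with the `# Friendly format: daily (scattered)` comment, which reads as the recompiled lock workflow re-rolling its scattered daily run time rather than anything that follows from the apm-action bump; list that re-roll explicitly under the lock-file side effects in the PR description (it is currently covered only by "gh-aw compiler drift") so a later reader does not take the new run time for an intentional change, and confirm that only one `- cron:` line survives in the committed file.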
APM Self-Check status

The APM Self-Check failure on this PR is pre-existing on

Root cause: a v0.12.3 audit-replay bug in the in-package asset link rewriter. On-disk SHA matches the lockfile SHA exactly;

Filed as #1182 with diagnosis + fix sketch -- needs to ship in v0.12.4 with a bumped apm-action. This PR (apm-action
…ng replay (#1182)

The replay path of `apm audit --ci` deploys to a scratch tmpdir while `package_root` for self-packages still points at the real project tree. `os.path.relpath(candidate, target_location)` therefore produced a tmpdir traversal (e.g. `../../../../Users/.../MANIFESTO.md`) instead of the project-relative form real install writes (`../../MANIFESTO.md`), flagging every primitive with a `../<repo-root-file>` link as drifted.

Detect the cross-frame case (candidate outside `base_dir`) in `_resolve_in_package_asset_link` and re-anchor `target_location` onto `package_root` so the rewrite mirrors install-time output. Dependency packages are unaffected (their `install_path` materialises inside the scratch tree, so candidate stays in-frame).

Also lands the .agents/skills convergence: v0.12.3 made `.agents/skills/` the cross-client default, so the 10 self-package skill bundles move from `.github/skills/` -> `.agents/skills/`. The lockfile is regenerated to match. Running `apm install` then `apm audit --ci` against this branch is now a clean no-op.

Bundled together with the `apm-action@v1.7.1` workflow bump from the prior commit because the audit gate (broken on `main` since v0.12.3) would otherwise stay red and the skills convergence cannot land without the bug fix above.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TL;DR
Cuts v0.12.4 with three things:
- `microsoft/apm-action@v1.6.0 -> v1.7.1` in `.github/workflows/shared/apm.md` (4 occurrences) and recompile the lock workflows + actions-lock.json. Picks up the action's target-propagation fix.
- `target_location` lived in the scratch tmpdir while `package_root` for self-packages still pointed at the real repo. Result was tmpdir traversal links (e.g. `../../../../Users/.../MANIFESTO.md`) instead of the install-time form (`../../MANIFESTO.md`), which flagged every self-package primitive with a `../<repo-root-file>` link as drifted. Re-anchor `target_location` onto `package_root` when the candidate sits outside `base_dir`. Bug pre-dates this PR; reproduced on clean `main`.
- `pyproject.toml` 0.12.3 -> 0.12.4 and roll `[Unreleased]` -> `[0.12.4]` in `CHANGELOG.md` (#1173 orphan-cleanup: "fix(install): orphan cleanup runs when apm.yml is emptied + diff-aware test fixes"; #1182 audit-replay: "v0.12.3: audit-replay rewrites in-package asset links against scratch dir, producing false drift").

The skills convergence (`.github/skills/` -> `.agents/skills/`) is intentionally deferred to a follow-up PR: APM Self-Check on this PR runs the released CLI (currently v0.12.3 with the bug), so the skills migration cannot pass CI until v0.12.4 ships. Will land it right after this merges + releases.

Validation

- `uv run apm install --force && uv run apm audit --ci` -> 9/9 checks pass on this branch (verified locally; CI runs released v0.12.3 which still has the bug — this is the bypass scenario)
- `uv run --extra dev ruff check src/ tests/` + `ruff format --check` -> silent
- `uv run pytest tests/unit/compilation/ tests/unit/install/test_drift.py -q` -> 365 passed
- `tests/unit/compilation/test_link_resolver.py::TestReplayFrameTranslation`

Risk

The link-resolver fix only triggers when `candidate` is outside `base_dir`, which never happens during normal install (both self and dependency cases keep candidates in-frame). Replay of dependency packages also unchanged because their `install_path` materialises inside the scratch tree.

Closes #1182.
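A worked model of the replay-frame bug described in the commit message and in the TL;DR above, added here as an illustration; it is not apm's own `_resolve_in_package_asset_link`. It assumes `target_location` is the directory the primitive is deployed into, uses constructed absolute paths (`/home/dev/project` for the real tree, `/tmp/apm-audit-scratch` for the replay tmpdir) instead of a real checkout, and shows the pre-fix resolver beside the re-anchoring one so the false drift and its disappearance are both visible:

```python
import os

# Constructed sample layout (not a real checkout): the real project tree that
# `package_root` points at, and the scratch tmpdir that `apm audit --ci` replay
# deploys into.
PACKAGE_ROOT = "/home/dev/project"
SCRATCH_DIR = "/tmp/apm-audit-scratch"

# A repo-root file referenced from a primitive via a `../<repo-root-file>` link.
CANDIDATE = os.path.join(PACKAGE_ROOT, "MANIFESTO.md")
# Where the primitive lands in each frame (two levels below the root).
INSTALL_TARGET = os.path.join(PACKAGE_ROOT, ".github", "agents")
REPLAY_TARGET = os.path.join(SCRATCH_DIR, ".github", "agents")


def _inside(path: str, root: str) -> bool:
    """Lexical containment check: True if `path` is `root` or lies beneath it."""
    path = os.path.normpath(os.path.abspath(path))
    root = os.path.normpath(os.path.abspath(root))
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def resolve_link_v0_12_3(candidate: str, target_location: str) -> str:
    """Pre-fix behaviour: relpath against wherever the primitive was deployed."""
    return os.path.relpath(candidate, target_location).replace(os.sep, "/")


def resolve_link_fixed(candidate: str, target_location: str,
                       base_dir: str, package_root: str) -> str:
    """Re-anchor target_location onto package_root when candidate is out of frame.

    base_dir is the tree being written (the real project on install, the scratch
    tmpdir on replay). For self-packages, replay leaves candidate under the real
    package_root, i.e. outside base_dir; translating target_location into the
    package_root frame makes relpath reproduce the install-time output.
    Dependency packages materialise inside base_dir, so this branch is skipped.
    """
    if not _inside(candidate, base_dir):
        # cross-frame: <base_dir>/<rel> becomes <package_root>/<rel>
        rel = os.path.relpath(target_location, base_dir)
        target_location = os.path.join(package_root, rel)
    return os.path.relpath(candidate, target_location).replace(os.sep, "/")


def replay_drift(candidate, install_target, replay_target, base_dir, package_root):
    """Compare the link install wrote with what each replay resolver regenerates.

    The audit gate reports any mismatch as drift, so the hypothetical pre-fix
    resolver turns every self-package repo-root link into a false positive.
    """
    installed = resolve_link_fixed(candidate, install_target, package_root, package_root)
    old = resolve_link_v0_12_3(candidate, replay_target)
    new = resolve_link_fixed(candidate, replay_target, base_dir, package_root)
    return {
        "installed": installed,
        "v0.12.3_replay": old,
        "v0.12.3_drifted": old != installed,
        "fixed_replay": new,
        "fixed_drifted": new != installed,
    }


if __name__ == "__main__":
    report = replay_drift(CANDIDATE, INSTALL_TARGET, REPLAY_TARGET,
                          SCRATCH_DIR, PACKAGE_ROOT)
    for key, value in report.items():
        print(f"{key:16} {value}")
```

Running it prints `../../MANIFESTO.md` for the installed link, a `../../../../home/dev/project/MANIFESTO.md` traversal for the pre-fix replay (flagged as drift), and `../../MANIFESTO.md` again for the re-anchored replay. Because the containment check is lexical, a dependency package whose files live under the scratch tree takes the unchanged relpath branch, matching the "dependency packages are unaffected" claim.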