- Merge main (v2.3.0 fixes) to establish common git history going forward
- AnthropicProvider: remove spurious async/await, add copyright header, fix member ordering and trailing newline (SA1518, SA1204, CS1998)
- OpenCodeProvider: sort using directives alphabetically, add copyright header (SA1210)
- NoOpUsageAnalyticsService: add copyright header, expand one-liners for readability
- AgentInfo: add copyright header, fix trailing newline (SA1518)
- WpfTrayIconService: remove dead ParsePercent method and unused System.Globalization import
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…t version in release workflow
- Delete AIUsageTracker.Infrastructure/Services/NoOpUsageAnalyticsService.cs — duplicate of the authoritative AIUsageTracker.UI.Slim/NoOpUsageAnalyticsService.cs that was already on develop from the release/2.3.0 branch
- WpfTrayIconService: delegate sub-tray percentage formatting to ProviderUsageDetailValuePresentationCatalog.GetDisplayText, respecting the ShowUsedPercentages preference; guard on GetEffectiveUsedPercent instead of raw PercentageValue
- release.yml: auto-detect when version files are already at the target version and skip the commit/push step automatically, removing the need to pass skip_file_updates=true manually for stable releases
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…frastructure
- ResetTimeParser: extract Year2100UnixSeconds constant to eliminate SA1108 inline comment
- MonitorLauncherStateResolver: split GetAgentStatusInfoAsync (79 lines) into private GetStatusFromHealthCheckAsync helper to satisfy MA0051; fix member ordering SA1202
- MonitorService: split CheckApiContractAsync (71 lines) into private ParseContractResponseAsync helper to satisfy MA0051; fix SA1202 by placing private method in private section; fix SA1116 by extracting status variables
- ProviderBase: fix SA1201/SA1202 by reordering to fields → ctor → properties → public methods → protected static methods → protected instance methods
- ProviderDefinition: fix SA1202 by moving private HandledProviderIdsSet property below all public properties (into private section before public methods)
- AnthropicProvider: fix SA1201 (field after property) and SA1101 (missing this.)
- NoOpDataExportService: fix SA1516 (elements not separated by blank lines)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Wrap Initialize() and UpdateProviderTrayIcons() in try/catch to prevent app crashes if tray icon creation or WPF rendering fails
- Extract UpdateProviderTrayIconsCore private method (separates error boundary from implementation)
- Add missing copyright header and fix SA1101 (this. prefix on all instance members)
- Fix SA1210 (sort using directives alphabetically)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AnthropicProvider: remove unused _logger field and ILogger constructor dep; simplify test to not require a mock logger
- SA1507: remove extra blank line after copyright header in 10 Infrastructure providers
- SA1124: remove #region/#endregion blocks from ClaudeCodeProviderTests, KimiProviderTests, and MinimaxProviderTests
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add workflow-security.yml: runs actionlint (workflow linting) and zizmor (GitHub Actions security analysis) on changes to .github/; scheduled weekly; zizmor results uploaded as SARIF to GitHub Security tab
- release.yml: fix script injection by passing inputs.version/channel through env vars (INPUT_VERSION/INPUT_CHANNEL) rather than interpolating directly into shell — zizmor CWE-116 pattern
- publish.yml: add explicit permissions: contents: write (was inheriting repo default which is ambiguous)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Pin every third-party action to a full 40-char commit SHA across all
17 workflows and the setup-dotnet-cache composite action
(checkout, setup-dotnet, upload/download-artifact, cache, github-script,
paths-filter, codecov, create-pull-request, action-gh-release,
winget-releaser, codeql-action/upload-sarif, actions-rs/toolchain)
- Rename vedantmgoyal2009/winget-releaser → vedantmgoyal9/winget-releaser
to track the repo's canonical name
- Add explicit `permissions:` blocks to every workflow that was missing
them, defaulting to the least-privilege needed by each job
- Fix script-injection risk in release.yml: move all `${{ inputs.* }}`
expansions into env vars consumed as shell variables (CWE-116)
- Add workflow-security.yml: weekly + on-push CI job running zizmor
(SARIF → GitHub Security tab) and actionlint (tarball download +
sha256sum verification, not curl-pipe-bash)
- Remove extra blank line (SA1507) in AntigravityProvider.cs
- Extend .gitignore with AI-tooling scratch files and stale /setup.iss
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The checksum file for actionlint releases is named `actionlint_<version>_checksums.txt`, not `checksums.txt`. Also add `--fail` to both curl calls so HTTP errors are surfaced immediately rather than saving an HTML error page. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without a config file actionlint surfaces all shellcheck severity levels (info, style, warning, error). The pre-existing workflows have SC2086/SC2129 info/style findings unrelated to this PR. Restrict shellcheck reporting to error-level only so the gate catches real problems without blocking on pre-existing style noise. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use actionlint's -ignore flag to suppress pre-existing SC2086/SC2129 info and style level shellcheck findings that exist across multiple workflows predating this linter. Error and warning level findings are still caught. Also removes the unused .actionlint.yaml config file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
actionlint 1.7.4 does not know about the windows-2025 GitHub-hosted runner that was added after that release. Add it to the self-hosted-runner.labels list so actionlint does not flag it as unknown. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Auto-discovery was not picking up .actionlint.yaml; pass it explicitly via -config-file so the windows-2025 runner label override is applied. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- publish.yml: move contents:write from workflow level to only the create-release job that needs it; publish and generate-appcast jobs get contents:read (fixes zizmor failure-level finding)
- Add persist-credentials: false to all checkout steps across 15 workflows that were missing it, reducing credential exposure window (fixes 34 zizmor warning-level findings)
- dependency-updates.yml checkout intentionally left unchanged as it requires credentials for the create-pull-request commit step
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
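
A minimal line-based check for three of the hardening items named in the commits above (full-SHA pinning of `uses:` references, `${{ inputs.* }}` expanded inside `run:` scripts, and `persist-credentials: false` on checkout). This is an added example, not code from this PR and not how zizmor or actionlint are implemented; the `audit` function, its rule labels and the sample steps are constructed for illustration.

```python
import re
from itertools import takewhile

# Constructed steps fragment (not from the PR) with the patterns the commits address.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
    with:
      persist-credentials: false
  - run: |
      git tag "v${{ inputs.version }}"
  - env:
      INPUT_VERSION: ${{ inputs.version }}
    run: git tag "v$INPUT_VERSION"
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{\s*inputs\.[\w-]+\s*\}\}")  # only the inputs.* context
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full 40-char commit SHA

def audit(text):
    """Return (line_number, rule) findings; rule labels are this sketch's own."""
    lines, findings, run_col = text.splitlines(), [], None
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run: script has ended
        m = RUN.match(line) if run_col is None else None
        if m:
            run_col = len(m.group(1))  # column where the run: key starts
        if run_col is not None:  # on the run: line or inside its script body
            if EXPR.search(m.group(2) if m else line):
                findings.append((n, "expression-in-run"))
            continue
        if not (u := USES.match(line)):
            continue
        ref = u.group(1)
        if not ref.startswith("./") and not PINNED.search(ref):
            findings.append((n, "unpinned-action"))
        if ref.startswith("actions/checkout@"):  # scan the rest of this step
            rest = takewhile(lambda s: not s.lstrip().startswith("- "), lines[n:])
            if not any("persist-credentials: false" in s for s in rest):
                findings.append((n, "checkout-persists-credentials"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `env:` mapping on line 9 of the sample is not flagged: the expression is expanded into an environment variable before the shell runs, which is the form the release.yml fix moves to.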
chore: port main-only files to develop and clean up code quality
Contributor
Build Performance Report
⏱️ Build Time: 12 minutes
📊 Comparison with main branch:
✅ Within acceptable range
This is an automated performance check
Contributor
This PR contains 1597 lines changed across 52 files.
Details:
Recommendation: This is an automated message. Feel free to ignore if this PR is intentionally large.
Summary
- `persist-credentials: false` to all checkout steps
- `contents: write` permission scope in publish.yml (was workflow-level, now job-level)
- `workflow-security.yml` to run zizmor + actionlint on workflow changes
- `windows-2025` runner label in `.actionlint.yaml`

Test plan
🤖 Generated with Claude Code