From b7243d0a164b9eb725203da45db073809e1c39d8 Mon Sep 17 00:00:00 2001 From: Bryant Date: Thu, 2 Jul 2026 15:03:02 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=94=A7=20(meta):=20Point=20project=20?= =?UTF-8?q?URLs=20to=20canonical=20AI-agent-assembly=20org?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Homepage/Repository pointed at github.com/agent-assembly (nonexistent); the canonical GitHub org is AI-agent-assembly. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73 --- pyproject.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index a13539a..7d5004a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -45,8 +45,8 @@ all = ["agent-assembly[runtime]"] aasm = "agent_assembly.cli.main:main" [project.urls] -Homepage = "https://github.com/agent-assembly/python-sdk" -Repository = "https://github.com/agent-assembly/python-sdk" +Homepage = "https://github.com/AI-agent-assembly/python-sdk" +Repository = "https://github.com/AI-agent-assembly/python-sdk" [dependency-groups] dev = [ From 9abb4298398f1c4d4508d019f86bc21c4a7f4038 Mon Sep 17 00:00:00 2001 From: Bryant Date: Thu, 2 Jul 2026 15:03:03 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=97=91=EF=B8=8F=20(ci):=20Remove=20de?= =?UTF-8?q?ad=20commented=20@master=20reusable-workflow=20refs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deleted three commented-out placeholder job blocks that referenced unpinned @master reusable workflows for not-yet-implemented test types. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73 --- .github/workflows/rw_build_and_test.yaml | 35 ------------------------ 1 file changed, 35 deletions(-) 
diff --git a/.github/workflows/rw_build_and_test.yaml b/.github/workflows/rw_build_and_test.yaml index 15899b2..ed09670 100644 --- a/.github/workflows/rw_build_and_test.yaml +++ b/.github/workflows/rw_build_and_test.yaml @@ -65,28 +65,6 @@ jobs: secrets: e2e_test_api_token: ${{ secrets.e2e_test_api_token }} - # Contract test not implemented yet - # run_contract-test: - # # name: Run all contract test items - # uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_uv_run_test.yaml@master - # with: - # test_type: contract-test - # test_folder: './test/contract' - # install_dependency_with_group: 'dev' - # python-versions: '["3.13"]' - # operating-systems: '["ubuntu-latest", "ubuntu-22.04", "macos-latest", "macos-14"]' - - # CI script test not implemented yet - # run_script-test: - # # name: Run all contract test items - # uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_uv_run_test.yaml@master - # with: - # test_type: ci-script-test - # test_folder: './test/ci_script' - # install_dependency_with_group: 'dev' - # python-versions: '["3.13"]' - # operating-systems: '["ubuntu-latest", "ubuntu-22.04", "macos-latest", "macos-14"]' - unit-test_codecov: # name: For unit test, organize and generate the testing report and upload it to Codecov if: ${{ 
@@ -123,19 +101,6 @@ jobs: test_type: e2e-test source_folder: agent_assembly - # Contract test not implemented yet - # contract-test_codecov: - # # name: For end-to-end test, organize and generate the testing report and upload it to Codecov - # if: ${{ - # contains(fromJSON('["pull_request","workflow_dispatch","schedule"]'), github.event_name) || - # (github.event_name == 'push' && github.ref_name == 'master') - # }} - # needs: run_contract-test - # uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_organize_test_cov_reports.yaml@master - # with: - # test_type: contract-test - # source_folder: src - all_test_not_e2e_test_codecov: # name: Organize and generate the testing report and upload it to Codecov if: ${{ From c60233fd492efac82493447eff1d11d3221f8f70 Mon Sep 17 00:00:00 2001 From: Bryant Date: Thu, 2 Jul 2026 15:03:22 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20Pin=20official=20Git?= =?UTF-8?q?Hub=20Actions=20to=20full=20commit=20SHA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin actions/checkout@v7, actions/setup-python@v6, actions/upload-artifact@v7 and actions/download-artifact@v8 to their tag's 40-char commit SHA across all workflows so a moved tag cannot silently change the action run. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73 --- .github/workflows/benchmarks.yml | 4 +- .github/workflows/ci.yaml | 4 +- .github/workflows/docs-backfill.yaml | 2 +- .github/workflows/documentation.yaml | 10 ++-- .github/workflows/native-core-build.yml | 4 +- .github/workflows/native-pin-consistency.yml | 2 +- .../release-python-conversion-test.yml | 2 +- .github/workflows/release-python.yml | 46 +++++++++---------- .../workflows/rw_run_all_test_and_record.yaml | 4 +- .github/workflows/type-check.yml | 4 +- 10 files changed, 41 insertions(+), 41 deletions(-) 
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index 7c99ee0..0e267f5 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml @@ -29,7 +29,7 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'benchmark') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -58,7 +58,7 @@ jobs: - name: Upload benchmark results if: always() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: benchmark-results path: benchmark-results.json diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f89ae41..8688ee4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -87,8 +87,8 @@ jobs: name: Dependency advisory audit (pip-audit) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.12" - name: Install uv diff --git a/.github/workflows/docs-backfill.yaml b/.github/workflows/docs-backfill.yaml index 8506439..e54ece8 100644 --- a/.github/workflows/docs-backfill.yaml +++ b/.github/workflows/docs-backfill.yaml @@ -65,7 +65,7 @@ jobs: echo "Backfilling docs for release tag: ${RELEASE_TAG}" - name: Checkout (full history for mike + git-revision-date plugins) - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 ref: master diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml index d30bce3..5e7c204 100644 --- a/.github/workflows/documentation.yaml +++ b/.github/workflows/documentation.yaml 
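Review bot: The trailing comments on the newly pinned lines (`# v7` on `actions/checkout` and `actions/upload-artifact` in this first `benchmarks.yml` hunk) name only the moving major tag, so neither a reader nor an update bot can tell which release the 40-character SHA was taken from. The `astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0` context line in the same hunk already shows the more useful form. I would record the exact release, e.g. `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # vX.Y.Z` (placeholder, as the release number is not on this page), and confirm each SHA is reachable from that tag in the upstream action repository rather than only from a fork. The same applies to every pinned `checkout`, `setup-python`, `upload-artifact` and `download-artifact` line in the other hunks of this patch. Pinned SHAs no longer pick up fixes on their own, so an updater entry for the `github-actions` ecosystem is worth adding if the repository lacks one; none is visible here.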
@@ -88,7 +88,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout (full history for mike + git-revision-date plugins) - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -125,7 +125,7 @@ jobs: pages: write steps: - name: Checkout (full history for mike + git-revision-date plugins) - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 @@ -177,7 +177,7 @@ jobs: pages: write steps: - name: Checkout (full history for mike + git-revision-date plugins) - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 ref: master @@ -187,7 +187,7 @@ jobs: # PEP-440 pyproject version, which loses the canonical tag form). Pull it # so the deploy script can label the frozen snapshot and pick the channel. - name: Download release-tag artifact from the release run - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: release-tag path: release-tag-artifact @@ -273,7 +273,7 @@ jobs: echo "Manual republish: target=${TARGET}, release_tag=${RELEASE_TAG_INPUT:-(n/a)}" - name: Checkout (full history for mike + git-revision-date plugins) - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 ref: master diff --git a/.github/workflows/native-core-build.yml b/.github/workflows/native-core-build.yml index 241250d..4f80e74 100644 --- a/.github/workflows/native-core-build.yml +++ b/.github/workflows/native-core-build.yml @@ -24,10 +24,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.13" 
diff --git a/.github/workflows/native-pin-consistency.yml b/.github/workflows/native-pin-consistency.yml index 6c77e27..f9fe02f 100644 --- a/.github/workflows/native-pin-consistency.yml +++ b/.github/workflows/native-pin-consistency.yml @@ -20,7 +20,7 @@ jobs: name: aa-* crates share one git rev runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Assert all agent-assembly git deps share one rev run: | manifest="native/aa-ffi-python/Cargo.toml" diff --git a/.github/workflows/release-python-conversion-test.yml b/.github/workflows/release-python-conversion-test.yml index 63470d7..b301fca 100644 --- a/.github/workflows/release-python-conversion-test.yml +++ b/.github/workflows/release-python-conversion-test.yml @@ -42,7 +42,7 @@ jobs: name: Run tag → PEP 440 fixture suite runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Lint conversion + test scripts run: | shellcheck .github/scripts/tag-to-pep440.sh diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 2140f22..0ce774f 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -65,7 +65,7 @@ jobs: # and its inverse (.github/scripts/pep440-to-tag.sh). Those scripts # are the single source of truth for the conversion, shared with the # AAASM-2863 / AAASM-2956 unit tests. - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - id: r env: EVENT_NAME: ${{ github.event_name }} @@ -157,8 +157,8 @@ jobs: needs: resolve runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv 
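Review bot: The pinned `actions/checkout` steps in the `release-python.yml` build jobs still run with the action's default credential handling, and later steps in those jobs install and run third-party build tooling. This applies to the hunk at line 157 (the job that goes on to `Install uv`) and to the sdist and wheel jobs in the following hunks. As far as I know `persist-credentials` defaults to true, which keeps the job token available to git for the rest of the job; confirm that for the pinned release. For jobs that only read the tree I would add `with:` and `persist-credentials: false` under the checkout step. The jobs' `permissions:` blocks and any later `git push` lie outside these hunks, so check them before changing the job that creates the tag and GitHub Release or the docs jobs that deploy with mike, which may need the credentials.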
@@ -172,7 +172,7 @@ jobs: # JSON BOM of every installed distribution. run: uvx --from cyclonedx-bom==7.3.0 cyclonedx-py environment .venv --output-format JSON --output-file sbom.cdx.json - name: Upload SBOM artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: sbom path: sbom.cdx.json @@ -183,8 +183,8 @@ jobs: needs: resolve runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Pin aa-ffi git deps to released core (binary_source_tag) @@ -206,7 +206,7 @@ jobs: command: sdist args: --out dist - name: Upload sdist artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: wheels-sdist path: dist/*.tar.gz @@ -216,8 +216,8 @@ jobs: needs: resolve runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Stage aasm sidecar binary @@ -287,7 +287,7 @@ jobs: unzip -o /tmp/protoc.zip -d /usr/local >/dev/null protoc --version - name: Upload wheel artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: wheels-linux-x86_64 path: dist/*.whl 
@@ -297,8 +297,8 @@ jobs: needs: resolve runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Stage aasm sidecar binary @@ -358,7 +358,7 @@ jobs: unzip -o /tmp/protoc.zip -d /usr/local >/dev/null protoc --version - name: Upload wheel artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: wheels-linux-aarch64 path: dist/*.whl @@ -368,8 +368,8 @@ jobs: needs: resolve runs-on: macos-14 # Apple silicon runner steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Stage aasm sidecar binary @@ -412,7 +412,7 @@ jobs: command: build args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }} - name: Upload wheel artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: wheels-macos-arm64 path: dist/*.whl @@ -422,8 +422,8 @@ jobs: needs: resolve runs-on: macos-15-intel # Intel runner (macos-13 sunset 2025-09-19) steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Stage aasm sidecar binary 
@@ -466,7 +466,7 @@ jobs: command: build args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }} - name: Upload wheel artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: wheels-macos-x86_64 path: dist/*.whl @@ -492,7 +492,7 @@ jobs: id-token: write # OIDC token for Trusted Publisher steps: - name: Download all build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: wheels-* path: dist @@ -529,11 +529,11 @@ jobs: permissions: contents: write # create the git tag + GitHub Release steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Download CycloneDX SBOM # AAASM-3615: pull the SBOM built by the `sbom` job so it can be # attached to the Release below. - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: sbom - name: Create tag and GitHub Release @@ -613,7 +613,7 @@ jobs: printf '%s\n' "${RELEASE_TAG}" > release-tag.txt echo "Recorded release tag: ${RELEASE_TAG}" - name: Upload release-tag artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: release-tag path: release-tag.txt diff --git a/.github/workflows/rw_run_all_test_and_record.yaml b/.github/workflows/rw_run_all_test_and_record.yaml index 4704c98..3a24a36 100644 --- a/.github/workflows/rw_run_all_test_and_record.yaml +++ b/.github/workflows/rw_run_all_test_and_record.yaml 
@@ -166,13 +166,13 @@ jobs: needs: build-and-test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: # Required by SonarCloud to correctly compute PR/new-code deltas. fetch-depth: 0 - name: Download all-test coverage XML report - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: all-test_coverage_xml_report path: ./ diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml index db55ed9..da48b84 100644 --- a/.github/workflows/type-check.yml +++ b/.github/workflows/type-check.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -133,7 +133,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - name: Install uv uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 From 52317a11fbddc64c45e53283766df0eeba7c18d4 Mon Sep 17 00:00:00 2001 From: Bryant Date: Thu, 2 Jul 2026 15:03:38 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=94=A7=20(ci):=20Drop=20unused=20id-t?= =?UTF-8?q?oken:write=20in=20docs-backfill=20workflow?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The backfill job deploys docs via mike (git push to gh-pages, needs contents:write); it uses no OIDC, so id-token:write was unused. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73 --- .github/workflows/docs-backfill.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docs-backfill.yaml b/.github/workflows/docs-backfill.yaml index e54ece8..077d8e0 100644 
--- a/.github/workflows/docs-backfill.yaml +++ b/.github/workflows/docs-backfill.yaml @@ -37,7 +37,6 @@ on: permissions: contents: write - id-token: write pages: write # Share the same concurrency group as the real docs pipeline so a backfill