diff --git a/.github/workflows/build-dotnet.yml b/.github/workflows/build-dotnet.yml index 0fc6830fe..8e0a99c64 100644 --- a/.github/workflows/build-dotnet.yml +++ b/.github/workflows/build-dotnet.yml @@ -33,7 +33,7 @@ jobs: - name: Setup Git LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dorny/paths-filter@v3 id: filter continue-on-error: true @@ -56,7 +56,7 @@ jobs: package_json_file: ts/package.json - name: Setup Node.js if: ${{ github.event_name != 'pull_request' || steps.filter.outputs.dotnet != 'false' }} - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 cache: "pnpm" diff --git a/.github/workflows/build-package-shell.yml b/.github/workflows/build-package-shell.yml index b354b30bb..7a164f16b 100644 --- a/.github/workflows/build-package-shell.yml +++ b/.github/workflows/build-package-shell.yml @@ -41,7 +41,7 @@ jobs: - name: Setup Git LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dorny/paths-filter@v3 id: filter continue-on-error: true @@ -55,7 +55,7 @@ jobs: name: Install pnpm with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 if: ${{ github.event_name != 'pull_request' || steps.filter.outputs.ts != 'false' }} with: node-version: ${{ matrix.version }} @@ -93,7 +93,7 @@ jobs: shell: bash run: pnpm run shell:package - # - uses: actions/upload-artifact@v4 + # - uses: actions/upload-artifact@v5 # if: ${{ github.event_name != 'pull_request' || steps.filter.outputs.ts != 'false' }} # name: Upload build artifact # with: diff --git a/.github/workflows/build-ts.yml b/.github/workflows/build-ts.yml index 30fbb154b..47b5421d8 100644 --- a/.github/workflows/build-ts.yml +++ b/.github/workflows/build-ts.yml @@ -42,7 +42,7 @@ jobs: - name: Setup Git LF run: | git config --global core.autocrlf false - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: # Full history so the changed-files lint can diff against the base. fetch-depth: 0 @@ -59,7 +59,7 @@ jobs: name: Install pnpm with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 if: ${{ github.event_name != 'pull_request' || steps.filter.outputs.ts != 'false' }} with: node-version: ${{ matrix.version }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e70dcce1a..a8d5d87e2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,11 +4,11 @@ # CodeQL advanced setup. # # Why this is not the stock single-file setup: -# Merging is gated by rulesets ("Require code scanning results" + "Require code -# quality results"). GitHub's CodeQL *default setup* — and any plain -# `on: pull_request` CodeQL workflow — cannot produce results for pull requests -# from FORKS, because fork-triggered runs get a read-only GITHUB_TOKEN and no -# secrets, so `analyze` cannot upload. Those PRs would then be blocked forever. +# Merging is gated by a ruleset ("Require code scanning results"). GitHub's +# CodeQL *default setup* - and any plain `on: pull_request` CodeQL workflow - +# cannot produce results for pull requests from FORKS, because fork-triggered +# runs get a read-only GITHUB_TOKEN and no secrets, so `analyze` cannot upload. +# Those PRs would then be blocked forever. # # To fix that safely, this workflow ANALYZES the code (including untrusted fork # code) in the unprivileged `pull_request` context and, for fork PRs, saves the @@ -66,7 +66,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: # For fork PRs, analyze the PR head commit so results map to the PR. # Otherwise use the default ref (merge ref for internal PRs, branch tip @@ -78,11 +78,15 @@ jobs: with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # Enable both the security ("code-scanning") and "code-quality" analyses - # so both ruleset rules can be satisfied. code-quality is currently a - # preview capability; if the analyze step rejects this input, remove the - # line and drop the "Require code quality results" rule from the ruleset. - analysis-kinds: code-scanning,code-quality + # This runs a code-scanning (security) analysis only. The experimental, + # GitHub-internal `analysis-kinds` input that previously also requested a + # "code-quality" analysis is no longer supported in custom workflows: + # passing multiple values, or any kind other than `code-scanning`, now + # warns and will become a fatal error. To also run the code-quality + # queries as part of code scanning, add `queries: code-quality` here -- + # that surfaces them as code-scanning alerts rather than a separate + # code-quality result, so also drop any "Require code quality results" + # rule from the branch ruleset. - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 @@ -96,7 +100,7 @@ jobs: - name: Stage SARIF for fork PR upload if: ${{ env.IS_FORK_PR == 'true' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: codeql-sarif-${{ matrix.language }} path: sarif-results diff --git a/.github/workflows/deploy-pages.yml b/.github/workflows/deploy-pages.yml index 526cec332..b3dd63267 100644 --- a/.github/workflows/deploy-pages.yml +++ b/.github/workflows/deploy-pages.yml @@ -42,10 +42,10 @@ jobs: steps: - name: Checkout Repository 🛎️ - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Node.js ⚙️ - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 22 diff --git a/.github/workflows/docs-pr-amend.yml b/.github/workflows/docs-pr-amend.yml index 27b3d8a60..282834b75 100644 --- a/.github/workflows/docs-pr-amend.yml +++ b/.github/workflows/docs-pr-amend.yml @@ -73,7 +73,7 @@ jobs: private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }} - name: Checkout PR branch - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: ${{ github.head_ref }} # Full history so the merge-base with the base branch resolves. diff --git a/.github/workflows/docs-refresh.yml b/.github/workflows/docs-refresh.yml index fbe14b037..aed043916 100644 --- a/.github/workflows/docs-refresh.yml +++ b/.github/workflows/docs-refresh.yml @@ -94,7 +94,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: # Full history so the --since baseline (last README.AUTOGEN.md # commit) resolves and the diff against it is complete. diff --git a/.github/workflows/fix-dependabot-alerts.yml b/.github/workflows/fix-dependabot-alerts.yml index 6da5c9925..5374618ec 100644 --- a/.github/workflows/fix-dependabot-alerts.yml +++ b/.github/workflows/fix-dependabot-alerts.yml @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 @@ -53,7 +53,7 @@ jobs: with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 with: node-version: 22 cache: "pnpm" diff --git a/.github/workflows/format-pr.yml b/.github/workflows/format-pr.yml index 04ce59a05..601a5cf45 100644 --- a/.github/workflows/format-pr.yml +++ b/.github/workflows/format-pr.yml @@ -52,7 +52,7 @@ jobs: private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }} - name: Checkout PR branch - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: ${{ github.head_ref }} fetch-depth: 0 @@ -66,7 +66,7 @@ jobs: with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 with: node-version: 22 cache: "pnpm" @@ -103,7 +103,7 @@ jobs: - name: Setup Git LF run: git config --global core.autocrlf false - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 @@ -115,7 +115,7 @@ jobs: with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 with: node-version: 22 cache: "pnpm" diff --git a/.github/workflows/release-py.yml b/.github/workflows/release-py.yml index f2bcf172c..e1a548d60 100644 --- a/.github/workflows/release-py.yml +++ b/.github/workflows/release-py.yml @@ -19,7 +19,7 @@ jobs: shell: bash working-directory: python/ta # your project subdir steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Set up Python uses: actions/setup-python@v5 @@ -38,7 +38,7 @@ jobs: run: make build # runs `uv build`, outputs to dist/ - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: dist path: python/ta/dist/ @@ -53,7 +53,7 @@ jobs: id-token: write # REQUIRED for Trusted Publishing (no tokens!) contents: read steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: name: dist path: dist diff --git a/.github/workflows/repo-policy-check.yml b/.github/workflows/repo-policy-check.yml index db7895c53..f82f6ee37 100644 --- a/.github/workflows/repo-policy-check.yml +++ b/.github/workflows/repo-policy-check.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: submodules: "false" # token: ${{ secrets.PAT_TOKEN }} diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml index a940fd160..68b7fcf17 100644 --- a/.github/workflows/smoke-tests.yml +++ b/.github/workflows/smoke-tests.yml @@ -72,7 +72,7 @@ jobs: git config --global core.autocrlf false - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: ref: ${{ github.event.pull_request.head.sha }} @@ -91,7 +91,7 @@ jobs: with: package_json_file: ts/package.json - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 if: ${{ steps.filter.outputs.ts != 'false' }} with: node-version: ${{ matrix.version }} diff --git a/ts/packages/defaultAgentProvider/test/translateTestCommon.ts b/ts/packages/defaultAgentProvider/test/translateTestCommon.ts index 2cb8fe7b7..47b0f0de1 100644 --- a/ts/packages/defaultAgentProvider/test/translateTestCommon.ts +++ b/ts/packages/defaultAgentProvider/test/translateTestCommon.ts @@ -467,10 +467,22 @@ function checkPossibleMatch( action: TypeAgentAction, possibleMatch: PossibleMatch, ) { + // action.entities is resolved-reference metadata the translator may or may + // not attach run-to-run (e.g. a "grocery" list entity whose items facet + // reflects the current, history-dependent list contents). It is not part of + // the translated action shape most cases care about, so only assert it when + // the expected action explicitly specifies entities (e.g. + // translate-image-history-e2e.json). Otherwise drop it so its + // non-determinism can't cause spurious toEqual mismatches. + let actual = action; + if (possibleMatch.action.entities === undefined && action.entities) { + actual = { ...action }; + delete actual.entities; + } if (possibleMatch.partial) { - expect(action).toMatchObject(possibleMatch.action); + expect(actual).toMatchObject(possibleMatch.action); } else { - expect(action).toEqual(possibleMatch.action); + expect(actual).toEqual(possibleMatch.action); } }