From e3c862a99f9b633ca288306eae8a8c3a900590ee Mon Sep 17 00:00:00 2001 
From: Edmund Hung Date: Thu, 28 May 2026 16:33:07 +0100 Subject: [PATCH 1/4] Revert "Version Packages" (#14087) --- .changeset/add-web-search-binding.md | 29 +++++ .changeset/bump-rosie-skills.md | 5 + .changeset/dependabot-update-14060.md | 12 ++ .changeset/disable-sentry-by-default.md | 7 ++ .changeset/fix-autoconfig-vite-no-config.md | 9 ++ .changeset/fix-miniflare-pnp-sourcemap.md | 7 ++ .../fix-open-in-browser-enoent-headless.md | 9 ++ ...x-secrets-store-value-length-validation.md | 5 + .changeset/nine-mangos-camp.md | 7 ++ .changeset/pipeline-stream-rename.md | 37 ++++++ .changeset/proxied-durable-object-rpc.md | 7 ++ .changeset/quiet-birds-fly.md | 10 ++ .changeset/resolve-pipeline-names.md | 5 + .changeset/secret-bulk-delete-support.md | 11 ++ packages/cli/CHANGELOG.md | 7 -- packages/cli/package.json | 2 +- packages/miniflare/CHANGELOG.md | 74 ------------ packages/miniflare/package.json | 2 +- packages/pages-shared/CHANGELOG.md | 7 -- packages/pages-shared/package.json | 2 +- packages/vite-plugin-cloudflare/CHANGELOG.md | 14 --- packages/vite-plugin-cloudflare/package.json | 2 +- packages/vitest-pool-workers/CHANGELOG.md | 12 -- packages/vitest-pool-workers/package.json | 2 +- packages/workers-utils/CHANGELOG.md | 68 ----------- packages/workers-utils/package.json | 2 +- packages/wrangler/CHANGELOG.md | 107 ------------------ packages/wrangler/package.json | 2 +- 28 files changed, 167 insertions(+), 296 deletions(-) create mode 100644 .changeset/add-web-search-binding.md create mode 100644 .changeset/bump-rosie-skills.md create mode 100644 .changeset/dependabot-update-14060.md create mode 100644 .changeset/disable-sentry-by-default.md create mode 100644 .changeset/fix-autoconfig-vite-no-config.md create mode 100644 .changeset/fix-miniflare-pnp-sourcemap.md create mode 100644 .changeset/fix-open-in-browser-enoent-headless.md create mode 100644 .changeset/fix-secrets-store-value-length-validation.md create mode 100644 .changeset/nine-mangos-camp.md create 
mode 100644 .changeset/pipeline-stream-rename.md create mode 100644 .changeset/proxied-durable-object-rpc.md create mode 100644 .changeset/quiet-birds-fly.md create mode 100644 .changeset/resolve-pipeline-names.md create mode 100644 .changeset/secret-bulk-delete-support.md diff --git a/.changeset/add-web-search-binding.md b/.changeset/add-web-search-binding.md new file mode 100644 index 0000000000..0ed5773f85 --- /dev/null +++ b/.changeset/add-web-search-binding.md @@ -0,0 +1,29 @@ +--- +"miniflare": minor +"wrangler": minor +"@cloudflare/workers-utils": minor +--- + +Add support for the new `web_search` binding kind. + +Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in `wrangler.jsonc`: + +```jsonc +{ + "web_search": { "binding": "WEBSEARCH" }, +} +``` + +There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single `search()` method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global `fetch()` API against the result's `url`. + +The binding is **always remote** in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the `websearch.run` OAuth scope to `wrangler login`. + +Also adds a `wrangler websearch search` command for running ad-hoc queries from the CLI: + +```sh +npx wrangler websearch search "cloudflare workers" +npx wrangler websearch search "cloudflare workers" --limit 5 +npx wrangler websearch search "cloudflare workers" --json +``` + +`--limit` is optional (defaults to 10, capped at 20). `--json` prints the raw response; without it the results render as a pretty table. diff --git a/.changeset/bump-rosie-skills.md b/.changeset/bump-rosie-skills.md new file mode 100644 index 0000000000..0d5104b7bd --- /dev/null 
+++ b/.changeset/bump-rosie-skills.md @@ -0,0 +1,5 @@ +--- +"wrangler": patch +--- + +Bump `rosie-skills` package from 0.6.3 to 0.7.6 diff --git a/.changeset/dependabot-update-14060.md b/.changeset/dependabot-update-14060.md new file mode 100644 index 0000000000..ee078d8d50 --- /dev/null +++ b/.changeset/dependabot-update-14060.md @@ -0,0 +1,12 @@ +--- +"miniflare": patch +"wrangler": patch +--- + +Update dependencies of "miniflare", "wrangler" + +The following dependency versions have been updated: + +| Dependency | From | To | +| ---------- | ------------ | ------------ | +| workerd | 1.20260526.1 | 1.20260527.1 | diff --git a/.changeset/disable-sentry-by-default.md b/.changeset/disable-sentry-by-default.md new file mode 100644 index 0000000000..a1946ffcff --- /dev/null +++ b/.changeset/disable-sentry-by-default.md @@ -0,0 +1,7 @@ +--- +"wrangler": patch +--- + +Disable Sentry error reporting by default + +`WRANGLER_SEND_ERROR_REPORTS` now defaults to `false` instead of prompting on every error. The current prompt produces too many false-positive reports. Users can still opt in explicitly by setting `WRANGLER_SEND_ERROR_REPORTS=true`. diff --git a/.changeset/fix-autoconfig-vite-no-config.md b/.changeset/fix-autoconfig-vite-no-config.md new file mode 100644 index 0000000000..0d743e4b73 --- /dev/null +++ b/.changeset/fix-autoconfig-vite-no-config.md 
@@ -0,0 +1,9 @@ +--- +"wrangler": patch +--- + +Fix `wrangler setup` failing for Vite projects without a config file + +`wrangler setup` (and `wrangler deploy --experimental-autoconfig`) crashed with "Could not find Vite config file to modify" for Vite projects that don't have a `vite.config.js` or `vite.config.ts`. This affected 6 of the 16 `create-vite` templates: `vanilla`, `vanilla-ts`, `react-swc`, `react-swc-ts`, `lit`, and `lit-ts`. + +Autoconfig now creates a minimal Vite config with the Cloudflare plugin when no config file exists, instead of failing. The file extension (`.ts` or `.js`) is chosen based on whether the project has a `tsconfig.json`. diff --git a/.changeset/fix-miniflare-pnp-sourcemap.md b/.changeset/fix-miniflare-pnp-sourcemap.md new file mode 100644 index 0000000000..0aff01958b --- /dev/null +++ b/.changeset/fix-miniflare-pnp-sourcemap.md @@ -0,0 +1,7 @@ +--- +"miniflare": patch +--- + +Fix `wrangler dev` crash under Yarn PnP when the worker emits a structured log or the inspector forwards a stack trace. + +`getFreshSourceMapSupport` was unconditionally indexing `require.cache`, but when `miniflare` is `import`ed from ESM under Yarn PnP, Node's ESM->CJS bridge (`loadCJSModule` in `node:internal/modules/esm/translators`) hands the wrapped CJS module a re-invented `require` that only carries `.resolve` and `.main`, with no `.cache`. Fall back to `createRequire(__filename)` in that case so the fresh-load cache-swap keeps working. diff --git a/.changeset/fix-open-in-browser-enoent-headless.md b/.changeset/fix-open-in-browser-enoent-headless.md new file mode 100644 index 0000000000..8546b79128 --- /dev/null +++ b/.changeset/fix-open-in-browser-enoent-headless.md 
@@ -0,0 +1,9 @@ +--- +"wrangler": patch +--- + +Show helpful message with URL when browser cannot be opened in headless/container environments + +Previously, running `wrangler login` (or any command that opens a browser) in headless Linux environments without `xdg-open` installed would crash with a confusing "A file or directory could not be found — Missing file or directory: xdg-open" error. + +Now wrangler catches the error and prints a clear warning with the URL so users can copy-paste it into a browser manually. diff --git a/.changeset/fix-secrets-store-value-length-validation.md b/.changeset/fix-secrets-store-value-length-validation.md new file mode 100644 index 0000000000..7fa773668f --- /dev/null +++ b/.changeset/fix-secrets-store-value-length-validation.md @@ -0,0 +1,5 @@ +--- +"wrangler": patch +--- + +`wrangler secrets-store secret create` and `secret update` now reject secret values larger than 64 KiB (65,536 bytes) with a clear error before calling the Cloudflare API. Previously the CLI accepted them, the secret appeared in `secret list`, and the failure surfaced later (and confusingly) at worker deploy time as a "secret doesn't exist" error against the binding. 64 KiB is the cap enforced by the API; the CLI now enforces it at the same boundary. diff --git a/.changeset/nine-mangos-camp.md b/.changeset/nine-mangos-camp.md new file mode 100644 index 0000000000..9a5cf618e4 --- /dev/null +++ b/.changeset/nine-mangos-camp.md @@ -0,0 +1,7 @@ +--- +"wrangler": minor +--- + +Add confirmation prompt to `wrangler containers images delete` + +Previously, running `wrangler containers images delete IMAGE:TAG` would delete the image immediately with no confirmation. The command now prompts for confirmation before deleting. Use `-y` or `--skip-confirmation` to bypass the prompt in non-interactive or scripted environments. diff --git a/.changeset/pipeline-stream-rename.md b/.changeset/pipeline-stream-rename.md new file mode 100644 index 0000000000..8f564ed6e5 
--- /dev/null +++ b/.changeset/pipeline-stream-rename.md @@ -0,0 +1,37 @@ +--- +"wrangler": minor +"@cloudflare/workers-utils": minor +"miniflare": minor +--- + +Rename `pipeline` field to `stream` in pipeline bindings configuration + +The `pipeline` field inside `pipelines` bindings has been renamed to `stream` to align with the updated API wire format. The old `pipeline` field is still accepted but deprecated and will emit a warning. + +Before: + +```jsonc +// wrangler.json +{ + "pipelines": [ + { + "binding": "MY_PIPELINE", + "pipeline": "my-stream-name", + }, + ], +} +``` + +After: + +```jsonc +// wrangler.json +{ + "pipelines": [ + { + "binding": "MY_PIPELINE", + "stream": "my-stream-name", + }, + ], +} +``` diff --git a/.changeset/proxied-durable-object-rpc.md b/.changeset/proxied-durable-object-rpc.md new file mode 100644 index 0000000000..17c20fcb89 --- /dev/null +++ b/.changeset/proxied-durable-object-rpc.md @@ -0,0 +1,7 @@ +--- +"@cloudflare/vitest-pool-workers": patch +--- + +Fix Durable Object RPC dispatch for constructors that return proxies + +Durable Object RPC methods mediated by a returned `Proxy` are now resolved through that proxy after validating prototype exposure. This allows wrappers that bind methods to the underlying instance to use private fields and methods in Vitest, while matching workerd's rejection of constructor-assigned RPC overrides. diff --git a/.changeset/quiet-birds-fly.md b/.changeset/quiet-birds-fly.md new file mode 100644 index 0000000000..cc07c816f6 --- /dev/null +++ b/.changeset/quiet-birds-fly.md 
@@ -0,0 +1,10 @@ +--- +"@cloudflare/vite-plugin": patch +"@cloudflare/workers-utils": patch +--- + +Filter compatibility date fallback warning when no update is available + +The compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of `@cloudflare/vite-plugin` is available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version. + +The update-check logic has been extracted to `@cloudflare/workers-utils` so it can be shared across packages. diff --git a/.changeset/resolve-pipeline-names.md b/.changeset/resolve-pipeline-names.md new file mode 100644 index 0000000000..2539668f1c --- /dev/null +++ b/.changeset/resolve-pipeline-names.md @@ -0,0 +1,5 @@ +--- +"wrangler": minor +--- + +Allow pipeline, stream, and sink commands to resolve resources by name with pagination-aware lookups. diff --git a/.changeset/secret-bulk-delete-support.md b/.changeset/secret-bulk-delete-support.md new file mode 100644 index 0000000000..9fc7c63e2c --- /dev/null +++ b/.changeset/secret-bulk-delete-support.md @@ -0,0 +1,11 @@ +--- +"wrangler": minor +--- + +Support deleting secrets via `wrangler secret bulk` + +You can now delete secrets in bulk by setting their value to `null` in the JSON input file: + +```json +{ "SECRET_TO_DELETE": null, "SECRET_TO_UPDATE": "new-value" } +``` diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index 9baf8fd360..d9c505af80 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md 
@@ -1,12 +1,5 @@ # @cloudflare/cli -## 0.1.5 - -### Patch Changes - -- Updated dependencies [[`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74), [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777), [`d4177ce`](https://github.com/cloudflare/workers-sdk/commit/d4177ce1ba23e67cfe8cbc6a181ac6b2c510d1e9)]: - - @cloudflare/workers-utils@0.22.0 - ## 0.1.4 ### Patch Changes diff --git a/packages/cli/package.json b/packages/cli/package.json index c6d720f51c..67a4d893b3 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/cli-shared-helpers", - "version": "0.1.5", + "version": "0.1.4", "description": "Internal shared CLI helpers for workers-sdk. Not intended for external use — APIs may change without notice.", "keywords": [ "cli", diff --git a/packages/miniflare/CHANGELOG.md b/packages/miniflare/CHANGELOG.md index a9391f6f2d..0bdd0e00bd 100644 --- a/packages/miniflare/CHANGELOG.md +++ b/packages/miniflare/CHANGELOG.md 
@@ -1,79 +1,5 @@ # miniflare -## 4.20260527.0 - -### Minor Changes - -- [#13955](https://github.com/cloudflare/workers-sdk/pull/13955) [`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74) Thanks [@G4brym](https://github.com/G4brym)! - Add support for the new `web_search` binding kind. - - Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in `wrangler.jsonc`: - - ```jsonc - { - "web_search": { "binding": "WEBSEARCH" } - } - ``` - - There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single `search()` method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global `fetch()` API against the result's `url`. - - The binding is **always remote** in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the `websearch.run` OAuth scope to `wrangler login`. - - Also adds a `wrangler websearch search` command for running ad-hoc queries from the CLI: - - ```sh - npx wrangler websearch search "cloudflare workers" - npx wrangler websearch search "cloudflare workers" --limit 5 - npx wrangler websearch search "cloudflare workers" --json - ``` - - `--limit` is optional (defaults to 10, capped at 20). `--json` prints the raw response; without it the results render as a pretty table. - -- [#13860](https://github.com/cloudflare/workers-sdk/pull/13860) [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777) Thanks [@oliy](https://github.com/oliy)! - Rename `pipeline` field to `stream` in pipeline bindings configuration - - The `pipeline` field inside `pipelines` bindings has been renamed to `stream` to align with the updated API wire format. 
The old `pipeline` field is still accepted but deprecated and will emit a warning. - - Before: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "pipeline": "my-stream-name" - } - ] - } - ``` - - After: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "stream": "my-stream-name" - } - ] - } - ``` - -### Patch Changes - -- [#14062](https://github.com/cloudflare/workers-sdk/pull/14062) [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - Update dependencies of "miniflare", "wrangler" - - The following dependency versions have been updated: - - | Dependency | From | To | - | ---------- | ------------ | ------------ | - | workerd | 1.20260526.1 | 1.20260527.1 | - -- [#13968](https://github.com/cloudflare/workers-sdk/pull/13968) [`0ce88ea`](https://github.com/cloudflare/workers-sdk/commit/0ce88eaddd7d3329ceee3b796d90e8711e48a34f) Thanks [@danieltroger](https://github.com/danieltroger)! - Fix `wrangler dev` crash under Yarn PnP when the worker emits a structured log or the inspector forwards a stack trace. - - `getFreshSourceMapSupport` was unconditionally indexing `require.cache`, but when `miniflare` is `import`ed from ESM under Yarn PnP, Node's ESM->CJS bridge (`loadCJSModule` in `node:internal/modules/esm/translators`) hands the wrapped CJS module a re-invented `require` that only carries `.resolve` and `.main`, with no `.cache`. Fall back to `createRequire(__filename)` in that case so the fresh-load cache-swap keeps working. - ## 4.20260526.0 ### Patch Changes diff --git a/packages/miniflare/package.json b/packages/miniflare/package.json index db550011ae..42f747e821 100644 --- a/packages/miniflare/package.json +++ b/packages/miniflare/package.json 
@@ -1,6 +1,6 @@ { "name": "miniflare", - "version": "4.20260527.0", + "version": "4.20260526.0", "description": "Fun, full-featured, fully-local simulator for Cloudflare Workers", "keywords": [ "cloudflare", diff --git a/packages/pages-shared/CHANGELOG.md b/packages/pages-shared/CHANGELOG.md index 13a2598f7b..b56f78fe04 100644 --- a/packages/pages-shared/CHANGELOG.md +++ b/packages/pages-shared/CHANGELOG.md @@ -1,12 +1,5 @@ # @cloudflare/pages-shared -## 0.13.141 - -### Patch Changes - -- Updated dependencies [[`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74), [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc), [`0ce88ea`](https://github.com/cloudflare/workers-sdk/commit/0ce88eaddd7d3329ceee3b796d90e8711e48a34f), [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777)]: - - miniflare@4.20260527.0 - ## 0.13.140 ### Patch Changes diff --git a/packages/pages-shared/package.json b/packages/pages-shared/package.json index 03f6c7f74f..6c38872a1e 100644 --- a/packages/pages-shared/package.json +++ b/packages/pages-shared/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/pages-shared", - "version": "0.13.141", + "version": "0.13.140", "repository": { "type": "git", "url": "https://github.com/cloudflare/workers-sdk.git", diff --git a/packages/vite-plugin-cloudflare/CHANGELOG.md b/packages/vite-plugin-cloudflare/CHANGELOG.md index fb9a73506e..5b8c8ed3c5 100644 --- a/packages/vite-plugin-cloudflare/CHANGELOG.md +++ b/packages/vite-plugin-cloudflare/CHANGELOG.md 
@@ -1,19 +1,5 @@ # @cloudflare/vite-plugin -## 1.39.1 - -### Patch Changes - -- [#12400](https://github.com/cloudflare/workers-sdk/pull/12400) [`d4177ce`](https://github.com/cloudflare/workers-sdk/commit/d4177ce1ba23e67cfe8cbc6a181ac6b2c510d1e9) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - Filter compatibility date fallback warning when no update is available - - The compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of `@cloudflare/vite-plugin` is available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version. - - The update-check logic has been extracted to `@cloudflare/workers-utils` so it can be shared across packages. - -- Updated dependencies [[`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74), [`2c1d8b2`](https://github.com/cloudflare/workers-sdk/commit/2c1d8b23dcf666a5626e389e37d027d71a56e5e3), [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc), [`5fa3de6`](https://github.com/cloudflare/workers-sdk/commit/5fa3de663217683d59c9a0fc95d99b616d558619), [`37176e5`](https://github.com/cloudflare/workers-sdk/commit/37176e523055da69b56d0306b2d272a45d6e3b27), [`0ce88ea`](https://github.com/cloudflare/workers-sdk/commit/0ce88eaddd7d3329ceee3b796d90e8711e48a34f), [`66d86ba`](https://github.com/cloudflare/workers-sdk/commit/66d86baf52fb62bbae9e04d2b0cd3809625fcca0), [`9dee4cc`](https://github.com/cloudflare/workers-sdk/commit/9dee4ccac78a5027fccc7dbef9e39fae25a681df), [`f623ae4`](https://github.com/cloudflare/workers-sdk/commit/f623ae4360b24708fdc2687b168c1f70954d321d), [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777), 
[`39d8717`](https://github.com/cloudflare/workers-sdk/commit/39d8717208feab9801b73a8ef781e181c258a6f6), [`ee56ec0`](https://github.com/cloudflare/workers-sdk/commit/ee56ec0b823f761afd4bc2012594f3739948a904)]: - - miniflare@4.20260527.0 - - wrangler@4.96.0 - ## 1.39.0 ### Minor Changes diff --git a/packages/vite-plugin-cloudflare/package.json b/packages/vite-plugin-cloudflare/package.json index 8a7e49d0b5..22b8af701a 100644 --- a/packages/vite-plugin-cloudflare/package.json +++ b/packages/vite-plugin-cloudflare/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/vite-plugin", - "version": "1.39.1", + "version": "1.39.0", "description": "Cloudflare plugin for Vite", "keywords": [ "cloudflare", diff --git a/packages/vitest-pool-workers/CHANGELOG.md b/packages/vitest-pool-workers/CHANGELOG.md index cae7364e47..d699d32163 100644 --- a/packages/vitest-pool-workers/CHANGELOG.md +++ b/packages/vitest-pool-workers/CHANGELOG.md 
@@ -1,17 +1,5 @@ # @cloudflare/vitest-pool-workers -## 0.16.11 - -### Patch Changes - -- [#14070](https://github.com/cloudflare/workers-sdk/pull/14070) [`96ae856`](https://github.com/cloudflare/workers-sdk/commit/96ae85681b5e24baf10078480651228fc84ed727) Thanks [@dmmulroy](https://github.com/dmmulroy)! - Fix Durable Object RPC dispatch for constructors that return proxies - - Durable Object RPC methods mediated by a returned `Proxy` are now resolved through that proxy after validating prototype exposure. This allows wrappers that bind methods to the underlying instance to use private fields and methods in Vitest, while matching workerd's rejection of constructor-assigned RPC overrides. - -- Updated dependencies [[`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74), [`2c1d8b2`](https://github.com/cloudflare/workers-sdk/commit/2c1d8b23dcf666a5626e389e37d027d71a56e5e3), [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc), [`5fa3de6`](https://github.com/cloudflare/workers-sdk/commit/5fa3de663217683d59c9a0fc95d99b616d558619), [`37176e5`](https://github.com/cloudflare/workers-sdk/commit/37176e523055da69b56d0306b2d272a45d6e3b27), [`0ce88ea`](https://github.com/cloudflare/workers-sdk/commit/0ce88eaddd7d3329ceee3b796d90e8711e48a34f), [`66d86ba`](https://github.com/cloudflare/workers-sdk/commit/66d86baf52fb62bbae9e04d2b0cd3809625fcca0), [`9dee4cc`](https://github.com/cloudflare/workers-sdk/commit/9dee4ccac78a5027fccc7dbef9e39fae25a681df), [`f623ae4`](https://github.com/cloudflare/workers-sdk/commit/f623ae4360b24708fdc2687b168c1f70954d321d), [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777), [`39d8717`](https://github.com/cloudflare/workers-sdk/commit/39d8717208feab9801b73a8ef781e181c258a6f6), [`ee56ec0`](https://github.com/cloudflare/workers-sdk/commit/ee56ec0b823f761afd4bc2012594f3739948a904)]: - - miniflare@4.20260527.0 - 
- wrangler@4.96.0 - ## 0.16.10 ### Patch Changes diff --git a/packages/vitest-pool-workers/package.json b/packages/vitest-pool-workers/package.json index 841d11180b..c0c1ba2477 100644 --- a/packages/vitest-pool-workers/package.json +++ b/packages/vitest-pool-workers/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/vitest-pool-workers", - "version": "0.16.11", + "version": "0.16.10", "description": "Workers Vitest integration for writing Vitest unit and integration tests that run inside the Workers runtime", "keywords": [ "cloudflare", diff --git a/packages/workers-utils/CHANGELOG.md b/packages/workers-utils/CHANGELOG.md index 5fca3865bd..6da6542d14 100644 --- a/packages/workers-utils/CHANGELOG.md +++ b/packages/workers-utils/CHANGELOG.md 
@@ -1,73 +1,5 @@ # @cloudflare/workers-utils -## 0.22.0 - -### Minor Changes - -- [#13955](https://github.com/cloudflare/workers-sdk/pull/13955) [`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74) Thanks [@G4brym](https://github.com/G4brym)! - Add support for the new `web_search` binding kind. - - Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in `wrangler.jsonc`: - - ```jsonc - { - "web_search": { "binding": "WEBSEARCH" } - } - ``` - - There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single `search()` method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global `fetch()` API against the result's `url`. - - The binding is **always remote** in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the `websearch.run` OAuth scope to `wrangler login`. - - Also adds a `wrangler websearch search` command for running ad-hoc queries from the CLI: - - ```sh - npx wrangler websearch search "cloudflare workers" - npx wrangler websearch search "cloudflare workers" --limit 5 - npx wrangler websearch search "cloudflare workers" --json - ``` - - `--limit` is optional (defaults to 10, capped at 20). `--json` prints the raw response; without it the results render as a pretty table. - -- [#13860](https://github.com/cloudflare/workers-sdk/pull/13860) [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777) Thanks [@oliy](https://github.com/oliy)! - Rename `pipeline` field to `stream` in pipeline bindings configuration - - The `pipeline` field inside `pipelines` bindings has been renamed to `stream` to align with the updated API wire format. 
The old `pipeline` field is still accepted but deprecated and will emit a warning. - - Before: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "pipeline": "my-stream-name" - } - ] - } - ``` - - After: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "stream": "my-stream-name" - } - ] - } - ``` - -### Patch Changes - -- [#12400](https://github.com/cloudflare/workers-sdk/pull/12400) [`d4177ce`](https://github.com/cloudflare/workers-sdk/commit/d4177ce1ba23e67cfe8cbc6a181ac6b2c510d1e9) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - Filter compatibility date fallback warning when no update is available - - The compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of `@cloudflare/vite-plugin` is available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version. - - The update-check logic has been extracted to `@cloudflare/workers-utils` so it can be shared across packages. - ## 0.21.1 ### Patch Changes diff --git a/packages/workers-utils/package.json b/packages/workers-utils/package.json index 3c83df5ca1..4128a1e5aa 100644 --- a/packages/workers-utils/package.json +++ b/packages/workers-utils/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/workers-utils", - "version": "0.22.0", + "version": "0.21.1", "description": "Internal utility package for workers-sdk. Not intended for external use — APIs may change without notice.", "homepage": "https://github.com/cloudflare/workers-sdk/tree/main/packages/workers-utils#readme", "bugs": { diff --git a/packages/wrangler/CHANGELOG.md b/packages/wrangler/CHANGELOG.md index 8da95b164d..553e3351c9 100644 --- a/packages/wrangler/CHANGELOG.md +++ b/packages/wrangler/CHANGELOG.md 
@@ -1,112 +1,5 @@ # wrangler -## 4.96.0 - -### Minor Changes - -- [#13955](https://github.com/cloudflare/workers-sdk/pull/13955) [`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74) Thanks [@G4brym](https://github.com/G4brym)! - Add support for the new `web_search` binding kind. - - Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in `wrangler.jsonc`: - - ```jsonc - { - "web_search": { "binding": "WEBSEARCH" } - } - ``` - - There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single `search()` method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global `fetch()` API against the result's `url`. - - The binding is **always remote** in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the `websearch.run` OAuth scope to `wrangler login`. - - Also adds a `wrangler websearch search` command for running ad-hoc queries from the CLI: - - ```sh - npx wrangler websearch search "cloudflare workers" - npx wrangler websearch search "cloudflare workers" --limit 5 - npx wrangler websearch search "cloudflare workers" --json - ``` - - `--limit` is optional (defaults to 10, capped at 20). `--json` prints the raw response; without it the results render as a pretty table. - -- [#14071](https://github.com/cloudflare/workers-sdk/pull/14071) [`f623ae4`](https://github.com/cloudflare/workers-sdk/commit/f623ae4360b24708fdc2687b168c1f70954d321d) Thanks [@sherryliu-lsy](https://github.com/sherryliu-lsy)! - Add confirmation prompt to `wrangler containers images delete` - - Previously, running `wrangler containers images delete IMAGE:TAG` would delete the image immediately with no confirmation. 
The command now prompts for confirmation before deleting. Use `-y` or `--skip-confirmation` to bypass the prompt in non-interactive or scripted environments. - -- [#13860](https://github.com/cloudflare/workers-sdk/pull/13860) [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777) Thanks [@oliy](https://github.com/oliy)! - Rename `pipeline` field to `stream` in pipeline bindings configuration - - The `pipeline` field inside `pipelines` bindings has been renamed to `stream` to align with the updated API wire format. The old `pipeline` field is still accepted but deprecated and will emit a warning. - - Before: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "pipeline": "my-stream-name" - } - ] - } - ``` - - After: - - ```jsonc - // wrangler.json - { - "pipelines": [ - { - "binding": "MY_PIPELINE", - "stream": "my-stream-name" - } - ] - } - ``` - -- [#13960](https://github.com/cloudflare/workers-sdk/pull/13960) [`39d8717`](https://github.com/cloudflare/workers-sdk/commit/39d8717208feab9801b73a8ef781e181c258a6f6) Thanks [@cmackenzie1](https://github.com/cmackenzie1)! - Allow pipeline, stream, and sink commands to resolve resources by name with pagination-aware lookups. - -- [#14019](https://github.com/cloudflare/workers-sdk/pull/14019) [`ee56ec0`](https://github.com/cloudflare/workers-sdk/commit/ee56ec0b823f761afd4bc2012594f3739948a904) Thanks [@danielrs](https://github.com/danielrs)! - Support deleting secrets via `wrangler secret bulk` - - You can now delete secrets in bulk by setting their value to `null` in the JSON input file: - - ```json - { "SECRET_TO_DELETE": null, "SECRET_TO_UPDATE": "new-value" } - ``` - -### Patch Changes - -- [#14068](https://github.com/cloudflare/workers-sdk/pull/14068) [`2c1d8b2`](https://github.com/cloudflare/workers-sdk/commit/2c1d8b23dcf666a5626e389e37d027d71a56e5e3) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! 
- Bump `rosie-skills` package from 0.6.3 to 0.7.6 - -- [#14062](https://github.com/cloudflare/workers-sdk/pull/14062) [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc) Thanks [@dario-piotrowicz](https://github.com/dario-piotrowicz)! - Update dependencies of "miniflare", "wrangler" - - The following dependency versions have been updated: - - | Dependency | From | To | - | ---------- | ------------ | ------------ | - | workerd | 1.20260526.1 | 1.20260527.1 | - -- [#13815](https://github.com/cloudflare/workers-sdk/pull/13815) [`5fa3de6`](https://github.com/cloudflare/workers-sdk/commit/5fa3de663217683d59c9a0fc95d99b616d558619) Thanks [@penalosa](https://github.com/penalosa)! - Disable Sentry error reporting by default - - `WRANGLER_SEND_ERROR_REPORTS` now defaults to `false` instead of prompting on every error. The current prompt produces too many false-positive reports. Users can still opt in explicitly by setting `WRANGLER_SEND_ERROR_REPORTS=true`. - -- [#14074](https://github.com/cloudflare/workers-sdk/pull/14074) [`37176e5`](https://github.com/cloudflare/workers-sdk/commit/37176e523055da69b56d0306b2d272a45d6e3b27) Thanks [@MattieTK](https://github.com/MattieTK)! - Fix `wrangler setup` failing for Vite projects without a config file - - `wrangler setup` (and `wrangler deploy --experimental-autoconfig`) crashed with "Could not find Vite config file to modify" for Vite projects that don't have a `vite.config.js` or `vite.config.ts`. This affected 6 of the 16 `create-vite` templates: `vanilla`, `vanilla-ts`, `react-swc`, `react-swc-ts`, `lit`, and `lit-ts`. - - Autoconfig now creates a minimal Vite config with the Cloudflare plugin when no config file exists, instead of failing. The file extension (`.ts` or `.js`) is chosen based on whether the project has a `tsconfig.json`. 
- -- [#14026](https://github.com/cloudflare/workers-sdk/pull/14026) [`66d86ba`](https://github.com/cloudflare/workers-sdk/commit/66d86baf52fb62bbae9e04d2b0cd3809625fcca0) Thanks [@matingathani](https://github.com/matingathani)! - Show helpful message with URL when browser cannot be opened in headless/container environments - - Previously, running `wrangler login` (or any command that opens a browser) in headless Linux environments without `xdg-open` installed would crash with a confusing "A file or directory could not be found — Missing file or directory: xdg-open" error. - - Now wrangler catches the error and prints a clear warning with the URL so users can copy-paste it into a browser manually. - -- [#14020](https://github.com/cloudflare/workers-sdk/pull/14020) [`9dee4cc`](https://github.com/cloudflare/workers-sdk/commit/9dee4ccac78a5027fccc7dbef9e39fae25a681df) Thanks [@shiminshen](https://github.com/shiminshen)! - `wrangler secrets-store secret create` and `secret update` now reject secret values larger than 64 KiB (65,536 bytes) with a clear error before calling the Cloudflare API. Previously the CLI accepted them, the secret appeared in `secret list`, and the failure surfaced later (and confusingly) at worker deploy time as a "secret doesn't exist" error against the binding. 64 KiB is the cap enforced by the API; the CLI now enforces it at the same boundary. - -- Updated dependencies [[`a2ef1a3`](https://github.com/cloudflare/workers-sdk/commit/a2ef1a323bfe0052b53f5eddb302bd6bd0d45a74), [`ce4eb20`](https://github.com/cloudflare/workers-sdk/commit/ce4eb20884d350ac68237fe833a1582dcb9f15fc), [`0ce88ea`](https://github.com/cloudflare/workers-sdk/commit/0ce88eaddd7d3329ceee3b796d90e8711e48a34f), [`c8c7ec0`](https://github.com/cloudflare/workers-sdk/commit/c8c7ec0bde012ffe9fefe01cb15c7b0d030a6777)]: - - miniflare@4.20260527.0 - ## 4.95.0 ### Minor Changes 
diff --git a/packages/wrangler/package.json b/packages/wrangler/package.json index 0f360eb8dd..007ce37dbc 100644 --- a/packages/wrangler/package.json +++ b/packages/wrangler/package.json @@ -1,6 +1,6 @@ { "name": "wrangler", - "version": "4.96.0", + "version": "4.95.0", "description": "Command-line interface for all things Cloudflare Workers", "keywords": [ "assembly", From 967f18fe5481fcb86aca4596548349667b16581a Mon Sep 17 00:00:00 2001 From: Dario Piotrowicz Date: Thu, 28 May 2026 17:46:54 +0100 Subject: [PATCH 2/4] Add `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"` to changesets.yml to avoid unnecessary playwright browser downloads (#14088) --- .github/workflows/changesets.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 24487a4200..9e623b64bb 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -10,6 +10,11 @@ permissions: contents: read # note: no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN +env: + # This workflow only builds and publishes — it never runs Playwright tests. + # Skip the browser download to avoid the postinstall script hanging in CI. + PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1" + jobs: release: if: ${{ github.repository_owner == 'cloudflare' }} From 8efb713b48a7253d810cc4c0498ea516012ecc22 Mon Sep 17 00:00:00 2001 
From: Ben <4991309+NuroDev@users.noreply.github.com> Date: Thu, 28 May 2026 18:13:43 +0100 Subject: [PATCH 3/4] ci: harden actions (#14047) --- .github/workflows/README.md | 15 ++++++++ .github/workflows/auto-assign-issues.yml | 6 ++-- .github/workflows/bonk-pr-review.yml | 10 +++--- .github/workflows/bonk.yml | 14 +++++--- .../c3-dependabot-versioning-prs.yml | 12 ++++--- .github/workflows/c3-e2e.yml | 14 ++++---- .github/workflows/changeset-review.yml | 3 +- .github/workflows/changesets.yml | 5 +-- .github/workflows/codeowners.yml | 5 +-- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/deploy-previews.yml | 3 +- .github/workflows/e2e-local-explorer-ui.yml | 5 +-- .github/workflows/e2e-project-cleanup.yml | 3 +- .github/workflows/e2e-vite.yml | 5 +-- .github/workflows/e2e-wrangler.yml | 5 +-- .github/workflows/hotfix-release.yml | 21 ++++++++--- .github/workflows/issues.yml | 10 +++--- .../miniflare-dependabot-versioning-prs.yml | 12 ++++--- .github/workflows/prerelease.yml | 3 +- .../workflows/rerun-codeowners-privileged.yml | 2 +- .github/workflows/rerun-codeowners.yml | 4 ++- .github/workflows/rerun-remote-tests.yml | 5 +-- .../workflows/run-ci-for-external-forks.yml | 3 +- .github/workflows/semgrep.yml | 5 +-- .../workflows/test-and-check-other-node.yml | 16 ++++++--- .github/workflows/test-and-check.yml | 12 ++++--- .github/workflows/triage-issue.yml | 35 +++++++++++-------- .github/workflows/validate-pr-description.yml | 3 +- .github/workflows/vite-plugin-playgrounds.yml | 6 ++-- ...nd-preview-testing-env-deploy-and-test.yml | 3 +- .../workers-shared-deploy-production.yml | 3 +- .../workers-shared-deploy-staging.yml | 3 +- 32 files changed, 166 insertions(+), 87 deletions(-) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 7959d53d26..ff975ee05e 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md 
@@ -4,6 +4,21 @@ See below for a summary of this repo's Actions - _Actions marked with "⚠️" are expected to sometimes fail._ +## Security auditing + +We use [`zizmor`](https://docs.zizmor.sh/) to audit GitHub Actions workflow definitions and keep CI workflows as safe as possible. When changing files in this directory, run: + +```sh +zizmor .github/workflows/*.yml +``` + +Workflow changes should avoid unsuppressed `zizmor` findings. In particular: + +- Pin external actions to immutable commit SHAs, not tags. +- Use `actions/checkout` v6 or newer so persisted credentials are stored under `$RUNNER_TEMP`; set `persist-credentials: false` when a job does not need follow-up authenticated Git operations. +- Pass GitHub expression values into shell steps through `env` instead of expanding `${{ ... }}` directly inside `run` blocks. +- Treat privileged triggers such as `pull_request_target` and `workflow_run` as security-sensitive. If a privileged trigger is required, document the safety model and add a targeted `zizmor` ignore with a reason. + ## PR related actions ### Tests + Checks (test-and-check.yml) diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml index cbcebe3c2e..16f24788a5 100644 --- a/.github/workflows/auto-assign-issues.yml +++ b/.github/workflows/auto-assign-issues.yml @@ -14,10 +14,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 # need this version for `Set` methods diff --git a/.github/workflows/bonk-pr-review.yml b/.github/workflows/bonk-pr-review.yml index 6219f76cd0..dfeb0c5413 100644 --- a/.github/workflows/bonk-pr-review.yml +++ b/.github/workflows/bonk-pr-review.yml 
@@ -26,20 +26,22 @@ jobs: STATUS=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /orgs/cloudflare/members/${{ github.event.pull_request.user.login }} \ + "/orgs/cloudflare/members/${PR_AUTHOR}" \ --silent -i 2>/dev/null | head -1 | awk '{print $2}') || true if [ "$STATUS" != "204" ]; then - echo "User ${{ github.event.pull_request.user.login }} is not a member of the Cloudflare organization" + echo "User ${PR_AUTHOR} is not a member of the Cloudflare organization" exit 1 fi - echo "User ${{ github.event.pull_request.user.login }} is a Cloudflare org member" + echo "User ${PR_AUTHOR} is a Cloudflare org member" env: GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }} + PR_AUTHOR: ${{ github.event.pull_request.user.login }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 30 + persist-credentials: false - name: Load review prompt id: prompt diff --git a/.github/workflows/bonk.yml b/.github/workflows/bonk.yml index ded54c3c53..3309116ef0 100644 --- a/.github/workflows/bonk.yml +++ b/.github/workflows/bonk.yml 
@@ -26,20 +26,22 @@ jobs: STATUS=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /orgs/cloudflare/members/${{ github.event.comment.user.login }} \ + "/orgs/cloudflare/members/${COMMENT_AUTHOR}" \ --silent -i 2>/dev/null | head -1 | awk '{print $2}') || true if [ "$STATUS" != "204" ]; then - echo "User ${{ github.event.comment.user.login }} is not a member of the Cloudflare organization" + echo "User ${COMMENT_AUTHOR} is not a member of the Cloudflare organization" exit 1 fi - echo "User ${{ github.event.comment.user.login }} is a Cloudflare org member" + echo "User ${COMMENT_AUTHOR} is a Cloudflare org member" env: GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }} + COMMENT_AUTHOR: ${{ github.event.comment.user.login }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Build prompt with triggering comment id: prompt @@ -47,7 +49,7 @@ jobs: { DELIMITER=$(openssl rand -hex 16) echo "value<<$DELIMITER" - echo "You were invoked by @${{ github.event.comment.user.login }} on ${{ github.event.comment.html_url }}" + echo "You were invoked by @${COMMENT_AUTHOR} on ${COMMENT_URL}" echo "" echo "Their comment:" echo '```' @@ -58,7 +60,9 @@ jobs: echo "$DELIMITER" } >> "$GITHUB_OUTPUT" env: + COMMENT_AUTHOR: ${{ github.event.comment.user.login }} COMMENT_BODY: ${{ github.event.comment.body }} + COMMENT_URL: ${{ github.event.comment.html_url }} - name: Run Bonk uses: ask-bonk/ask-bonk/github@c39e982defd0114385df54e72012a3fc4333c4d4 diff --git a/.github/workflows/c3-dependabot-versioning-prs.yml b/.github/workflows/c3-dependabot-versioning-prs.yml index df73b455fb..9e1964abe3 100644 --- a/.github/workflows/c3-dependabot-versioning-prs.yml +++ b/.github/workflows/c3-dependabot-versioning-prs.yml 
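Review bot: `COMMENT_AUTHOR: ${{ github.event.comment.user.login }}` is now declared twice in bonk.yml, once on the org-membership step and again on the prompt-building step, so the two copies have to be kept in sync by hand. Moving it, together with the new `COMMENT_URL`, into a job-level `env:` block would give both steps the same value from one definition and keep the membership check and the prompt text consistent. The per-step `GH_TOKEN` and `COMMENT_BODY` can stay where they are, since each is used by only one step.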
@@ -1,6 +1,6 @@ name: "C3 - Generate changesets for dependabot PRs" on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] dependabot-only job requires write access to push generated changesets; checkout v6 persists credentials under RUNNER_TEMP paths: - "packages/create-cloudflare/src/frameworks/package.json" @@ -13,12 +13,14 @@ jobs: generate-changeset: runs-on: ubuntu-slim if: | - github.event.pull_request.user.login == 'dependabot[bot]' + github.event.pull_request.user.login == 'dependabot[bot]' && + github.event.pull_request.head.repo.full_name == github.repository steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: true ref: ${{ github.head_ref }} token: ${{ secrets.GH_ACCESS_TOKEN }} @@ -32,4 +34,6 @@ jobs: - name: Generate C3 changesets # Keep the final param (the changeset prefix: `c3-frameworks-update`) in sync with the filter in the `.github/workflows/c3-e2e-dependabot.yml` workflow. - run: node -r esbuild-register tools/dependabot/generate-dependabot-pr-changesets.ts ${{ github.event.number }} create-cloudflare packages/create-cloudflare/src/frameworks/package.json c3-frameworks-update + run: node -r esbuild-register tools/dependabot/generate-dependabot-pr-changesets.ts "$PR_NUMBER" create-cloudflare packages/create-cloudflare/src/frameworks/package.json c3-frameworks-update + env: + PR_NUMBER: ${{ github.event.number }} diff --git a/.github/workflows/c3-e2e.yml b/.github/workflows/c3-e2e.yml index a48e8dbd0f..544f20b327 100644 --- a/.github/workflows/c3-e2e.yml +++ b/.github/workflows/c3-e2e.yml @@ -44,9 +44,10 @@ jobs: runs-on: ${{ matrix.os.name }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes 
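Review bot: The `zizmor: ignore[dangerous-triggers]` reason on the `pull_request_target` line of c3-dependabot-versioning-prs.yml does not mention the guard that actually keeps fork code away from `GH_ACCESS_TOKEN`: the job checks out `${{ github.head_ref }}` with `persist-credentials: true` and then executes `tools/dependabot/generate-dependabot-pr-changesets.ts` from that checkout, and it is the new `github.event.pull_request.head.repo.full_name == github.repository` condition, not the dependabot-author check alone, that ensures the executed script comes from a branch in this repository. Extending the reason to something like `…; job runs only for dependabot PRs from same-repo branches, so the executed changeset script never comes from a fork` records why the ignore is safe next to the trigger that zizmor flags. The matching hunks in miniflare-dependabot-versioning-prs.yml have the same ignore comment and would benefit from the same wording.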
@@ -95,7 +96,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} # Needed for begit to clone the repo in the e2e tests for solid-start - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ !cancelled() && steps.changes.outputs.everything_but_markdown == 'true' }} with: name: ${{ format('e2e-logs-{0}-{1}-{2}-{3}', matrix.pm.name, matrix.os.description, matrix.experimental && 'experimental' || 'normal', matrix.filter) }} @@ -103,7 +104,7 @@ jobs: include-hidden-files: true - name: Upload Turbo Summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ !cancelled() && steps.changes.outputs.everything_but_markdown == 'true' }} with: name: ${{ format('turbo-runs-{0}-{1}-{2}-{3}', matrix.pm.name, matrix.os.description, matrix.experimental && 'experimental' || 'normal', matrix.filter) }} @@ -132,9 +133,10 @@ jobs: runs-on: ${{ matrix.os.name }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes @@ -209,7 +211,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - name: Upload Logs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ !cancelled() && steps.check-frameworks.outputs.run_frameworks == 'true' && steps.changes.outputs.everything_but_markdown == 'true' }} with: name: ${{ format('e2e-logs-{0}-{1}-{2}-frameworks', matrix.pm.name, matrix.os.description, matrix.experimental && 'experimental' || 'normal') }} 
@@ -217,7 +219,7 @@ jobs: include-hidden-files: true - name: Upload Turbo Summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: ${{ !cancelled() && steps.check-frameworks.outputs.run_frameworks == 'true' && steps.changes.outputs.everything_but_markdown == 'true' }} with: name: ${{ format('turbo-runs-{0}-{1}-{2}-frameworks', matrix.pm.name, matrix.os.description, matrix.experimental && 'experimental' || 'normal') }} diff --git a/.github/workflows/changeset-review.yml b/.github/workflows/changeset-review.yml index 6bf7eef090..d32daaad4e 100644 --- a/.github/workflows/changeset-review.yml +++ b/.github/workflows/changeset-review.yml @@ -21,9 +21,10 @@ jobs: if: github.event.pull_request.head.repo.full_name == github.repository steps: - name: Checkout changesets - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false sparse-checkout: | .changeset .github/opencode.json diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 9e623b64bb..488448d7dc 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -22,10 +22,11 @@ jobs: runs-on: macos-latest-large steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # See https://github.com/changesets/action/issues/187 token: ${{ secrets.GH_ACCESS_TOKEN }} + persist-credentials: true # Pull in more history to cover the changeset commits fetch-depth: 500 @@ -71,7 +72,7 @@ jobs: # builds native modules (tree-sitter) that are not compatible with # Node 24's C++20 requirement for V8 headers. - name: Switch to Node 22 for non-npm package deployments - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 
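Review bot: `persist-credentials: true` on the changesets.yml checkout carries no explanation, while the adjacent `token:` line is documented with an issue link; since this is exactly the setting that makes the `GH_ACCESS_TOKEN` PAT remain in the checkout for later steps, the reason belongs in the workflow. If a later release step pushes with that token, a comment such as `# kept so the release step can push with GH_ACCESS_TOKEN` on the `persist-credentials` line would make the choice auditable. The checkout in run-ci-for-external-forks.yml sets `persist-credentials: true` with the same token and likewise has no comment saying which later step relies on it.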
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml index c04fb0eeea..6f298e4391 100644 --- a/.github/workflows/codeowners.yml +++ b/.github/workflows/codeowners.yml @@ -9,7 +9,7 @@ name: "Code Owners" # - PR head commits are fetched as git objects only (never checked out or executed) # - The action only reads config files and calls the GitHub API on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] checks base branch ownership rules and fetches PR head for diff computation without executing PR code types: [opened, reopened, synchronize, ready_for_review, labeled, unlabeled] concurrency: @@ -28,9 +28,10 @@ jobs: steps: - name: "Checkout Base Branch" if: github.event.pull_request.head.ref != 'changeset-release/main' - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: "Fetch PR Head (for diff computation)" if: github.event.pull_request.head.ref != 'changeset-release/main' diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index fabdeaaa23..775142b047 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -22,7 +22,7 @@ name: "Dependabot - auto-merge workerd updates" # those tokens is the standard pwn vector. on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] intentionally privileged metadata-only workflow; it never checks out or executes PR code types: [opened, reopened, synchronize, ready_for_review] permissions: diff --git a/.github/workflows/deploy-previews.yml b/.github/workflows/deploy-previews.yml index 0100d5f8ab..b18b420581 100644 --- a/.github/workflows/deploy-previews.yml +++ b/.github/workflows/deploy-previews.yml 
@@ -36,9 +36,10 @@ jobs: runs-on: macos-latest-large steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies diff --git a/.github/workflows/e2e-local-explorer-ui.yml b/.github/workflows/e2e-local-explorer-ui.yml index 322b97c762..31786d61eb 100644 --- a/.github/workflows/e2e-local-explorer-ui.yml +++ b/.github/workflows/e2e-local-explorer-ui.yml @@ -21,9 +21,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes @@ -62,7 +63,7 @@ jobs: - name: Upload turbo logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: turbo-runs path: .turbo/runs diff --git a/.github/workflows/e2e-project-cleanup.yml b/.github/workflows/e2e-project-cleanup.yml index c74c6e57a2..e5d6306b3d 100644 --- a/.github/workflows/e2e-project-cleanup.yml +++ b/.github/workflows/e2e-project-cleanup.yml @@ -18,9 +18,10 @@ jobs: runs-on: ubuntu-slim steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies diff --git a/.github/workflows/e2e-vite.yml b/.github/workflows/e2e-vite.yml index 7ed1f7e799..d46a80cc6b 100644 --- a/.github/workflows/e2e-vite.yml +++ b/.github/workflows/e2e-vite.yml 
@@ -28,9 +28,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes @@ -72,7 +73,7 @@ jobs: - name: Upload turbo logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: turbo-runs-${{ matrix.os }} path: .turbo/runs diff --git a/.github/workflows/e2e-wrangler.yml b/.github/workflows/e2e-wrangler.yml index 78d97f3416..8a375dec8c 100644 --- a/.github/workflows/e2e-wrangler.yml +++ b/.github/workflows/e2e-wrangler.yml @@ -31,9 +31,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes @@ -87,7 +88,7 @@ jobs: - name: Upload turbo logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: turbo-runs-${{ matrix.os }}-shard-${{ matrix.shard }} path: .turbo/runs diff --git a/.github/workflows/hotfix-release.yml b/.github/workflows/hotfix-release.yml index 3a3ae45de1..c80c6511ad 100644 --- a/.github/workflows/hotfix-release.yml +++ b/.github/workflows/hotfix-release.yml @@ -18,6 +18,7 @@ on: permissions: contents: read + id-token: write jobs: hotfix-release: @@ -26,9 +27,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Check user for team affiliation uses: tspascoal/get-user-teams-membership@ba78054988f58bea69b7c6136d563236f8ed2fc0 # v2 
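Review bot: `id-token: write` is added to the top-level `permissions:` block of hotfix-release.yml without a comment, and because GitHub permissions cannot be scoped per step it is available to every step of the job — the third-party team-membership action and the dependency install included — not only to the publish step. Read together with the removal of `NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}` from the publish step in a later hunk this looks like a switch to OIDC-based npm publishing, but nothing in the file states that. A one-line comment on the permission, e.g. `# OIDC token for npm publishing in the "Publish packages" step; the team-affiliation check above gates who can reach it`, would let the next reader verify both the purpose and the control that guards it.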
@@ -45,9 +47,15 @@ jobs: exit 1 - name: "Checkout PR" - run: gh pr checkout ${{ inputs.pr-number }} + run: | + if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then + echo "::error::PR number must be numeric" + exit 1 + fi + gh pr checkout "$PR_NUMBER" env: GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + PR_NUMBER: ${{ inputs.pr-number }} - name: Install Dependencies # Defense in depth: do not pass Turbo remote cache credentials and @@ -64,6 +72,11 @@ jobs: CI_OS: ${{ runner.os }} - name: Publish packages - run: pnpm publish -r --tag ${{ inputs.label }} --filter wrangler --filter miniflare --filter create-cloudflare + run: | + if ! [[ "$NPM_TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then + echo "::error::npm dist-tag contains unsupported characters" + exit 1 + fi + pnpm publish -r --tag "$NPM_TAG" --filter wrangler --filter miniflare --filter create-cloudflare env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} + NPM_TAG: ${{ inputs.label }} diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 2037528569..cf10b49279 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml 
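Review bot: The `NPM_TAG` allow-list in the publish step still accepts `latest`, so a hotfix run could move the default dist-tag of wrangler, miniflare and create-cloudflare; if that is not intended, reject it explicitly ahead of the regex, e.g. `if [ "$NPM_TAG" = "latest" ]; then echo "::error::hotfix releases must not publish to the latest dist-tag"; exit 1; fi`. The pattern also admits tags that parse as semver versions such as `1.2.3`, which npm refuses as dist-tags, though that failure is at least loud. With `NODE_AUTH_TOKEN` removed the step shows no npm credential at all and presumably relies on the `id-token: write` permission added earlier in the file; a comment on the `pnpm publish` line naming that dependency would spare the next maintainer the cross-reference.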
@@ -13,28 +13,28 @@ jobs: name: Add issue to project runs-on: ubuntu-slim steps: - - uses: actions/add-to-project@v0.3.0 + - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 with: project-url: https://github.com/orgs/cloudflare/projects/1 github-token: ${{ secrets.GH_ACCESS_TOKEN }} labeled: bug, enhancement label-operator: OR - - uses: actions/add-to-project@v0.3.0 + - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 with: project-url: https://github.com/orgs/cloudflare/projects/2 github-token: ${{ secrets.GH_ACCESS_TOKEN }} labeled: pages - - uses: actions/add-to-project@v0.3.0 + - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 with: project-url: https://github.com/orgs/cloudflare/projects/6 github-token: ${{ secrets.GH_ACCESS_TOKEN }} labeled: d1 - - uses: actions/add-to-project@v0.3.0 + - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 with: project-url: https://github.com/orgs/cloudflare/projects/12 github-token: ${{ secrets.GH_ACCESS_TOKEN }} labeled: c3 - - uses: actions/add-to-project@v0.3.0 + - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0 with: project-url: https://github.com/orgs/cloudflare/projects/8 github-token: ${{ secrets.GH_ACCESS_TOKEN }} diff --git a/.github/workflows/miniflare-dependabot-versioning-prs.yml b/.github/workflows/miniflare-dependabot-versioning-prs.yml index c1fc5cb5b6..68f79b5f8d 100644 --- a/.github/workflows/miniflare-dependabot-versioning-prs.yml +++ b/.github/workflows/miniflare-dependabot-versioning-prs.yml @@ -1,7 +1,7 @@ name: "Miniflare - Generate changesets for dependabot PRs" on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] dependabot-only job requires write access to push generated changesets; checkout v6 persists credentials under RUNNER_TEMP paths: - "packages/miniflare/package.json" 
@@ -14,12 +14,14 @@ jobs: generate-changeset: runs-on: ubuntu-slim if: | - github.event.pull_request.user.login == 'dependabot[bot]' + github.event.pull_request.user.login == 'dependabot[bot]' && + github.event.pull_request.head.repo.full_name == github.repository steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + persist-credentials: true ref: ${{ github.head_ref }} token: ${{ secrets.GH_ACCESS_TOKEN }} @@ -39,7 +41,9 @@ jobs: # - Changeset prefix: The prefix to go on the front of the filename of the generated changeset run: >- node -r esbuild-register tools/dependabot/generate-dependabot-pr-changesets.ts - ${{ github.event.number }} + "$PR_NUMBER" miniflare,wrangler packages/miniflare/package.json dependabot-update + env: + PR_NUMBER: ${{ github.event.number }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index ee364c9e5d..d6e25a2f72 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -23,9 +23,10 @@ jobs: timeout-minutes: 30 steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies # Defense in depth: do not pass Turbo remote cache credentials and diff --git a/.github/workflows/rerun-codeowners-privileged.yml b/.github/workflows/rerun-codeowners-privileged.yml index a348cb07ae..1474bf7257 100644 --- a/.github/workflows/rerun-codeowners-privileged.yml +++ b/.github/workflows/rerun-codeowners-privileged.yml 
@@ -31,7 +31,7 @@ name: "Rerun Code Owners (Privileged)" # From the check run's details_url we extract the Actions job ID, then # re-run that specific job. on: - workflow_run: + workflow_run: # zizmor: ignore[dangerous-triggers] privileged companion reruns a fixed default-branch workflow using GitHub-provided workflow_run metadata only workflows: ["Rerun Code Owners"] types: [completed] diff --git a/.github/workflows/rerun-codeowners.yml b/.github/workflows/rerun-codeowners.yml index 7a9836317f..0d940a0eff 100644 --- a/.github/workflows/rerun-codeowners.yml +++ b/.github/workflows/rerun-codeowners.yml @@ -30,4 +30,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Log trigger - run: echo "Review event on ${{ github.event.pull_request.html_url }} — privileged rerun will follow." + run: echo "Review event on ${PR_URL}, privileged rerun will follow." + env: + PR_URL: ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/rerun-remote-tests.yml b/.github/workflows/rerun-remote-tests.yml index ef04b54734..5363437016 100644 --- a/.github/workflows/rerun-remote-tests.yml +++ b/.github/workflows/rerun-remote-tests.yml @@ -14,7 +14,7 @@ name: "Rerun Remote Tests" # runs code from the default branch — fork authors cannot modify it — and only # calls the Actions API (no checkout of untrusted code). on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] label-driven rerun workflow needs actions:write and does not check out or execute PR code types: [labeled, unlabeled] permissions: {} 
@@ -31,10 +31,11 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} + LABEL_NAME: ${{ github.event.label.name }} REPO: ${{ github.repository }} run: | # Determine which workflows to re-run based on the label. - if [ "${{ github.event.label.name }}" = "run-remote-tests" ]; then + if [ "$LABEL_NAME" = "run-remote-tests" ]; then WORKFLOWS="e2e-wrangler.yml e2e-vite.yml c3-e2e.yml" else WORKFLOWS="c3-e2e.yml" diff --git a/.github/workflows/run-ci-for-external-forks.yml b/.github/workflows/run-ci-for-external-forks.yml index 233ad2cd58..1d7e8e4d21 100644 --- a/.github/workflows/run-ci-for-external-forks.yml +++ b/.github/workflows/run-ci-for-external-forks.yml @@ -25,9 +25,10 @@ jobs: runs-on: ubuntu-slim steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: true token: ${{ secrets.GH_ACCESS_TOKEN }} - name: Check user for team affiliation diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 7bcb9d2a60..2e5e914b7c 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -16,11 +16,12 @@ jobs: name: semgrep-oss runs-on: ubuntu-slim steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - id: cache-semgrep - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.local key: semgrep-1.160.0-${{ runner.os }} diff --git a/.github/workflows/test-and-check-other-node.yml b/.github/workflows/test-and-check-other-node.yml index 306745cb10..8857cd6847 100644 --- a/.github/workflows/test-and-check-other-node.yml +++ b/.github/workflows/test-and-check-other-node.yml 
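Review bot: In `run-ci-for-external-forks.yml` the checkout sets `persist-credentials: true` together with `token: ${{ secrets.GH_ACCESS_TOKEN }}` and `fetch-depth: 0`, which leaves the PAT in `.git/config` for every later step of a job that, by its name, handles PRs from external forks; the rest of the job is outside the hunk, so it is not visible here which step needs that. The explicit `true` is clearly intentional, but it is the opposite of the `false` added to the other checkouts in this patch and deserves a one-line justification, e.g. `persist-credentials: true # <STEP-NAME> pushes with GH_ACCESS_TOKEN — TODO confirm`. If no subsequent step pushes or fetches with git, `false` is the safer choice and the token can be passed to that step's `env` instead.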
@@ -29,9 +29,10 @@ jobs: steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Filter changed paths uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 @@ -43,11 +44,16 @@ jobs: - name: Check if should run tests id: should_run + env: + CHANGES_EVERYTHING_BUT_MARKDOWN: ${{ steps.changes.outputs.everything_but_markdown }} + EXPECTED_TO_FAIL: ${{ matrix.expected_to_fail }} + HAS_TEST_ALL_NODE_VERSIONS_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'test all node versions') }} + HEAD_REF: ${{ github.event.pull_request.head.ref }} run: | - if [[ "${{ steps.changes.outputs.everything_but_markdown }}" == "true" ]] && \ - [[ "${{ matrix.expected_to_fail }}" != "true" || \ - "${{ github.event.pull_request.head.ref }}" == "changeset-release/main" || \ - "${{ contains(github.event.pull_request.labels.*.name, 'test all node versions') }}" == "true" ]]; then + if [[ "$CHANGES_EVERYTHING_BUT_MARKDOWN" == "true" ]] && \ + [[ "$EXPECTED_TO_FAIL" != "true" || \ + "$HEAD_REF" == "changeset-release/main" || \ + "$HAS_TEST_ALL_NODE_VERSIONS_LABEL" == "true" ]]; then echo "result=true" >> $GITHUB_OUTPUT else echo "result=false" >> $GITHUB_OUTPUT diff --git a/.github/workflows/test-and-check.yml b/.github/workflows/test-and-check.yml index 2bb4670273..bcb0935b9c 100644 --- a/.github/workflows/test-and-check.yml +++ b/.github/workflows/test-and-check.yml @@ -29,9 +29,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies 
@@ -74,7 +75,7 @@ jobs: # Check for old Node.js version warnings and errors - name: Use Node.js v20 - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 @@ -109,9 +110,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - name: Filter changed paths uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 @@ -150,7 +152,7 @@ jobs: # `fixtures`. - name: Restore Chrome browser cache (Browser Run) if: steps.changes.outputs.everything_but_markdown == 'true' && (matrix.suite == 'packages-and-tools' || (matrix.suite == 'fixtures' && matrix.os != 'ubuntu-latest')) - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: # The Chrome version lives in # `packages/miniflare/src/plugins/browser-rendering/browser-version.ts`. @@ -201,7 +203,7 @@ jobs: - name: Upload turbo logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: turbo-runs-${{ matrix.os }}-${{ matrix.suite }} path: .turbo/runs diff --git a/.github/workflows/triage-issue.yml b/.github/workflows/triage-issue.yml index ed75380b62..2369843fed 100644 --- a/.github/workflows/triage-issue.yml +++ b/.github/workflows/triage-issue.yml 
@@ -31,16 +31,21 @@ jobs: steps: - name: Resolve issue number id: issue + env: + EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + EVENT_NAME: ${{ github.event_name }} + INPUT_ISSUE_NUMBER: ${{ inputs.issue-number }} run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "number=${{ inputs.issue-number }}" >> "$GITHUB_OUTPUT" + if [ "$EVENT_NAME" = "workflow_dispatch" ]; then + echo "number=${INPUT_ISSUE_NUMBER}" >> "$GITHUB_OUTPUT" else - echo "number=${{ github.event.issue.number }}" >> "$GITHUB_OUTPUT" + echo "number=${EVENT_ISSUE_NUMBER}" >> "$GITHUB_OUTPUT" fi - name: Checkout (sparse — just the skill and opencode config) - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false sparse-checkout: | .github/skills .github/opencode.json @@ -53,24 +58,24 @@ jobs: - name: Fetch issue data env: GH_TOKEN: ${{ github.token }} + ISSUE: ${{ steps.issue.outputs.number }} + REPO: ${{ github.repository }} run: | - ISSUE=${{ steps.issue.outputs.number }} - mkdir -p data/${ISSUE} + mkdir -p "data/${ISSUE}" - gh issue view ${ISSUE} \ - --repo ${{ github.repository }} \ + gh issue view "$ISSUE" \ + --repo "$REPO" \ --json number,title,body,comments,createdAt,updatedAt,labels,state,author \ - > data/${ISSUE}/context.json + > "data/${ISSUE}/context.json" - name: Analyze issue with OpenCode env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }} CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }} CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }} + ISSUE: ${{ steps.issue.outputs.number }} + REPO: ${{ github.repository }} run: | - ISSUE=${{ steps.issue.outputs.number }} - REPO=${{ github.repository }} - opencode run \ --print-logs \ "Analyze GitHub issue ${REPO}#${ISSUE} using the skill at .github/skills/issue-review.md. 
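Review bot: The `Resolve issue number` step writes `INPUT_ISSUE_NUMBER` to `$GITHUB_OUTPUT` verbatim on the `workflow_dispatch` path, and the `@@ -53,24` and `@@ -88,9` hunks then use that value as a path component (`mkdir -p "data/${ISSUE}"`, `data/${ISSUE}/context.json`) and as the `gh issue view "$ISSUE"` argument, but nothing checks that it is numeric (whether the input is declared with `type: number` is outside the hunk). A value containing `/`, `..` or a newline would change the directory layout or add extra output keys; dispatching needs write access, so this is hardening rather than an open hole, but a guard before the `echo` closes it for all three hunks, e.g. `[[ "$INPUT_ISSUE_NUMBER" =~ ^[0-9]+$ ]] || { echo "::error::issue-number must be numeric"; exit 1; }`. Moving the inline `${{ }}` expressions into `env` is the right change and the quoting in the later steps is correct.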
@@ -88,9 +93,9 @@ jobs: CF_ACCESS_CLIENT_ID: ${{ secrets.CF1_ACCESS_CLIENT_ID }} CF_ACCESS_CLIENT_SECRET: ${{ secrets.CF1_ACCESS_CLIENT_SECRET }} DASHBOARD_URL: ${{ secrets.REPORTS_DASHBOARD_URL }} + ISSUE: ${{ steps.issue.outputs.number }} + REPO: ${{ github.repository }} run: | - ISSUE=${{ steps.issue.outputs.number }} - # Check files were created if [ ! -f "data/${ISSUE}/report.md" ]; then echo "::error::report.md was not generated" @@ -114,7 +119,7 @@ jobs: # Build JSON payload PAYLOAD=$(jq -n \ --arg title "$TITLE" \ - --arg githubUrl "https://github.com/${{ github.repository }}/issues/${ISSUE}" \ + --arg githubUrl "https://github.com/${REPO}/issues/${ISSUE}" \ --arg recommendation "$RECOMMENDATION" \ --arg difficulty "$DIFFICULTY" \ --arg reasoning "$REASONING" \ diff --git a/.github/workflows/validate-pr-description.yml b/.github/workflows/validate-pr-description.yml index 36848678f3..0fb505d963 100644 --- a/.github/workflows/validate-pr-description.yml +++ b/.github/workflows/validate-pr-description.yml @@ -30,9 +30,10 @@ jobs: runs-on: ubuntu-slim steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes diff --git a/.github/workflows/vite-plugin-playgrounds.yml b/.github/workflows/vite-plugin-playgrounds.yml index 3de951b39e..a94d62b48c 100644 --- a/.github/workflows/vite-plugin-playgrounds.yml +++ b/.github/workflows/vite-plugin-playgrounds.yml @@ -32,7 +32,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Filter changed paths uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: changes 
@@ -92,7 +94,7 @@ jobs: CI_OS: ${{ matrix.os }} - name: Upload turbo logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: turbo-runs-${{ matrix.os }}-${{ matrix.vite }} path: .turbo/runs diff --git a/.github/workflows/worker-playground-preview-testing-env-deploy-and-test.yml b/.github/workflows/worker-playground-preview-testing-env-deploy-and-test.yml index 01c6c79f39..a7e61d4ffb 100644 --- a/.github/workflows/worker-playground-preview-testing-env-deploy-and-test.yml +++ b/.github/workflows/worker-playground-preview-testing-env-deploy-and-test.yml @@ -30,9 +30,10 @@ jobs: steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies diff --git a/.github/workflows/workers-shared-deploy-production.yml b/.github/workflows/workers-shared-deploy-production.yml index 3ddf02b589..0eeb6ddd15 100644 --- a/.github/workflows/workers-shared-deploy-production.yml +++ b/.github/workflows/workers-shared-deploy-production.yml @@ -12,9 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies diff --git a/.github/workflows/workers-shared-deploy-staging.yml b/.github/workflows/workers-shared-deploy-staging.yml index e1efb9f0df..f344541782 100644 --- a/.github/workflows/workers-shared-deploy-staging.yml +++ b/.github/workflows/workers-shared-deploy-staging.yml 
@@ -16,9 +16,10 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout repo" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 + persist-credentials: false - name: Install Dependencies uses: ./.github/actions/install-dependencies From d0f0159996aaee6d59f96c785c33a62628ef1108 Mon Sep 17 00:00:00 2001 From: Dario Piotrowicz Date: Thu, 28 May 2026 19:51:41 +0100 Subject: [PATCH 4/4] Bump playwright-chromium package from 1.56.1 to 1.60.0 (#14090) --- pnpm-lock.yaml | 26 +++++++++++++------------- pnpm-workspace.yaml | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2ce01f65f0..763aead0f8 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -46,8 +46,8 @@ catalogs: specifier: ^11.0.0 version: 11.0.0 playwright-chromium: - specifier: ^1.56.1 - version: 1.56.1 + specifier: ^1.60.0 + version: 1.60.0 signal-exit: specifier: ^3.0.7 version: 3.0.7 @@ -1463,7 +1463,7 @@ importers: version: 6.5.1 playwright-chromium: specifier: catalog:default - version: 1.56.1 + version: 1.60.0 typescript: specifier: catalog:default version: 5.8.3 @@ -1490,7 +1490,7 @@ importers: version: 22.15.17 playwright-chromium: specifier: catalog:default - version: 1.56.1 + version: 1.60.0 typescript: specifier: catalog:default version: 5.8.3 @@ -2020,7 +2020,7 @@ importers: version: 9.2.1 playwright-chromium: specifier: catalog:default - version: 1.56.1 + version: 1.60.0 typescript: specifier: catalog:default version: 5.8.3 @@ -2485,7 +2485,7 @@ importers: version: link:../../workers-tsconfig playwright-chromium: specifier: catalog:default - version: 1.56.1 + version: 1.60.0 semver: specifier: ^7.7.1 version: 7.7.3 
@@ -12811,13 +12811,13 @@ packages: resolution: {integrity: sha512-8xCNE/aT/EXKenuMDZ+xTVwkT8gsoHN2z/Q29l80u0ppGEXVvsKRzNMbtKhg8LS8k1tJLAHHylf6p4VFmP6XUQ==} engines: {node: '>= 0.4.0'} - playwright-chromium@1.56.1: - resolution: {integrity: sha512-5TU+NMrofQg2j+DwIaQL/9eC84hs5YGz5Wng8OOdgq+kmu8usPLedxx2pJJ1Pb2TNFNiz3167RsUNFFvY3srNA==} + playwright-chromium@1.60.0: + resolution: {integrity: sha512-xxz9pc2HIxQW/Qg9ijG2fZOHRT//KhLo0KfvJRa45YYRrcA7ZONoilgJR40SW5pmecb6HkuROaeViXoCaXTZyQ==} engines: {node: '>=18'} hasBin: true - playwright-core@1.56.1: - resolution: {integrity: sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==} + playwright-core@1.60.0: + resolution: {integrity: sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==} engines: {node: '>=18'} hasBin: true @@ -23979,11 +23979,11 @@ snapshots: pkginfo@0.4.1: {} - playwright-chromium@1.56.1: + playwright-chromium@1.60.0: dependencies: - playwright-core: 1.56.1 + playwright-core: 1.60.0 - playwright-core@1.56.1: {} + playwright-core@1.60.0: {} pngjs@3.4.0: {} diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 13030e66f0..cf59b5ddd8 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -110,7 +110,7 @@ catalog: vite: "^8.0.12" "ws": "8.20.1" esbuild: "0.27.3" - playwright-chromium: "^1.56.1" + playwright-chromium: "^1.60.0" "@cloudflare/workers-types": "^4.20260528.1" workerd: "1.20260528.1" jsonc-parser: "^3.2.0"