Consolidate all open PRs: docs, CI fixes, Node.js 24, SHA pinning, training health#173
Conversation
…, SHA pinning, training health fix Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
There was a problem hiding this comment.
Hi @Copilot! 👋
Your private repo does not have access to Sourcery.
Please upgrade to continue using Sourcery ✨
|
|
||
| - name: Lint Markdown files | ||
| uses: DavidAnson/markdownlint-cli2-action@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 | ||
| uses: DavidAnson/markdownlint-cli2-action@v23 |
There was a problem hiding this comment.
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
🍰 Fixed in commit 371b4d2 🍰
| response = requests.post( | ||
| f"{BASE_URL}/api/aria/execute", | ||
| json={"command": command, "auto_execute": True, "use_llm": False}, | ||
| timeout=30, | ||
| ) | ||
| timeout=30) |
There was a problem hiding this comment.
There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.
🥳 Fixed in commit 50d3222 🥳
| response = requests.post( | ||
| f"{BASE_URL}/api/aria/execute", | ||
| json={"command": command, "auto_execute": False, "use_llm": False}, | ||
| timeout=30, | ||
| ) | ||
| timeout=30) |
There was a problem hiding this comment.
There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.
🚀 Fixed in commit 50d3222 🚀
There was a problem hiding this comment.
Hi @Bryan-Roe! 👋
Your private repo does not have access to Sourcery.
Please upgrade to continue using Sourcery ✨
|
@copilot resolve the merge conflicts in this pull request |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 85b92c4316
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| @@ -1,4 +1,3 @@ | |||
| -r requirements.txt | |||
| pytest>=7.0.0 | |||
There was a problem hiding this comment.
Restore base dependency include in requirements-dev.txt
Dropping -r requirements.txt from the dev requirements breaks workflows that install only requirements-dev.txt: for example, .github/workflows/llm-maker-tests.yml installs only that file, but ai-projects/llm-maker/src/tool_validator.py imports yaml, which is supplied by requirements.txt (PyYAML). In a clean CI environment this causes ModuleNotFoundError: No module named 'yaml', so the llm-maker test job can fail before running meaningful assertions.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
This PR consolidates multiple outstanding improvements across the repo, focusing on CI/workflow reliability and security hardening, training-health reporting correctness, and documentation alignment for prompt/agent behavior.
Changes:
- Hardens GitHub Actions workflows by SHA-pinning many third-party actions and opts key workflows into Node.js 24 for upcoming migration.
- Fixes training health reporting to distinguish “no data” from “degraded,” including an optional seed run to bootstrap status on fresh checkouts.
- Aligns Copilot/agent/prompt documentation around internal vs. user-visible reasoning behavior.
Reviewed changes
Copilot reviewed 45 out of 45 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/test_orchestrator_health_integration.py | Prevents leaking a partially-loaded function_app into sys.modules on import failure. |
| tests/test_orchestrator_health_in_status_endpoint.py | Same sys.modules cleanup for the status endpoint test loader. |
| requirements-dev.txt | Adjusts dev dependency list (notably removes including requirements.txt). |
| apps/aria/test_auto_execute.py | Minor request formatting tweak in auto-execute test helper. |
| README.md | Removes Codespaces Prebuilds badge reference. |
| .devcontainer/devcontainer.json | Ensures devcontainer installs requirements.txt before requirements-dev.txt. |
| .github/prompts/agi.prompt.md | Updates prompt metadata to clarify internal-only chain-of-thought behavior. |
| .github/copilot-instructions.md | Aligns agent/prompt descriptions with internal vs. exposed reasoning behavior. |
| .github/agents/agi-reasoning.agent.md | Updates agent description and trigger phrases to reflect internal-only reasoning output. |
| .github/COPILOT_SETUP_GUIDE.md | Updates setup guide prompt descriptions/examples for internal reasoning. |
| .github/workflows/workflow-validation.yml | Pins core actions to SHAs for workflow validation jobs. |
| .github/workflows/training-health-report.yml | Adds seed training + no_data output and refines degraded criteria/issue text. |
| .github/workflows/test-watcher.yml | Pins checkout/setup-python actions to SHAs. |
| .github/workflows/telemetry-trigger.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/site-bundle-validation.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/secrets-scan.yml | Pins checkout and gitleaks action to SHAs. |
| .github/workflows/release.yml | Pins checkout action to SHA. |
| .github/workflows/quantum-orchestration.yml | Pins checkout and azure/login actions to SHAs. |
| .github/workflows/quantum-ai-smoke.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/pr-tests.yml | Adds Node24 opt-in env; pins actions; installs requirements.txt before dev deps. |
| .github/workflows/pr-checks.yml | Adds Node24 opt-in env; pins checkout and labeler action to SHAs. |
| .github/workflows/platform-health-daily.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/pages.yml | Pins Pages-related actions to SHAs. |
| .github/workflows/nightly-regression.yml | Adds Node24 opt-in env; pins actions to SHAs. |
| .github/workflows/markdown-quality.yml | Updates markdownlint action version reference. |
| .github/workflows/makecode.yml | Removes submodule recursion; pins checkout/setup-node actions to SHAs. |
| .github/workflows/llm-maker-tests.yml | Pins checkout/setup-python actions to SHAs. |
| .github/workflows/integration-contract-gate.yml | Adds Node24 opt-in env; pins checkout/upload-artifact to SHAs. |
| .github/workflows/experiment-runner.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/e2e-tests.yml | Pins checkout actions to SHAs. |
| .github/workflows/devcontainer-ci.yml | Pins checkout/devcontainers CI action to SHAs. |
| .github/workflows/dependency-review.yml | Pins checkout/dependency-review action to SHAs. |
| .github/workflows/dataset-integrity.yml | Pins checkout actions to SHAs. |
| .github/workflows/coverage-report.yml | Pins checkout/upload-artifact/github-script actions to SHAs. |
| .github/workflows/codeql.yml | Pins checkout and CodeQL actions to SHAs. |
| .github/workflows/code-quality.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/ci-pipeline.yml | Adds Node24 opt-in env; pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/broken-links.yml | Removes invalid lychee flag; pins checkout action to SHA. |
| .github/workflows/azureml-train.yml | Pins checkout/azure actions to SHAs. |
| .github/workflows/autonomous-evolver.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/auto-validation.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/artifact-lifecycle.yml | Pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/aria-tests.yml | Pins checkout/setup-python/upload/download actions to SHAs. |
| .github/workflows/api-health-smoke.yml | Adds Node24 opt-in env; pins checkout/upload-artifact actions to SHAs. |
| .github/workflows/actionlint.yml | Pins checkout action to SHA. |
…finish-all-pull-requests # Conflicts: # .github/prompts/agi.prompt.md # .github/workflows/pr-tests.yml # .github/workflows/training-health-report.yml Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Head branch was pushed to by a user without write access
Merge conflicts resolved in commit
|
…ed as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
…ed as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
…ed as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
…ed as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
|
@copilot resolve the merge conflicts in this pull request |
…e endings, and incorporate new commits Changes incorporated from main: - SQL fallback hardening (PR #194) - Auto-merge gates (PR #193) - Pre-commit hook scoped to changed files (PR #192) - Line ending normalization via .gitattributes Conflict resolution strategy: - GitHub Actions workflow files: kept our SHA-pinned versions - All other conflicted files: took main's version - Preserved our security fixes (raise_for_status, XSS fixes, permissions) Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Merge conflicts resolved in commit
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: be3e6f8e9a
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| api_key = os.getenv("OPENAI_API_KEY") | ||
| if not api_key: | ||
| print( | ||
| "Error: missing OPENAI_API_KEY environment variable.", | ||
| file=sys.stderr, | ||
| ) | ||
| return EXIT_AUTH |
There was a problem hiding this comment.
Preserve the no-argument app entrypoint
When users run the documented startup command python app.py / ./.venv/bin/python app.py (README and mount start scripts still do this without an API key or prompt), this new entrypoint now exits immediately with EXIT_AUTH before starting the existing Aria runtime or a local app. That breaks the repository's primary local/Space launch path in any environment that is not specifically configured as an OpenAI CLI invocation.
Useful? React with 👍 / 👎.
| sys.path.insert(0, p) | ||
|
|
||
| try: |
There was a problem hiding this comment.
Pass the computed max_tokens override
For /api/quantum-llm/chat requests that include max_tokens, the endpoint builds gen_kwargs but then calls pipeline.generate(...) without unpacking it, and the pipeline's provider resolution uses self.config.max_tokens instead. As a result, the documented per-request max_tokens field is silently ignored for real providers.
Useful? React with 👍 / 👎.
| ) | ||
| scripts_dir = Path(__file__).resolve().parent / "scripts" | ||
| for p in [str(quantum_ml_src), str(scripts_dir)]: | ||
| if p not in sys.path: | ||
| sys.path.insert(0, p) | ||
|
|
||
| try: |
There was a problem hiding this comment.
Yield SSE chunks as they arrive
In the quantum streaming endpoint, _collect() drains the entire async stream into a list before the response generator yields anything, so clients using /api/quantum-llm/stream receive no meta or delta events until the provider has completely finished; long or slow streams therefore appear hung and an unbounded stream never sends the initial events. The wrapper should yield each chunk from the async iterator instead of collecting the whole result first.
Useful? React with 👍 / 👎.
|
|
||
| try: | ||
| client = OpenAI(**client_kwargs) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.
You can view more details about this finding in the Semgrep AppSec Platform.
| from openai import ( | ||
| APIConnectionError, | ||
| APIError, | ||
| AuthenticationError, | ||
| OpenAI, | ||
| RateLimitError, |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.
You can view more details about this finding in the Semgrep AppSec Platform.
| result = subprocess.run( | ||
| cmd, | ||
| cwd=str(REPO_ROOT), | ||
| check=False, | ||
| ) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dangerous-subprocess-use-audit.
You can view more details about this finding in the Semgrep AppSec Platform.
| sys.path.insert(0, p) | ||
|
|
||
| try: |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
function _drain is defined inside a function but never used
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by useless-inner-function.
You can view more details about this finding in the Semgrep AppSec Platform.
|
Semgrep found 16
Possibly found usage of AI: OpenAI |
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. OpenSSF Scorecard
Scanned Files
|
Summary
This PR consolidates the changes from all 18 open pull requests in the repository into a single coherent set of improvements.
Changes
Documentation (PRs #127, #128, #147, #164, #168)
copilot-instructions.mdagent table and prompt list to clarify thatagi.prompt.mduses hidden/internal chain-of-thought (not exposed to users), andreason.prompt.mdexposes reasoning stepsagi-reasoning.agent.mddescription to reflect internal self-reflection behavioragi.prompt.mdfront-matter to document hidden chain-of-thoughtCOPILOT_SETUP_GUIDE.mdto fix agi.prompt.md descriptionTraining Health Fix (PRs #140, #141, #165)
training-health-report.ymlwhen no training data exists (fresh checkouts with 0 cycles all showbest_acc=0.0 < 0.6)no_dataoutput to distinguish three states: Healthy / No Training Data / DEGRADEDCI Workflow Fixes (PR #149)
submodules: recursivepostCreateCommandnow installsrequirements.txttoorequirements.txtbeforerequirements-dev.txt--exclude-maillychee flagtest_orchestrator_health_integration.pyandtest_orchestrator_health_in_status_endpoint.pynow clean up partialfunction_appmodule fromsys.moduleson load failureCodespaces Prebuildsbadge from README (workflow no longer exists)-r requirements.txtinclude inrequirements-dev.txtto ensure base dependencies (e.g. PyYAML) are available in CI jobs that install only dev requirementsNode.js 24 Migration (PR #150)
Added
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: trueto 6 workflow files ahead of June 2026 forced migration:api-health-smoke.yml,ci-pipeline.yml,integration-contract-gate.yml,nightly-regression.yml,pr-checks.yml,pr-tests.ymlGitHub Actions SHA Pinning (PRs #157, #160, #162)
Pinned all third-party GitHub Actions across 35 workflow files to full 40-char commit SHAs to prevent supply chain attacks via mutable version tags.
Security Fixes
response.raise_for_status()after HTTP POST requests inapps/aria/test_auto_execute.py(plan_modeandexecute_mode) so HTTP errors are surfaced immediately rather than producing silent failuresPRs Superseded
The following PRs had their changes already incorporated in main before this PR:
Testing
except Exception: ... raisepattern in test files is intentional — catches all exceptions to clean upsys.modules, then always re-raises, so nothing is maskedChecklist