chore(deps): bump peter-evans/create-pull-request from 6 to 8 by dependabot[bot] · Pull Request #47 · podonos/onepin-python

dependabot · 2026-06-15T07:24:35Z

Bumps peter-evans/create-pull-request from 6 to 8.

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.0.0

What's new in v8

Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner for Node 24 support.

What's Changed

chore: Update checkout action version to v6 by @yonas in peter-evans/create-pull-request#4258

Update actions/checkout references to @v6 in docs by @Copilot in peter-evans/create-pull-request#4259

feat: v8 by @peter-evans in peter-evans/create-pull-request#4260

New Contributors

@yonas made their first contribution in peter-evans/create-pull-request#4258

@Copilot made their first contribution in peter-evans/create-pull-request#4259

Full Changelog: peter-evans/create-pull-request@v7.0.11...v8.0.0

Create Pull Request v7.0.11

What's Changed

fix: restrict remote prune to self-hosted runners by @peter-evans in peter-evans/create-pull-request#4250

Full Changelog: peter-evans/create-pull-request@v7.0.10...v7.0.11

Create Pull Request v7.0.10

⚙️ Fixes an issue where updating a pull request failed when targeting a forked repository with the same owner as its parent.

What's Changed

build(deps): bump the github-actions group with 2 updates by @dependabot[bot] in peter-evans/create-pull-request#4235

build(deps-dev): bump prettier from 3.6.2 to 3.7.3 in the npm group by @dependabot[bot] in peter-evans/create-pull-request#4240

fix: provider list pulls fallback for multi fork same owner by @peter-evans in peter-evans/create-pull-request#4245

New Contributors

@obnyis made their first contribution in peter-evans/create-pull-request#4064

Full Changelog: peter-evans/create-pull-request@v7.0.9...v7.0.10

Create Pull Request v7.0.9

⚙️ Fixes an incompatibility with the recently released actions/checkout@v6.

What's Changed

~70 dependency updates by @dependabot

docs: fix workaround description about ready_for_review by @ybiquitous in peter-evans/create-pull-request#3939

Docs: add-paths default behavior by @joeflack4 in peter-evans/create-pull-request#3928

docs: update to create-github-app-token v2 by @Goooler in peter-evans/create-pull-request#4063

Fix compatibility with actions/checkout@v6 by @ericsciple in peter-evans/create-pull-request#4230

New Contributors

@joeflack4 made their first contribution in peter-evans/create-pull-request#3928

@Goooler made their first contribution in peter-evans/create-pull-request#4063

@ericsciple made their first contribution in peter-evans/create-pull-request#4230

... (truncated)

Commits

5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
0041819 build(deps): bump picomatch (#4339)
b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
a45d1fb build(deps): bump @tootallnate/once and jest-environment-jsdom (#4323)
3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
3f3b473 build(deps): bump minimatch (#4311)
6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Typer CLI skeleton, pyproject.toml (hatchling + PEP 639), py.typed markers, full CI matrix (3.10-3.13 x 3 OS), OIDC publish workflow, release-please config, commitlint, RUNBOOK, and test suite stubs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Fern-generated SDK code at src/onepin/ (everything except _cli/) is owned by Fern and not subject to this project's style rules. Generated code uses patterns ruff rejects (E721 type comparisons, F841 unused vars in core/ serialization.py, etc.) — running ruff against it fails CI on every regen. Narrow lint scope to: - src/onepin/_cli/ (hand-rolled Typer CLI) - tests/ And narrow coverage scope to --cov=onepin._cli so the threshold reflects hand-rolled coverage only; generated code is opaque to our tests by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- src/onepin/_cli/main.py: stop importing __version__ from the package root (Fern's regen overwrites src/onepin/__init__.py and drops our version helper). Use importlib.metadata directly inside the CLI module. - pyproject.toml: pytest `testpaths = ["tests"]` so collection ignores src/onepin/tests/ that Fern ships with unregistered markers. - pyproject.toml: ruff `extend-exclude = ["src/onepin"]` for the same reason the CI lint step explicitly targets src/onepin/_cli. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…rwrite) Fern regen replaces src/onepin/__init__.py and drops any project-specific exports. Both main.py and _http.py imported `from onepin import __version__` which broke once a real Fern-generated client landed. Move the version helper to src/onepin/_cli/__init__.py (hand-rolled scope, Fern never touches) and import from there in both modules. Verified: local pytest green, 83.87% coverage. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…19ad52e34e (#2) Co-authored-by: kj-podonos <263298736+kj-podonos@users.noreply.github.com>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

release-please created `onepin-v0.2.0` (default for single-package repos: {component}-v{version}). The publish.yml trigger only matched plain `v*.*.*` so the tag push didn't fire the publish workflow. Two fixes: 1. publish.yml now accepts BOTH formats (`v*.*.*` and `onepin-v*.*.*`) so existing tag re-push triggers correctly. 2. release-please-config.json adds `include-component-in-tag: false` so future releases use plain `v0.X.Y` shape (cleaner for single-package repo). Also adds `workflow_dispatch` input for manual republishing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…tpypi-smoke

… on TestPyPI

## Summary - Adds repo-root `AGENTS.md` covering the Fern-generated vs hand-rolled boundary, dev commands and lint scoping, test layout, comment conventions, release flow, and common gotchas. Cross-tool readable (Claude Code, Cursor, Codex, Copilot all auto-discover `AGENTS.md`). - Adds `.claude/settings.json` + `.claude/hooks/post-edit-format.py` — a PostToolUse hook that runs `ruff check --fix` + `ruff format` on Python edits made by Claude Code. Scope is restricted to `src/onepin/_cli/` and `tests/` so the Fern-generated tree is never touched. Silent-fail; anchors on `__file__` rather than cwd; redirects stdin to `DEVNULL` to prevent inheritance hangs. - Scopes `make lint` to `src/onepin/_cli tests` to match CI. The prior unscoped `ruff check .` silently skipped `_cli/` because of the `tool.ruff.extend-exclude = [\"src/onepin\"]` setting in `pyproject.toml`, so local lint runs under-linted the hand-rolled CLI. - Adds `.omc/` and `agentdb.rvf*` to `.gitignore` (per-machine agent tooling artifacts). ## Review - Pre-landing review run via `/oh-my-claudecode:code-review`. Initial verdict was REQUEST CHANGES on 2 HIGH + 4 MEDIUM + 3 LOW findings; all 9 were addressed before commit. Hook tested across 5 scenarios (in-scope `.py`, in-scope `.pyi`, out-of-scope generated tree, malformed stdin JSON, cwd outside repo). - Public-repo sanitization swept: no internal secret names, Slack channels, internal infra URLs, or attribution to peer SDK repos appear in any shipped file. ## Test plan - [x] `make test` — 62 passed - [x] `make lint` — clean (33 files formatted) - [x] Hook end-to-end tested: in-scope edits trigger ruff; out-of-scope generated files skipped; malformed stdin and runtime errors silently no-op - [x] Hook works with cwd outside the repo (anchored on `__file__`) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

## Summary Hardens the repo ahead of the public-flip: - **SECURITY.md** — supported-version policy, private vuln-report channel (GitHub security advisories + `security@onepin.ai` fallback), scope, and 90-day coordinated disclosure timeline. - **.github/CODEOWNERS** — auto-requests review on PRs touching `.github/`, `scripts/`, release config, the hand-rolled CLI under `src/onepin/_cli/`, `tests/`, and the documentation surface. - **.github/dependabot.yml** — weekly updates for GitHub Actions and pip dependencies, with grouped minor + patch bumps split runtime vs dev to keep PR volume low. ## Repo settings applied via `gh api` (no files needed) These are now live on the repo directly: | Setting | Was | Now | |---------|-----|-----| | Merge strategies | merge + squash + rebase | squash-only | | Auto-merge | off | on | | Allow update branch | off | on | | Delete branch on merge | off | on | | Squash PR title format | commit messages | PR title / PR body | | Wiki | on | off | | Homepage URL | empty | `https://onepin.ai` | | `default_workflow_permissions` | write | read | | Workflows can approve PRs | yes | no | | Secret scanning | off | on | | Secret-scanning push protection | off | on | | Secret-scanning non-provider patterns | off | on | | Dependabot security updates | off | on | | `main` branch protection | none | required PR, 13 required status checks (test matrix 3.10-3.13 × {ubuntu, macos, windows} + fresh-venv-smoke), strict (up-to-date), linear history, conversation resolution required, no force-push, no deletion | Code-scanning (CodeQL) requires Advanced Security on private repos, so it stays off until the public flip — at which point it becomes free and should be enabled. ## Held back pending explicit confirmation - **Visibility flip PRIVATE → PUBLIC** — not done; needs separate go-ahead. ## Test plan - [x] `gh api repos/podonos/onepin-python/branches/main/protection` returns the new protection rules - [x] `gh api repos/podonos/onepin-python --jq '.security_and_analysis'` shows secret scanning + push protection + dependabot security updates enabled - [x] Branch protection required status checks match the actual CI workflow job names - [x] Secret scan of full git history: clean (no AKIA, ghp_, sk-, xox*, PEM blocks, or hardcoded password/secret literals) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

## Summary Removes organization-internal references that should not appear in the public-facing repo: - **RUNBOOK.md** — rewritten. Drops internal alerting channel (`#alert-onepin-sdk`), organization secret variable names (`ONEPIN_DEV_API_KEY`, `SLACK_WEBHOOK_ONEPIN_SDK`), upstream-spec repo references (`onepin-sdks`, `donut-be`), and hosting-platform specifics (Cloudflare Pages). What remains is the public-relevant rollback flow: `twine yank`, bad tag, bad release-please PR, regression revert, CI failure triage. - **`src/onepin/_cli/_ctx.py`** — the `NotImplementedError` message no longer names the private upstream-spec repository. - **`.github/workflows/ci.yml` + `.github/workflows/publish.yml`** — Slack notification step now references a generically named `SLACK_WEBHOOK_URL` secret instead of `SLACK_WEBHOOK_ONEPIN_SDK`. ## Required org-side follow-up This PR is safe to land *before* the org secret is renamed: the existing `if: env.SLACK_WEBHOOK_URL != ''` guard skips the Slack step gracefully when the secret is unset. To restore Slack notifications: 1. In GitHub org / repo secrets, create a new `SLACK_WEBHOOK_URL` secret with the same value as the old `SLACK_WEBHOOK_ONEPIN_SDK`. 2. Once verified working, delete the old `SLACK_WEBHOOK_ONEPIN_SDK` secret. ## Out of scope (separate decision) Git commit-message history still contains references to `onepin-sdks@<sha>` on four prior SDK-regen commits already merged to `main`. Rewriting that history requires a force-push to `main` (now protected) and breaks any existing clones. Recommend leaving as-is; the existence of a private upstream spec repo named `onepin-sdks` is low-sensitivity. ## Test plan - [x] Repo-wide grep for `ONEPIN_DEV_API_KEY`, `SLACK_WEBHOOK_ONEPIN_SDK`, `alert-onepin`, `donut-be`, `Cloudflare`, `onepin-sdks` returns zero hits in the working tree - [x] `uv run pytest -q tests/cli tests/unit` — 62 pass (verifies `_ctx.py` change doesn't break tests) - [x] Workflow yaml still valid (rename is a string substitution; no schema changes) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

## Summary Adds the standard GitHub community health set ahead of the public flip: - **CONTRIBUTING.md** — dev setup (uv), the generated vs hand-rolled boundary, scoped lint/test commands, Conventional Commits requirement (enforced by `commitlint`), and the PR flow. - **CODE_OF_CONDUCT.md** — Contributor Covenant 2.1; reports go to `conduct@onepin.ai`. - **.github/ISSUE_TEMPLATE/** — `bug_report.yml` + `feature_request.yml` forms, plus `config.yml` that disables blank issues and routes security reports to private advisories. - **.github/pull_request_template.md** — checklist mirroring the CI gates and the squash-title Conventional Commit requirement. ## Follow-up Two onepin.ai addresses are now referenced in docs and need to resolve to a real inbox before/at public flip: - `security@onepin.ai` (SECURITY.md, already merged) - `conduct@onepin.ai` (CODE_OF_CONDUCT.md, this PR) ## Test plan - [x] All three issue-template YAML files parse with `yaml.safe_load` - [x] Sanitization sweep: no internal names, paths, or secret refs in any new file - [x] config.yml routes security reports to the private advisory form Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…CI, regen guard) (#17) ## Tier 1 — pre-launch polish (zero-risk) Part 1 of a two-PR audit follow-up. Docs + tooling only — **no runtime behavior changes**. ### Changes - **docs:** README shows only the commands/flags that work today (`login`/`whoami`/`logout` + `--api-key`/`--base-url`/`--json`); status corrected to "published on PyPI — v0.2.0". Removed the stale `[Unreleased]` changelog block (those items already shipped in 0.1.0/0.2.0). - **ci / typing:** added a `mypy --strict` gate over `onepin._cli` (generated SDK tree excluded from gating), wired into CI and a `make typecheck` target; added Python 3.14 to the CI matrix to match the advertised classifier. One return annotation added so `_cli` passes strict. - **test:** new build guard asserting the hand-rolled `_cli/` package and both `py.typed` markers survive an SDK regeneration sync — the only other guard lives outside this repo. ### Verification - `mypy --strict` (`onepin._cli`): clean - `ruff check` + `ruff format --check`: clean - `pytest`: all green, coverage **83.87%** (gate ≥80%) - `onepin --version` / `onepin --help`: OK ### Not in this PR Follow-up PR2 wires the currently-inert global flags (`--no-color`, `--debug`, `--verbose`, `--workspace`) and implements `build_client()`. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## Summary Adds `pull-requests: read` to `release-please-validate.yml` so the dry-run can query PR/release state. With the org-wide default workflow token now read-only and the workflow declaring only `contents: read`, the dry-run failed with `Resource not accessible by integration`. ## Context (the release baseline fix) release-please had proposed an incorrect **0.3.0** (PR #3) instead of **0.2.1**. Root cause was twofold and **already resolved out-of-band**: 1. The 0.2.0 GitHub release was a **draft** → release-please ignores drafts → saw 0 releases. **Fixed:** published the release (now Latest). No new tag pushed, so `publish.yml` was not triggered. 2. The dry-run couldn't query the API to find the release due to the missing permission above. **Fixed by this PR.** With both fixed, release-please finds the 0.2.0 baseline (via the manifest) and computes the next version from commits since (one `fix:` → **0.2.1**). ## Tag scheme Kept `include-component-in-tag: false` (unchanged). The next release tags as `v0.2.1`. The one-time legacy `onepin-v0.2.0` tag is harmless — `publish.yml` triggers on both `v*.*.*` and `onepin-v*.*.*`. ## Test plan - [x] dry-run passes on this PR - [x] Net diff is a single line (`pull-requests: read`); no config/version change - [ ] Post-merge: release-please re-titles PR #3 from 0.3.0 → 0.2.1

…2f6ce6469b (#21) Auto-regenerated by `onepin-sdks` publish-sdks workflow. **Source:** podonos/onepin-sdks@15fc744 **Workflow run:** https://github.com/podonos/onepin-sdks/actions/runs/26625877169 Review the diff, let CI run, then merge to ship the new SDK surface. The hand-rolled CLI under `src/onepin/_cli/` is preserved; only Fern-owned files in `src/onepin/` are touched. --------- Co-authored-by: kj-podonos <263298736+kj-podonos@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## Problem release-please keeps proposing **0.3.0** when the next version should be **0.2.1**. Proof from the run log: `✔ Considering: 32 commits`. The config is component-less (`include-component-in-tag: false`), so release-please looks for a `v0.2.0` tag — but the release actually shipped as `onepin-v0.2.0`. It never finds the boundary, re-scans all 32 commits from the repo root, hits the original `feat(cli): implement auth commands` (which shipped *in* 0.2.0), and bumps minor → 0.3.0. We deliberately keep the bare `v*` tag scheme, so we can't switch to component tags, and we can't create a `v0.2.0` tag (that would re-trigger `publish.yml` and fail re-uploading the already-published 0.2.0 to PyPI). ## Fix Set top-level `last-release-sha` to the 0.2.0 commit (`4b2769382852f63f5786244b8a7d69a93210bac0`, where `onepin-v0.2.0` points). Schema: *"For any release, only consider as far back as this commit SHA."* release-please now ignores everything at/before 0.2.0 and counts only commits since: - 1 `fix:` + docs/chore → **patch** → `0.2.1` - tags stay bare `v*` → next tag `v0.2.1` Once `v0.2.1` is tagged, release-please anchors on it natively; the floor remains harmless. ## Expected after merge release-please updates the open release PR (#20) from `0.3.0` to **`0.2.1`**. ## Test plan - [x] `last-release-sha` confirmed as a valid top-level field in the release-please config schema - [x] JSON valid; SHA matches `onepin-v0.2.0` - [x] Commits since `4b27693` = 1 fix + docs/chore (no `feat`) → 0.2.1 - [ ] Post-merge: PR #20 re-titles to `release 0.2.1`

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v8.0.0</h2> <h2>v8 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.</p> </blockquote> <blockquote> <p>[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).</p> </blockquote> <h3>Direct downloads</h3> <p>To support direct uploads in <code>actions/upload-artifact</code>, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the <code>Content-Type</code> header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new <code>skip-decompress</code> parameter to <code>true</code>.</p> <h3>Enforced checks (breaking)</h3> <p>A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the <code>digest-mismatch</code> parameter. To be secure by default, we are now defaulting the behavior to <code>error</code> which will fail the workflow run.</p> <h3>ESM</h3> <p>To support new versions of the @actions/* packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Don't attempt to un-zip non-zipped downloads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li> <li>Add a setting to specify what to do on hash mismatch and default it to <code>error</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p> <h2>v7.0.0</h2> <h2>v7 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (<code>runs.using: node24</code>) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>Node.js 24</h3> <p>This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.</p> <h2>What's Changed</h2> <ul> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/440">actions/download-artifact#440</a></li> <li>Download Artifact Node24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/415">actions/download-artifact#415</a></li> <li>fix: update <code>@actions/artifact</code> to fix Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/451">actions/download-artifact#451</a></li> <li>prepare release v7.0.0 for Node.js 24 support by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/452">actions/download-artifact#452</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/440">actions/download-artifact#440</a></li> <li><a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/415">actions/download-artifact#415</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v6.0.0...v7.0.0">https://github.com/actions/download-artifact/compare/v6.0.0...v7.0.0</a></p> <h2>v6.0.0</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"><code>3e5f45b</code></a> Add regression tests for CJK characters (<a href="https://redirect.github.com/actions/download-artifact/issues/471">#471</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/e6d03f67377d4412c7aa56a8e2e4988e6ec479dd"><code>e6d03f6</code></a> Add a regression test for artifact name + content-type mismatches (<a href="https://redirect.github.com/actions/download-artifact/issues/472">#472</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a> from actions/danwkennedy/digest-mismatch-behavior</li> <li><a href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a> Add change docs</li> <li><a href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a> Fix linting issues</li> <li><a href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a> Add a setting to specify what to do on hash mismatch and default it to <code>error</code></li> <li><a href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a> from actions/danwkennedy/download-no-unzip</li> <li><a href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a> Add note about package bumps</li> <li><a href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a> Bump the version to <code>v8</code> and add release notes</li> <li><a href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a> Update test names to make it clearer what they do</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/v4...v8">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## What Adds `.github/workflows/pr-slack-notify.yml` — posts a Slack card when a PR is **opened**, **marked ready for review**, or **reopened** (drafts skipped). Card layout: > 🔀 **New PR #142** > **fix(publish): retry TestPyPI upload on 503** ← clickable → PR > by `kj-podonos` in `podonos/onepin-python` ## Why public-repo safe - **One secret only**: `SLACK_WEBHOOK_URL`, kept in repo Settings → Secrets — never committed, redacted from logs, and **not injected into fork PRs** (GitHub withholds secrets there). - Workflow references only `${{ secrets.SLACK_WEBHOOK_URL }}` (a name, not the value). - Destination channel is encoded **inside** the webhook URL → no channel ID in code. - No bot token, no Linear key, no user-map, no peer-repo references. - Fork PRs hit the empty-secret guard → skip quietly (`exit 0`, no error, no leak). ## Required before this works (one-time, manual) 1. Slack → create an **Incoming Webhook** bound to the target channel; copy the `https://hooks.slack.com/services/...` URL. 2. `gh secret set SLACK_WEBHOOK_URL --repo podonos/onepin-python` (paste the URL). Until the secret is set, the job runs and skips with a notice — no failures. ## Verification - Open a non-draft PR from an in-repo branch → card lands in the channel. - Open a draft PR → no card; mark "ready for review" → card posts. - Fork PR → job logs the skip notice and exits 0. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1 to 3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/slackapi/slack-github-action/releases">slackapi/slack-github-action's releases</a>.</em></p> <blockquote> <h2>Slack GitHub Action v3.0.0</h2> <blockquote> <p>The <code>@v3.0.0</code> release had a hiccup on publish and we recommend using <a href="https://github.com/slackapi/slack-github-action/releases/tag/v3.0.1"><strong><code>@v3.0.1</code></strong></a> or a more recent version when updating! Oops!</p> </blockquote> <p>🎽 <strong>Running Slack CLI commands and the active Node runtime, both included in this release</strong> 👟 ✨</p> <h3>⚠️ Breaking change: Node.js 24 the runtime</h3> <p>This major version updates the GitHub Actions required runtime to <a href="https://nodejs.org/en/about/previous-releases"><strong>Node.js 24</strong>.</a> Most <a href="https://github.com/actions/runner-images?tab=readme-ov-file#software-and-image-support">GitHub-hosted runners</a> already include this, but self-hosted runners may need to be updated ahead of <a href="https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/">planned deprecations of Node 20 on GitHub Actions runners</a>.</p> <h3>📺 Enhancement: Run Slack CLI commands</h3> <p>This release introduces a new technique for running <a href="https://docs.slack.dev/tools/slack-cli">Slack CLI</a> commands directly in GitHub Actions workflows. Use this to install the latest version (or a specific one) of the CLI and execute commands like <code>deploy</code> for merges to main, <code>manifest validate</code> with tests, and other <a href="https://docs.slack.dev/tools/slack-cli/reference/commands/slack">commands</a>.</p> <p>Gather a token using the following CLI command to store with repo secrets, then get started with an example below:</p> <pre><code>$ slack auth token </code></pre> <h3>🧪 Validate an app manifest on pull requests</h3> <p>Check that your app manifest is valid before merging changes:</p> <p>🔗 <a href="https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest">https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest</a></p> <pre lang="yaml"><code>- name: Validate the manifest uses: slackapi/slack-github-action/cli@v3.0.0 with: command: "manifest validate --app ${{ vars.SLACK_APP_ID }}" token: ${{ secrets.SLACK_SERVICE_TOKEN }} </code></pre> <h3>🚀 Deploy your app on push to main</h3> <p>Automate deployments whenever changes land on your main branch:</p> <p>🔗 <a href="https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app">https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app</a></p> <pre lang="yaml"><code>- name: Deploy the app uses: slackapi/slack-github-action/cli@v3.0.0 with: command: "deploy --app ${{ vars.SLACK_APP_ID }} --force" token: ${{ secrets.SLACK_SERVICE_TOKEN }} </code></pre> <p>Any Slack CLI command can be passed through the <code>command</code> option without the "slack" prefix 🍀</p> <p>The <code>token</code> input accepts a <a href="https://docs.slack.dev/authentication/tokens/#service">service token</a> for authentication. You can gather this token by running <a href="https://docs.slack.dev/tools/slack-cli/reference/commands/slack_auth_token"><code>slack auth token</code></a> with the Slack CLI and storing the value as a repository secret.</p>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md">slackapi/slack-github-action's changelog</a>.</em></p> <blockquote> <h1>slack-github-action</h1> <h2>3.0.3</h2> <h3>Patch Changes</h3> <ul> <li>66834e4: feat: add instrumentation to address error rates</li> </ul> <h2>3.0.2</h2> <h3>Patch Changes</h3> <ul> <li>79529d7: fix: resolve url.parse deprecation warning for webhook techniques</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/slackapi/slack-github-action/commit/45a88b9581bfab2566dc881e2cd66d334e621e2c"><code>45a88b9</code></a> chore: release</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/1c0bcf08feaa559a9bcfcc249184e13b136ffa55"><code>1c0bcf0</code></a> chore: release (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/606">#606</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/66834e4b0cad4cbf09ca680587ad8af71d615d4b"><code>66834e4</code></a> feat: add instrumentation to address error rates (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/600">#600</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/0fe0f902b9f8da107ca0e1314a388c0f57e20d48"><code>0fe0f90</code></a> build(deps): bump <code>@actions/github</code> from 9.0.0 to 9.1.1 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/605">#605</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/c5e70597945c255539c5218d4178ed3c7d8188be"><code>c5e7059</code></a> build(deps): bump <code>@slack/web-api</code> from 7.15.0 to 7.15.1 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/604">#604</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/0325526875571a27abcfd2b302453a90871abbff"><code>0325526</code></a> build(deps-dev): bump <code>@biomejs/biome</code> from 2.4.10 to 2.4.13 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/601">#601</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/900cd3e6fa9d6eacd8a5512ecff230d08e65aec7"><code>900cd3e</code></a> build(deps-dev): bump <code>@types/node</code> from 24.12.0 to 24.12.2 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/603">#603</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/53fdcffeb6e4d34cbdf3276f7beadb0ecc7c9fcd"><code>53fdcff</code></a> build(deps): bump <code>@actions/core</code> from 3.0.0 to 3.0.1 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/602">#602</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/26856cc7fb2c1c2951483645f5fdc3643dbe96eb"><code>26856cc</code></a> build(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/596">#596</a>)</li> <li><a href="https://github.com/slackapi/slack-github-action/commit/feba1e29702383a5a3cd5136af0559ba10859b04"><code>feba1e2</code></a> ci: skip publish step if no release is needed (<a href="https://redirect.github.com/slackapi/slack-github-action/issues/599">#599</a>)</li> <li>Additional commits viewable in <a href="https://github.com/slackapi/slack-github-action/compare/v1...v3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=slackapi/slack-github-action&package-manager=github_actions&previous-version=1&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Summary Replaces the 4 stubbed command groups (`workflows`/`templates`/`uploads`/`voices`) with the **complete ~65-command OnePin CLI surface** wired to the Fern-generated SDK, via a declarative `TABLE` + a synthesized-`inspect.Signature` Typer dispatcher (**no new dependency**). Agent-first (primary consumer = AI agents): machine-readable `onepin schema` manifest, structured JSON errors on every failure path, and `onepin workflows definition-schema`. Groups: `workflows` (+`runs` subgroup), `templates`, `voices`, `uploads`, `workspace` (+`members`/`stats`), `usage`, `provider-keys`, `nodes`, `health`. Curated subset of the SDK; `api_keys`/`dictionary`/`users`/`billing`/`webhooks` intentionally excluded. ## Test Coverage - **218 tests**, **93% coverage** on `onepin._cli`; `mypy --strict` + `ruff` clean. - Dispatcher (single point of failure) covered heaviest: every transform/type, unwrap mode, `--json`, conditional keyword-only `workspace_id`, `limit<1`, error mapping. - Contract test auto-derived from `TABLE` (every SDK method + declared params resolve). respx integration for real SDK serialization. Composite tests (watch timeout/interrupt, upload error paths, download TOCTOU). Fast-startup assert (no SDK import on `--help`). ## Reviews Eng review ×3 (clean) + Codex ×2 — all findings fixed: destructive `--json` confirm is JSON-safe (no stdout prompt), base_url precedence (env honored with flag api-key), `whoami --json` structured errors, `ParsingError`→`INVALID_RESPONSE`, download atomic O_EXCL guard, provider-keys secret redaction, bool-default options not forwarded. ## Notes - Versioning handled by **release-please** (`feat` → minor bump). No manual `VERSION`/`CHANGELOG` edits. - Follow-ups (out of scope): README SDK/CLI section refresh, upstream spec example enrichment, `docs.onepin.ai` deploy (404/500). ## Test plan - [x] `uv run pytest` — 218 passed - [x] `uv run mypy -p onepin._cli` — strict, no issues - [x] `uv run ruff check/format --check` — clean - [x] fast-startup: `import onepin._cli.main` does not import `onepin.client` - [x] `onepin schema --json` (65 commands) + `workflows definition-schema --json` valid 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

🤖 I have created a release *beep* *boop* --- ## [0.3.0](v0.2.0...v0.3.0) (2026-06-02) ### Features * **cli:** full command surface over the Fern SDK ([#24](#24)) ([162d805](162d805)) ### Bug Fixes * **publish:** scope attestation verify to --repo, not --owner ([a1ea74c](a1ea74c)) * **release:** anchor release-please at the 0.2.0 commit ([#22](#22)) ([ca2dc22](ca2dc22)) ### Documentation * add AGENTS.md and Claude Code hooks ([#6](#6)) ([0551199](0551199)) * add community health files ([#15](#15)) ([3da0abf](3da0abf)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

## Problem The `Publish` workflow's `build` job fails at `check-wheel-contents dist/*.whl` with **W002 (duplicate files)** — it flags the Fern-generated SDK's empty package `__init__.py` markers (`api_keys`, `billing`, `webhooks`, `workspace_*`, …) as duplicates. They're legitimately byte-identical empties. This **blocked the v0.3.0 publish** (build failed before reaching PyPI; 0.3.0 is not on PyPI). ## Fix Add `[tool.check-wheel-contents] ignore = ["W002"]` to `pyproject.toml`. `twine check --strict`, classifier validation, and `tests/build/test_dist_contents.py` still run. ## Verified locally (on the 0.3.0 tree) - `python -m build` → ok - `check-wheel-contents dist/*.whl` → **OK** (W002 gone) - `twine check --strict dist/*` → PASSED (wheel + sdist) ## Re-release after merge v0.3.0 still needs publishing. Once this lands on `main`, re-point the `v0.3.0` tag to the fixed `main` HEAD and push it (the tag-push path builds the tag tree with this fix → PyPI). The release-please tag was created by `GITHUB_TOKEN`, which doesn't trigger `publish.yml`; pushing the tag with a normal credential (or a PAT/App on release-please) does. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## Problem The v0.3.0 publish failed in the `build` job at `pytest tests/build/test_dist_contents.py` with `ModuleNotFoundError: No module named 'onepin'`. The autouse `_reset_cli_state` fixture in `tests/conftest.py` imports `onepin._cli` for **every** test, but the publish build job installs only build tooling (no `onepin`) → collection error, build fails before PyPI. ## Fix Guard the import in the fixture; the CLI-state reset is a no-op when `onepin` isn't importable (the build-artifact tests don't need it). ## Verified - onepin-free venv (mirrors the publish build job): `pytest tests/build/test_dist_contents.py` → **1 passed** (was ModuleNotFoundError). - Full suite with onepin: **222 passed**. ruff/mypy clean. Second of the publish-pipeline fixes (after #25's W002). Unblocks the v0.3.0 build. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## Summary Adds an open [Agent Skills](https://agentskills.io) `SKILL.md` bundle that wraps the `onepin` CLI, plus an `onepin skill install / path / uninstall` command group that materializes it into each AI coding tool's skills directory. Yields a bare `/onepin` in Claude Code; the same skill activates by relevance in Cursor, OpenAI Codex, Gemini CLI, and Copilot. - `onepin skill install` auto-detects installed tools (`--tool` / `--all` / `--project` / `--force`); writes per-tool dirs (Claude `~/.claude/skills/onepin`, Cursor/Codex/Copilot/Gemini their own; project mode shares `.agents/skills`). - Pure-filesystem, **SDK-free** (preserves fast CLI startup); skill ships as wheel data via `force-include`. - Extracts the atomic-write helper into `_fsutil` (shared with run downloads). Closes POD-194. ## Test coverage - New: `tests/cli/test_cli_skill.py` (install / path / uninstall, per-tool + project dedupe, clobber/force, no-auth, dir-creation failure), `tests/unit/test_skill.py` (tool selection, target dirs, bundled payload, rmtree leaf-guard, error mapping). - Extended: registry, manifest snapshot (regenerated), dist-contents (wheel + sdist). - Full suite: **266 passing** · ruff · ruff format · mypy --strict · fast-startup · `python -m build` clean. ## Reviews - **Claude** (`/code-review`): caught + fixed a CRITICAL wheel-build collision (`force-include` re-adding `__init__.py`) and a HIGH skill doc bug (errors go to stderr, not stdout). - **Codex** (`/codex review`, gpt-5.5): caught + fixed a P1 (Windows-CI path portability in a test) and a P2 (`mkdir` `OSError` not mapped to `WRITE_FAILED`). Re-review: PASS. - 0% finding overlap — the two reviews were fully complementary. ## Notes - Versioning is release-please-managed; the `feat:` commit drives the next release (no manual VERSION/CHANGELOG edit). 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…d950f3a06c (#29) Auto-regenerated by `onepin-sdks` publish-sdks workflow. **Source:** podonos/onepin-sdks@b76d67a **Workflow run:** https://github.com/podonos/onepin-sdks/actions/runs/26936045276 Review the diff, let CI run, then merge to ship the new SDK surface. The hand-rolled CLI under `src/onepin/_cli/` is preserved; only Fern-owned files in `src/onepin/` are touched. Co-authored-by: kj-podonos <263298736+kj-podonos@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.4.0](v0.3.0...v0.4.0) (2026-06-05) ### Features * **cli:** cross-tool onepin agent skill + skill install command ([#31](#31)) ([3ce5dba](3ce5dba)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: kj-podonos <kj@podonos.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## What onepin-python now **self-generates** its SDK from the shaped OnePin API OpenAPI spec instead of receiving generated code from a separate repo. Replaces the old cross-repo rsync with native `.fernignore` preservation of the hand-rolled CLI. ## Changes - `fern/{fern.config.json,generators.yml}` — in-repo Fern config. **Vanilla** generate — the spec ships pre-shaped (`x-fern` + `servers`). - `.github/workflows/regen.yml` — on dispatch (or manual): mint a GitHub App token, fetch the shaped spec at a pinned commit, `fern generate --local`, run the CLI-preservation + shape guards, and open a regen PR. A **prod** dispatch opens the PR; a **dev** dispatch is a generation smoke-check only, so `main` never leads prod. `release-please` + `publish.yml` unchanged. - `src/onepin/.fernignore` — preserves `_cli/` + `py.typed` across regen (Fern auto-discovers it in the local output dir). - Docs/test updated. ## Config required for the live regen - GitHub App + org secrets `PIPELINE_APP_ID` / `PIPELINE_APP_PRIVATE_KEY`. - Repo variable `SPEC_REPO` = the backend repo that publishes the OpenAPI spec. ## Tests - `tests/build` green (CLI-preserve guard); ruff + format clean. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…33) ## Summary release-please tags releases with the default `GITHUB_TOKEN`, which **cannot trigger another workflow** (GitHub's anti-recursion rule). So `publish.yml`'s `push: tags` trigger never fired — every release tag landed but **nothing reached PyPI** automatically (each version, incl. 0.4.0, was published by a manual `workflow_dispatch`). This makes release → publish automatic, and fixes latent bugs in the manual-dispatch and attestation paths. ## Changes - **`release-please.yml`** — pass `token: ${{ secrets.RELEASE_PAT || github.token }}`. With a PAT the release tag push is a "real" push that fires `publish.yml`. Falls back to `github.token` when the secret is unset → **non-breaking**: release-please keeps working, auto-publish just stays off until the secret exists. - **`publish.yml` (dispatch)** — the `workflow_dispatch` path derived the version from `GITHUB_REF_NAME` (the *branch* on dispatch, not the tag) and ignored `inputs.tag`, so a manual dispatch from `main` built a bogus version and failed at `testpypi-smoke` (hit this publishing 0.4.0). Now validates the tag input, checks out `refs/tags/<tag>`, **and** versions from `inputs.tag`, falling back to the ref on a tag push. - **`publish.yml` (attestation)** — add `actions/attest-build-provenance@v2` before upload. `pypa/gh-action-pypi-publish` only writes PEP 740 attestations to PyPI, but the `Verify provenance attestation` step queries GitHub's attestation store, so without this it found nothing and the job failed (green upload / red job for 0.4.0). Now the verify step passes. - **`RUNBOOK.md`** — document the `RELEASE_PAT` scope + the `--ref main -f tag=` manual-dispatch fallback. ## Required manual step ⚠️ Add a repo secret **`RELEASE_PAT`** — a fine-grained PAT scoped to `podonos/onepin-python` only, with **`contents: write`** (push the release tag → fires `publish.yml`) **and `pull requests: write`** (release-please uses this token for all its calls, incl. creating/updating the release PR; a `contents`-only PAT fails the next release-please run). Set an expiry. Until the secret exists, auto-publish stays off (tag lands, nothing publishes); merging this PR alone is safe. ## Context 0.4.0 was published manually and is live on PyPI. This PR makes the *next* release (0.5.0, already queued as a release-please PR) publish on its own. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

🤖 I have created a release *beep* *boop* --- ## [0.5.0](v0.4.0...v0.5.0) (2026-06-09) ### Features * **ci:** self-generate the SDK in-repo via Fern + .fernignore ([#30](#30)) ([16ebc24](16ebc24)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

## Summary `actions/attest-build-provenance@v2` (added in #33) requires a **public repo or a paid org plan**. On this private repo the attest step hard-fails with *"Feature not available for the podonos organization"* — and because it runs **before** the PyPI upload, it blocked the publish outright: **0.5.0 was tagged and GitHub-released but never reached PyPI** (real PyPI is still at 0.4.0; TestPyPI got 0.5.0 before the block). ## Change Gate both the **Attest** and **Verify** steps on `${{ !github.event.repository.private }}`: - While the repo is **private** → both steps skip cleanly, the upload proceeds, releases publish. - Once the repo is **public** → both light up automatically, no further edits. PyPI **trusted publishing (OIDC)** still proves the artifacts came from this workflow in the meantime; the GitHub attestation is defense-in-depth that returns when the repo is public. ## Recovery After this merges, 0.5.0 is republished via `gh workflow run publish.yml --ref main -f tag=v0.5.0` (TestPyPI step already sets `skip-existing: true`). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

## Problem The `notify-failure` Slack step pins `slackapi/slack-github-action@v3` but is configured the **v1 way** — webhook URL via the `SLACK_WEBHOOK_URL` env var + a bare `payload`. v2+ changed the webhook contract, so the step crashed on the `v0.5.0` publish failure with: ``` Missing input! The webhook type must be 'incoming-webhook' or 'webhook-trigger'. ``` Result: publish failures sent **no** Slack alert, and the broken notifier added a second red job to the run. ## Fix Per the v3 `action.yml`: pass the URL via the **`webhook`** input and set **`webhook-type: incoming-webhook`** (our secret is a classic Incoming Webhook). Keep the `env`-based `if:` guard so the step still no-ops when `SLACK_WEBHOOK_URL` is unset. actionlint passes. Not runtime-verified (would need a real publish failure to fire the webhook). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

…logs) (#36) Follow-up to #30. `regen.yml` runs in a **public** repo and Actions **variables render unmasked** in run logs, so `vars.SPEC_REPO` would print the backend repo name publicly. Switch to `secrets.SPEC_REPO` (masked) for the App-token scope + spec fetch. The `SPEC_REPO` secret is already set on the repo. Merging this unblocks `regen.yml` (currently failing with `SPEC_REPO is not set` because it reads a variable that doesn't exist). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

….44.6) (#38) Follow-up — the first live `regen.yml` run got past the SPEC_REPO fix (App token + spec fetch ✓) but **`fern check` failed**: the `fernapi/fern-python-sdk` (`version: latest`) generator now requires Fern CLI **≥ 5.44.6**, and we pinned **5.38.0**. Bumps `fern.config.json` + the `regen.yml` install pin to **5.45.3**. Verified by dispatching `regen.yml` from this branch before merge. (TODO still open: pin the generator to a concrete version so a `latest` bump can't break regen again.) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…766db264 (spec vn/a) (#39) Auto-regenerated from the shaped OnePin API OpenAPI spec. - **Spec commit:** `471927d282b1f6f88449cc7825d41952766db264` - **Spec version:** `n/a` - **Trigger env:** `manual` The hand-rolled CLI under `src/onepin/_cli/` is preserved via `.fernignore`. Review the diff, let CI run, then merge to ship the new SDK surface. Co-authored-by: kj-podonos <263298736+kj-podonos@users.noreply.github.com>

## Summary Add the description of the workflow generation. Add the role of each node, what is possible, what is not possible, what is generally preferred. ## Type of change - [ ] `fix:` — bug fix (patch) - [ ] `feat:` — new feature (minor) - [x] `docs:` / `chore:` / `refactor:` / `test:` / `ci:` / `build:` - [ ] Breaking change (`!` or `BREAKING CHANGE:` footer) ## Checklist - [x] Change is scoped to hand-rolled code (`src/onepin/_cli/`, `tests/`), not the generated SDK under `src/onepin/` - [x] `make lint` passes - [x] `make test` passes - [ ] Added/updated tests for the change (regression test for bug fixes) - [x] PR title is a valid Conventional Commit - [x] Did **not** hand-edit `CHANGELOG.md` or the version (release automation owns both) ## Notes for reviewers

…d-gated per-sha promote (#40) ## Summary Reworks how the SDK is versioned and published. - **Dynamic version** (hatch-vcs, no-local-version): release tags build a clean `X.Y.Z`; intermediate commits build `X.Y.(Z+1).devN`. - **Two-lane publish:** `publish.yml` is now **TestPyPI-only** (continuous); a new **`promote-prod.yml`** owns the **public PyPI** publish, fired only by a backend production-deploy dispatch (or a manual run from `main`). - **Per-sha pinning:** a prod promote publishes the newest release whose recorded source-spec commit is at-or-before the deployed spec — never one ahead of prod — with a fail-closed preflight against the immutable index. - `regen.yml` records the source spec commit (`.spec-sha`) and opens its PR as `feat:`; release-please switches to `simple` (the version is dynamic now). ## Review - Eng review CLEAR; independent review 3× codex + 3× Opus across the pipeline — per-sha resolver direction, fail-closed paths, and "no wrong/duplicate publish to the immutable index" verified. All findings addressed. - `actionlint` clean; build-guard tests pass; `uv build` → clean dynamic version. ## Prereqs to go live (operational) - GitHub App + secrets; PyPI Trusted Publisher pointed at `promote-prod.yml` + `pypi` environment (locked to `main` + reviewers). - First prod promote uses the manual `workflow_dispatch -f tag=vX.Y.Z` (existing tags predate `.spec-sha`). ## Test plan - [x] actionlint clean on all workflows - [x] `uv build` → clean `0.5.1.devN` (no local segment) - [x] build-guard tests pass - [ ] live `workflow_dispatch` dry-run once the App exists 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…368a67c (spec v0.37.7) (#43) Auto-regenerated from the shaped OnePin API OpenAPI spec. - **Spec commit:** `9fe47587946f7ab984ac1dd701c85c15c368a67c` - **Spec version:** `0.37.7` - **Trigger env:** `prod` The hand-rolled CLI under `src/onepin/_cli/` is preserved via `src/onepin/.fernignore`. Review the diff, let CI run, then merge to ship the new SDK surface. Co-authored-by: onepin-pipeline-bot[bot] <290953255+onepin-pipeline-bot[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.6.0](v0.5.0...v0.6.0) (2026-06-15) ### Features * regenerate SDK from API spec [@9fe47587946f7ab984ac1dd701c85c15c368a67](https://github.com/9fe47587946f7ab984ac1dd701c85c15c368a67)c (spec v0.37.7) ([#43](#43)) ([f429244](f429244)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

## Summary Makes release-please CHANGELOGs readable. - **Regen commit subject** → `feat: sync SDK to OnePin API vX.Y.Z` (was `feat: regenerate SDK from API spec @<40-char-sha> (spec v…)`). The sha stays in the PR body + `.spec-sha` for traceability — it just leaves the changelog line. - **`changelog-sections`** → only `Features` / `Bug Fixes` / `Performance` render; `chore`/`ci`/`docs`/`test`/`build`/`refactor`/`style` are hidden. ## Effect Takes effect on the **next regen + release**. Doesn't touch the current `0.6.0` release PR — hand-edit that one's `CHANGELOG.md` if you want nicer wording now. ## Test plan - [x] actionlint clean (regen.yml) - [x] release-please-config.json valid JSON - [ ] next regen PR subject reads `sync SDK to OnePin API v…` 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6 to 8. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@v6...v8) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-17T06:41:23Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

kj-podonos and others added 30 commits May 27, 2026 12:39

feat(cli): implement auth commands and package smoke fixes

dbc49d8

fix(cli): respect HOME on Windows credentials path

14e7519

ci: fetch full history so diff-cover can resolve origin/main

4299bf6

chore: regenerate SDK from onepin-sdks@babfb180c9f10bd3e41e7f774d9588…

702542a

…19ad52e34e (#2) Co-authored-by: kj-podonos <263298736+kj-podonos@users.noreply.github.com>

chore(main): release onepin 0.2.0 (#1)

1b44f23

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

fix(publish): install pytest in build job + wire build outputs to tes…

0a93407

…tpypi-smoke

fix(publish): strip onepin-v prefix in version output + skip-existing…

4b27693

… on TestPyPI

fix(publish): scope attestation verify to --repo, not --owner

a1ea74c

kj-podonos and others added 19 commits June 2, 2026 23:22

dependabot Bot added chore dependencies labels Jun 15, 2026

dependabot Bot requested a review from kj-podonos as a code owner June 15, 2026 07:24

dependabot Bot added chore dependencies labels Jun 15, 2026

kj-podonos closed this Jun 17, 2026

kj-podonos force-pushed the main branch from 0e1cb09 to a4c4365 Compare June 17, 2026 06:41

dependabot Bot deleted the dependabot/github_actions/peter-evans/create-pull-request-8 branch June 17, 2026 06:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump peter-evans/create-pull-request from 6 to 8#47

chore(deps): bump peter-evans/create-pull-request from 6 to 8#47
dependabot[bot] wants to merge 49 commits into
mainfrom
dependabot/github_actions/peter-evans/create-pull-request-8

dependabot Bot commented on behalf of github Jun 15, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot Bot commented on behalf of github Jun 15, 2026

Create Pull Request v8.0.0

What's new in v8

What's Changed

New Contributors

Create Pull Request v7.0.11

What's Changed

Create Pull Request v7.0.10

What's Changed

New Contributors

Create Pull Request v7.0.9

What's Changed

New Contributors

Uh oh!

dependabot Bot commented on behalf of github Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants