Skip to content

Update agent-sh/agnix action to v0.37.5#78

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/agent-sh-agnix-0.x
Open

Update agent-sh/agnix action to v0.37.5#78
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/agent-sh-agnix-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
agent-sh/agnix action minor v0.36.2v0.37.5

Release Notes

agent-sh/agnix (agent-sh/agnix)

v0.37.5

Compare Source

Fixed
  • Crates.io package completeness. Ship the removed-rule lifecycle index inside agnix-core and mirror it from knowledge-base/removed-rules.json, so published agnix-core tarballs verify outside the workspace and downstream crates can publish cleanly.

v0.37.4

Compare Source

Added
  • Issue batch: diagnostics, config UX, lifecycle, security taxonomy, and CI portability (closes #​1151, #​1159, #​1160, #​1161, #​1162, #​1163, #​1164). CI now runs the workspace test suite on Linux, Windows, and macOS; Windows-sensitive tests normalize CRLF and canonical paths. Diagnostics now carry optional ranges, text output shows code frames, JSON/SARIF/LSP/WASM preserve spans, SARIF includes fixes, and --format github emits GitHub Actions annotations. Added agnix explain <RULE> with text/JSON output. .agnix.toml now supports extend, [rules.severity] per-rule overrides, and inline suppressions (agnix: noqa, agnix-disable-next-line). Rule lifecycle policy is documented, removed AS-* rule IDs warn in config, and 37 security-facing rules now carry CWE/OWASP/vulnerability-class metadata that SARIF exports as taxonomies.

v0.37.3

Compare Source

Added
  • Release provenance attestations. Release archive builds now generate GitHub artifact attestations with job-scoped OIDC and attestation permissions, while release publishing keeps write access isolated to the release job.
Fixed
  • Markdown import scanner performance. Avoided repeated prefix rescans when extracting @import references from large non-code spans, keeping dense-at-sign inputs linear while preserving UTF-8 behavior.
  • Rule suppression config warnings. Recognized every shipped rule-prefix namespace in .agnix.toml validation, avoiding spurious core.config.unknown_rule warnings when disabling valid rules.
  • Windows checkout line endings. Added repository attributes that keep source files LF-normalized across platforms while preserving CRLF for Windows command and PowerShell scripts.
  • npm installer checksum verification. The npm postinstall downloader now verifies release archive SHA-256 sidecars before extraction, binds sidecar entries to the expected archive filename, streams archive hashing, and cleans temporary artifacts after failed installs.
  • Stale version references in documentation. Updated project instructions and configuration docs to consistently reference the current release version, so release guidance and user-facing docs match the published version.
  • Security follow-ups (closes #​1149, #​1150, #​1154, #​1155, #​1156, #​1157, #​1158). Hardened MCP validation against handler panics and absolute-path disclosure, extended panic isolation to project-level checks, bound shell checksum parsing to the selected artifact filename, added VS Code release-download redirect host validation, corrected the YAML parser safety comment, and documented the remaining deprecated transitive serde_yaml dependency from rust-i18n.
  • CLI config and autofix safety followups (closes #​1152, #​1153, #​1165, #​1166, #​1167). The CLI now fails non-zero when a discovered or explicitly passed .agnix.toml cannot be parsed instead of validating with defaults, skill frontmatter now reports duplicate top-level YAML keys instead of silently applying last-wins parsing, telemetry storage failures are logged at debug level, agnix-lsp initializes stderr tracing for startup/config-load visibility, bare agnix --fix / --dry-run now apply or preview only safe fixes unless --fix-unsafe is explicitly selected, and the rule-doc parity test now catches stale inline/table rule IDs such as the removed AS-010 and AS-014 references.

v0.37.2

Compare Source

Fixed
  • Supply-chain hygiene (closes #​1144). Removed stale cargo audit ignores for advisories whose crates are no longer in Cargo.lock, realigned the audit and cargo-deny advisory policies with docs/RUSTSEC-ADVISORIES.md, and moved agnix's direct YAML/frontmatter parser dependency to the maintained serde_norway fork while keeping the internal serde_yaml crate alias stable. Added regression coverage so the advisory lists and YAML parser package cannot drift silently.
  • Docs website deployment payload. Reduced the GitHub Pages deploy window from six to three docs versions while keeping all versioned snapshots in the repository, so release docs publish with a smaller Pages artifact and avoid repeated syncing_files deployment failures.
  • Security: MCP path confinement and panic hardening. The MCP validate_file and validate_project tools now reject client-supplied paths that canonicalize outside the server working directory. Completion helpers clamp raw byte offsets to UTF-8 character boundaries before slicing, project validation converts per-file validator panics into diagnostics, and release builds keep unwinding enabled so one bad file cannot abort an entire scan.
  • Release download integrity and publish gating. The GitHub Action installer, VS Code extension, JetBrains plugin, and Zed extension now verify release SHA-256 sidecars before using downloaded agnix/agnix-lsp artifacts. Release tags now run fmt, clippy, and workspace tests before GitHub releases, crates.io publish, or VS Code Marketplace publish can proceed.

v0.37.1

Compare Source

Fixed
  • HetCreep validation issue batch (closes #​1121 through #​1140). Fixed LSP UTF-16 position/range handling for non-BMP characters, stricter .agnix.toml unknown-key rejection with explicit legacy no-op compatibility, character-based skill length checks, lossy non-ASCII AS-004 fix suppression, deterministic diagnostic ordering, and i18n tests that no longer mutate global locale state. Regenerated .agnix.toml schemas, added schema/rule-count CI gates, corrected stale rule/version/package/config docs, updated plugin contact metadata, and made rules.json / VALIDATION-RULES.md parity bidirectional.
  • JetBrains plugin LSP binary path validation. The LSP binary path setting now rejects relative values like agnix-lsp.exe and tells users to provide the full absolute executable path, so locked-down Windows users do not silently fall back to the blocked auto-downloaded binary.

v0.37.0

Compare Source

Added
  • Claude Code hook schema refresh for v2.1.198 (closes #​1106). The Claude hooks validator now recognizes the current hook event set, including UserPromptExpansion, PermissionDenied, and PostToolBatch; treats PermissionDenied as a tool/matcher event; supports the current prompt/agent hook event matrix; and validates documented event-specific matcher values. Notification matchers now accept the new agent_needs_input and agent_completed values. Agent hooks use the current 60-second default timeout threshold, while prompt hooks keep the 30-second threshold. Rule count remains 432.
Changed
  • Tool baselines: triaged the current release-watch batch and bumped amp custom-agents -> read-bigger-threads, claude-code v2.1.195 -> v2.1.198, cline cli-v3.0.31 -> v4.0.6, codex rust-v0.142.3 -> rust-v0.142.5, cursor 3.9.8 -> 3.9.16, and opencode v1.17.11 -> v1.17.13 (closes #​1104, #​1105, #​1107, #​1108, #​1109). Aside from the Claude hook schema changes above, the releases were triaged as model/runtime/UI/provider/news changes outside agnix's current validated config surfaces. .github/tool-release-baselines.json, knowledge-base/RESEARCH-TRACKING.md, hook rule metadata, generated rule docs, and locales were updated.
Fixed
  • Dead documentation host in shipped rule-doc URLs (refs #​1099). The docs site is served at https://agent-sh.github.io/agnix/ (HTTP 200), but several user-facing rule-doc links still hard-coded the pre-migration https://avifenesh.github.io/agnix host, which now returns 404. Updated the live host in the LSP diagnostic code_description (clickable rule links in IDEs), the SARIF helpUri emitted for every rule (CI integrations), the VS Code showRules/showRuleDoc actions, the Neovim AgnixShowRuleDoc command and rule pickers, the npm/VS Code/agnix-rules READMEs, and the Docusaurus url/organizationName/JSON-LD and robots.txt sitemap. Historical website/versioned_docs/** snapshots and past changelog entries are intentionally left untouched. This is the same broken-doc-link class as the JetBrains Marketplace Documentation resource link in #​1099 (that link is corrected in the Marketplace web admin, not in-repo).
  • JetBrains plugin: actionable notification when the OS blocks agnix-lsp execution (refs #​1102). On locked-down/managed Windows (AppLocker, Windows Defender Application Control, EDR, or antivirus), the OS can refuse to execute the auto-downloaded agnix-lsp.exe from its user-writable plugin directory, surfacing as CreateProcess error=5, Access is denied. Previously this appeared only as a raw CannotStartProcessException stack trace. The plugin now detects access-denied launch failures (locale-independent: matches the Win32 error=5 / POSIX errno=13/EACCES codes, not localized text) and shows an explanatory notification with "Set Binary Path" and "Troubleshooting" actions, since upgrading the IDE does not resolve an OS-level execution block. The original exception is re-thrown so LSP4IJ's lifecycle handling is unchanged. Documented the workaround in editors/jetbrains/README.md and docs/EDITOR-SETUP.md.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@yegor256

yegor256 commented Jul 3, 2026

Copy link
Copy Markdown
Member

@rultor please, try to merge, since 9 checks have passed

@rultor

rultor commented Jul 3, 2026

Copy link
Copy Markdown

@rultor please, try to merge, since 9 checks have passed

@yegor256 Unfortunately, either you or I don't have 'write' permissions to the repository, so I can't do what you're asking. Try to add me as a collaborator with 'write' access.

@renovate renovate Bot force-pushed the renovate/agent-sh-agnix-0.x branch from e0db621 to 378e566 Compare July 4, 2026 16:55
@renovate renovate Bot changed the title Update agent-sh/agnix action to v0.37.0 Update agent-sh/agnix action to v0.37.2 Jul 4, 2026
@renovate renovate Bot force-pushed the renovate/agent-sh-agnix-0.x branch from 378e566 to 8539886 Compare July 4, 2026 21:15
@renovate renovate Bot changed the title Update agent-sh/agnix action to v0.37.2 Update agent-sh/agnix action to v0.37.3 Jul 4, 2026
@renovate renovate Bot force-pushed the renovate/agent-sh-agnix-0.x branch from 8539886 to ee64795 Compare July 5, 2026 01:04
@renovate renovate Bot changed the title Update agent-sh/agnix action to v0.37.3 Update agent-sh/agnix action to v0.37.5 Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants