From fac897ae29152f2f45a8ad755db95a8fc5242553 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 01:32:16 +0800 Subject: [PATCH 01/15] chore(deps): update github/gh-aw action to v0.62.0 (#6551) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr-ai-slop-review.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index feceb466e..ef876d454 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -61,7 +61,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9758a19d946df81723a0938eb0b4e41236bab981 # v0.61.0 + uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 with: destination: /opt/gh-aw/actions - name: Generate agentic run info @@ -272,7 +272,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9758a19d946df81723a0938eb0b4e41236bab981 # v0.61.0 + uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -950,7 +950,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9758a19d946df81723a0938eb0b4e41236bab981 # v0.61.0 + uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1059,7 +1059,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@9758a19d946df81723a0938eb0b4e41236bab981 # v0.61.0 + uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact From 27217a4b762b24aad6e8e5eacb942d48ec0302af Mon Sep 17 00:00:00 2001 From: oomeow Date: Fri, 20 Mar 2026 01:39:44 +0800 Subject: [PATCH 02/15] fix: tray not update when delete profile (#6549) --- .gitignore | 1 + src-tauri/src/cmd/profile.rs | 7 ++++++ src-tauri/src/config/profiles.rs | 40 ++++++++++++++------------------ 3 files changed, 25 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index 9b8304016..7268b6233 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ scripts/_env.sh target CLAUDE.md .vfox.toml +.vfox/ diff --git a/src-tauri/src/cmd/profile.rs b/src-tauri/src/cmd/profile.rs index a2bc99b04..d23e90ce2 100644 --- a/src-tauri/src/cmd/profile.rs +++ b/src-tauri/src/cmd/profile.rs @@ -173,6 +173,13 @@ pub async fn delete_profile(index: String) -> CmdResult { // 使用Send-safe helper函数 let should_update = profiles_delete_item_safe(&index).await.stringify_err()?; profiles_save_file_safe().await.stringify_err()?; + if let Err(e) = Tray::global().update_tooltip().await { + logging!(warn, Type::Cmd, "Warning: 异步更新托盘提示失败: {e}"); + } + + if let Err(e) = Tray::global().update_menu().await { + logging!(warn, Type::Cmd, "Warning: 异步更新托盘菜单失败: {e}"); + } if should_update { Config::profiles().await.apply(); match CoreManager::global().update_config().await { diff --git a/src-tauri/src/config/profiles.rs b/src-tauri/src/config/profiles.rs index 21c5b22e8..9592cf848 100644 --- a/src-tauri/src/config/profiles.rs +++ b/src-tauri/src/config/profiles.rs @@ -263,16 +263,20 @@ impl IProfiles { pub async fn delete_item(&mut self, uid: &String) -> Result { let current = self.current.as_ref().unwrap_or(uid); let current = current.clone(); - let (merge_uid, script_uid, rules_uid, proxies_uid, groups_uid) = { + let delete_uids = { let item = self.get_item(uid)?; let option = item.option.as_ref(); - ( - option.and_then(|e| e.merge.clone()), - option.and_then(|e| e.script.clone()), - option.and_then(|e| e.rules.clone()), - option.and_then(|e| e.proxies.clone()), - option.and_then(|e| e.groups.clone()), - ) + option.map_or(Vec::new(), |op| { + [ + op.merge.clone(), + op.script.clone(), + op.rules.clone(), + op.proxies.clone(), + op.groups.clone(), + ] + .into_iter() + .collect::>() + }) }; let mut items = self.items.take().unwrap_or_default(); @@ -281,22 +285,12 @@ impl IProfiles { let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; } - // remove related extension items (merge, script, rules, proxies, groups) - if let Some(file) = Self::take_item_file_by_uid(&mut items, merge_uid.as_deref()) { - let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; - } - if let Some(file) = Self::take_item_file_by_uid(&mut items, script_uid.as_deref()) { - let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; - } - if let Some(file) = Self::take_item_file_by_uid(&mut items, rules_uid.as_deref()) { - let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; - } - if let Some(file) = Self::take_item_file_by_uid(&mut items, proxies_uid.as_deref()) { - let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; - } - if let Some(file) = Self::take_item_file_by_uid(&mut items, groups_uid.as_deref()) { - let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; + for delete_uid in delete_uids { + if let Some(file) = Self::take_item_file_by_uid(&mut items, delete_uid.as_deref()) { + let _ = dirs::app_profiles_dir()?.join(file.as_str()).remove_if_exists().await; + } } + // delete the original uid if current == *uid { self.current = None; From 2c3255a596dacfc9e5b7cf9979f36b61d52c5705 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 17:46:13 +0800 Subject: [PATCH 03/15] chore(deps): update github/gh-aw action to v0.62.3 (#6558) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr-ai-slop-review.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index ef876d454..35ed210ad 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -61,7 +61,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 + uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 with: destination: /opt/gh-aw/actions - name: Generate agentic run info @@ -272,7 +272,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 + uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -950,7 +950,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 + uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1059,7 +1059,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@f1633bcc50ad7480f44d25961863c36fadd787ec # v0.62.0 + uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 with: destination: /opt/gh-aw/actions - name: Download agent output artifact From 848a3effcf4bbe8cb25d52441189534c88247abb Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 02:21:07 +0800 Subject: [PATCH 04/15] chore(deps): update github/gh-aw action to v0.62.4 (#6571) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr-ai-slop-review.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index 35ed210ad..b134ce3ed 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -61,7 +61,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 + uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 with: destination: /opt/gh-aw/actions - name: Generate agentic run info @@ -272,7 +272,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 + uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -950,7 +950,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 + uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1059,7 +1059,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@458e90f2d0aa4842aa3fb4999d7663bce8b57dd4 # v0.62.3 + uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 with: destination: /opt/gh-aw/actions - name: Download agent output artifact From 248d464ad3ca8f9f1ca514529ce66d49b91eaaa1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 15:31:44 +0800 Subject: [PATCH 05/15] chore(deps): update github/gh-aw action to v0.62.5 (#6573) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr-ai-slop-review.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index b134ce3ed..7669396b5 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -61,7 +61,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 + uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 with: destination: /opt/gh-aw/actions - name: Generate agentic run info @@ -272,7 +272,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 + uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -950,7 +950,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 + uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1059,7 +1059,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@a898ed7b8f8238a30d9c9f560813547e695cfb0a # v0.62.4 + uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact From 85eb3b48c2a32b03638d9f0619e5a933277a6053 Mon Sep 17 00:00:00 2001 From: Tunglies <77394545+Tunglies@users.noreply.github.com> Date: Sat, 21 Mar 2026 17:02:54 +0800 Subject: [PATCH 06/15] chore: bump version to 2.4.8 --- Cargo.lock | 2 +- Changelog.md | 25 +------------------------ docs/Changelog.history.md | 37 +++++++++++++++++++++++++++++++++++++ package.json | 2 +- src-tauri/Cargo.toml | 2 +- src-tauri/tauri.conf.json | 2 +- 6 files changed, 42 insertions(+), 28 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d06690220..541488755 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1124,7 +1124,7 @@ checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9" [[package]] name = "clash-verge" -version = "2.4.7" +version = "2.4.8" dependencies = [ "aes-gcm", "anyhow", diff --git a/Changelog.md b/Changelog.md index a84dc4222..d9c2ceacd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,15 +1,7 @@ -## v2.4.7 +## v2.4.8 ### 🐞 修复问题 -- 修复 Windows 管理员身份运行时开关 TUN 模式异常 -- 修复静默启动与自动轻量模式存在冲突 -- 修复进入轻量模式后无法返回主界面 -- 切换配置文件偶尔失败的问题 -- 修复节点或模式切换出现极大延迟的回归问题 -- 修复代理关闭的情况下,网站测试依然会走代理的问题 -- 修复 Gemini 解锁测试不准确的情况 -
✨ 新增功能 @@ -18,19 +10,4 @@
🚀 优化改进 -- 优化订阅错误通知,仅在手动触发时 -- 隐藏日志中的订阅信息 -- 优化部分界面文案文本 -- 优化切换节点时的延迟 -- 优化托盘退出快捷键显示 -- 优化首次启动节点信息刷新 -- Linux 默认使用内置窗口控件 -- 实现排除自定义网段的校验 -- 移除冗余的自动备份触发条件 -- 恢复内置编辑器对 mihomo 配置的语法提示 -- 网站测试使用真实 TLS 握手延迟 -- 系统代理指示器(图标)使用真实代理状态 -- 系统代理开关指示器增加校验是否指向 Verge -- 系统代理开关修改为乐观更新模式,提升用户体验 -
diff --git a/docs/Changelog.history.md b/docs/Changelog.history.md index c3e7bfe54..159109f61 100644 --- a/docs/Changelog.history.md +++ b/docs/Changelog.history.md @@ -1,3 +1,40 @@ +## v2.4.7 + +### 🐞 修复问题 + +- 修复 Windows 管理员身份运行时开关 TUN 模式异常 +- 修复静默启动与自动轻量模式存在冲突 +- 修复进入轻量模式后无法返回主界面 +- 切换配置文件偶尔失败的问题 +- 修复节点或模式切换出现极大延迟的回归问题 +- 修复代理关闭的情况下,网站测试依然会走代理的问题 +- 修复 Gemini 解锁测试不准确的情况 + +
+ ✨ 新增功能 + +
+ +
+ 🚀 优化改进 + +- 优化订阅错误通知,仅在手动触发时 +- 隐藏日志中的订阅信息 +- 优化部分界面文案文本 +- 优化切换节点时的延迟 +- 优化托盘退出快捷键显示 +- 优化首次启动节点信息刷新 +- Linux 默认使用内置窗口控件 +- 实现排除自定义网段的校验 +- 移除冗余的自动备份触发条件 +- 恢复内置编辑器对 mihomo 配置的语法提示 +- 网站测试使用真实 TLS 握手延迟 +- 系统代理指示器(图标)使用真实代理状态 +- 系统代理开关指示器增加校验是否指向 Verge +- 系统代理开关修改为乐观更新模式,提升用户体验 + +
+ ## v(2.4.6) > [!IMPORTANT] diff --git a/package.json b/package.json index 9ac6a4e35..d9be7feb8 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "clash-verge", - "version": "2.4.7", + "version": "2.4.8", "license": "GPL-3.0-only", "scripts": { "prepare": "husky || true", diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml index 0c930f1fd..638660137 100755 --- a/src-tauri/Cargo.toml +++ b/src-tauri/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "clash-verge" -version = "2.4.7" +version = "2.4.8" description = "clash verge" authors = ["zzzgydi", "Tunglies", "wonfen", "MystiPanda"] license = "GPL-3.0-only" diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json index 2a8e54689..97dd6f59f 100755 --- a/src-tauri/tauri.conf.json +++ b/src-tauri/tauri.conf.json @@ -1,5 +1,5 @@ { - "version": "2.4.7", + "version": "2.4.8", "$schema": "../node_modules/@tauri-apps/cli/config.schema.json", "bundle": { "active": true, From 70a86b05c52843c77e860c804e6735207129e428 Mon Sep 17 00:00:00 2001 From: Tunglies <77394545+Tunglies@users.noreply.github.com> Date: Sat, 21 Mar 2026 18:38:49 +0800 Subject: [PATCH 07/15] fix: align draft commit/save semantics - use committed profiles snapshot for lifecycle saves (avoid persisting uncommitted drafts) - remove apply/discard calls after profiles with_data_modify helpers - persist profiles metadata explicitly in create_profile - apply clash draft before saving mode changes - surface deep-link profile save failures via logging --- src-tauri/src/cmd/clash.rs | 6 +++--- src-tauri/src/cmd/profile.rs | 22 ++++++---------------- src-tauri/src/feat/clash.rs | 6 ++++-- src-tauri/src/utils/resolve/scheme.rs | 4 ++-- 4 files changed, 15 insertions(+), 23 deletions(-) diff --git a/src-tauri/src/cmd/clash.rs b/src-tauri/src/cmd/clash.rs index 1a8a1282e..c0cbddd37 100644 --- a/src-tauri/src/cmd/clash.rs +++ b/src-tauri/src/cmd/clash.rs @@ -46,7 +46,7 @@ pub async fn change_clash_core(clash_core: String) -> CmdResult> match CoreManager::global().change_core(&clash_core).await { Ok(_) => { - logging_error!(Type::Core, Config::profiles().await.latest_arc().save_file().await); + logging_error!(Type::Core, Config::profiles().await.data_arc().save_file().await); // 切换内核后重启内核 match CoreManager::global().restart_core().await { @@ -86,7 +86,7 @@ pub async fn start_core() -> CmdResult { /// 关闭核心 #[tauri::command] pub async fn stop_core() -> CmdResult { - logging_error!(Type::Core, Config::profiles().await.latest_arc().save_file().await); + logging_error!(Type::Core, Config::profiles().await.data_arc().save_file().await); let result = CoreManager::global().stop_core().await.stringify_err(); if result.is_ok() { handle::Handle::refresh_clash(); @@ -97,7 +97,7 @@ pub async fn stop_core() -> CmdResult { /// 重启核心 #[tauri::command] pub async fn restart_core() -> CmdResult { - logging_error!(Type::Core, Config::profiles().await.latest_arc().save_file().await); + logging_error!(Type::Core, Config::profiles().await.data_arc().save_file().await); let result = CoreManager::global().restart_core().await.stringify_err(); if result.is_ok() { handle::Handle::refresh_clash(); diff --git a/src-tauri/src/cmd/profile.rs b/src-tauri/src/cmd/profile.rs index d23e90ce2..827496699 100644 --- a/src-tauri/src/cmd/profile.rs +++ b/src-tauri/src/cmd/profile.rs @@ -116,11 +116,9 @@ pub async fn reorder_profile(active_id: String, over_id: String) -> CmdResult { match profiles_reorder_safe(&active_id, &over_id).await { Ok(_) => { logging!(info, Type::Cmd, "重新排序配置文件"); - Config::profiles().await.apply(); Ok(()) } Err(err) => { - Config::profiles().await.discard(); logging!(error, Type::Cmd, "重新排序配置文件失败: {}", err); Err(format!("重新排序配置文件失败: {}", err).into()) } @@ -133,21 +131,18 @@ pub async fn reorder_profile(active_id: String, over_id: String) -> CmdResult { pub async fn create_profile(item: PrfItem, file_data: Option) -> CmdResult { match profiles_append_item_with_filedata_safe(&item, file_data).await { Ok(_) => { + profiles_save_file_safe().await.stringify_err()?; // 发送配置变更通知 if let Some(uid) = &item.uid { logging!(info, Type::Cmd, "[创建订阅] 发送配置变更通知: {}", uid); handle::Handle::notify_profile_changed(uid); } - Config::profiles().await.apply(); Ok(()) } - Err(err) => { - Config::profiles().await.discard(); - match err.to_string().as_str() { - "the file already exists" => Err("the file already exists".into()), - _ => Err(format!("add profile error: {err}").into()), - } - } + Err(err) => match err.to_string().as_str() { + "the file already exists" => Err("the file already exists".into()), + _ => Err(format!("add profile error: {err}").into()), + }, } } @@ -155,12 +150,8 @@ pub async fn create_profile(item: PrfItem, file_data: Option) -> CmdResu #[tauri::command] pub async fn update_profile(index: String, option: Option) -> CmdResult { match feat::update_profile(&index, option.as_ref(), true, true, true).await { - Ok(_) => { - let _: () = Config::profiles().await.apply(); - Ok(()) - } + Ok(_) => Ok(()), Err(e) => { - Config::profiles().await.discard(); logging!(error, Type::Cmd, "{}", e); Err(e.to_string().into()) } @@ -181,7 +172,6 @@ pub async fn delete_profile(index: String) -> CmdResult { logging!(warn, Type::Cmd, "Warning: 异步更新托盘菜单失败: {e}"); } if should_update { - Config::profiles().await.apply(); match CoreManager::global().update_config().await { Ok(_) => { handle::Handle::refresh_clash(); diff --git a/src-tauri/src/feat/clash.rs b/src-tauri/src/feat/clash.rs index 09f879e6b..909cfbb04 100644 --- a/src-tauri/src/feat/clash.rs +++ b/src-tauri/src/feat/clash.rs @@ -78,10 +78,12 @@ pub async fn change_clash_mode(mode: String) { match handle::Handle::mihomo().await.patch_base_config(&json_value).await { Ok(_) => { // 更新订阅 - Config::clash().await.edit_draft(|d| d.patch_config(&mapping)); + let clash = Config::clash().await; + clash.edit_draft(|d| d.patch_config(&mapping)); + clash.apply(); // 分离数据获取和异步调用 - let clash_data = Config::clash().await.data_arc(); + let clash_data = clash.data_arc(); if clash_data.save_config().await.is_ok() { handle::Handle::refresh_clash(); logging_error!(Type::Tray, tray::Tray::global().update_menu().await); diff --git a/src-tauri/src/utils/resolve/scheme.rs b/src-tauri/src/utils/resolve/scheme.rs index f5ba6fe26..c28bec5d8 100644 --- a/src-tauri/src/utils/resolve/scheme.rs +++ b/src-tauri/src/utils/resolve/scheme.rs @@ -9,7 +9,7 @@ use crate::{ config::{Config, PrfItem, profiles}, core::{CoreManager, handle}, }; -use clash_verge_logging::{Type, logging}; +use clash_verge_logging::{Type, logging, logging_error}; pub(super) async fn resolve_scheme(param: &str) -> Result<()> { logging!(info, Type::Config, "received deep link: {param}"); @@ -94,7 +94,7 @@ async fn import_subscription(url: &str, name: Option<&String>) { } Config::profiles().await.apply(); - let _ = Config::profiles().await.data_arc().save_file().await; + logging_error!(Type::Config, Config::profiles().await.data_arc().save_file().await); handle::Handle::notice_message( "import_sub_url::ok", "", // 空 msg 传入,我们不希望导致 后端-前端-后端 死循环,这里只做提醒。 From fa868295d84903014dbe2e49b98cd74c9e618f79 Mon Sep 17 00:00:00 2001 From: Tunglies <77394545+Tunglies@users.noreply.github.com> Date: Sat, 21 Mar 2026 19:19:01 +0800 Subject: [PATCH 08/15] fix: update script paths in PR AI Slop Review workflow --- .github/aw/actions-lock.json | 10 + .github/workflows/pr-ai-slop-review.lock.yml | 480 ++++++++----------- 2 files changed, 211 insertions(+), 279 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index dfa506eb7..02500ceb2 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -1,5 +1,15 @@ { "entries": { + "actions/github-script@v8": { + "repo": "actions/github-script", + "version": "v8", + "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" + }, + "github/gh-aw-actions/setup@v0.62.5": { + "repo": "github/gh-aw-actions/setup", + "version": "v0.62.5", + "sha": "dc50be57c94373431b49d3d0927f318ac2bb5c4c" + }, "github/gh-aw/actions/setup@v0.58.3": { "repo": "github/gh-aw/actions/setup", "version": "v0.58.3", diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index 7669396b5..643d33abe 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -1,19 +1,18 @@ -# -# ___ _ _ -# / _ \ | | (_) -# | |_| | __ _ ___ _ __ | |_ _ ___ +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ # | _ |/ _` |/ _ \ '_ \| __| |/ __| -# | | | | (_| | __/ | | | |_| | (__ +# | | | | (_| | __/ | | | |_| | (__ # \_| |_/\__, |\___|_| |_|\__|_|\___| # __/ | -# _ _ |___/ +# _ _ |___/ # | | | | / _| | # | | | | ___ _ __ _ __| |_| | _____ ____ # | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.58.3). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.62.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -25,26 +24,26 @@ # signs of one-shot AI-generated changes, then posts a maintainer-focused # comment when the risk is high enough to warrant follow-up. # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3d4fd9eaa234e0aad443087c472ec9d7cc64fb0af9698f9acdaa9ced370bf9f5","compiler_version":"v0.58.3","strict":true} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3d4fd9eaa234e0aad443087c472ec9d7cc64fb0af9698f9acdaa9ced370bf9f5","compiler_version":"v0.62.5","strict":true,"agent_id":"copilot"} -name: 'PR AI Slop Review' -'on': +name: "PR AI Slop Review" +"on": pull_request_target: types: - - opened - - reopened - - synchronize - - edited + - opened + - reopened + - synchronize + - edited # roles: all # Roles processed as role check in pre-activation job workflow_dispatch: permissions: {} concurrency: - group: 'gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}' + group: "gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}" cancel-in-progress: true -run-name: 'PR AI Slop Review' +run-name: "PR AI Slop Review" jobs: activation: @@ -53,44 +52,47 @@ jobs: contents: read outputs: body: ${{ steps.sanitized.outputs.body }} - comment_id: '' - comment_repo: '' + comment_id: "" + comment_repo: "" + lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }} model: ${{ steps.generate_aw_info.outputs.model }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} text: ${{ steps.sanitized.outputs.text }} title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 + uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 with: - destination: /opt/gh-aw/actions + destination: ${{ runner.temp }}/gh-aw/actions - name: Generate agentic run info id: generate_aw_info env: - GH_AW_INFO_ENGINE_ID: 'copilot' - GH_AW_INFO_ENGINE_NAME: 'GitHub Copilot CLI' + GH_AW_INFO_ENGINE_ID: "copilot" + GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI" GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} - GH_AW_INFO_VERSION: '' - GH_AW_INFO_AGENT_VERSION: 'latest' - GH_AW_INFO_CLI_VERSION: 'v0.58.3' - GH_AW_INFO_WORKFLOW_NAME: 'PR AI Slop Review' - GH_AW_INFO_EXPERIMENTAL: 'false' - GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: 'true' - GH_AW_INFO_STAGED: 'false' + GH_AW_INFO_VERSION: "" + GH_AW_INFO_AGENT_VERSION: "latest" + GH_AW_INFO_CLI_VERSION: "v0.62.5" + GH_AW_INFO_WORKFLOW_NAME: "PR AI Slop Review" + GH_AW_INFO_EXPERIMENTAL: "false" + GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" + GH_AW_INFO_STAGED: "false" GH_AW_INFO_ALLOWED_DOMAINS: '["defaults"]' - GH_AW_INFO_FIREWALL_ENABLED: 'true' - GH_AW_INFO_AWF_VERSION: 'v0.24.1' - GH_AW_INFO_AWMG_VERSION: '' - GH_AW_INFO_FIREWALL_TYPE: 'squid' - GH_AW_COMPILED_STRICT: 'true' + GH_AW_INFO_FIREWALL_ENABLED: "true" + GH_AW_INFO_AWF_VERSION: "v0.24.5" + GH_AW_INFO_AWMG_VERSION: "" + GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { main } = require('/opt/gh-aw/actions/generate_aw_info.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs'); await main(core, context); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + run: ${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Checkout .github and .agents folders @@ -105,21 +107,21 @@ jobs: - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - GH_AW_WORKFLOW_FILE: 'pr-ai-slop-review.lock.yml' + GH_AW_WORKFLOW_FILE: "pr-ai-slop-review.lock.yml" with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: sanitized uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/compute_text.cjs'); await main(); - name: Create prompt with built-in context env: @@ -134,15 +136,15 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /opt/gh-aw/actions/create_prompt_first.sh + bash ${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh { cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF - cat "/opt/gh-aw/prompts/xpia.md" - cat "/opt/gh-aw/prompts/temp_folder_prompt.md" - cat "/opt/gh-aw/prompts/markdown.md" - cat "/opt/gh-aw/prompts/safe_outputs_prompt.md" + cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" + cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" + cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" + cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' Tools: add_comment, missing_tool, missing_data, noop @@ -174,8 +176,9 @@ jobs: - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ {{/if}} - + GH_AW_PROMPT_EOF + cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" cat << 'GH_AW_PROMPT_EOF' GH_AW_PROMPT_EOF @@ -189,9 +192,9 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -207,11 +210,11 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - + + const substitutePlaceholders = require('${{ runner.temp }}/gh-aw/actions/substitute_placeholders.cjs'); + // Call the substitution function return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, @@ -229,11 +232,11 @@ jobs: - name: Validate prompt placeholders env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + run: bash ${RUNNER_TEMP}/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /opt/gh-aw/actions/print_prompt_summary.sh + run: bash ${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh - name: Upload activation artifact if: success() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 @@ -253,13 +256,10 @@ jobs: pull-requests: read env: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - GH_AW_ASSETS_ALLOWED_EXTS: '' - GH_AW_ASSETS_BRANCH: '' + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json GH_AW_WORKFLOW_ID_SANITIZED: praislopreview outputs: checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} @@ -272,15 +272,24 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 + uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 with: - destination: /opt/gh-aw/actions + destination: ${{ runner.temp }}/gh-aw/actions + - name: Set runtime paths + run: | + echo "GH_AW_SAFE_OUTPUTS=${RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_CONFIG_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" >> "$GITHUB_ENV" + echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json" >> "$GITHUB_ENV" - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash ${RUNNER_TEMP}/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Configure gh CLI for GitHub Enterprise + run: bash ${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh + env: + GH_TOKEN: ${{ github.token }} - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -296,170 +305,55 @@ jobs: - name: Checkout PR branch id: checkout-pr if: | - (github.event.pull_request) || (github.event.issue.pull_request) + github.event.pull_request || github.event.issue.pull_request uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh latest + run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest env: GH_HOST: github.com - name: Install AWF binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.24.1 + run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.24.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.1 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.1 ghcr.io/github/gh-aw-firewall/squid:0.24.1 ghcr.io/github/gh-aw-mcpg:v0.1.15 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine + run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.24.5 ghcr.io/github/gh-aw-firewall/api-proxy:0.24.5 ghcr.io/github/gh-aw-firewall/squid:0.24.5 ghcr.io/github/gh-aw-mcpg:v0.1.20 ghcr.io/github/github-mcp-server:v0.32.0 node:lts-alpine - name: Write Safe Outputs Config run: | - mkdir -p /opt/gh-aw/safeoutputs + mkdir -p ${RUNNER_TEMP}/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /opt/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/config.json << 'GH_AW_SAFE_OUTPUTS_CONFIG_EOF' {"add_comment":{"max":1},"mentions":{"enabled":false},"missing_data":{},"missing_tool":{},"noop":{"max":1}} GH_AW_SAFE_OUTPUTS_CONFIG_EOF - name: Write Safe Outputs Tools run: | - cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' - [ - { - "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "body": { - "description": "The comment text in Markdown format. This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation. CONSTRAINTS: The complete comment (your body text + automatically added footer) must not exceed 65536 characters total. Maximum 10 mentions (@username), maximum 50 links (http/https URLs). A footer (~200-500 characters) is automatically appended with workflow attribution, so leave adequate space. If these limits are exceeded, the tool call will fail with a detailed error message indicating which constraint was violated.", - "type": "string" - }, - "integrity": { - "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").", - "type": "string" - }, - "item_number": { - "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). Can also be a temporary_id (e.g., 'aw_abc123') from a previously created issue in the same workflow run. If omitted, the tool auto-targets the issue, PR, or discussion that triggered this workflow. Auto-targeting only works for issue, pull_request, discussion, and comment event triggers — it does NOT work for schedule, workflow_dispatch, push, or workflow_run triggers. For those trigger types, always provide item_number explicitly, or the tool call will fail with an error.", - "type": [ - "number", - "string" - ] - }, - "secrecy": { - "description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").", - "type": "string" - }, - "temporary_id": { - "description": "Unique temporary identifier for this comment. Format: 'aw_' followed by 3 to 12 alphanumeric characters (e.g., 'aw_abc1', 'aw_Test123'). Auto-generated if not provided. The temporary ID is returned in the tool response so you can reference this comment later.", - "pattern": "^aw_[A-Za-z0-9]{3,12}$", - "type": "string" - } - }, - "required": [ - "body" - ], - "type": "object" - }, - "name": "add_comment" + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/tools_meta.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF' + { + "description_suffixes": { + "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added." }, - { - "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "alternatives": { - "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", - "type": "string" - }, - "integrity": { - "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").", - "type": "string" - }, - "reason": { - "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", - "type": "string" - }, - "secrecy": { - "description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").", - "type": "string" - }, - "tool": { - "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", - "type": "string" - } - }, - "required": [ - "reason" - ], - "type": "object" - }, - "name": "missing_tool" - }, - { - "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "integrity": { - "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").", - "type": "string" - }, - "message": { - "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", - "type": "string" - }, - "secrecy": { - "description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").", - "type": "string" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "name": "noop" - }, - { - "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", - "inputSchema": { - "additionalProperties": false, - "properties": { - "alternatives": { - "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", - "type": "string" - }, - "context": { - "description": "Additional context about the missing data or where it should come from (max 256 characters).", - "type": "string" - }, - "data_type": { - "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", - "type": "string" - }, - "integrity": { - "description": "Trustworthiness level of the message source (e.g., \"low\", \"medium\", \"high\").", - "type": "string" - }, - "reason": { - "description": "Explanation of why this data is needed to complete the task (max 256 characters).", - "type": "string" - }, - "secrecy": { - "description": "Confidentiality level of the message content (e.g., \"public\", \"internal\", \"private\").", - "type": "string" - } - }, - "required": [], - "type": "object" - }, - "name": "missing_data" - } - ] - GH_AW_SAFE_OUTPUTS_TOOLS_EOF - cat > /opt/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' + "repo_params": {}, + "dynamic_tools": [] + } + GH_AW_SAFE_OUTPUTS_TOOLS_META_EOF + cat > ${RUNNER_TEMP}/gh-aw/safeoutputs/validation.json << 'GH_AW_SAFE_OUTPUTS_VALIDATION_EOF' { "add_comment": { "defaultMax": 1, @@ -538,6 +432,7 @@ jobs: } } GH_AW_SAFE_OUTPUTS_VALIDATION_EOF + node ${RUNNER_TEMP}/gh-aw/actions/generate_safe_outputs_tools.cjs - name: Generate Safe Outputs MCP Server Config id: safe-outputs-config run: | @@ -545,25 +440,25 @@ jobs: # Mask immediately to prevent timing vulnerabilities API_KEY=$(openssl rand -base64 45 | tr -d '/+=') echo "::add-mask::${API_KEY}" - + PORT=3001 - + # Set outputs for next steps { echo "safe_outputs_api_key=${API_KEY}" echo "safe_outputs_port=${PORT}" } >> "$GITHUB_OUTPUT" - + echo "Safe Outputs MCP server will run on port ${PORT}" - + - name: Start Safe Outputs MCP HTTP Server id: safe-outputs-start env: DEBUG: '*' GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: ${{ runner.temp }}/gh-aw/safeoutputs/config.json GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs run: | # Environment variables are set above to prevent template injection @@ -573,20 +468,22 @@ jobs: export GH_AW_SAFE_OUTPUTS_TOOLS_PATH export GH_AW_SAFE_OUTPUTS_CONFIG_PATH export GH_AW_MCP_LOG_DIR - - bash /opt/gh-aw/actions/start_safe_outputs_server.sh - + + bash ${RUNNER_TEMP}/gh-aw/actions/start_safe_outputs_server.sh + - name: Start MCP Gateway id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }} + GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config - + # Export gateway environment variables for MCP config and gateway script export MCP_GATEWAY_PORT="80" export MCP_GATEWAY_DOMAIN="host.docker.internal" @@ -597,12 +494,12 @@ jobs: mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" export MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD="524288" export DEBUG="*" - + export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.15' - + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.20' + mkdir -p /home/runner/.copilot - cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + cat << GH_AW_MCP_CONFIG_EOF | bash ${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { @@ -613,6 +510,12 @@ jobs: "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", "GITHUB_READ_ONLY": "1", "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" + }, + "guard-policies": { + "allow-only": { + "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY", + "repos": "$GITHUB_MCP_GUARD_REPOS" + } } }, "safeoutputs": { @@ -620,6 +523,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, @@ -637,7 +547,8 @@ jobs: name: activation path: /tmp/gh-aw - name: Clean git credentials - run: bash /opt/gh-aw/actions/clean_git_credentials.sh + continue-on-error: true + run: bash ${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -646,7 +557,7 @@ jobs: set -o pipefail touch /tmp/gh-aw/agent-step-summary.md # shellcheck disable=SC1003 - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.1 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.5 --skip-pull --enable-api-proxy \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -656,7 +567,7 @@ jobs: GH_AW_PHASE: agent GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_VERSION: v0.58.3 + GH_AW_VERSION: v0.62.5 GITHUB_API_URL: ${{ github.api_url }} GITHUB_AW: true GITHUB_HEAD_REF: ${{ github.head_ref }} @@ -674,7 +585,7 @@ jobs: id: detect-inference-error if: always() continue-on-error: true - run: bash /opt/gh-aw/actions/detect_inference_access_error.sh + run: bash ${RUNNER_TEMP}/gh-aw/actions/detect_inference_access_error.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -695,7 +606,7 @@ jobs: # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them SESSION_STATE_DIR="$HOME/.copilot/session-state" LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" - + if [ -d "$SESSION_STATE_DIR" ]; then echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" mkdir -p "$LOGS_DIR" @@ -712,15 +623,15 @@ jobs: MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} run: | - bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + bash ${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -730,7 +641,7 @@ jobs: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Append agent step summary if: always() - run: bash /opt/gh-aw/actions/append_agent_step_summary.sh + run: bash ${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh - name: Copy Safe Outputs if: always() run: | @@ -742,15 +653,15 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: 'api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' - GH_AW_ALLOWED_GITHUB_REFS: '' + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" + GH_AW_ALLOWED_GITHUB_REFS: "" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Parse agent logs for step summary if: always() @@ -759,18 +670,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_mcp_gateway_log.cjs'); await main(); - name: Print firewall logs if: always() @@ -840,14 +751,14 @@ jobs: if: always() && steps.detection_guard.outputs.run_detection == 'true' uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - WORKFLOW_NAME: 'PR AI Slop Review' + WORKFLOW_NAME: "PR AI Slop Review" WORKFLOW_DESCRIPTION: "Reviews incoming pull requests for missing issue linkage and high-confidence\nsigns of one-shot AI-generated changes, then posts a maintainer-focused\ncomment when the risk is high enough to warrant follow-up." HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs'); await main(); - name: Ensure threat-detection directory and log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -870,7 +781,7 @@ jobs: set -o pipefail touch /tmp/gh-aw/agent-step-summary.md # shellcheck disable=SC1003 - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.1 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --allow-domains "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org,telemetry.enterprise.githubcopilot.com" --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.24.5 --skip-pull --enable-api-proxy \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(wc)'\'' --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -878,7 +789,7 @@ jobs: COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} GH_AW_PHASE: detection GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_VERSION: v0.58.3 + GH_AW_VERSION: v0.62.5 GITHUB_API_URL: ${{ github.api_url }} GITHUB_AW: true GITHUB_HEAD_REF: ${{ github.head_ref }} @@ -897,9 +808,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() && steps.detection_guard.outputs.run_detection == 'true' @@ -934,7 +845,7 @@ jobs: - activation - agent - safe_outputs - if: (always()) && (needs.agent.result != 'skipped') + if: always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true') runs-on: ubuntu-slim permissions: contents: read @@ -942,7 +853,7 @@ jobs: issues: write pull-requests: write concurrency: - group: 'gh-aw-conclusion-pr-ai-slop-review' + group: "gh-aw-conclusion-pr-ai-slop-review" cancel-in-progress: false outputs: noop_message: ${{ steps.noop.outputs.noop_message }} @@ -950,9 +861,9 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 + uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 with: - destination: /opt/gh-aw/actions + destination: ${{ runner.temp }}/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -971,71 +882,73 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_NOOP_MAX: '1' - GH_AW_WORKFLOW_NAME: 'PR AI Slop Review' + GH_AW_NOOP_MAX: "1" + GH_AW_WORKFLOW_NAME: "PR AI Slop Review" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/noop.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: 'PR AI Slop Review' + GH_AW_WORKFLOW_NAME: "PR AI Slop Review" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/missing_tool.cjs'); await main(); - name: Handle Agent Failure id: handle_agent_failure + if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: 'PR AI Slop Review' + GH_AW_WORKFLOW_NAME: "PR AI Slop Review" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} - GH_AW_WORKFLOW_ID: 'pr-ai-slop-review' + GH_AW_WORKFLOW_ID: "pr-ai-slop-review" GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }} GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }} - GH_AW_GROUP_REPORTS: 'false' - GH_AW_FAILURE_REPORT_AS_ISSUE: 'true' - GH_AW_TIMEOUT_MINUTES: '20' + GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }} + GH_AW_GROUP_REPORTS: "false" + GH_AW_FAILURE_REPORT_AS_ISSUE: "true" + GH_AW_TIMEOUT_MINUTES: "20" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_agent_failure.cjs'); await main(); - name: Handle No-Op Message id: handle_noop_message uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: 'PR AI Slop Review' + GH_AW_WORKFLOW_NAME: "PR AI Slop Review" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }} - GH_AW_NOOP_REPORT_AS_ISSUE: 'true' + GH_AW_NOOP_REPORT_AS_ISSUE: "true" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/handle_noop_message.cjs'); await main(); safe_outputs: needs: agent - if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.agent.outputs.detection_success == 'true') + if: (!cancelled()) && needs.agent.result != 'skipped' && needs.agent.outputs.detection_success == 'true' runs-on: ubuntu-slim permissions: contents: read @@ -1044,10 +957,10 @@ jobs: pull-requests: write timeout-minutes: 15 env: - GH_AW_CALLER_WORKFLOW_ID: '${{ github.repository }}/pr-ai-slop-review' - GH_AW_ENGINE_ID: 'copilot' - GH_AW_WORKFLOW_ID: 'pr-ai-slop-review' - GH_AW_WORKFLOW_NAME: 'PR AI Slop Review' + GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/pr-ai-slop-review" + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "pr-ai-slop-review" + GH_AW_WORKFLOW_NAME: "PR AI Slop Review" outputs: code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }} code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }} @@ -1059,9 +972,9 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@48d8fdfddc8cad854ac0c70ceb573f09fb8f9c9b # v0.62.5 + uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 with: - destination: /opt/gh-aw/actions + destination: ${{ runner.temp }}/gh-aw/actions - name: Download agent output artifact id: download-agent-output continue-on-error: true @@ -1075,26 +988,35 @@ jobs: mkdir -p /tmp/gh-aw/ find "/tmp/gh-aw/" -type f -print echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_ENV" + - name: Configure GH_HOST for enterprise compatibility + shell: bash + run: | + # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct + # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op. + GH_HOST="${GITHUB_SERVER_URL#https://}" + GH_HOST="${GH_HOST#http://}" + echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV" - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_ALLOWED_DOMAINS: 'api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: '{"add_comment":{"hide_older_comments":true,"max":1},"missing_data":{},"missing_tool":{}}' + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('${{ runner.temp }}/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - - name: Upload Safe Output Items Manifest + - name: Upload safe output items if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: safe-output-items - path: /tmp/safe-output-items.jsonl - if-no-files-found: warn + path: /tmp/gh-aw/safe-output-items.jsonl + if-no-files-found: ignore + From 32a6de15d8b836a702670d05fe8a57754f70572c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 19:36:49 +0800 Subject: [PATCH 09/15] chore(deps): update github/gh-aw-actions digest to 853312c (#6579) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/pr-ai-slop-review.lock.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-ai-slop-review.lock.yml b/.github/workflows/pr-ai-slop-review.lock.yml index 643d33abe..8a2b5aeaf 100644 --- a/.github/workflows/pr-ai-slop-review.lock.yml +++ b/.github/workflows/pr-ai-slop-review.lock.yml @@ -61,7 +61,7 @@ jobs: title: ${{ steps.sanitized.outputs.title }} steps: - name: Setup Scripts - uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 + uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5 with: destination: ${{ runner.temp }}/gh-aw/actions - name: Generate agentic run info @@ -272,7 +272,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 + uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5 with: destination: ${{ runner.temp }}/gh-aw/actions - name: Set runtime paths @@ -861,7 +861,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 + uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5 with: destination: ${{ runner.temp }}/gh-aw/actions - name: Download agent output artifact @@ -972,7 +972,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw-actions/setup@dc50be57c94373431b49d3d0927f318ac2bb5c4c # v0.62.5 + uses: github/gh-aw-actions/setup@853312c41e88e0d6f51d0e4e0658f3ad7461366a # v0.62.5 with: destination: ${{ runner.temp }}/gh-aw/actions - name: Download agent output artifact From 603671717aaeadbff2115157db146b8901ef07ab Mon Sep 17 00:00:00 2001 From: wonfen Date: Sat, 21 Mar 2026 23:49:57 +0800 Subject: [PATCH 10/15] Release 2.4.7 --- Changelog.md | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/Changelog.md b/Changelog.md index d9c2ceacd..7a9448d39 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,13 +1,41 @@ ## v2.4.8 +> [!IMPORTANT] +> 继2.4.6以来继续优化修复问题,是 bug 问题最少的版本;建议所有用户立即升级。 +> 关于版本的说明:Clash Verge 版本号遵循 x.y.z:x 为重大架构变更,y 为功能新增,z 为 Bug 修复。 + ### 🐞 修复问题
✨ 新增功能 +- 修复 Windows 管理员身份运行时开关 TUN 模式异常 +- 修复静默启动与自动轻量模式存在冲突 +- 修复进入轻量模式后无法返回主界面 +- 切换配置文件偶尔失败的问题 +- 修复节点或模式切换出现极大延迟的回归问题 +- 修复代理关闭的情况下,网站测试依然会走代理的问题 +- 修复 Gemini 解锁测试不准确的情况 +- 修复删除订阅后状态栏未更新的问题 +- + +### ✨ 新增功能 + +- 升级 Mihomo 内核 + +### 🚀 优化改进
- -
- 🚀 优化改进 - -
+- 优化订阅错误通知,仅在手动触发时 +- 隐藏日志中的订阅信息 +- 优化部分界面文案文本 +- 优化切换节点时的延迟 +- 优化托盘退出快捷键显示 +- 优化首次启动节点信息刷新 +- Linux 默认使用内置窗口控件 +- 实现排除自定义网段的校验 +- 移除冗余的自动备份触发条件 +- 恢复内置编辑器对 mihomo 配置的语法提示 +- 网站测试使用真实 TLS 握手延迟 +- 系统代理指示器(图标)使用真实代理状态 +- 系统代理开关指示器增加校验是否指向 Verge +- 系统代理开关修改为乐观更新模式,提升用户体验 From 1d27bf96be433f1caa6dcadf7a48149d997a61a7 Mon Sep 17 00:00:00 2001 From: wonfen Date: Sat, 21 Mar 2026 22:28:27 +0800 Subject: [PATCH 11/15] fix: telegram html arsing failure --- scripts/telegram.mjs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/scripts/telegram.mjs b/scripts/telegram.mjs index 6f35b5946..214b76695 100644 --- a/scripts/telegram.mjs +++ b/scripts/telegram.mjs @@ -82,8 +82,26 @@ async function sendTelegramNotification() { .replace(//g, '\n') } + // Strip HTML tags not supported by Telegram and escape stray angle brackets + function sanitizeTelegramHTML(content) { + // Telegram supports: b, strong, i, em, u, ins, s, strike, del, + // a, code, pre, blockquote, tg-spoiler, tg-emoji + const allowedTags = + /^\/?(b|strong|i|em|u|ins|s|strike|del|a|code|pre|blockquote|tg-spoiler|tg-emoji)(\s|>|$)/i + return content.replace(/<\/?[^>]*>/g, (tag) => { + const inner = tag.replace(/^<\/?/, '').replace(/>$/, '') + if (allowedTags.test(inner) || allowedTags.test(tag.slice(1))) { + return tag + } + // Escape unsupported tags so they display as text + return tag.replace(//g, '>') + }) + } + releaseContent = normalizeDetailsTags(releaseContent) - const formattedContent = convertMarkdownToTelegramHTML(releaseContent) + const formattedContent = sanitizeTelegramHTML( + convertMarkdownToTelegramHTML(releaseContent), + ) const releaseTitle = isAutobuild ? '滚动更新版发布' : '正式发布' const encodedVersion = encodeURIComponent(version) From 6a818bc2e7689b43decf7e8ca26a45f16558e9f2 Mon Sep 17 00:00:00 2001 From: wonfen Date: Sat, 21 Mar 2026 22:36:52 +0800 Subject: [PATCH 12/15] chore: add standalone telegram Notify workflow --- .github/workflows/telegram-notify.yml | 104 ++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 .github/workflows/telegram-notify.yml diff --git a/.github/workflows/telegram-notify.yml b/.github/workflows/telegram-notify.yml new file mode 100644 index 000000000..4c1284c0b --- /dev/null +++ b/.github/workflows/telegram-notify.yml @@ -0,0 +1,104 @@ +name: Telegram Notify + +on: + workflow_dispatch: + inputs: + version: + description: 'Version to notify (e.g. 2.4.7), defaults to package.json version' + required: false + type: string + build_type: + description: 'Build type' + required: false + default: 'release' + type: choice + options: + - release + - autobuild + +permissions: {} + +jobs: + notify-telegram: + name: Notify Telegram + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Fetch UPDATE logs + id: fetch_update_logs + run: bash ./scripts/extract_update_logs.sh + shell: bash + + - name: Install Node + uses: actions/setup-node@v6 + with: + node-version: '24.14.0' + + - uses: pnpm/action-setup@v5 + name: Install pnpm + with: + run_install: false + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Get Version and Release Info + run: | + if [ -n "${{ inputs.version }}" ]; then + VERSION="${{ inputs.version }}" + else + VERSION=$(jq -r '.version' package.json) + fi + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "DOWNLOAD_URL=https://github.com/clash-verge-rev/clash-verge-rev/releases/download/v${VERSION}" >> $GITHUB_ENV + echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV + + - name: Generate release.txt + run: | + if [ -z "$UPDATE_LOGS" ]; then + echo "No update logs found, using default message" + UPDATE_LOGS="More new features are now supported. Check for detailed changelog soon." + else + echo "Using found update logs" + fi + + cat > release.txt << EOF + $UPDATE_LOGS + + ## 下载地址 + + ### Windows (不再支持Win7) + #### 正常版本(推荐) + - [64位(常用)](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_x64-setup.exe) | [ARM64(不常用)](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_arm64-setup.exe) + + #### 内置Webview2版(体积较大,仅在企业版系统或无法安装webview2时使用) + - [64位](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_x64_fixed_webview2-setup.exe) | [ARM64](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_arm64_fixed_webview2-setup.exe) + + ### macOS + - [Apple M芯片](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_aarch64.dmg) | [Intel芯片](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_x64.dmg) + + ### Linux + #### DEB包(Debian系) 使用 apt ./路径 安装 + - [64位](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_amd64.deb) | [ARM64](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_arm64.deb) | [ARMv7](${{ env.DOWNLOAD_URL }}/Clash.Verge_${{ env.VERSION }}_armhf.deb) + + #### RPM包(Redhat系) 使用 dnf ./路径 安装 + - [64位](${{ env.DOWNLOAD_URL }}/Clash.Verge-${{ env.VERSION }}-1.x86_64.rpm) | [ARM64](${{ env.DOWNLOAD_URL }}/Clash.Verge-${{ env.VERSION }}-1.aarch64.rpm) | [ARMv7](${{ env.DOWNLOAD_URL }}/Clash.Verge-${{ env.VERSION }}-1.armhfp.rpm) + + ### FAQ + - [常见问题](https://clash-verge-rev.github.io/faq/windows.html) + + ### 稳定机场VPN推荐 + - [狗狗加速](https://verge.dginv.click/#/register?code=oaxsAGo6) + + Created at ${{ env.BUILDTIME }}. + EOF + + - name: Send Telegram Notification + run: node scripts/telegram.mjs + env: + TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} + BUILD_TYPE: ${{ inputs.build_type }} + VERSION: ${{ env.VERSION }} + DOWNLOAD_URL: ${{ env.DOWNLOAD_URL }} From b885b96deb1632062e9f1a9eff21dc5caf39d549 Mon Sep 17 00:00:00 2001 From: wonfen Date: Sat, 21 Mar 2026 22:47:47 +0800 Subject: [PATCH 13/15] fix: tg HTML parsing failure --- scripts/telegram.mjs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/scripts/telegram.mjs b/scripts/telegram.mjs index 214b76695..45aeb3891 100644 --- a/scripts/telegram.mjs +++ b/scripts/telegram.mjs @@ -44,17 +44,23 @@ async function sendTelegramNotification() { // Markdown 转换为 HTML function convertMarkdownToTelegramHTML(content) { + // Strip stray HTML tags and markdown bold from heading text + const cleanHeading = (text) => + text + .replace(/<\/?[^>]+>/g, '') + .replace(/\*\*/g, '') + .trim() return content .split('\n') .map((line) => { if (line.trim().length === 0) { return '' } else if (line.startsWith('## ')) { - return `${line.replace('## ', '')}` + return `${cleanHeading(line.replace('## ', ''))}` } else if (line.startsWith('### ')) { - return `${line.replace('### ', '')}` + return `${cleanHeading(line.replace('### ', ''))}` } else if (line.startsWith('#### ')) { - return `${line.replace('#### ', '')}` + return `${cleanHeading(line.replace('#### ', ''))}` } else { let processedLine = line.replace( /\[([^\]]+)\]\(([^)]+)\)/g, From a2d66adceb8a192145d8ff009e65555c41648d58 Mon Sep 17 00:00:00 2001 From: wonfen Date: Sun, 22 Mar 2026 00:10:51 +0800 Subject: [PATCH 14/15] chore: update change log --- Changelog.md | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/Changelog.md b/Changelog.md index 7a9448d39..257260cad 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,41 +1,10 @@ ## v2.4.8 > [!IMPORTANT] -> 继2.4.6以来继续优化修复问题,是 bug 问题最少的版本;建议所有用户立即升级。 > 关于版本的说明:Clash Verge 版本号遵循 x.y.z:x 为重大架构变更,y 为功能新增,z 为 Bug 修复。 ### 🐞 修复问题 -
- ✨ 新增功能 -- 修复 Windows 管理员身份运行时开关 TUN 模式异常 -- 修复静默启动与自动轻量模式存在冲突 -- 修复进入轻量模式后无法返回主界面 -- 切换配置文件偶尔失败的问题 -- 修复节点或模式切换出现极大延迟的回归问题 -- 修复代理关闭的情况下,网站测试依然会走代理的问题 -- 修复 Gemini 解锁测试不准确的情况 -- 修复删除订阅后状态栏未更新的问题 -- - ### ✨ 新增功能 -- 升级 Mihomo 内核 - -### 🚀 优化改进 - -
-- 优化订阅错误通知,仅在手动触发时 -- 隐藏日志中的订阅信息 -- 优化部分界面文案文本 -- 优化切换节点时的延迟 -- 优化托盘退出快捷键显示 -- 优化首次启动节点信息刷新 -- Linux 默认使用内置窗口控件 -- 实现排除自定义网段的校验 -- 移除冗余的自动备份触发条件 -- 恢复内置编辑器对 mihomo 配置的语法提示 -- 网站测试使用真实 TLS 握手延迟 -- 系统代理指示器(图标)使用真实代理状态 -- 系统代理开关指示器增加校验是否指向 Verge -- 系统代理开关修改为乐观更新模式,提升用户体验 +### 🚀 优化改进 From 41ba5bf20318a6259258d8684c69511332bc49cb Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 22 Mar 2026 13:25:06 +0800 Subject: [PATCH 15/15] chore(deps): update dependency react-i18next to v16.6.0 (#6581) * chore(deps): update dependency react-i18next to v16.6.0 * chore: .prettierignore --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Slinetrac --- .prettierignore | 1 + package.json | 2 +- pnpm-lock.yaml | 50 ++++++++++++++++++++++++------------------------- 3 files changed, 27 insertions(+), 26 deletions(-) diff --git a/.prettierignore b/.prettierignore index c317bde60..4d850583e 100644 --- a/.prettierignore +++ b/.prettierignore @@ -10,3 +10,4 @@ src-tauri/gen/ target Cargo.lock +.github/workflows/*.lock.yml diff --git a/package.json b/package.json index d9be7feb8..6a7cb85a8 100644 --- a/package.json +++ b/package.json @@ -71,7 +71,7 @@ "react-dom": "19.2.4", "react-error-boundary": "6.1.1", "react-hook-form": "^7.71.2", - "react-i18next": "16.5.8", + "react-i18next": "16.6.0", "react-markdown": "10.1.0", "react-router": "^7.13.1", "react-virtuoso": "^4.18.3", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7129b846b..f744341e1 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -120,8 +120,8 @@ importers: specifier: ^7.71.2 version: 7.71.2(react@19.2.4) react-i18next: - specifier: 16.5.8 - version: 16.5.8(i18next@25.8.18(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) + specifier: 16.6.0 + version: 16.6.0(i18next@25.8.18(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) react-markdown: specifier: 10.1.0 version: 10.1.0(@types/react@19.2.14)(react@19.2.4) @@ -759,8 +759,8 @@ packages: peerDependencies: '@babel/core': ^7.0.0-0 || ^8.0.0-0 <8.0.0 - '@babel/runtime@7.28.6': - resolution: {integrity: sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==} + '@babel/runtime@7.29.2': + resolution: {integrity: sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==} engines: {node: '>=6.9.0'} '@babel/template@7.28.6': @@ -3059,8 +3059,8 @@ packages: peerDependencies: react: ^16.8.0 || ^17 || ^18 || ^19 - react-i18next@16.5.8: - resolution: {integrity: sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg==} + react-i18next@16.6.0: + resolution: {integrity: sha512-bxVftl2q/pfupKVmBH80ui1rHl3ia2sdcR0Yhn6cr0PyoHfO8JLZ19fccwOIH+0dMBCIkdO5gAmEQFCTAggeQg==} peerDependencies: i18next: '>= 25.6.2' react: '>= 16.8.0' @@ -4221,7 +4221,7 @@ snapshots: '@babel/types': 7.29.0 esutils: 2.0.3 - '@babel/runtime@7.28.6': {} + '@babel/runtime@7.29.2': {} '@babel/template@7.28.6': dependencies: @@ -4290,7 +4290,7 @@ snapshots: '@emotion/babel-plugin@11.13.5': dependencies: '@babel/helper-module-imports': 7.28.6 - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@emotion/hash': 0.9.2 '@emotion/memoize': 0.9.0 '@emotion/serialize': 1.3.3 @@ -4321,7 +4321,7 @@ snapshots: '@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@emotion/babel-plugin': 11.13.5 '@emotion/cache': 11.14.0 '@emotion/serialize': 1.3.3 @@ -4347,7 +4347,7 @@ snapshots: '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@emotion/babel-plugin': 11.13.5 '@emotion/is-prop-valid': 1.4.0 '@emotion/react': 11.14.0(@types/react@19.2.14)(react@19.2.4) @@ -4528,7 +4528,7 @@ snapshots: '@mui/icons-material@7.3.9(@mui/material@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/material': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) react: 19.2.4 optionalDependencies: @@ -4536,7 +4536,7 @@ snapshots: '@mui/lab@7.0.0-beta.17(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@mui/material@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/material': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) '@mui/system': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4) '@mui/types': 7.4.12(@types/react@19.2.14) @@ -4552,7 +4552,7 @@ snapshots: '@mui/material@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/core-downloads-tracker': 7.3.9 '@mui/system': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4) '@mui/types': 7.4.12(@types/react@19.2.14) @@ -4573,7 +4573,7 @@ snapshots: '@mui/private-theming@7.3.9(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/utils': 7.3.9(@types/react@19.2.14)(react@19.2.4) prop-types: 15.8.1 react: 19.2.4 @@ -4582,7 +4582,7 @@ snapshots: '@mui/styled-engine@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@emotion/cache': 11.14.0 '@emotion/serialize': 1.3.3 '@emotion/sheet': 1.4.0 @@ -4595,7 +4595,7 @@ snapshots: '@mui/system@7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/private-theming': 7.3.9(@types/react@19.2.14)(react@19.2.4) '@mui/styled-engine': 7.3.9(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react@19.2.4))(react@19.2.4) '@mui/types': 7.4.12(@types/react@19.2.14) @@ -4611,13 +4611,13 @@ snapshots: '@mui/types@7.4.12(@types/react@19.2.14)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 optionalDependencies: '@types/react': 19.2.14 '@mui/utils@7.3.9(@types/react@19.2.14)(react@19.2.4)': dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@mui/types': 7.4.12(@types/react@19.2.14) '@types/prop-types': 15.7.15 clsx: 2.1.1 @@ -5244,7 +5244,7 @@ snapshots: ahooks@3.9.6(react-dom@19.2.4(react@19.2.4))(react@19.2.4): dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 '@types/js-cookie': 3.0.6 dayjs: 1.11.20 intersection-observer: 0.12.2 @@ -5286,7 +5286,7 @@ snapshots: babel-plugin-macros@3.1.0: dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 cosmiconfig: 7.1.0 resolve: 1.22.11 @@ -5482,7 +5482,7 @@ snapshots: dom-helpers@5.2.1: dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 csstype: 3.2.3 dompurify@3.2.7: @@ -6024,7 +6024,7 @@ snapshots: i18next@25.8.18(typescript@5.9.3): dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 optionalDependencies: typescript: 5.9.3 @@ -6662,9 +6662,9 @@ snapshots: dependencies: react: 19.2.4 - react-i18next@16.5.8(i18next@25.8.18(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): + react-i18next@16.6.0(i18next@25.8.18(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 html-parse-stringify: 3.0.1 i18next: 25.8.18(typescript@5.9.3) react: 19.2.4 @@ -6705,7 +6705,7 @@ snapshots: react-transition-group@4.4.5(react-dom@19.2.4(react@19.2.4))(react@19.2.4): dependencies: - '@babel/runtime': 7.28.6 + '@babel/runtime': 7.29.2 dom-helpers: 5.2.1 loose-envify: 1.4.0 prop-types: 15.8.1