
Bump actions/upload-artifact from 4.6.2 to 7.0.1 #5

Merged: d0cd merged 1 commit into main from dependabot/github_actions/actions/upload-artifact-7.0.0 on May 29, 2026

Conversation

@dependabot dependabot[bot] (Contributor) commented on behalf of github, Apr 1, 2026

Bumps actions/upload-artifact from 4.6.2 to 7.0.1.

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24; however, this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

... (truncated)

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
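Two checks worth running before merging a bump like this one, as an added example written for this page (not code from the repository or from actions/upload-artifact). The v6 release notes quoted above require Actions Runner 2.327.1 or newer for a node24 action on self-hosted runners, and Dependabot updates a movable tag reference, so the audit below also reports which "uses:" lines are pinned to a full commit SHA. The workflow text is constructed; the 40-hex SHA in it is a placeholder and not the real commit behind v7.0.1.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed workflow text (not from the repository on this page). The first two
# steps reference actions by movable tag; the third is pinned to a commit SHA that
# is a placeholder, not the real commit behind v7.0.1.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v7.0.1
        with:
          name: build-output
          path: dist/
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v7.0.1
        with:
          path: dist/report.html
          archive: false
"""


class UsesRef(NamedTuple):
    action: str
    ref: str
    sha_pinned: bool


_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.MULTILINE)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses_refs(workflow_text: str) -> List[UsesRef]:
    """List every 'uses:' reference with whether its ref is a full 40-hex commit SHA.

    A tag such as v7.0.1 can be moved by whoever controls the action repository;
    a commit SHA cannot, which is why SHA pinning is the supply-chain control here.
    """
    return [
        UsesRef(action, ref, bool(_FULL_SHA_RE.match(ref)))
        for action, ref in _USES_RE.findall(workflow_text)
    ]


def unpinned_refs(workflow_text: str) -> List[str]:
    """Just the references an auditor would flag: anything not SHA-pinned."""
    return [f"{u.action}@{u.ref}" for u in audit_uses_refs(workflow_text) if not u.sha_pinned]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.327.1' -> (2, 327, 1); a leading 'v' is tolerated."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def runner_meets_minimum(runner_version: str, minimum: str = "2.327.1") -> bool:
    """True if a self-hosted runner is new enough for a node24 action.

    The minimum defaults to the version named in the v6 release notes above.
    Tuple comparison avoids the classic string-compare bug ('2.33' < '2.4').
    """
    return parse_version(runner_version) >= parse_version(minimum)


if __name__ == "__main__":
    for item in audit_uses_refs(SAMPLE_WORKFLOW):
        print(("pinned  " if item.sha_pinned else "UNPINNED") + f"  {item.action}@{item.ref}")
    print("runner 2.326.0 ok for node24:", runner_meets_minimum("2.326.0"))
```

The trailing "# v7.0.1" comment on a SHA-pinned line is the convention Dependabot itself maintains when the workflow is already pinned, so the human-readable version survives the pin.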

@dependabot dependabot[bot] added labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code), Apr 1, 2026
@dependabot dependabot Bot requested a review from d0cd as a code owner April 1, 2026 19:37
@dependabot dependabot[bot] force-pushed the dependabot/github_actions/actions/upload-artifact-7.0.0 branch from a84449d to 14f90c1, April 2, 2026 13:56
@d0cd d0cd (Owner) commented May 29, 2026

@dependabot rebase

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump actions/upload-artifact from 4.6.2 to 7.0.0 Bump actions/upload-artifact from 4.6.2 to 7.0.1 May 29, 2026
@dependabot dependabot[bot] force-pushed the dependabot/github_actions/actions/upload-artifact-7.0.0 branch from 14f90c1 to 8f26482, May 29, 2026 00:18
@d0cd d0cd merged commit a80b5c9 into main May 29, 2026
15 checks passed
@d0cd d0cd deleted the dependabot/github_actions/actions/upload-artifact-7.0.0 branch May 29, 2026 00:39
d0cd added a commit that referenced this pull request Jun 10, 2026
# Feedback addressed

The latest external feedback file rewrites the open-items list. Two
items are brig-side:

Issue #2 — cpus: <int> in yaml raises 'argument of type int is not
iterable':
  Regression from the v2 generic yaml-merge. Yaml's 'cpus: 4' parses
  as int, slips through validation (validator accepts int/float/str),
  reaches the subprocess args, and _redact_cmd's 'arg in flag-set'
  membership check explodes when arg is an int.

  Fix: CellSpec.__post_init__ coerces cpus/memory to str if given as
  int/float. The boundary that declares cpus: str now actually
  enforces it. New tests pin the regression.

Issue #1 — Workspace symlink escape (LIVE exploit):
  External team demonstrated the attack works end-to-end: cell drops
  ln -sf /etc/passwd /work/foo.txt, asks a host-side worker to read
  /Users/<user>/.brig/state/<name>/workspace/foo.txt, host follows
  the symlink and leaks /etc/passwd. Bypasses gVisor by asking the
  host to read on the cell's behalf.

  Verified empirically: podman 4.9 in our VM doesn't support
  nosymfollow on bind mounts (both -v syntax and --mount syntax
  rejected with 'invalid option'). Mount-side fix really isn't
  available right now. Strengthened docs/reference/cell-metadata.md
  to spell out the threat at the top with a generic reproducer and
  the empirically-confirmed reason mount-side defense is roadmapped.

Issues #3, #4, #5 are cell-side / already-doc'd / already-fixed.

# Generic-ification

brig is a general tool; source and brig-owned docs should not name
a specific external project. Scrubbed every project-specific name
from src/, tests/, and brig-owned docs. The actual external project
directories under cells/ (which are gitignored anyway) are untouched.

659 unit tests pass. Per-module coverage gates green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
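The symlink escape described in that commit message is the kind of bug a host-side worker should refuse on its own, independent of whether the mount supports nosymfollow. The following is an added, illustrative example and not brig's code: a host-side read routine that resolves the requested path and checks it stays under the workspace root, then opens with O_NOFOLLOW so a symlink swapped in between the check and the open is rejected by the kernel. The reproducer builds a throwaway workspace with a planted symlink (the host file stands in for /etc/passwd) and contrasts a naive read with the guarded one.

```python
import os
import tempfile
from pathlib import Path


def read_workspace_file(workspace: str, rel_path: str, max_bytes: int = 1 << 20) -> bytes:
    """Host-side read of a file the cell placed in its workspace, without being
    steered outside it by a symlink or '..' that the cell controls.

    Two independent checks: the fully resolved target must stay under the resolved
    workspace root, and the final open uses O_NOFOLLOW so a symlink swapped in
    after the resolve check (TOCTOU) is refused by the kernel rather than followed.
    """
    root = Path(workspace).resolve(strict=True)
    target = root / rel_path
    resolved = target.resolve(strict=True)          # follows symlinks to see where it really points
    if resolved != root and root not in resolved.parents:
        raise PermissionError(f"{rel_path!r} resolves outside the workspace: {resolved}")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)   # O_NOFOLLOW is POSIX; no-op on Windows
    fd = os.open(target, flags)                       # ELOOP if the last component is a symlink
    try:
        return os.read(fd, max_bytes)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed reproducer of the escape: the 'cell' plants foo.txt -> host file
    outside its workspace, then a host-side worker is asked to read foo.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        host_secret = Path(tmp) / "host-secret.txt"       # stands in for /etc/passwd
        host_secret.write_text("root:x:0:0:root:/root:/bin/sh\n")
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        (ws / "foo.txt").symlink_to(host_secret)          # ln -sf <host file> /work/foo.txt
        (ws / "notes.txt").write_text("hello\n")

        naive = (ws / "foo.txt").read_text()              # follows the link: leaks the host file
        try:
            read_workspace_file(str(ws), "foo.txt")
            symlink_result = "leaked"
        except OSError as exc:                            # PermissionError is an OSError
            symlink_result = type(exc).__name__
        try:
            read_workspace_file(str(ws), "../host-secret.txt")
            traversal_result = "leaked"
        except OSError as exc:
            traversal_result = type(exc).__name__
        plain = read_workspace_file(str(ws), "notes.txt")
        return {
            "naive_leaked": naive.startswith("root:"),
            "symlink": symlink_result,
            "traversal": traversal_result,
            "plain": plain,
        }


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only covers the last path component; intermediate symlinked directories are caught by the resolve check but remain racy, which is why a mount-level control such as nosymfollow is still the stronger fix where the runtime supports it.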
d0cd added a commit that referenced this pull request Jun 10, 2026
Three items that close the brig-feedback.md punch list:

1. **Feedback #3 — auto-grant host_services from cell yaml.** When yaml's
   `policy.allow` lists `<svc>.host.brig` for a globally-registered
   service, `brig run` now adds it to the per-cell ACL automatically:

     auto-granted: aitelier → litellm (declared in cell yaml,
     registered globally). Revoke: brig policy set aitelier
     --remove-host-service litellm

   Loud log line with revoke pointer so operators see the grant.
   Wildcards (*.host.brig) are NOT auto-granted — only literal names
   the operator declared explicitly. Opt-out:
       brig config set auto_grant_host_services false

2. **Feedback #5 — brig cell network includes ingress hits.** Today
   ingress.py logged to mitmproxy stderr only; debugging inbound
   failures meant `limactl shell brig sudo podman logs warden`. Now:

   - ingress.py sets flow.metadata["cell"] so the logger keys entries
     to the target cell's log file
   - logger.py writes ingress_route + ingress_src_ip into each entry
   - brig cell network tags ingress lines `INGRESS: <src> -> ...
     (route=<name>)` and egress lines `OUT:` — grep-able

3. **host_sockets e2e shell test.** tests/test_host_sockets_e2e.sh
   stands up a socat-echo host service, runs preflight, starts cell,
   exec's socat-client inside, verifies bytes round-trip the bridge,
   confirms cleanup on rm. Gated on Darwin+socat+brig — exits 2 with
   SKIP message in unsupported environments (Linux CI safe).

Tests: 9 new unit (6 auto-grant + 3 network-cmd-ingress) + 1 e2e shell.
Suite 771 passing.

The feedback.md punch list is now empty other than the host_services
flattening refactor (explicitly deferred — separate scope).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
d0cd added a commit that referenced this pull request Jun 10, 2026
Three aitelier-feedback items in one coherent change:

1. Warden CA auto-mount (#1, top adoption ask).
   Cells need to trust Warden's MITM cert to make HTTPS work; today
   every consumer rediscovers the workaround (extract CA, concat onto
   system roots, export SSL_CERT_FILE / REQUESTS_CA_BUNDLE / etc.).
   Brig now stages a combined bundle inside the VM at
   /state/<cell>/ca-bundle.crt and bind-mounts it read-only at
   /run/brig/ca-bundle.crt, plus sets the four common env vars unless
   the cell already declared them. Opt out per cell with
   trust_warden_ca: false (e.g. cells with strict pinning).

   Defense in depth: bundle re-extracted from the Warden container on
   every cell start (source of truth is the container, not the
   untrusted state dir); staged inside the VM (trust boundary);
   read-only mount; cell-set env wins; airgapped cells skip the mount
   entirely.

2. DNS-rebinding check defer (#5).
   server_connected's rebinding block depended on a latent
   mitmproxy-API bug: data.server.close() no longer exists on >= 10
   (AttributeError masked the would-be kill) and data.flow was None
   so host_service / ingress exemptions were a no-op. Anyone fixing
   close() would silently break those flows. Removed the dead block;
   responseheaders is now the single enforcement point and has the
   metadata populated by then. Coverage absorbed into
   TestResponseHeadersDnsRebinding (now 9 cases incl. all IP families).

3. Ingress-token naming docs (#6).
   `brig run --help` epilog now mentions <cell-name>-ingress-token and
   policy.tls_passthrough; docs/design/cell-definition.md expands the
   token-secret naming convention (preferred per-cell, fallback shared,
   hard error when missing).

868 pass + 10 skip clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
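The DNS-rebinding enforcement point that commit message describes reduces to one decision per flow: given the name the cell asked for and the address the proxy actually connected to, kill or allow. As an added example (not brig's mitmproxy addon; how it is hooked into responseheaders is outside this snippet), here is that decision as a pure function over all IP families, with the two exemptions the message names, registered host services and ingress flows, and with IPv4-mapped IPv6 unwrapped so ::ffff:127.0.0.1 cannot hide loopback. The flows and the litellm.host.brig service name are constructed sample input.

```python
import ipaddress
from typing import Iterable, Optional


def is_internal(ip: str) -> bool:
    """True for addresses an egress flow must never reach after name resolution:
    private, loopback, link-local, multicast, reserved and unspecified ranges.
    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so it cannot hide an internal v4."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def rebinding_verdict(host: str, server_ip: str, *,
                      host_service_hosts: Iterable[str] = (),
                      ingress: bool = False) -> Optional[str]:
    """Decide whether a flow to `host`, which actually connected to `server_ip`,
    should be killed. Returns the reason, or None to let it through.

    The two exemptions follow the commit message: a registered host service
    legitimately lives on an internal address, and an ingress flow is inbound
    to the cell rather than egress from it.
    """
    if ingress or host in set(host_service_hosts):
        return None
    if is_internal(server_ip):
        return f"{host} connected to internal address {server_ip}"
    return None


# Constructed sample flows: (requested host, connected server IP, keyword options)
SAMPLE_FLOWS = [
    ("api.example.com", "93.184.216.34", {}),
    ("api.example.com", "10.0.0.5", {}),                 # public name rebound to RFC1918
    ("api.example.com", "::ffff:127.0.0.1", {}),         # loopback hidden in v4-mapped v6
    ("api.example.com", "fe80::1", {}),                  # link-local v6
    ("litellm.host.brig", "10.0.0.5", {"host_service_hosts": ["litellm.host.brig"]}),
    ("cell.example.com", "192.168.1.20", {"ingress": True}),
]


def killed_flows(flows=SAMPLE_FLOWS):
    """Hosts whose flows the check would kill."""
    return [host for host, ip, kw in flows if rebinding_verdict(host, ip, **kw) is not None]


if __name__ == "__main__":
    for host, ip, kw in SAMPLE_FLOWS:
        print(host, ip, "->", rebinding_verdict(host, ip, **kw) or "allow")
```

The important property is that the check runs against the address actually connected to, not the answer the resolver returned earlier: a short-TTL record that flips to an internal address after the allow decision is exactly the rebinding case.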
d0cd added a commit that referenced this pull request Jun 10, 2026
Five items from ~/tools/hermes-agent/plans/brig-feedback.md, prioritized
by what brig (not the consumer cell) can change.

#1 Read-only /workspace mount (MEDIUM-HIGH).
   Root cause was the SA cell yaml's missing `workspace_mount: /workspace`
   — default is `/work`, so writes to /workspace/* hit the read-only
   rootfs. Doc fix in troubleshooting.md spells out the three options
   (align cell yaml, align app, last-resort writable_rootfs) so the
   next consumer doesn't waste a debugging session.

#3 Long-life cell pattern undocumented (MEDIUM).
   The `command: ["sleep", "infinity"]` workaround was buried in
   host-an-agent.md but not in troubleshooting. Added an explicit
   "Cell flips to stopped immediately" entry that calls it out,
   alongside the other common immediate-exit causes.

#4 Cell logs empty for file-based loggers (LOW-MEDIUM).
   cmd_logs now detects the empty-output case (snapshot mode only —
   follow mode keeps TTY passthrough) and prints an inline hint
   pointing at `brig cell exec` / `brig cell read` for file-based
   logs. Plus a troubleshooting entry that explains the contract.

#5 Telemetry domains blocked but non-fatal (LOW).
   Documented the three common ones aitelier hit (Datadog log shipping,
   mcp-proxy, platform.claude.com) with the agent's typical behavior
   and the allow/silence options.

Not addressed:
#2 Hermes cell entrypoint writes malformed config.yaml — this is a
   bug in ~/tools/hermes-agent/cells/hermes/entrypoint.sh, not brig
   itself. Flagged to the hermes team.

Longer-term wishlist (per-cell credential rotation, inter-cell
routing, cross-source audit query, nosymfollow) intentionally
deferred — each needs its own design discussion.

940 pass + 10 skip. Ruff + mypy + ast green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Labels

dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code)
