Pin bundled install snippets to zero-install uvx/pipx run#166
Open
pengfei-threemoonslab wants to merge 2 commits into
Open
Pin bundled install snippets to zero-install uvx/pipx run#166pengfei-threemoonslab wants to merge 2 commits into
pengfei-threemoonslab wants to merge 2 commits into
Conversation
The bundled adoption-kit/skill install steps recommended a bare `pipx install agents-shipgate`, which is a no-op when an older build is already on PATH. A coding agent could then silently run a stale release (we have seen 0.8.0) that has no `verify` subcommand and writes no verifier.json, breaking the merge gate. Lead the install/quickstart steps with a pinned, zero-install runner (`uvx agents-shipgate@0.11.0` / `pipx run agents-shipgate==0.11.0`) that fetches the exact version regardless of any global install, and make the remaining pip/pipx install fallback assert `>=0.11.0` and fail loudly. Applied across the 3 byte-identical copies of add-shipgate-to-repo.md and decide-shipgate-relevance.md (prompts/, skills/, adoption-kits/); render-hash snapshot bumped and outgoing hashes appended to prior_render_sha256 (bootstrap_legacy untouched). Pin literals equal the pyproject version (0.11.0). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address PR review feedback: - add-shipgate-to-repo.md: define one pinned runner variable in step 1 (SG="uvx agents-shipgate@0.11.0" / "pipx run agents-shipgate==0.11.0") and route every command block through $SG, so copying the prompt verbatim can't fall through to a stale PATH binary. The install-onto- PATH fallback sets SG=agents-shipgate only after the version floor is confirmed. - decide-shipgate-relevance.md: the decision flow now always runs detect through the pinned runner; a bare `agents-shipgate detect` is gated on `agents-shipgate --version` confirming >=0.11.0, closing the path where a stale installed 0.8.0 answered unguarded. - test_public_surface_contract.py: add UVX_PIN_PATTERN + test_uvx_pins_match_pyproject_version so `uvx agents-shipgate@X.Y.Z` literals can't go stale on a pyproject bump, and add decide-shipgate-relevance.md (prompts/ + skills/) to ACTION_PIN_FILES. Re-synced all 3 byte-identical copies and bumped the render-hash snapshot. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
uvx agents-shipgate@0.11.0/pipx run agents-shipgate==0.11.0) so a coding agent can never silently run a stale PyPI/pipx build. We have seen a global0.8.0shadow newer releases — that build has noverifysubcommand and writes noverifier.json, which silently breaks the merge gate.pip install/pipx installfallback assert>=0.11.0and fail loudly (STOP if this prints < 0.11.0), since a plainpipx installis a no-op when an older build already exists.prompts/add-shipgate-to-repo.md(the bootstrap "Install the tool" step) andprompts/decide-shipgate-relevance.md(itspipx installmention), kept byte-identical across all 3 copies (prompts/,skills/agents-shipgate/prompts/,adoption-kits/claude-code-skill/prompts/).EXPECTED_CLAUDE_CODE_SKILL_RENDER_SHA256entries and appended the outgoing render hashes toprior_render_sha256in the kit metadata (bootstrap_legacy_sha256left frozen). Pin literals equal the pyproject version (0.11.0), so the Action/pip pin contract tests stay green.Type
Verification
CI is authoritative for
python -m ruff check .,python -m compileall -q src tests, andpython -m pytest.Additional local checks run (
.venvinterpreter +PYTHONPATH=<worktree>/src):tests/test_prompt_parity.py,tests/test_agent_instructions_renderers.py,tests/test_public_surface_contract.py→ exit 0tests/test_agent_instructions_apply.py,tests/test_packaging.py→ exit 0ruff check tests/test_agent_instructions_renderers.py→ cleanRelease-readiness notes
docs/checks.md— n/a, no check IDs changedSTABILITY.md— n/a, no schema change🤖 Generated with Claude Code