setup-node with registry-url injects NODE_AUTH_TOKEN secret which is revoked.
Create .npmrc manually with empty _authToken to force OIDC authentication.
- Remove registry-url from setup-node (was injecting NODE_AUTH_TOKEN)
- Add npm version check and auto-upgrade for OIDC support (11.5.1+)
- Add explicit --registry flag to npm publish
- Remove empty NODE_AUTH_TOKEN/NPM_CONFIG_USERCONFIG env vars that were breaking OIDC
The repository owner (code-yeongyu) was not in the CLA allowlist,
causing CLA signature requirement on their own PRs.
Added code-yeongyu to the allowlist to skip CLA for owner commits.
Co-authored-by: 김연규 <yeongyu@mengmotaMacbookAir.local>
- Add zai-coding-plan provider with GLM 4.7 and GLM 4.6v models
- Add OpenAI provider with GPT-5.2 models
- Configure unspecified-low category to use zai-coding-plan/glm-4.7
- Auth is provided via OPENCODE_AUTH_JSON secret
Bun cross-compilation from Linux to Windows produces binaries that crash
with 'Segmentation fault at address 0xFFFFFFFFFFFFFFFF'.
Root cause: oven-sh/bun#18416
Solution:
- Use windows-latest runner for Windows platform in publish-platform.yml
- Set shell: bash for consistent behavior across runners
This is a simpler fix than PR #938 which modified publish.yml (wrong workflow).
The platform binaries are built and published by publish-platform.yml.
Fixes#873Fixes#844
Co-authored-by: justsisyphus <justsisyphus@users.noreply.github.com>
- publish.yml: main package only, triggers platform workflow on success
- publish-platform.yml: dedicated workflow with fresh OIDC token per run
- Fixes OIDC token expiration during large binary uploads (~40MB+)
- Platform workflow can also be triggered manually via workflow_dispatch
- Split monolithic publish into build + parallel publish-platform + publish-main + release jobs
- Each platform package gets its own OIDC token (fixes token expiration during large binary uploads)
- Add --prepare-only flag to publish.ts for build step version sync
- Matrix strategy: 7 parallel platform jobs
- publish-main waits for all platforms before publishing main package
- Fix 404 error handling: no longer incorrectly marks failed publishes as 'already published'
- Add REPUBLISH mode: allows re-publishing missing platform packages without version check
- Separate tag and branch push: tag push (critical) succeeds even if branch push fails
- Fix changelog for beta releases: compares against previous beta tag instead of latest stable
- Add checkPackageVersionExists for accurate E403 error handling
* fix(skill-mcp-manager): prevent memory leaks from orphaned MCP processes
- Close transport on connection failure to prevent zombie processes
- Add process exit handlers (SIGINT/SIGTERM) for graceful cleanup
- Use pendingConnections Map to prevent duplicate client spawns
Fixes#361🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(ci): replace deprecated rhysd/actionlint-action with direct installation
rhysd/actionlint-action repository was removed/archived.
Use official actionlint download script instead.
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(skill-mcp-manager): add transport.close() and idle timeout to fix memory leaks
Previously, disconnectSession() and disconnectAll() only called client.close() but NOT transport.close().
StdioClientTransport spawns child processes for MCP servers, and without transport.close(), these
processes remained orphaned and accumulated memory (6GB leak reported).
Changes:
- Added missing transport.close() calls in disconnectSession() and disconnectAll()
- Added idle timeout mechanism (5-minute timeout) with lastUsedAt tracking
- Added cleanup timer that runs every 60 seconds to remove idle clients
- Made signal handlers (SIGINT, SIGTERM, SIGBREAK) async to properly await cleanup
- Ensure proper cleanup order: clear from map first, then close client, then close transport
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(ci): pin actionlint download script to v1.7.10 for supply chain security
- Pin to specific release tag instead of 'main' branch
- Prevents potential supply chain attacks from upstream compromises
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
- Extract issue/PR title in Collect Context step
- Add CONTEXT_TITLE environment variable for Sisyphus prompt
- Include TITLE_PLACEHOLDER in dynamic prompt injection
- Enhance 'Read Full Conversation' section with ultrawork-style strict guidance:
* [CODE RED] MANDATORY CONTEXT READING header with zero tolerance policy
* Explicit list of what to extract from conversation (original description, attempts, decisions, feedback, references)
* 'FAILURE TO READ EVERYTHING = GUARANTEED FAILURE' warning to emphasize importance
* Clearer TODO creation instructions with requirement to summarize context first
This ensures Sisyphus agent has complete contextual information and explicitly emphasizes the critical importance of full conversation reading before any action.
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
PR #439 added ultrawork-mode content without proper YAML indentation.
In GitHub Actions run: | blocks, all lines must be indented at least
as much as the first content line. The unindented heredoc content
broke YAML parsing, causing 'workflow file issue' failures.
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
