From 685730b4b206f1fbba94fa66c599c89cbde25f79 Mon Sep 17 00:00:00 2001 From: Ian Jhumel Bautista Date: Tue, 9 Jun 2026 01:03:53 +0800 Subject: [PATCH 1/2] build(action): adopt the Node.js 24 runtime ahead of Node 20 deprecation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub deprecates the Node 20 Actions runtime — runners default to Node 24 on 2026-06-16 and Node 20 is removed on 2026-09-16. Move `runs.using` to node24 now. No behavior change: the bundled `dist/` is byte-identical. Build CI and the `engines` field bump to Node 24 to match the runtime. Release v0.3.1. --- .github/workflows/build-check.yml | 4 ++-- CHANGELOG.md | 11 +++++++++++ README.md | 4 ++-- action.yml | 2 +- capabilities.md | 2 +- package-lock.json | 4 ++-- package.json | 4 ++-- 7 files changed, 21 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml index 67c51ae..3a47dcb 100644 --- a/.github/workflows/build-check.yml +++ b/.github/workflows/build-check.yml @@ -15,13 +15,13 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: - node-version: 20 + node-version: 24 cache: npm - run: npm ci - run: npm run typecheck - run: npm test - run: npm run build - # A node20 action runs dist/index.js straight from the consumer's checkout, + # A node24 action runs dist/index.js straight from the consumer's checkout, # so a stale committed bundle ships stale code. Fail if the freshly built # dist/ differs from what's committed. - name: Verify dist/ is up to date diff --git a/CHANGELOG.md b/CHANGELOG.md index 67eced5..26c5eba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,17 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.3.1] — 2026-06-09 + +### Changed + +- **Runtime is now Node.js 24** (`runs.using: node24`). GitHub is deprecating the + Node 20 Actions runtime (runners default to Node 24 on 2026-06-16; Node 20 is + removed on 2026-09-16), so this moves ahead of the removal. No behavior change — + the bundled `dist/` is identical; the build CI and the `engines` field bump to + Node 24 to match the runtime. + + ## [0.3.0] — 2026-06-09 Tracks trustabl engine **v0.1.4**: consumes the new finding line-range shape and diff --git a/README.md b/README.md index 13a218a..0606b32 100644 --- a/README.md +++ b/README.md @@ -178,7 +178,7 @@ After a run, open the run page and find the **`trustabl-scan-results`** artifact ## Development -This is a node20 TypeScript action bundled to `dist/` with +This is a node24 TypeScript action bundled to `dist/` with [`ncc`](https://github.com/vercel/ncc). ```bash @@ -189,7 +189,7 @@ npm run build # bundle to dist/index.js (commit the result) npm run all # all of the above ``` -`dist/` is committed because a node20 action runs `dist/index.js` directly from +`dist/` is committed because a node24 action runs `dist/index.js` directly from the consumer's checkout of the release tag. The **Build check** workflow fails a PR whose `dist/` is stale, so always `npm run build` and commit after changing `src/`. diff --git a/action.yml b/action.yml index dcd2a8b..e3c3cf8 100644 --- a/action.yml +++ b/action.yml @@ -136,5 +136,5 @@ outputs: description: Whether the SARIF was accepted by Code Scanning (true/false). runs: - using: node20 + using: node24 main: dist/index.js diff --git a/capabilities.md b/capabilities.md index 796c795..54b07db 100644 --- a/capabilities.md +++ b/capabilities.md @@ -7,7 +7,7 @@ dependencies against a pinned OSV snapshot and reports known CVEs as findings, so they ride every surface (score, gate, annotations, Security tab) alongside a dependencies-scanned / known-vulnerabilities headline. -- **node20 TypeScript action, cross-platform** — `ubuntu-*`, `macos-*`, +- **node24 TypeScript action, cross-platform** — `ubuntu-*`, `macos-*`, `windows-*` on x64/arm64; the binary is tool-cached so reruns are fast, and is **sha256-verified** against the release `checksums.txt` before it runs. - **Inline PR annotations + GitHub Security tab** — findings are uploaded to Code diff --git a/package-lock.json b/package-lock.json index 4cda1bb..9168156 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "trustabl-action", - "version": "0.3.0", + "version": "0.3.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "trustabl-action", - "version": "0.3.0", + "version": "0.3.1", "license": "Apache-2.0", "dependencies": { "@actions/artifact": "^2.1.11", diff --git a/package.json b/package.json index 052f366..2553b48 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "trustabl-action", - "version": "0.3.0", + "version": "0.3.1", "private": true, "description": "Static reliability/safety scanner for AI agent repos (Claude, OpenAI, Google ADK, MCP) — GitHub Action.", "main": "dist/index.js", @@ -12,7 +12,7 @@ }, "license": "Apache-2.0", "engines": { - "node": ">=20" + "node": ">=24" }, "dependencies": { "@actions/artifact": "^2.1.11", From fe74efab97e78b4ea34f7d8e919ff964d1e65c6c Mon Sep 17 00:00:00 2001 From: Ian Jhumel Bautista Date: Tue, 9 Jun 2026 01:10:04 +0800 Subject: [PATCH 2/2] docs: document full SDK coverage, vuln-scan, and detector tokens README + capabilities list the full analyzed surface (Claude/OpenAI/Google ADK/ LangChain/CrewAI/Pydantic AI/Vercel AI/AutoGen SDKs, MCP servers, and Claude subagents & skills), add a how-it-works note for the opt-in --vuln-scan, expand the detectors token list to the engine's full set, and bump install pins to v0.3.1. --- CHANGELOG.md | 7 +++++++ README.md | 16 +++++++++++----- action.yml | 2 +- capabilities.md | 7 ++++--- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26c5eba..04a7993 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,13 @@ versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html). the bundled `dist/` is identical; the build CI and the `engines` field bump to Node 24 to match the runtime. +### Docs + +- README + capabilities now document the full SDK coverage (LangChain, CrewAI, + Pydantic AI, Vercel AI, AutoGen, MCP servers, and Claude subagents & skills), + the opt-in dependency CVE scan, and the complete `detectors` token list; install + pins bumped to `v0.3.1`. + ## [0.3.0] — 2026-06-09 diff --git a/README.md b/README.md index 0606b32..7dff378 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,9 @@ # Trustabl Action A GitHub Action that runs [trustabl](https://github.com/trustabl/trustabl) — the -static reliability/safety analyzer for agent-SDK repos (Claude Agent SDK, OpenAI -Agents SDK, Google ADK, MCP) — and surfaces the results where you work: +static reliability/safety analyzer for agent repos (Claude Agent SDK, OpenAI +Agents SDK, Google ADK, LangChain, CrewAI, Pydantic AI, Vercel AI, AutoGen, MCP +servers, and Claude subagents & skills) — and surfaces the results where you work: - **Inline PR annotations + the Security tab.** Findings are uploaded to GitHub Code Scanning, so they appear on the changed lines in the PR diff and in the @@ -89,7 +90,7 @@ jobs: ## Pinned + gated ```yaml -- uses: trustabl/trustabl-action@v0.3.0 +- uses: trustabl/trustabl-action@v0.3.1 with: version: v0.5.0 detectors: claude_sdk,openai_sdk @@ -104,7 +105,7 @@ jobs: |---|---|---| | `target` | `.` | Path or GitHub URL to scan. | | `version` | `latest` | trustabl release tag (e.g. `v0.5.0`) or `latest`. | -| `detectors` | _(all)_ | Comma-separated subset: `claude_sdk,openai_sdk,google_adk,openshell`. | +| `detectors` | _(all)_ | Comma-separated SDK subset: `claude_sdk`, `openai_sdk`, `google_adk`, `openshell`, `mcp`, `langchain`, `crewai`, `pydantic_ai`, `vercel_ai`, `autogen`. | | `strict` | `false` | Pass `--strict` (fail on any finding). | | `vuln-scan` | `false` | Match dependencies against a pinned OSV snapshot; report known CVEs as findings. | | `rules-ref` | _(default)_ | Pin a `trustabl-rules` git ref. | @@ -146,6 +147,11 @@ jobs: one analysis pass produces both artifacts. Older engines fall back to two scans automatically (and the headroom ladder is hidden, since it needs the engine's `projected_scores`). Use `version: latest` to get the fast path. +- **Dependency CVE scan (opt-in).** With `vuln-scan: true`, declared dependencies + are matched against a pinned OSV snapshot; each known CVE becomes a finding (so + it counts toward the score, gate, annotations, and Security tab), plus a + dependencies-scanned / known-vulnerabilities line in every report. The OSV + database is fetched once on first use, then cached. - **Honest gating.** A failed or empty scan errors the job rather than reporting a clean score. The gate decision is exit-code/threshold-based, surfaced in the Step Summary and the PR comment. @@ -165,7 +171,7 @@ After a run, open the run page and find the **`trustabl-scan-results`** artifact ## Versioning -- Pin a release: `uses: trustabl/trustabl-action@v0.3.0`. +- Pin a release: `uses: trustabl/trustabl-action@v0.3.1`. - Or track the line: `uses: trustabl/trustabl-action@v0` (the moving major tag). ## Notes diff --git a/action.yml b/action.yml index e3c3cf8..2880516 100644 --- a/action.yml +++ b/action.yml @@ -19,7 +19,7 @@ inputs: required: false default: latest detectors: - description: Comma-separated SDK detectors (claude_sdk,openai_sdk,google_adk,openshell). Empty = all. + description: Comma-separated SDK detectors (claude_sdk,openai_sdk,google_adk,openshell,mcp,langchain,crewai,pydantic_ai,vercel_ai,autogen). Empty = all. required: false default: "" strict: diff --git a/capabilities.md b/capabilities.md index 54b07db..8887e14 100644 --- a/capabilities.md +++ b/capabilities.md @@ -1,8 +1,9 @@ ### Trustabl Action — capabilities -- **Static reliability/safety scan** for agent-SDK repos (Claude Agent SDK, - OpenAI Agents SDK, Google ADK, MCP) — runs the upstream `trustabl` binary over - your checkout, no daemon or hosted service. +- **Static reliability/safety scan** for agent repos (Claude Agent SDK, OpenAI + Agents SDK, Google ADK, LangChain, CrewAI, Pydantic AI, Vercel AI, AutoGen, MCP + servers, and Claude subagents & skills) — runs the upstream `trustabl` binary + over your checkout, no daemon or hosted service. - **Optional dependency CVE scan** (`vuln-scan: true`) — matches declared dependencies against a pinned OSV snapshot and reports known CVEs as findings, so they ride every surface (score, gate, annotations, Security tab) alongside a