Skip to content

deps: bump actions/download-artifact from 7 to 8#38

Open
dependabot[bot] wants to merge 279 commits into
masterfrom
dependabot/github_actions/actions/download-artifact-8
Open

deps: bump actions/download-artifact from 7 to 8#38
dependabot[bot] wants to merge 279 commits into
masterfrom
dependabot/github_actions/actions/download-artifact-8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/download-artifact from 7 to 8.

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

root and others added 30 commits May 14, 2026 17:10
在 command.Deps 中添加 VisionConfig 字段,使 vision 伪命令能接收
provider 配置。App.New 解析视觉 provider(独立或回退到主 provider)
并传递。同时在 App.Close 中添加伪命令的 Close() 调用,修复
hasVisionTool 优先检查 registry.Has。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
新增 vision 配置门控、web_fetch/web_search 始终注册、核心工具过滤、
伪命令 Close() 生命周期等测试,适配 initCommandRegistry 新签名。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
添加四个新工具包的副作用导入,更新 embed_test.go 期望值从 6 到 12。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
这些伪命令现在通过 bash 执行,专用的 summarizeToolArguments
case 已成为死代码,由 default 处理器覆盖。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
文档化 web_search、web_fetch、vision、parse_results、filter_results
等实用伪命令,新增执行环境、后台模式和数据回传章节。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
防止生成的模板数据在未显式设置构建标签时被编译,保持默认构建精简。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
将 e2e 测试从 scanner.NewScannerRegistry 迁移到 command.NewRegistry,
更新 Register 调用添加分类参数,使用 RegisterTool 注册 agent 工具。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…st, and e2e harness

Split monolithic e2e tests into respective packages (command, agent) and
keep only the binary-level test behind //go:build e2e with a dedicated
harness. Introduce a full CI job DAG: lint (golangci-lint) and tidy
(go mod tidy check) run independently as fast gates, unit tests with
race+coverage depend on tidy, generated_templates tests run go generate
then validate the template pipeline, e2e builds the binary and exercises
it, and goreleaser snapshot validates cross-compilation.

Also fix the stale go generate path in .goreleaser.yml (pkg/scanner/resources
was renamed to pkg/tools/resources).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…les, simplify abstractions

Major architectural changes:
- Extract pipeline dispatch engine to scan/pipeline/ sub-package with Event interface
  (no generics, compatible with Go 1.17+)
- Merge engine/ + engines/ into unified scan/engine/ sub-package
- Move resources package from pkg/tools/resources/ to pkg/resources/

File consolidation (25 → 13 source files + 2 sub-packages):
- Merge finding.go + priority.go + event.go → event.go (unified domain model)
- Merge stats.go + projector.go + scan_data.go → collector.go
- Merge derive.go + adapters.go → adapter.go
- Merge profile.go → scan_options.go
- Merge verification_defaults.go → options.go
- Merge shared.go → input.go
- Rename scan_format.go → report.go, agent_verify.go → verify.go
- Split sdk_stage.go → engine/{gogo,spray,zombie,neutron}.go

Simplifications:
- Remove capabilitySpec abstraction layer — build capabilities inline
- Remove eventSink interface — use concrete collector
- Remove outputOptions struct — replace with bool parameter
- Remove serviceResult/webProbeResult/weakpassResult wrapper types
- Remove dead code (isSprayCapability) and unused pipeline constant aliases
- Decouple input parsing from collector (callback instead of *collector param)
- Add bridge.go for centralized scan↔pipeline type assertions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
browser 包添加 //go:build browser tag,默认编译不包含 go-rod 依赖。
template.go 移除 generated_templates tag,作为必要的自动生成文件始终编译,
同步清理 embedded_stub.go、CI、lint、goreleaser 中的相关引用。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…重构及 CI 流水线

feat: 新增 Vision/WebFetch/WebSearch/CyberhubSearch 工具及 Bash 重构
Consolidate swarm L2 protocol into a standalone pkg/swarm package,
decoupling IOA communication from agent execution via TaskHandler
and HeartbeatFunc callbacks. Key fixes:

- Store root message ID after announceProfile (was discarded with _)
- Add root-message-based routing: refs.messages containing the node's
  root message ID now correctly routes tasks to that node
- Three routing modes: node-directed, root-message-directed, broadcast

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The LLM agent can now create/list/delete recurring tasks at runtime
by calling the `cron` tool. No CLI flags or hardcoded schedules —
the LLM decides what to schedule based on semantic understanding.

Heartbeat remains as the built-in bootstrap cron via --heartbeat.
All other scheduled tasks are created dynamically through tool calls.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rding

- Add general structured output mechanism at provider layer (ResponseFormat)
- Add agent-level skill execution (pkg/agent/skill.go) with JSON parsing
- Unify scan AI capabilities (verify, sniper) as pluggable AISkill entries
- Replace per-skill boilerplate (VerifyFunc/SniperFunc/configs) with single AIFunc
- Add AI-powered report generation via report skill with write tool
- Add JSONL recording (-f) capturing scan events + AI turns
- Add -F viewer with terminal colored and markdown rendering (-o markdown)
- Extend read tool with local-first embed fallback for skill files
- Extend glob tool with VirtualGlobber for embedded file discovery
- Embed all files in skills/ directory (not just SKILL.md)

New skills: verify, sniper, report
CLI: --ai (all skills), --sniper (individual), --report --ai (AI report)
View: aiscan -F record.jsonl [-o markdown] [-f output.md]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use published module versions for parsers, sdk, and spray instead of
local path replacements that break CI/goreleaser builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The field was referenced in adapter.go but missing from the struct
definition, causing build failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The old buildScanVerifySystemPrompt was renamed and simplified; update
the test to match the current API.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove unused writeOutputFile function and dead imports
- Add services section to markdown render output
- Fix nilerr: return errors from fs.ReadFile and json.Unmarshal
- Suppress gosec/errcheck for intentional scanner behavior
- Check error returns in recorder writes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove hasFlag, outputScope, gogoResultSource, sprayProbeSource,
findingKey, and oneLine. Suppress nilerr in skill fallback path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use json.Valid pre-check and inverted condition to avoid the
error-is-not-nil-but-returns-nil pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add mutex to swarm Node for rootMessageID and processed map to fix
  data races in TestE2ETwoSwarmNodesCoordinated, TestNodeAnnouncesSwarmProfile,
  and TestNodeDynamicCrons.
- Use NewLogger instead of GlobalLogger in cmd tests to avoid racing on
  the global logs.Log variable.
- Track skills/spray/SKILL.md by narrowing .gitignore spray pattern to
  root-only, fixing TestAgentConsoleRegistersSkillsAsSlashCommands.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Filter non-confirmed AI skill results in collector to fix
  TestAgentVerifyCapabilityAcceptsFocusFingerprint.
- Remove ai-skills count from summary line to fix
  TestScanSummaryUsesStructuredFields.
- Write plain text to output file after scan to fix
  TestScanOutputFileWritesPlainTextWithoutChangingStdout.
- Remove duplicate EnableLogsDebug call in spray engine and use
  sync.Once to prevent concurrent global logger mutation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…via proxyclient

Repurpose --proxy from LLM to scanner proxy covering gogo, spray,
zombie, neutron, scan pipeline, and bash subprocesses. Agent mode is
fully transparent — no need to pass --proxy to individual tools.

- --proxy: scanner exit proxy (gogo/spray inject args, zombie/neutron
  set global dialers, scan pipeline sets all globals, bash tool injects
  ALL_PROXY/HTTP_PROXY/HTTPS_PROXY env vars)
- --llm-proxy: LLM API proxy (covers main provider + vision fallback)
- --vision-proxy: optional vision-only override
- All three use proxyclient for socks4/socks5/http/https support

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
M09Ic and others added 28 commits June 20, 2026 05:51
Implement a complete remote PTY system enabling browser-based terminal
access to aiscan agents through WebSocket relay.

Architecture:
- pkg/remotepty: net.Conn-based PTY protocol layer (Frame routing,
  session lifecycle, singleton support, panic recovery)
- pkg/webproto: Message↔Frame serialization boundary for WebSocket
- pkg/webagent: agent-side WebSocket connection with PTY router
- pkg/web: transparent terminal relay (zero parsing, backpressure
  handling) between browser and agent WebSockets
- pkg/tui: writer-injected console supporting both local TTY and
  remote byte-stream transport

Key changes:
- Replace 4 platform-specific PTY files with single go-pty wrapper
- Extract finishSession() to deduplicate supervise logic in tmux manager
- Simplify IOA functions from 8 exports to 4 (unified writer params)
- Remove redundant Message→Frame→Message double conversion in web relay
- Add DecodePTYPayload error propagation
- Frontend: AgentTerminal with xterm.js, singleton REPL, task PTY panel

Tests:
- Unit: Router (net.Pipe/TCP/Unix), webproto round-trip, panic recovery
- Integration: WebSocket terminal relay, session lifecycle, singleton,
  buffer pressure
- E2E: go-rod browser tests (open→type→output→close, resize)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Point replace directives to github.com/chainreactors/malice-network
remote commit instead of local path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move PTY core (Manager, Router, Frame protocol, OutputBuffer, go-pty
wrapper) to the shared utils/pty module. aiscan now imports the shared
library instead of maintaining its own copy.

Changes:
- Delete pkg/remotepty/ entirely (types, router, openers, tests)
- Delete pkg/agent/tmux/ internals (buffer, pty, shell, signal files)
- Rewrite pkg/agent/tmux/manager.go as thin wrapper embedding *pty.Manager
  with aiscan-specific additions (Command interface, RunCommand, eventbus)
- Update all imports: remotepty.* → pty.*, tmux types via aliases
- pkg/webproto, pkg/webagent, core/runner: use pty.Frame/Router directly

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mmand interface

Replace per-command io.Writer parameter with a global commands.Output
writer managed by the registry. Command.Execute now returns only error;
all output flows through fmt.Fprint(commands.Output, ...).

The registry configures Output before each execution (Reset/Captured),
enabling both streaming and batch output without per-command boilerplate.
Also adds SetExecHooks to tmux.Manager to break the import cycle, removes
the FetchTool wrapper (fetch is now a direct Command), converts fetch from
RegisterTool to Register, and adds -vv verbosity to disable TUI output
truncation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…echanisms

- Unify frontend static assets into web/static/ with shared embed (web/embed.go),
  eliminating duplicate copies in cmd/web/static/ and pkg/web/e2e_static/
- Replace 120-line hand-written YAML parser with gopkg.in/yaml.v3 (already a dependency)
- Migrate handler.go from manual path-segment matching to Go 1.22+ ServeMux patterns
- Make WebSocket origin check configurable (default same-origin, "*" in debug mode)
- Add 64KB buffer limit + flush to streamWriter to prevent unbounded memory growth
- Use exponential backoff (1s→10s) for agent WebSocket reconnection
- Split 843-line AgentTerminal.tsx into 5 files under components/terminal/
- Replace 14-case frameTypeFromMessage switch with map lookup
- Reuse bytes.Buffer in remoteTerminalWriter to reduce allocations
- Consolidate duplicate stripANSI into output.StripANSI delegation
- Simplify spaFileServer from struct to HandlerFunc closure
- Merge dual task maps (activeTasks + taskCancels) into single map
- Replace complex PTY debounce timer with ticker + dirty flag pattern
- Remove dead CommandNames() stub, increase PTY channel buffer 64→256

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- agent_scanner_test: add missing SetExecHooks so pseudo-command output
  is redirected to session writer instead of io.Discard
- agent_tmux_test: same SetExecHooks fix for both MultiRound and CtrlC tests
- remote_repl_test: use \n instead of \r as line terminator — fast input
  mode uses ReadString('\n') which never matches \r-only input; also set
  AISCAN_REPL=fast to bypass readline for pipe-based transport

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- arsenal_tool.go: check os.MkdirAll error, suppress fmt.Fprint returns,
  use tagged switch on version string
- cmd_test.go: remove unused captureStdoutForTest and dead imports
- tui/output.go: remove unused canHyperlink and hyperlinkSummary methods
- tui/render.go: remove unused hyperlink and pathHyperlink functions
- go.sum: run go mod tidy to remove stale entries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(pty): remote PTY mechanism with web terminal integration
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Close WebSocket dial response bodies (bodyclose)
- Suppress nilerr on intentional context-cancel returns
- Remove redundant embedded field selectors (QF1008)
- Remove unused stdoutMarkdownEnabled/stdoutDeltaStreamingEnabled
- Add nolint:gosec for intentional text/markdown response

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…, remote PTY

release: v0.2.4 — arsenal tool manager, TUI redesign, agent retry fix
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…sed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add SVG logo (chainreactors network topology style)
- Fix license badge with static AGPL-3.0 label (avoids shields.io cache)
- Add IOA repo link in features, Mode 3 section, and Links

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces the green/cyan logo with chainreactors brand identity:
- Dark red gradient (#800000 → #ff4d4d) matching wiki logo
- Center radar with concentric rings + crosshair + scan sweep arc
- 8 hexagonal satellite nodes in chain-arc ring
- Dashed radial scan lines, glow filters, white node highlights

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Default English README, link to README_CN.md for Chinese
- Features split into: Scan / Agent / IOA / Built-in Toolset
- Tools organized as sub-lists by category (scanners, browser & recon, utilities)
- Remove generic "multi LLM support" — covered in config section
- Merge Mode sections and Architecture into compact Usage section

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tecture

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v7...v8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant