bump to 0.8 #47
What Changed
This PR bumps the kernel (Python) and @onkernel/sdk (TypeScript) dependencies to version 0.8.0 across all project templates. The most significant change is the introduction of a new nightly GitHub Actions workflow and a Python script (scripts/update_versions.py) to automate these version bumps going forward. This new automation will check for new package versions daily and open a PR with the necessary updates.
Risks / Concerns
This is a great addition for keeping templates up-to-date. However, there are a couple of risks to consider with the new automation. First, the use of secrets.GITHUB_TOKEN in the nightly workflow at .github/workflows/nightly-version-bump.yml:17 might prevent CI from running on the auto-generated PRs. Second, changing the dependency constraint to >=0.8.0 in package.json and pyproject.toml files could introduce future breaking changes (e.g., from a 1.0.0 release), potentially causing instability in projects generated from these templates.
11 files reviewed | 2 comments
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} |
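Review bot: uses: actions/checkout@v4 in the checkout step references a mutable tag, and this scheduled job runs unattended with a token handed to that action. Pin the action to a full commit SHA and keep the v4 label as a trailing comment, so a retagged release cannot change what the nightly job executes. The explicit token: ${{ secrets.GITHUB_TOKEN }} line also restates the action's default and can be dropped unless a different token is intended.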
Using secrets.GITHUB_TOKEN here may cause permission issues. The default GITHUB_TOKEN has limited permissions and PRs created with it typically don't trigger other workflows (like CI). Consider using a personal access token or GitHub App token stored as a secret (e.g., secrets.PAT_TOKEN) if you need the created PR to trigger other workflows.
Type: Logic | Severity: Medium
| }, | ||
| "dependencies": { | ||
| "@onkernel/sdk": "^0.6.0", | ||
| "@onkernel/sdk": ">=0.8.0", |
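Review bot: the new "@onkernel/sdk": ">=0.8.0" line has no upper bound, so a project generated from this template installs whatever release is newest in the registry at that moment, and the nightly bump PR stops being the place where a new SDK version gets looked at before users receive it. Prefer "^0.8.0" (npm treats that as >=0.8.0 <0.9.0 for a 0.x package) or an exact version, and let the automation raise the floor through its PRs.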
The change from ^0.6.0 to >=0.8.0 significantly relaxes the version constraint. ^0.6.0 follows semver and only allows compatible changes within 0.6.x, while >=0.8.0 allows any future version including potentially breaking changes (0.9.0, 1.0.0, etc.).
While this aligns with the automated nightly bump strategy, consider if this could introduce instability in template projects. You might want to either:
- Use ^0.8.0 to maintain semver compatibility, or
- Add an upper bound like >=0.8.0 <1.0.0 to prevent major version jumps
Type: Logic | Severity: Medium
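The four ranges named in the review comment above, evaluated against a constructed list of releases to show which ones each range would let an install pick up. This is an added example, not code from the PR; the matcher is a simplified stand-in for npm's range rules (plain x.y.z versions only), not the semver package.

```javascript
// Added example: minimal npm-style range check for plain x.y.z versions
// (no prerelease or build tags). Hypothetical helper names throughout.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret allows changes that do not modify the left-most non-zero component,
// so for a 0.x package it only admits patch releases.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Expand a range string into [operator, version] comparators (all must hold).
function comparators(range) {
  return range.trim().split(/\s+/).flatMap((tok) => {
    if (tok.startsWith("^")) {
      const base = parse(tok.slice(1));
      return [[">=", base], ["<", caretUpperBound(base)]];
    }
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(tok);
    return [[m[1] || "=", parse(m[2])]];
  });
}

function satisfies(version, range) {
  const v = parse(version);
  return comparators(range).every(([op, bound]) => {
    const c = cmp(v, bound);
    return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[op];
  });
}

// Constructed sample of releases a registry might serve over time.
const published = ["0.6.3", "0.7.0", "0.8.0", "0.8.5", "0.9.0", "1.0.0", "2.1.0"];
const ranges = ["^0.6.0", "^0.8.0", ">=0.8.0", ">=0.8.0 <1.0.0"];
const admitted = (range) => published.filter((v) => satisfies(v, range));

for (const r of ranges) console.log(r.padEnd(16), admitted(r).join(", "));
```

Note that the bounded form >=0.8.0 <1.0.0 still admits 0.9.0, which a 0.x package is free to treat as a breaking release.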
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
masnwilliams left a comment
lgtm
and a 100% vibe-coded script / github action to do this nightly
TL;DR
Bumped kernel and @onkernel/sdk versions to 0.8.0 across all templates and introduced a nightly GitHub Action to automate future version updates.
Why we made these changes
To ensure all project templates consistently use the latest SDK versions, providing users with the most current features and bug fixes without manual intervention.
What changed?
- nightly-version-bump.yml GitHub Actions workflow to run a new update_versions.py script daily.
- update_versions.py script fetches the latest kernel (PyPI) and @onkernel/sdk (npm) versions and updates pyproject.toml and package.json files accordingly.
- kernel dependency to >=0.8.0 in Python pyproject.toml files and @onkernel/sdk dependency to >=0.8.0 in TypeScript package.json files across all relevant templates.
Validation
- kernel and @onkernel/sdk versions are correctly updated to 0.8.0 in all template files.
- update_versions.py script correctly identifies and updates versions locally.
- nightly-version-bump.yml workflow triggers and executes the script as expected (manual run or observation of first nightly run).