
chore(deps): bump actions/github-script from 7 to 9#6

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/github-script-9

Conversation


@dependabot dependabot Bot commented on behalf of github May 24, 2026


Bumps actions/github-script from 7 to 9.

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

... (truncated)

Commits
  • 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
  • ca10bbd fix: use @octokit/core/types import for v7 compatibility
  • 86e48e2 merge: incorporate main branch changes
  • c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
  • afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
  • ff8117e ci: fix user-agent test to handle orchestration ID
  • 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
  • 3953caf docs: update README examples from @v8 to @v9, add getOctokit docs and v9 brea...
  • c17d55b ci: add getOctokit integration test job
  • a047196 test: add getOctokit integration tests via callAsyncFunction
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
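The v9 release notes quoted above describe two ways an existing `script:` body breaks after this bump: `require('@actions/github')` stops working, and `const`/`let` redeclaration of the newly injected `getOctokit` parameter is a compile-time `SyntaxError`. The following is an added example, not code from actions/github-script or from this PR, that reproduces the compile step offline so the check can run over workflow files before merging the bump. `V9_INJECTED` is this example's assumption about the injected parameter names (the authoritative list is the action's own), and `SAMPLE_WORKFLOW` is constructed.

```javascript
// Added example (not code from actions/github-script or this PR): a pre-upgrade
// check for inline `script:` bodies. The action compiles the script body as an
// async function whose parameters are the injected names; a body that redeclares
// one of them with const/let will not compile. Nothing is executed here, the
// body is only compiled, so this is safe to run in CI.

const AsyncFunction = Object.getPrototypeOf(async function () {}).constructor;

// Assumed list of injected names; check the action's README for the real one.
const V9_INJECTED = [
  'github', 'context', 'core', 'glob', 'io', 'exec', 'fetch',
  'require', '__original_require__',
  'getOctokit', // new in v9
];

const REQUIRE_ACTIONS_GITHUB = /require\(\s*['"]@actions\/github['"]\s*\)/;

// Returns { ok, findings } for one script body.
function checkScriptForV9(body) {
  const findings = [];

  // 1. require('@actions/github') fails at runtime under v9 (ESM-only dependency).
  if (REQUIRE_ACTIONS_GITHUB.test(body)) {
    findings.push("require('@actions/github') is not available in v9; use the injected getOctokit");
  }

  // 2. const/let redeclaration of an injected parameter is a SyntaxError at compile time.
  try {
    new AsyncFunction(...V9_INJECTED, body);
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    findings.push(`body does not compile with v9 parameters: ${err.message}`);
  }

  return { ok: findings.length === 0, findings };
}

// Pull `script:` bodies out of a workflow YAML. Handles the usual block-scalar
// form (`script: |` followed by an indented block); other YAML forms are skipped.
function extractScriptBodies(yaml) {
  const lines = yaml.split(/\r?\n/);
  const bodies = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*)script:\s*\|[-+]?\s*$/.exec(lines[i]);
    if (!m) continue;
    const indent = m[1].length;
    const body = [];
    for (let j = i + 1; j < lines.length; j++) {
      const l = lines[j];
      if (l.trim() !== '' && l.search(/\S/) <= indent) break; // dedented: block ended
      body.push(l);
    }
    const nonEmpty = body.filter(l => l.trim());
    if (!nonEmpty.length) continue;
    const pad = Math.min(...nonEmpty.map(l => l.search(/\S/))); // common indentation
    bodies.push(body.map(l => l.slice(pad)).join('\n'));
  }
  return bodies;
}

function auditWorkflow(yaml) {
  return extractScriptBodies(yaml).map(checkScriptForV9);
}

// Constructed sample: the first step breaks on v9, the second is the v9-style rewrite.
const SAMPLE_WORKFLOW = `
jobs:
  demo:
    steps:
      - uses: actions/github-script@v9
        with:
          script: |
            const { getOctokit } = require('@actions/github');
            const other = getOctokit(process.env.OTHER_TOKEN);
            return other.rest.repos.get({ owner: 'o', repo: 'r' });
      - uses: actions/github-script@v9
        with:
          script: |
            const other = getOctokit(process.env.OTHER_TOKEN);
            const { data } = await other.rest.repos.get({ owner: 'o', repo: 'r' });
            core.info(data.full_name);
`;
```

`auditWorkflow(SAMPLE_WORKFLOW)` reports two findings for the first step (the `require` and the `const { getOctokit }` redeclaration) and none for the second. The compile-only check catches the `SyntaxError` class of breakage; the `require` regex is needed separately because that failure only surfaces at runtime.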

dependabot Bot commented on behalf of github May 24, 2026


Labels

The following labels could not be found: automated, ci. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


vercel Bot commented May 24, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: civia
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 24, 2026 7:19pm

andrei1000z added a commit that referenced this pull request May 25, 2026
…h wire

#11 Auth event tracking expanded:
- AuthProvider.signInWithEmail: track auth-magic-link-sent on successful OTP
  submit (separate from auth-signin, which fires after verify on the callback)
- AuthProvider.signInWithOAuth: track auth-oauth-initiated with provider
  so we can measure Google vs Apple conversion
- AuthProvider.signOut: track auth-signout-clicked before the actual
  Supabase call (captures intent vs success — onAuthStateChange
  tracks the success)
- onAuthStateChange existing wire (signin/signout/password-reset) kept

#4 GDPR Art. 17 right-to-erasure for analytics:
- /api/profile/delete extended with a purgeAnalyticsForUser() helper that
  deletes userMeta/userRoutes/userCountries/userDays + ZREM topUsers
  + SREM excluded. Best-effort: Redis being down does NOT block the DB cascade.
- /api/admin/analytics/user/[userId] NEW — dedicated admin endpoint for
  purging a specific user (when the user asks without deleting their account, or
  for post-incident cleanup). Returns the deleted count for audit.

#6 Romanian-language page /legal/analiza-trafic:
- 8 sections: what we don't do / how we derive the visitor ID / captured fields
  / retention periods / bot filter / opt-out / legal framework / GDPR contact
- Wording matches Art. 4(5) of Law 506/2004 + EDPB + CNIL Sheet 16
- Structural defence before ANSPDCP — any inquiry can be resolved
  by referring to this page + docs/privacy/* (TODO)
- Link added in the Footer under "Politica de cookies"

759/759 tests pass. TS clean.

Sources:
- https://www.cnil.fr/en/sheet-ndeg16
- https://legislatie.just.ro/Public/DetaliiDocument/56973 (L506/2004)
- EDPB Guidelines 2/2023
andrei1000z added a commit that referenced this pull request May 29, 2026
5 P0/P1 improvements from the improvements.md audit:

1. **mig 086 REVOKE exec_sql** (P0 #6 security critical)
   - REVOKE EXECUTE from PUBLIC + anon + authenticated
   - GRANT explicitly only to service_role
   - If SERVICE_ROLE_KEY leaks, there is no longer RCE on the DB via RPC

2. **sanitize-headers.ts** (P1 #30 security high)
   - sanitizeFromName(): strip CR/LF + control chars + quote escape
   - buildFromHeader(): RFC 5322-compliant From header
   - sanitizeSubject(): strip control chars + cap at 200
   - Anti header injection (Bcc/Reply-To via newline)

3. **buildFromHeader applied in 3 routes**:
   - /api/sesizari/[code]/send-via-civia
   - /api/sesizari/[code]/resend-via-civia
   - /api/sesizari/[code]/escalate-avp
   - All used raw interpolation → injection surface

4. **requireAdmin() helper** (P0 #9 security high)
   - src/lib/auth/require-admin.ts with 2 functions
   - requireAdmin() for admin API routes (session-based)
   - requireAdminSecret() for cron/internal calls (Bearer)
   - Foundation for refactoring 17 hand-rolled routes

5. **Fix 2 lint errors blocking CI** (P1 #26)
   - src/app/admin/feedback/page.tsx: prefer-const redisEntries
   - src/app/api/resend/webhook/route.ts: prefer-const extraFields
   - Dependabot PRs unblocked

Tsc OK.
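Item 2 of the commit above describes the classic email header-injection fix: a display name interpolated raw into a `From:` header lets a CR/LF in user input terminate the header and append `Bcc:` or `Reply-To:` lines. The following is an added example, not the project's sanitize-headers.ts, written from RFC 5322 rules; the function names follow the commit's description but the bodies are this example's own, and the hostile display name in `demo()` is constructed.

```javascript
// Added example (not the project's sanitize-headers.ts): header-injection
// defence for the From and Subject headers, from RFC 5322 rules.

// CR, LF and other ASCII controls are what let attacker input end one header
// and start another ("Bcc:", "Reply-To:"), so they are removed outright.
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/g;

function stripControlChars(value) {
  return String(value).replace(CONTROL_CHARS, '');
}

// The display name goes inside a quoted-string (RFC 5322 section 3.2.4):
// strip controls, cap the length, then escape backslash and double quote.
// Escaping happens last so the cap can never leave a dangling backslash that
// would escape the closing quote.
function sanitizeFromName(name, maxLen = 64) {
  return stripControlChars(name).trim().slice(0, maxLen).replace(/[\\"]/g, '\\$&');
}

// The address is validated rather than cleaned: anything outside a plain
// addr-spec is rejected, because "fixing" it could change the mailbox.
const ADDR_SPEC = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function buildFromHeader(name, address) {
  if (!ADDR_SPEC.test(address)) {
    throw new Error(`invalid From address: ${JSON.stringify(address)}`);
  }
  const display = sanitizeFromName(name);
  return display ? `"${display}" <${address}>` : `<${address}>`;
}

function sanitizeSubject(subject, maxLen = 200) {
  return stripControlChars(subject).trim().slice(0, maxLen);
}

// Before/after on a constructed hostile display name: raw interpolation yields
// two headers (From + Bcc), the sanitized form yields exactly one.
function demo() {
  const hostile = 'Ion Popescu\r\nBcc: victim@example.invalid';
  const unsafe = `"${hostile}" <noreply@example.invalid>`; // the pre-fix pattern
  const safe = buildFromHeader(hostile, 'noreply@example.invalid');
  return { unsafe, safe };
}
```

Stripping (rather than encoding) control characters is the right call for a display name because no legitimate name contains them; the address itself is never rewritten, only accepted or refused, so a malformed mailbox fails loudly at the call site instead of being silently altered.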
andrei1000z added a commit that referenced this pull request May 29, 2026
…olding + roadmaps)

P0/P1 improvements + Big feature #1 SHIPPED + scaffolding for the rest:

## Batch 6: DB migrations (mig 088 is_admin)
- supabase/migrations/088_is_admin_function.sql
- Function `is_admin()` STABLE SECURITY DEFINER for RLS
- Function `current_user_id()` wrapper for auth.uid()
- Foundation for refactoring 14 inline subqueries → is_admin()
- 5-50x speedup on queries with RLS

## Batch 7: Observability (TaggedErrorBoundary)
- src/components/error/TaggedErrorBoundary.tsx
- Class component with Sentry.captureException(tags: { surface })
- Foundation for per-surface tagging (sesizari/petitii/stiri/admin)

## Batch 8: Big Feature #1 SHIPPED + 6 planned
- 🟢 Agent AI Insistent (FULL implementation):
  • src/app/api/cron/agent-insistent/route.ts (3-stage pipeline)
  • supabase/migrations/089_agent_insistent_schema.sql
  • Stage 1 (day 30): Reminder to the town hall citing OG 27/2002 art. 8
  • Stage 2 (day 45): Notification to the AVP + county Prefecture
  • Stage 3 (day 60): Administrative-court complaint template for the citizen (PDF text)
  • Audit trail in the sesizare_escalations table
- 📐 Draft plan for the remaining 6: docs/big-features-roadmap.md
  • #3 Council stream — blocked on cost ($5+/month)
  • #4 Budget "pe banii MEI" — Q2 ready
  • #5 Initiatives OTP SMS — blocked on legal+cost
  • #8 EU Compass — Q2-Q3
  • #9 Wealth verification — Q3-Q4 (legal review)
  • #10 Decizii Deschise — Q2-Q3

## Batch 9: Medium features
- 🟢 #7 Streak (scaffolded cron placeholder)
- 📐 Draft plan for the remaining 10: docs/medium-features-roadmap.md
  • #1 Semantic AI search (pgvector)
  • #3 Civic calendar
  • #6 Opt-in public profile
  • #8 Personalised newsletter
  • #9 Voice input
  • #10 Intensity heatmap
  • #12 Press embed widget
  • #13 Outage push notifications
  • #14 "Azi rezolvate" counter
  • #17 Multilang RO/HU/UK

## Total commits batch 1-9
- 3e03eb9 Batch 1 security P0
- 4605ecc Batch 3 email infra + mig 087
- 6d6e764 Batch 5 perf (React cache + ISR)
- THIS: Batch 6+7+8+9 (mig 088, ErrorBoundary, BIG #1, scaffolds)

## Files shipped total
- 7 new files in src/ (route handlers, lib, components)
- 4 new migrations (086-089)
- 1 GH Actions workflow (backup-supabase.yml)
- 2 roadmap docs

## Post-deploy steps required
1. npm run migrate (applies 086-089)
2. Schedule the agent-insistent cron daily at 09:00
3. Schedule the sesizari-retry-bounce cron every 4h
4. Configure GH Actions secrets (R2 + SUPABASE_DB_URL)
5. Migrate RLS policies to is_admin() in a future migration

Tsc OK.
andrei1000z added a commit that referenced this pull request May 29, 2026
Consolidated mega push: all user-approved features implemented.

═══════════════════════════════════════════════════════════════════
🚀 BIG FEATURES (7 of 7 approved)
═══════════════════════════════════════════════════════════════════

✅ #1 Agent AI Insistent (already shipped in the previous commit)

✅ #3 Public consultations / Council agenda (lite version)
   - Table consultatii_publice in mig 090
   - Integrated into the Civic calendar at /calendar
   (Full stream requires CF Stream + Whisper $$$ → Q4+)

✅ #4 Budget "Pe banii MEI"
   - src/lib/buget/calculator.ts (RO 2026 fiscal formulas)
   - src/app/buget/personal/page.tsx + BugetCalculatorClient.tsx
   - User enters net salary + county → annual share going to the town hall + distribution
     across 9 categories (payroll, investments, education, etc.)

✅ #5 Citizen initiatives with OTP
   - src/app/initiative/page.tsx (public list)
   - src/app/api/initiative/sign-otp/route.ts (Twilio SMS + Redis OTP, 10-minute TTL)
   - Tables initiative + initiative_signatures with privacy (phone_hash, cnp_hash)
   - Anti-fraud: rate limit, unique constraint, 6-digit OTP

✅ #8 EU Funding Compass
   - src/app/compass-ue/page.tsx
   - Table ue_programs with pgvector embedding for AI matching
   - "Expiring soon" filter (red badge for <7 days)

✅ #9 Officials' wealth verification (ANI)
   - src/app/verificare-avere/page.tsx
   - Table demnitari_avere with suspicious_jump_pct
   - Clear disclaimer + link to integritate.eu
   - LEGAL REVIEW required before live scraping

✅ #10 Decizii Deschise for local councils
   - src/app/decizii-deschise/page.tsx
   - Tables consiliu_propuneri + consiliu_propunere_comments
   - AI summary per proposal + space for citizen comments

═══════════════════════════════════════════════════════════════════
🎁 MEDIUM FEATURES (11 of 11 approved)
═══════════════════════════════════════════════════════════════════

✅ #1 Semantic AI search with pgvector
   - /api/search/semantic with Cloudflare AI embedding (bge-small-en-v1.5)
   - Graceful fallback to ILIKE keyword search
   - Function similar_sesizari in mig 090

✅ #3 Civic calendar
   - src/app/calendar/page.tsx
   - Aggregates protests + public consultations
   - /api/calendar/export.ics — RFC 5545 compliant iCal export

✅ #6 Opt-in public profile
   - src/app/u/[slug]/page.tsx
   - Columns profiles.public_profile_enabled/slug/bio in mig 090
   - Computed civic badges (Power Contributor, etc.)
   - JSON-LD + OG meta for SEO

✅ #7 Civic Streak (full impl partial)
   - Table civic_streak with RLS public read
   - Cron skeleton in the previous commit

✅ #8 Personalised weekly newsletter
   - /api/newsletter/subscribe + /api/newsletter/unsubscribe (1-click GDPR)
   - Table newsletter_subscriptions with unsubscribe_token
   - Email confirmation via Resend

✅ #9 Voice input (Web Speech API)
   - src/components/VoiceInput.tsx
   - Graceful fallback on iOS Safari (no SR available)
   - Real-time partial transcript

✅ #10 Complaint intensity heatmap
   - /api/heatmap/sesizari API
   - Materialized view sesizari_heatmap in mig 090
   - Lat/lng bucketing to 3 decimals (~100m precision)

✅ #12 Embed widget for journalists
   - /embed/sesizari/[judet]?count=5
   - Iframe-friendly, isolated CSS, CORS-open
   - generateStaticParams per county

✅ #13 Push for scheduled works
   - /api/push/subscribe (existing)
   - mig 090 adds the topic + active columns

✅ #14 "Azi rezolvate" counter
   - src/components/TodayCounter.tsx (live update every 30s)
   - View today_civic_stats in mig 090
   - /api/stats/today endpoint
   - CountUp animation easeOutCubic

✅ #17 Multilang RO/HU/UK
   - src/lib/i18n/messages.ts (lightweight i18n, no deps)
   - src/components/LocaleSwitcher.tsx (cookie-based)
   - 16 strings translated Romanian/Hungarian/Ukrainian

═══════════════════════════════════════════════════════════════════
📊 SCHEMA: mig 090 (10 tables + 1 view + 1 matview + 2 functions)
═══════════════════════════════════════════════════════════════════

New tables:
- newsletter_subscriptions
- civic_streak
- buget_primarii_annual
- initiative + initiative_signatures
- ue_programs + ue_program_subscriptions
- demnitari_avere
- consiliu_propuneri + consiliu_propunere_comments
- consultatii_publice

Columns added:
- profiles: 7 new (public_profile_*, preferred_locale, notify_intreruperi_*, newsletter_pref)
- push_subscriptions: topic + active
- sesizari/petitii/stiri: embedding vector(384)

Indexes (HNSW for embedding):
- 4x HNSW vector cosine_ops for semantic search
- 5x partial indexes on hot queries

RLS:
- 11 new policies for tables with public read + insert/all auth
- Uses the is_admin() helper from mig 088

═══════════════════════════════════════════════════════════════════
🔧 REQUIRED POST-DEPLOY STEPS
═══════════════════════════════════════════════════════════════════

1. npm run migrate (applies mig 090)
2. ENV vars to configure:
   - TWILIO_ACCOUNT_SID + TWILIO_AUTH_TOKEN + TWILIO_FROM_NUMBER (Initiative OTP)
   - CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_AI_TOKEN (semantic search free tier)
   - PHONE_HASH_SALT (random 32-byte hex for phone hashing)
3. Schedule pg_cron for:
   - refresh_sesizari_heatmap weekly
   - newsletter delivery Monday 09:00
4. Add navigation links to /buget/personal, /initiative, /compass-ue,
   /verificare-avere, /decizii-deschise, /calendar, /u/[slug]
5. Add LocaleSwitcher in the Footer

Tsc OK. Files: 22 new files, ~3400 lines.
andrei1000z added a commit that referenced this pull request Jun 6, 2026
…rofiles

Audit P0 #1 + #2 — the last 2 Upstash holdouts (billing suspended).

#1 vision-routing.ts: the vision cache (7 days) migrated @upstash/redis → D1
(analyticsD1 get/set JSON). Without it, every photo = an expensive Groq Vision call.

#2 hidden-users.ts: the "hide name" flag read/wrote Upstash SETs
(smismember on a dead account = silent fail → the names of users who opted
for anonymity were showing up in comments). THE SOURCE OF TRUTH is profiles.hide_name
(migration 015) — we now read/write profiles directly via the admin client. In-memory
fallback for dev/test (no service key). getHiddenEmails → no-op (profiles
has no email column + the feed no longer calls it). Zero data loss.

=> ZERO Upstash dependency in code (rate-limit/cache/analytics/budget were already
on D1). The Upstash account can safely be cancelled.

NB audit: #3 (BCC) = false positive (BCC is private, does not leak to TO); #4
(webhook HMAC) already implemented (just set RESEND_WEBHOOK_SECRET); #6
(50k indexes) premature (the feed has 62 rows).

Verified: tsc clean, 491 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
andrei1000z added a commit that referenced this pull request Jul 2, 2026
… + matching + states + AI resilience)

SECURITY
- BLOCKER #1: auto-apply required trust in the spoofable From + the DKIM/
  DMARC gate was optional → anyone could forge office@primarie.ro + a PUBLIC code
  and mark another citizen's complaint. Auto-apply now requires PROOF: token/
  threading match (secret) OR aligned DKIM/DMARC (authenticity.auth_aligned)
- #20/#22 worker: we keep the FIRST Authentication-Results occurrence (Cloudflare's),
  not the last → the attacker can no longer inject a fake A-R lower in the message
- #19: scoreAiAuthenticity uses the groqText cascade (not raw Groq) → a 429 no longer
  collapses to 50 (which blocked auto-apply for real gov senders)

MATCHING
- #6 guard N3: a code from a weak source without corroboration (domain/robust source) → medium,
  not high; a code linking a never-sent / created-after-reply complaint → not linked
- #8 N4: 180-day window + order + server-side limit (no longer hits the 1000 cap)
- #25/#32 extract-code: removed the regex that grabbed the first token of any
  third-party Message-ID; registration no. 12345/2026 is no longer confused with a code
- #26: content_score medium only on a strict winner (no arbitrary tie-break)

STATES
- #11/#13: ignorat (administrative marker) no longer swallows real responses — any
  response status supersedes it
- #12: lateral moves within the active tier (in-lucru->interventie) = progress, not drop
- #29: redirectionata can supersede inregistrata (redirect after registration)
- #30 auto-status: no longer marks never-sent complaints as ignorat (nou removed);
  timing runs from sent_at, not created_at

NOTIFICATIONS
- #5: the push reflects the status ACTUALLY applied, not the classification (no more false "Rezolvată")
- #7: push only on a high-confidence match (medium could notify another citizen = PII)
- #15: auto_applied=true only when a status is actually applied (does not slip out of the digest)

AI RESILIENCE
- #27: the cascade no longer dies if GROQ_API_KEY is missing (skips to Gemini/CF)
- #10: internal timeout on callGemini (18s) + on the PDF SDK (25s)
- #9: a scanned PDF with empty Gemini output falls back to Groq/CF vision (does not give up)

WORKER
- #3/#17/#18: soft filters (noreply@/Auto-Submitted/Precedence/List-Id) no longer
  drop registration confirmations — bypassed when they look like an authority response
- #33: deterministic synthetic Message-ID for emails without one → dedup on retry
- #24: transient insert error → retry (dedup-safe), not silent loss
- #28/#31: received_at/official_response_at = the email's time, not processing time

+14 new tests (computeStatusUpdate ignorat/lateral/redirect, extract-code guards,
matchReply N3). worker v4.3.0. 1161 tests, tsc 0, eslint 0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
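The SECURITY section of the commit above makes two defensive points worth seeing together: only the first `Authentication-Results` header (the one the receiving edge prepends) may be trusted, and auto-apply needs proof beyond a spoofable `From` and a public code. The following is an added example, not the project's worker code, that assembles that gate from an RFC 5322 header parser and an RFC 8601 `Authentication-Results` parser. `TRUSTED_AUTHSERV_ID`, the token-match flag and the two sample messages are constructed for this example.

```javascript
// Added example (not the project's worker code): the auto-apply proof gate.
// Only the FIRST Authentication-Results header is consulted, and only if it
// carries our receiving edge's authserv-id; auto-apply is then allowed on a
// secret token/threading match OR an aligned DKIM/DMARC pass.

const TRUSTED_AUTHSERV_ID = 'mx.example-edge.invalid'; // assumed authserv-id of our MX

// Unfold continuation lines and return [name, value] pairs in wire order.
function parseHeaders(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === '') break;                       // blank line ends the header block
    if (/^[ \t]/.test(line) && out.length) {      // folded continuation (RFC 5322 2.2.3)
      out[out.length - 1][1] += ' ' + line.trim();
      continue;
    }
    const i = line.indexOf(':');
    if (i < 0) continue;
    out.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return out;
}

// "authserv-id; method=result [props]; method=result ..." (RFC 8601)
function parseAuthResults(value) {
  const [idPart, ...stanzas] = value.split(';').map(s => s.trim());
  const results = {};
  let dkimDomain = null;
  for (const st of stanzas) {
    const m = /^(spf|dkim|dmarc)=(\w+)/i.exec(st);
    if (!m) continue;
    results[m[1].toLowerCase()] = m[2].toLowerCase();
    if (m[1].toLowerCase() === 'dkim') {
      const d = /header\.d=([^\s;]+)/i.exec(st);
      if (d) dkimDomain = d[1].toLowerCase();
    }
  }
  return { authservId: idPart.split(/\s+/)[0], results, dkimDomain };
}

function fromDomain(headers) {
  const from = headers.find(([n]) => n === 'from');
  const m = from && /@([A-Za-z0-9.-]+)/.exec(from[1]);
  return m ? m[1].toLowerCase() : null;
}

// True only when the first A-R header is ours and reports an aligned pass:
// dmarc=pass, or dkim=pass whose signing domain equals the From domain.
function authAligned(raw) {
  const headers = parseHeaders(raw);
  const first = headers.find(([n]) => n === 'authentication-results');
  if (!first) return false;
  const { authservId, results, dkimDomain } = parseAuthResults(first[1]);
  if (authservId !== TRUSTED_AUTHSERV_ID) return false; // could be sender-supplied
  if (results.dmarc === 'pass') return true;
  return results.dkim === 'pass' && dkimDomain !== null && dkimDomain === fromDomain(headers);
}

// The auto-apply decision: a spoofable From plus a public code is never enough.
function canAutoApply(raw, tokenMatched) {
  if (tokenMatched) return { allowed: true, reason: 'secret token/threading match' };
  if (authAligned(raw)) return { allowed: true, reason: 'aligned DKIM/DMARC pass from trusted edge' };
  return { allowed: false, reason: 'no proof of sender' };
}

// Constructed samples. In FORGED the sender appended their own A-R header below
// the edge's; a "last occurrence" rule would have trusted it.
const GENUINE = [
  'Authentication-Results: mx.example-edge.invalid; spf=pass; dkim=pass header.d=primarie-exemplu.ro;',
  '  dmarc=pass header.from=primarie-exemplu.ro',
  'From: Registratura <office@primarie-exemplu.ro>',
  'Subject: Re: sesizare',
  '',
  'Registered under no. ...',
].join('\r\n');

const FORGED = [
  'Authentication-Results: mx.example-edge.invalid; spf=fail; dkim=none; dmarc=fail',
  'From: Registratura <office@primarie-exemplu.ro>',
  'Authentication-Results: mx.example-edge.invalid; dkim=pass header.d=primarie-exemplu.ro; dmarc=pass',
  'Subject: Re: sesizare',
  '',
  'Resolved.',
].join('\r\n');
```

The authserv-id check is only half of the defence: RFC 8601 also expects the receiving MTA to delete any pre-existing `Authentication-Results` header that claims its own authserv-id, so that the first occurrence really is the edge's. Without that stripping, "first wins" still beats "last wins" but is not sufficient on its own, which is why the gate also accepts the secret token/threading match as an independent proof.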