chore(deps): bump actions/checkout from 4.2.2 to 7.0.0#3
Closed
dependabot[bot] wants to merge 56 commits into
Closed
chore(deps): bump actions/checkout from 4.2.2 to 7.0.0#3dependabot[bot] wants to merge 56 commits into
dependabot[bot] wants to merge 56 commits into
Conversation
….9.1 Extracts the design and media production steps from lorecraft-io/cli-maxxing at tag v1.9.1. Includes step-4 (design/UI MCPs and skills) and step-5 (video/audio production tools), README, CLAUDE.md, CI workflows, SECURITY.md, and install/uninstall scripts.
…nstall idempotency - .gitignore: remove Obsidian/2ndBrain-specific comments (wrong repo context) - README.md: add exact 'Prereq: cli-maxxing' callout line - install.sh: add marker-file idempotency guard - uninstall.sh: clean up marker file on uninstall
- Add update.sh that re-runs the installer from latest GitHub main - Fix README install/uninstall URLs (raw.githubusercontent.com, not github.com) - Add Update section with one-liner to README - Document ~/.claude/.creativity-maxxing-installed idempotency marker
install.sh: detect bash <(curl) pipe context via BASH_SOURCE; clone repo to tmpdir when step-4 scripts aren't present alongside the script. Preserves idempotency marker guard for fresh installs. update.sh: clone fresh from GitHub and run step-4/step-5 directly, bypassing the idempotency marker so updates always re-run idempotent step scripts.
- install.sh: escape $HOME in error message (was literal ~ in double quotes) - uninstall.sh: remove unused RED color variable Unblocks Lint Shell Scripts workflow on main.
The ludeeus/action-shellcheck@94e0aab0 action does not accept an ignore_paths input. Valid inputs: additional_files, ignore, severity, check_together, scandir, disable_matcher, format. Previous runs emitted '##[warning]Unexpected input(s) ignore_paths' on every execution in both lint.yml and security.yml. Renaming to the correct 'ignore' key silences the warning and actually applies terminal-academy/node_modules exclusion.
Prior pin (94e0aab) was tagged v2.0.0 in comment but is actually the v1.1.0 SHA, which uses the deprecated ::set-output GitHub Actions command. Upgrade to the real v2.0.0 SHA (00cae500) which writes to $GITHUB_OUTPUT and adds ignore_names / ignore_paths inputs alongside the legacy ignore.
- lint.yml: skip push runs on **.md / docs/** / README* - lint.yml + security.yml: concurrency group cancels in-flight runs on the same ref to halve wasted CI during push bursts. pull_request triggers unchanged — docs still lint on PRs.
…/Seedance - README: Nate-voice rewrite, banner at top, Quick Navigation table, cheat sheet link, taste pack dropped from "marquee" framing, per-tool paragraphs, OAuth callout, trilogy points to cli-maxxing + task-maxxing only - rename step-4/ → design/, step-5/ → media/, strip step-N language - add Canva MCP install (remote, OAuth on first use) to design module - add Higgsfield / Seedance 2.0 15-skill prompt pack to media module (clones beshuaxian/higgsfield-seedance2-jineng, copies SKILL.md files) - taste skill: use correct installed frontmatter names (design-taste-frontend, high-end-visual-design, minimalist-ui, industrial-brutalist-ui, redesign-existing-projects, stitch-design-taste, full-output-enforcement, gpt-taste) across install checks, uninstaller, README, cheat sheet - CHEAT-SHEET.md: slash commands for all 8 taste variants + 15 video prompt skills + transcription + Canva + Remotion workflows - .gitignore: test artifacts (.agents/, skills/, skills-lock.json) - banner: creativitymaxxing.png committed at repo root Self-tested: 13/13 install tests pass, idempotent, shellcheck clean at warning + error severity.
…draw/Gamma connectors
…at gets installed' table with Kind=claude.ai connector
…k + fix Kind column
…ai hosted) - design/install.sh: add generic install_remote_http_mcp() helper + figma/excalidraw/gamma wrappers - Wire install_figma_mcp/install_excalidraw_mcp/install_gamma_mcp into main() - Banner updated: 'UI/UX Pro Max + Taste Skills + Magic + Canva + Figma + Excalidraw + Gamma' - README: Kind column flipped 'MCP server (claude.ai hosted)' -> 'MCP server (HTTP, OAuth)'; footer note updated — they're installed locally now, OAuth on first call (not 'enable on claude.ai') URLs used: mcp.figma.com/mcp, mcp.excalidraw.com/mcp, mcp.gamma.app/mcp
…ead of word-boundary regex
- Replace non-existent actions/checkout@v6 with SHA-pinned v4.2.2 (11bd71901bbe5b1630ceea73d27597364c9af683) - Add timeout-minutes: 15 to all jobs (was missing in both workflows) - Add paths-ignore to pull_request trigger in lint.yml so doc-only PRs skip shellcheck
…mma MCP tests - Raise all taste_installed_count thresholds from 7 to 8 (install, self-test, summary) - Add self-test checks for Figma, Excalidraw, and Gamma MCPs (warn-not-fail) - Add Figma, Excalidraw, and Gamma to print_summary install status table - Add OAuth-on-first-use instructions for Figma, Excalidraw, and Gamma to summary output
…thresholds, Figma/Excalidraw/Gamma coverage
Scripts:
- install.sh: add banner + what-gets-installed summary at top, styled completion message
- update.sh: add what-gets-installed summary matching install.sh
- design/install.sh: bump all taste-skill thresholds from 7→8 (idempotency, self-test,
summary); add Figma/Excalidraw/Gamma to self-test, print_summary installed table,
and manual follow-ups section
- media/install.sh: fix SC2015 (A&&B||C not if/else) in whisper-cpp source build;
replace stray .agents/skills/ relative paths with $HOME/.claude/skills/ in both
install and self-test
- uninstall.sh: fix comment "7 Taste Skill variants" → 8; add remove_figma_mcp,
remove_excalidraw_mcp, remove_gamma_mcp functions and wire into main()
Docs:
- README.md: Quick Nav "7 variants" → 8; add Figma/Excalidraw/Gamma to Manual steps
OAuth table; add all three to uninstall description
- CHEAT-SHEET.md: add Figma, Excalidraw, Gamma MCP sections under Design
- SECURITY.md: replace stale step-{4,5}/step-*-install.sh path with correct
design/install.sh + media/install.sh references
Replace info()/success() with removed_one()/skipped_one() in the Magic, Canva, Figma, Excalidraw, and Gamma MCP removal blocks so uninstall output matches the rest of the script's reporting style.
install.sh: add YELLOW follow-up section after completion reminding users that 21st.dev Magic needs a manual API key and that Canva/Figma/Excalidraw/Gamma use OAuth on first tool call. media/install.sh: fix missing -e in set -uo pipefail → set -euo pipefail so the media module exits on error consistent with the rest of the repo. shellcheck passes on all four scripts.
…rity check design/install.sh: install_uiux_skill() was fetching from the mutable nextlevelbuilder/ui-ux-pro-max-skill main branch with no integrity check. A compromised or deleted upstream commit would silently install arbitrary skill content into ~/.claude/skills. Fix: pin to commit b7e3af8, verify SHA-256 digest before mv to final path, reject and soft_fail on mismatch. Use a tmp file so a failed download never leaves a partial file in place. SECURITY.md: add supply-chain pinning section documenting the pattern and update instructions for maintainers rotating the pin.
cskip is the daily-driver launch command and the most important alias for users of this repo — it was missing from the CLI shortcuts section. Also annotate cbrain with its 2ndBrain-mogging requirement so the section is self-contained without needing to cross-reference cli-maxxing.
…SECURITY.md accuracy - lint.yml + security.yml: deprecated `ignore:` → `ignore_paths:` for shellcheck action v2.0.0 - lint.yml: remove stale `terminal-academy` path (lives in cli-maxxing, not here) - install.sh: "2 tools" → "5 tools" in post-install footer (1 API key + 4 OAuth) - README: nav table "2-3 tools" → "5 tools"; yt-dlp CLI before MCP (dependency order); ffmpeg in uninstall list - SECURITY.md: set-euo-pipefail claim scoped correctly (design/install.sh soft-fail exception noted); SHA-pinning scoped to UI/UX Pro Max only (Higgsfield is floating HEAD)
Adds Microsoft's @playwright/mcp to the design install stack. Covers install_playwright() function with idempotency check, self-test, summary row, main() wiring, root install.sh banner, update.sh banner, README table + idempotency note, uninstall.sh remove_playwright_mcp(), and CHEAT-SHEET.md section.
design/install.sh was the only script in the repo still on `set -uo pipefail` — every other script (root install, update, uninstall, media install) runs `set -euo pipefail`. Flipping it now so the design module aborts on error consistent with the rest of the repo. media/install.sh has been running with -e since 7a009ae with zero fallout, so the same guarantee is safe here. Also: - Declare SKILL_DIR / UIUX_COMMIT / SKILL_URL / UIUX_SHA256 / SKILL_TMP / _sha as local inside install_uiux_skill so they stop leaking to global scope. - Scope TEST_PASS / TEST_FAIL as local inside run_self_test in both design/install.sh and media/install.sh. shellcheck 0.11.0 passes clean on all five scripts; `bash -n` passes on all five.
- lint.yml: new syntax-check job runs bash -n on every tracked .sh - lint.yml: new coverage-assertions job asserts design/install.sh installs Playwright MCP (install_playwright + @playwright/mcp anchors) and advertises the full design MCP suite (Canva, Figma, Excalidraw, Gamma, Playwright) - Matches pinned SHA conventions: checkout v4.2.2, shellcheck v2.0.0 (00cae500) Closes CI gap: previously nothing verified the design module still installs Playwright after the 2026-04-22 Playwright addition (commit c3ce421).
The excalidraw/excalidraw-mcp README cites the remote hosted endpoint as `https://mcp.excalidraw.com` (no `/mcp` suffix). The installer was using `https://mcp.excalidraw.com/mcp`, which does resolve but isn't the URL shape the maintainers document. Match the README exactly.
…ory-rewrite + social-strip notes
- Item 3: 21st.dev link updated to 21st.dev/mcp (the MCP dashboard) across design/install.sh + top-level wrapper. Homepage was dropping users into a generic landing flow with no clear "create API key" path. - Item 4: install_whisper_model_basen auto-fetches ~/.whisper/ggml-base.en.bin (~141MB) from huggingface.co with size-floor verification (>=100MB). Opt out via --no-whisper-model. Failed/truncated downloads remove the partial file and print the literal manual curl command. Eliminates the "first call fails silently" trap every WAGMI teammate hit. - Item 12: design + media install.sh both run preflight_npm_cache_ownership to detect root-owned ~/.npm before any npx call. Cross-repo wording matches 2ndBrain-mogging's preflight (consistent fix, single muscle memory). - Item 13: Gamma MCP moved to opt-in via --with-gamma flag. Default install no longer registers Gamma (it fails to connect without an API key, polluting the install summary). --with-gamma + an API key from gamma.app/api enables it. Top-level install.sh propagates "$@" to design/media so --with-gamma and --no-whisper-model reach the sub-installers. Source: project_wagmi_install_bugs_2026_04_22 + WAGMI install-call transcript
… (items 3, 4, 12, 13) - CHANGELOG.md: 4 [Unreleased] entries — 21st.dev/mcp URL fix, Whisper base.en auto-fetch with --no-whisper-model opt-out + size-floor verification, npm-cache root-owned preflight (cross-repo consistent with mogging), Gamma --with-gamma opt-in - tests/test_design_install.sh: +5 assertions — WITH_GAMMA declared, --with-gamma parsed, if-gate at install_gamma_mcp call site, preflight_npm_cache_ownership defined, 21st.dev/mcp URL referenced. 51/51 design tests now passing. Source: project_wagmi_install_bugs_2026_04_22 + WAGMI Apr-22 install-call transcript Code fixes themselves shipped in f35a828; this is the documentation + test-coverage gap-fill the previous session crashed before completing.
- .gitleaks.toml extends gitleaks default rules with project-specific allowlists for the 2026-04-25 redacted-token markers + intentional template placeholders. - scripts/install-pre-commit-hook.sh — idempotent local-hook installer. - README documents the hook + bypass. Source: #8 from project_repo_readme_polish_backlog + 2026-04-25 secret-scrub
…state (2026-05-04)
New third module alongside design + media. Installs the /copywriting skill — SKILL.md plus 19 reference files covering voice library, frameworks, headlines, body copy, CTAs, proposals, psych triggers, compression, humanization, proofreading, and quality gates. Trained on Bernbach, Hegarty, Abbott, Trott, Wieden, Sugarman, Sackheim, Schwartz, Bencivenga, Gossage, Krone, McElligott. Auto-activates on headline / hero / body / CTA / manifesto / proposal / landing-page / ad-copy / brand-voice / naming / 'rewrite this paragraph' requests. Suspended in regular chat by /concise from cli-maxxing — only takes over when the deliverable is going to a human audience. - copywriting-skill/ vendored at repo root (20 files, mirrors cli-maxxing's concise-skill/ pattern) - copywriting/install.sh: downloads from main with local fallback, idempotent, self-test verifies SKILL.md + voice-library + gates - install.sh + update.sh: third bash call after design + media, banner text updated - uninstall.sh: removes ~/.claude/skills/copywriting/ before the ffmpeg prompt - README.md: copywriting in feature list, install description, what-gets-installed table, dedicated 'How I use' subsection, uninstall ordering - CHEAT-SHEET.md: new Copywriting section with example prompts, process flow, reference-file map; install path added
…angelog Test harness now mirrors the new copywriting module: - tests/test_copywriting_install.sh (NEW, 61 assertions) — static contract for copywriting/install.sh (function list, BASE_URL, COPY_REF_FILES, LOCAL_SRC fallback, self-test wording, vendored copywriting-skill/ inventory), plus a behavioral probe that forces curl to fail so the local fallback path runs (lands 1 SKILL.md + 19 refs), confirms idempotency on re-run, and a prereq probe asserting non-zero exit when claude is absent - tests/test_root_install.sh — shims copywriting/install.sh in the sandbox, asserts root install.sh delegates to it, asserts the copywriting/install.sh reference is hard-coded in install.sh - tests/test_update.sh — same pattern: shims copywriting upstream, asserts update.sh re-runs it, asserts the reference is hard-coded - tests/test_uninstall.sh — copywriting added to REMOVE_FNS array, seeded into the fake skills tree, assertion confirms it's removed Suite is 6/6 green (test_design + test_media + test_root + test_uninstall + test_update + test_copywriting). CHANGELOG: full [Unreleased] entry for the new module under Added — voices it ships with, ref-file inventory, install/update/uninstall wiring, doc surfaces touched, and test coverage delta.
Fourth module alongside design/ + media/ + copywriting/. Drop any video URL (single video, full YouTube channel, or playlist) and Claude returns timestamped, frame-aware study notes. Pipeline: yt-dlp pulls the video, ffmpeg detects scene changes + extracts frames, captions (free, via yt-dlp) or local whisper.cpp (key-free, reusing the media module's ~/.whisper/ggml-base.en.bin) provides the transcript, and Claude reads every frame as an image to write a section-per-scene notes.md at ~/claude-watch/library/<slug>/. Channel mode loops the per-video pipeline (default 10 videos, override with --limit N) and writes a top-level index.md with a Cross-channel synthesis section — recurring hooks, thumbnail formulas, script structures, top 3 cloneable moves. Forked from devinilabs/claude-watch at lorecraft-io/claude-watch with upstream-worthy patches: local whisper.cpp shell-out backend, channel detection via yt-dlp --flat-playlist --dump-single-json, and a setup.py fallback that recognizes the media module's whisper model path so the two installers share one ~141MB file. 15 files vendored at claude-watch-skill/: SKILL.md + 11 scripts/*.py + commands/claude-watch.md + hooks/hooks.json + hooks/scripts/ session_start.sh. Install pattern mirrors copywriting/: curl from raw.githubusercontent.com with local fallback. Uninstall scopes state cleanup — removes ~/.config/claude-watch/ and ~/claude-watch/library/ but leaves the shared ~/.whisper/ggml-base.en.bin in place (only touched if user accepts the whisper-cpp brew uninstall). Docs: README "What this is" + "How I actually use" + "What gets installed" table + uninstall list updated. CHEAT-SHEET gains a new "Video study + channel sweep" section + 4 installed-path rows. CHANGELOG records the new module under Unreleased. Tests: new tests/test_claude_watch_install.sh (58 assertions covering static contract, vendored-file existence, shared-model-path recognition, behavioral install with forced curl-failure + local fallback, idempotency, prereq-fail). test_root_install.sh + test_update.sh + test_uninstall.sh extended with 4th-module shims and state-cleanup scoping (preserves bystander ~/.whisper/ggml-base.en.bin). Full suite 7/7 green (343 assertions).
…watch commit The previous commit (e0ab26e) accidentally included 10 .pyc files under claude-watch-skill/scripts/__pycache__/ from a local pytest run against the upstream working tree. Removes them from the tree and adds __pycache__/ + *.pyc + *.pyo to .gitignore so future commits can't repeat the mistake.
Slash command is now /watch. Skill installs at ~/.claude/skills/watch/. Library at ~/watch/library/<slug>/. Config at ~/.config/watch/.env. Directory renames (git mv preserves history): - claude-watch/ → watch/ - claude-watch-skill/ → watch-skill/ - claude-watch-skill/commands/ → watch-skill/commands/ claude-watch.md → watch.md - tests/test_claude_watch_install.sh → tests/test_watch_install.sh Function renames in uninstall.sh: - remove_claude_watch_skill → remove_watch_skill - remove_claude_watch_state → remove_watch_state Content updates (bulk perl s/claude-watch/watch/g, both hyphen + underscore variants, across 18 source files): install.sh, update.sh, uninstall.sh, README.md, CHEAT-SHEET.md, .gitignore, watch/install.sh, all of watch-skill/, all 4 test files. The fork repo on GitHub stays `lorecraft-io/claude-watch` (raw.githubusercontent URLs continue to work) and the CHANGELOG history block for the original `Claude-Watch module` addition is preserved verbatim — only the SKILL identity changes. Backwards compat: watch-skill/scripts/setup.py::EXTRA_LOCAL_MODEL_PATHS recognizes ~/.config/claude-watch/models/ggml-base.en.bin alongside ~/.whisper/ggml-base.en.bin so pre-rename installs keep their model. Suite: 7/7 green, 343 assertions.
…ed URLs watch-skill/SKILL.md description now ends with an explicit `Triggers on:` enumeration so Claude Code's auto-router picks /watch on plain-English requests — "watch this video", "study this lecture", "transcribe this reel", "break down this tiktok", "analyze this channel", "scrape this creator", "sweep this playlist", "frame by frame", "hook analysis", "script structure", etc. Mirrors the Higgsfield-skill convention already used elsewhere in this repo. Also fixes 2 broken URLs in watch-skill/SKILL.md that the prior rename pass's bulk perl-substitute corrupted: `homepage:` and `repository:` were `https://github.com/devinilabs/watch` (broken) → restored to `https://github.com/lorecraft-io/claude-watch` (correct fork URL). README.md `/watch` bullet under "How I actually use" gets a Natural-language activation note; CHEAT-SHEET.md ships a new "### Natural-language activation" subsection at the top of the `/watch` section with concrete trigger-phrase examples. CHANGELOG records the hardening + URL fix under Unreleased. Suite 7/7 green, 343 assertions.
The Lint Shell Scripts workflow on lorecraft-io/creativity-maxxing has been failing on every push since 7:35 PM tonight (4 commits) on 4 shellcheck warnings: - watch/install.sh:79 — SC2155 (declare + assign on one line masks rc) - copywriting/install.sh:78 — SC2155 (same pattern; pre-existing in copywriting, mirrored into watch when I added the module) - tests/test_watch_install.sh:188 — SC2034 (RERUN_OUT captured but unused) - tests/test_copywriting_install.sh:149 — SC2034 (same; pre-existing) Fixes: - Split `local LOCAL_SRC="$(dirname ...)/..."` into a separate `local LOCAL_SRC` declaration followed by an assignment so shellcheck no longer worries about masked exit codes. - Rename `RERUN_OUT=` to `_RERUN_OUT=` (underscore = intentionally unused convention) and add a `# shellcheck disable=SC2034` comment with a rationale (captured for debug-on-fail). Local shellcheck -S warning clean across all .sh files; test harness still 7/7 green.
…homepage/repository → fidgetcoding/fidget-watching
Relocated to the LAVA-NET project as client-bound tooling; it was never wired into install.sh (orphan in the creativity install flow).
Add a hard no-dash rule (em/en dashes are the top AI tell) and a no-hyphen-flourish rule with a carve-out for URLs, paths, and proper nouns.
RETURN traps set inside a function persist for later function returns;
_TMP is local, so under set -u the stale trap crashed at the end of the
media module and the root installer's set -e then silently skipped the
copywriting and watch modules. Expand with ${_TMP:-} so the late firings
are no-ops.
README documents re-running install.sh --with-gamma to opt into Gamma later, but the idempotency marker exited before flags were parsed, making the documented path a silent no-op on installed machines. Detect --with-* flags, skip the early exit, and forward them to the (idempotent) module installers. The no-flag already-installed message now also points at the opt-in path.
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 4.2.2 to 7.0.0.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)