Merge branch 'main' into portal-accessibility-tweaks

Author: cathysarisky

.claude/skills/add-private-feature-flag/SKILL.md

@@ -0,0 +1,28 @@
+---
+name: add-private-feature-flag
+description: Use when adding a new private (developer experiments) feature flag to Ghost, including the backend registration and settings UI toggle.
+---
+
+# Add Private Feature Flag
+
+## Overview
+Adds a new private feature flag to Ghost. Private flags appear in Labs settings under the "Private features" tab, visible only when developer experiments are enabled.
+
+## Steps
+
+1. **Add the flag to `ghost/core/core/shared/labs.js`**
+   - Add the flag name (camelCase string) to the `PRIVATE_FEATURES` array.
+
+2. **Add a UI toggle in `apps/admin-x-settings/src/components/settings/advanced/labs/private-features.tsx`**
+   - Add a new entry to the `features` array with `title`, `description`, and `flag` (must match the string in `labs.js`).
+
+3. **Run tests and update the config API snapshot**
+   - Unit: `cd ghost/core && yarn test:single test/unit/shared/labs.test.js`
+   - Update snapshot and run e2e: `cd ghost/core && UPDATE_SNAPSHOTS=1 yarn test:single test/e2e-api/admin/config.test.js`
+   - Review the diff of `ghost/core/test/e2e-api/admin/__snapshots__/config.test.js.snap` to confirm only your new flag was added.
+
+## Notes
+- No database migration is needed. Labs flags are stored in a single JSON `labs` setting.
+- The flag name must be identical in `labs.js`, `private-features.tsx`, and the snapshot.
+- Flags are camelCase strings (e.g. `welcomeEmailDesignCustomization`).
+- For public beta flags (visible to all users), add to `PUBLIC_BETA_FEATURES` in `labs.js` instead and add the toggle to `apps/admin-x-settings/src/components/settings/advanced/labs/beta-features.tsx`.

.codex/environments/environment.toml

@@ -0,0 +1,9 @@
+# THIS IS AUTOGENERATED. DO NOT EDIT MANUALLY
+version = 1
+name = "Ghost"
+
+[setup]
+script = '''
+git submodule update --init --recursive
+yarn
+'''

.env.example

@@ -9,15 +9,16 @@
 # Debug level to pass to Ghost
 # DEBUG=
 
-# App flags to pass to the dev command
-## Run `yarn dev --show-flags` to see all available app flags
-
-# GHOST_DEV_APP_FLAGS=
-
-# Stripe keys - used to forward Stripe webhooks to the Ghost instance in `dev.js` script
+# Stripe keys - used to forward Stripe webhooks to Ghost
 ## Stripe Secret Key: sk_test_*******
 # STRIPE_SECRET_KEY=
 ## Stripe Publishable Key: pk_test_*******
 #STRIPE_PUBLISHABLE_KEY=
 ## Stripe Account ID: acct_1*******
 #STRIPE_ACCOUNT_ID=
+
+# Mailgun SMTP credentials - used with `yarn dev:mailgun`
+## SMTP username from Mailgun (often starts with `postmaster@`)
+# MAILGUN_SMTP_USER=
+## SMTP password from Mailgun
+# MAILGUN_SMTP_PASS=

.gitattributes

@@ -3,4 +3,6 @@
 *.md text eol=lf
 *.json text eol=lf
 *.yml text eol=lf
-*.hbs text eol=lf
+*.hbs text eol=lf
+
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/CODEOWNERS

@@ -4,8 +4,15 @@
 
 # E2E Test Ownership
 # The top-level e2e directory requires review from designated owners
-/e2e/ @9larsons @cmraible @ibalosh
+/e2e/ @9larsons
 
 # Tinybird Analytics
 # Tinybird data pipelines and services require review from designated owners
-**/tinybird/ @9larsons @cmraible @troyciesco
+**/tinybird/ @9larsons @cmraible @evanhahn @troyciesco
+
+# @tryghost/parse-email-address
+/ghost/parse-email-address/ @EvanHahn
+
+# Inbox Links
+ghost/core/core/server/lib/get-inbox-links.ts @EvanHahn
+ghost/core/test/unit/server/lib/get-inbox-links.test.ts @EvanHahn

.github/actions/load-docker-image/action.yml

@@ -1,41 +1,45 @@
 name: 'Load Docker Image'
 description: 'Load Docker image from registry or artifact based on build source'
 inputs:
-  is-fork:
-    description: 'Whether this is a fork PR build'
+  use-artifact:
+    description: 'Whether to load the image from an artifact (true) or pull from GHCR (false)'
     required: true
   image-tags:
     description: 'Docker image tags (multi-line string)'
     required: true
+  artifact-name:
+    description: 'Name of the artifact to download (fork PRs only)'
+    required: false
+    default: 'docker-image'
 
 runs:
   using: 'composite'
   steps:
-    - name: Download image artifact (fork PR)
-      if: inputs.is-fork == 'true'
+    - name: Download image artifact (artifact)
+      if: inputs.use-artifact == 'true'
       uses: actions/download-artifact@v4
       with:
-        name: docker-image
+        name: ${{ inputs.artifact-name }}
 
-    - name: Load image from artifact (fork PR)
-      if: inputs.is-fork == 'true'
+    - name: Load image from artifact (artifact)
+      if: inputs.use-artifact == 'true'
       shell: bash
       run: |
         echo "Loading Docker image from artifact..."
-        gunzip -c docker-image.tar.gz | docker load
+        gunzip -c ${{ inputs.artifact-name }}.tar.gz | docker load
         echo "Available images after load:"
         docker images
 
     - name: Log in to GitHub Container Registry
-      if: inputs.is-fork == 'false'
+      if: inputs.use-artifact == 'false'
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ github.token }}
 
     - name: Pull image from registry (main repo/branch)
-      if: inputs.is-fork == 'false'
+      if: inputs.use-artifact == 'false'
       shell: bash
       run: |
         IMAGE_TAG=$(echo "${{ inputs.image-tags }}" | head -n1)

.github/agents/agentic-workflows.agent.md

@@ -0,0 +1,155 @@
+---
+description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
+disable-model-invocation: true
+---
+
+# GitHub Agentic Workflows Agent
+
+This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
+
+## What This Agent Does
+
+This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
+
+- **Creating new workflows**: Routes to `create` prompt
+- **Updating existing workflows**: Routes to `update` prompt
+- **Debugging workflows**: Routes to `debug` prompt  
+- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
+- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
+- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
+
+Workflows may optionally include:
+
+- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
+- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
+
+## Files This Applies To
+
+- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
+- Workflow lock files: `.github/workflows/*.lock.yml`
+- Shared components: `.github/workflows/shared/*.md`
+- Configuration: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/github-agentic-workflows.md
+
+## Problems This Solves
+
+- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
+- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
+- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
+- **Component Design**: Create reusable shared workflow components that wrap MCP servers
+
+## How to Use
+
+When you interact with this agent, it will:
+
+1. **Understand your intent** - Determine what kind of task you're trying to accomplish
+2. **Route to the right prompt** - Load the specialized prompt file for your task
+3. **Execute the task** - Follow the detailed instructions in the loaded prompt
+
+## Available Prompts
+
+### Create New Workflow
+**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/create-agentic-workflow.md
+
+**Use cases**:
+- "Create a workflow that triages issues"
+- "I need a workflow to label pull requests"
+- "Design a weekly research automation"
+
+### Update Existing Workflow  
+**Load when**: User wants to modify, improve, or refactor an existing workflow
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/update-agentic-workflow.md
+
+**Use cases**:
+- "Add web-fetch tool to the issue-classifier workflow"
+- "Update the PR reviewer to use discussions instead of issues"
+- "Improve the prompt for the weekly-research workflow"
+
+### Debug Workflow  
+**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/debug-agentic-workflow.md
+
+**Use cases**:
+- "Why is this workflow failing?"
+- "Analyze the logs for workflow X"
+- "Investigate missing tool calls in run #12345"
+
+### Upgrade Agentic Workflows
+**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/upgrade-agentic-workflows.md
+
+**Use cases**:
+- "Upgrade all workflows to the latest version"
+- "Fix deprecated fields in workflows"
+- "Apply breaking changes from the new release"
+
+### Create Shared Agentic Workflow
+**Load when**: User wants to create a reusable workflow component or wrap an MCP server
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/create-shared-agentic-workflow.md
+
+**Use cases**:
+- "Create a shared component for Notion integration"
+- "Wrap the Slack MCP server as a reusable component"
+- "Design a shared workflow for database queries"
+
+### Fix Dependabot PRs
+**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/dependabot.md
+
+**Use cases**:
+- "Fix the open Dependabot PRs for npm dependencies"
+- "Bundle and close the Dependabot PRs for workflow dependencies"
+- "Update @playwright/test to fix the Dependabot PR"
+
+## Instructions
+
+When a user interacts with you:
+
+1. **Identify the task type** from the user's request
+2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+3. **Follow the loaded prompt's instructions** exactly
+4. **If uncertain**, ask clarifying questions to determine the right prompt
+
+## Quick Reference
+
+```bash
+# Initialize repository for agentic workflows
+gh aw init
+
+# Generate the lock file for a workflow
+gh aw compile [workflow-name]
+
+# Debug workflow runs
+gh aw logs [workflow-name]
+gh aw audit <run-id>
+
+# Upgrade workflows
+gh aw fix --write
+gh aw compile --validate
+```
+
+## Key Features of gh-aw
+
+- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
+- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
+- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
+- **Safe Outputs**: Structured communication between AI and GitHub API
+- **Strict Mode**: Security-first validation and sandboxing
+- **Shared Components**: Reusable workflow building blocks
+- **Repo Memory**: Persistent git-backed storage for agents
+- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
+
+## Important Notes
+
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.49.3/.github/aw/github-agentic-workflows.md for complete documentation
+- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
+- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
+- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
+- Follow security best practices: minimal permissions, explicit network access, no template injection
+- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.

.github/aw/actions-lock.json

@@ -0,0 +1,14 @@
+{
+  "entries": {
+    "actions/github-script@v8": {
+      "repo": "actions/github-script",
+      "version": "v8",
+      "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
+    },
+    "github/gh-aw/actions/setup@v0.51.5": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.51.5",
+      "sha": "88319be75ab1adc60640307a10e5cf04b3deff1e"
+    }
+  }
+}

.github/scripts/bump-version.js

@@ -23,8 +23,7 @@ const semver = require('semver');
         const bumpedVersion = semver.inc(current_version, 'minor');
         newVersion = `${bumpedVersion}-pre-g${buildString}`;
     } else {
-        const gitVersion = await exec('git describe --long HEAD').then(({stdout}) => stdout.trim().replace(/^v/, ''));
-        newVersion = gitVersion;
+        newVersion = `${current_version}-0-g${buildString}`;
     }
 
     newVersion += '+moya';

.github/scripts/check-app-version-bump.js

@@ -159,7 +159,15 @@ function compareSemver(a, b) {
 }
 
 function getChangedFiles(baseSha, compareSha) {
-    return runGit(['diff', '--name-only', baseSha, compareSha, '--', ...MONITORED_APP_PATHS])
+    let mergeBaseSha;
+
+    try {
+        mergeBaseSha = runGit(['merge-base', baseSha, compareSha]);
+    } catch (error) {
+        throw new Error(`Unable to determine merge-base for ${baseSha} and ${compareSha}. Ensure the base branch history is available in the checkout.\n${error.message}`);
+    }
+
+    return runGit(['diff', '--name-only', mergeBaseSha, compareSha, '--', ...MONITORED_APP_PATHS])
         .split('\n')
         .map(file => file.trim())
         .filter(Boolean);