Merge branch 'main' into sentry-user-attribution

Author: d-cs

.changeset/bundle-skills-single-pass.md

@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+Fix `chat.agent` skills silently missing in `trigger dev` for projects whose task files read `process.env` at module top level (e.g. a third-party SDK client initialized at import). Skill folders now bundle into `.trigger/skills/` reliably regardless of which env vars are set when the CLI launches.

.changeset/pre.json

@@ -18,5 +18,27 @@
     "@trigger.dev/schema-to-json": "4.4.6",
     "@trigger.dev/sdk": "4.4.6"
   },
-  "changesets": []
+  "changesets": [
+    "agent-skills",
+    "ai-prompts",
+    "ai-tool-helpers",
+    "bundle-skills-single-pass",
+    "cap-idempotency-key-length",
+    "chat-agent-on-boot-hook",
+    "chat-agent",
+    "chat-history-read-primitives",
+    "chat-session-attributes",
+    "chat-start-session-action-typed-client-data",
+    "cli-deploy-skip-rewrite-timestamp",
+    "locals-key-dual-package-fix",
+    "mcp-agent-chat-sessions",
+    "mcp-list-runs-region",
+    "mock-chat-agent-test-harness",
+    "mollifier-redis-worker-primitives",
+    "plugin-auth-path",
+    "resource-catalog-runtime-registration",
+    "retry-sigsegv",
+    "runs-list-region-filter",
+    "sessions-primitive"
+  ]
 }

.changeset/resource-catalog-runtime-registration.md

@@ -0,0 +1,6 @@
+---
+"@trigger.dev/core": patch
+"trigger.dev": patch
+---
+
+Fix `COULD_NOT_FIND_EXECUTOR` when a task's definition is loaded via `await import(...)` from inside another task's `run()`. The runtime workers now register such tasks with a sentinel file context, and the catalog logs a one-time warning per task id.

.github/workflows/changesets-pr.yml

@@ -22,6 +22,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      checks: write
     if: github.repository == 'triggerdotdev/trigger.dev'
     steps:
       - name: Checkout
@@ -72,3 +73,27 @@ jobs:
                 -f body="$ENHANCED_BODY"
             fi
           fi
+
+      # The changesets bot authors release PRs with GITHUB_TOKEN, which by GitHub
+      # design cannot trigger downstream workflows. That leaves the required
+      # "All PR Checks" status permanently Expected and the PR unmergeable.
+      # The release PR only bumps package.json + lockfile + CHANGELOGs from
+      # changesets already on main, so we self-report the required check as
+      # success. If a human ever pushes to changeset-release/main, the real
+      # pr_checks.yml fires and its result overwrites this one (last write wins
+      # for the same context on the same SHA).
+      - name: Self-report "All PR Checks" success on release PR
+        if: steps.changesets.outputs.published != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_NUMBER=$(gh pr list --head changeset-release/main --json number --jq '.[0].number')
+          if [ -z "$PR_NUMBER" ]; then exit 0; fi
+          HEAD_SHA=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid')
+          gh api -X POST repos/${{ github.repository }}/check-runs \
+            -f name="All PR Checks" \
+            -f head_sha="$HEAD_SHA" \
+            -f status=completed \
+            -f conclusion=success \
+            -f 'output[title]=Auto-pass for changeset release PR' \
+            -f 'output[summary]=Required check auto-satisfied for changeset-release/main PRs. Full CI ran on the underlying commits before they landed on main.'

.github/workflows/dependabot-critical-alerts.yml

@@ -0,0 +1,83 @@
+name: Dependabot Critical Alerts
+
+on:
+  schedule:
+    - cron: "0 8 * * *"  # Daily 08:00 UTC
+  workflow_dispatch:
+    inputs:
+      severity:
+        description: "Severity to alert on"
+        type: choice
+        options:
+          - critical
+          - high
+          - medium
+          - low
+        default: critical
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  alert:
+    name: Post critical alerts
+    runs-on: ubuntu-latest
+    environment: dependabot-summary
+    env:
+      SEVERITY: ${{ inputs.severity || 'critical' }}
+    steps:
+      - name: Fetch alerts
+        id: alerts
+        env:
+          GH_TOKEN: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          gh api -X GET "/repos/$REPO/dependabot/alerts" \
+            -F state=open -F severity="$SEVERITY" --paginate > pages.json
+          jq -s 'add' pages.json > alerts.json
+          TOTAL=$(jq 'length' alerts.json)
+          echo "total=$TOTAL" >> "$GITHUB_OUTPUT"
+          if [ "$TOTAL" = "0" ]; then
+            exit 0
+          fi
+          LIST=$(jq -r '
+            map("• <\(.html_url)|#\(.number)> *\(.dependency.package.name)* - \(.security_advisory.summary)")
+            | join("\n")
+          ' alerts.json)
+          {
+            echo "list<<EOF"
+            echo "$LIST"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Build Slack payload
+        if: steps.alerts.outputs.total != '0'
+        env:
+          REPO: ${{ github.repository }}
+          CHANNEL: ${{ vars.SLACK_CHANNEL_ID }}
+          TOTAL: ${{ steps.alerts.outputs.total }}
+          LIST: ${{ steps.alerts.outputs.list }}
+        run: |
+          jq -n \
+            --arg channel "$CHANNEL" \
+            --arg repo "$REPO" \
+            --arg total "$TOTAL" \
+            --arg list "$LIST" \
+            --arg severity "$SEVERITY" \
+            '{
+              channel: $channel,
+              text: ":bufo-alarma: `\($repo)` - *\($total) open \($severity) alert(s)*\n\($list)\n\n<https://github.com/\($repo)/security/dependabot?q=is%3Aopen+severity%3A\($severity)|View \($severity) alerts>"
+            }' > payload.json
+
+      - name: Post Slack alert
+        if: steps.alerts.outputs.total != '0'
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: payload.json

.github/workflows/vouch-check-pr.yml

@@ -32,7 +32,8 @@ jobs:
       github.event.pull_request.author_association != 'OWNER' &&
       github.event.pull_request.author_association != 'COLLABORATOR' &&
       github.event.pull_request.user.login != 'devin-ai-integration[bot]' &&
-      github.event.pull_request.user.login != 'dependabot[bot]'
+      github.event.pull_request.user.login != 'dependabot[bot]' &&
+      github.event.pull_request.user.login != 'github-actions[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Close non-draft PR