fro-bot · marcusrbrown · Jun 22, 2026 · Jun 21, 2026 · Jun 22, 2026 · Jun 22, 2026
@@ -127,7 +127,7 @@
       // patch releases, so moves past the validated release must be deliberate and
       // reviewed. Raise after validating a newer release.
       matchPackageNames: ['@opencode-ai/sdk', 'anomalyco/opencode'],
-      allowedVersions: '<=1.17.6',
+      allowedVersions: '<=1.17.9',
     },
     {
       // Cap Bun at 1.3.14. The build gate requires an exact match with upstream

@@ -95,13 +95,9 @@ jobs:
         run: pnpm build
       - name: Compare the expected and actual dist/ directories
         run: |
-          DIFF_TARGETS="dist/"
-          if [[ "${{ github.head_ref || github.ref_name }}" == renovate/* ]]; then
-            DIFF_TARGETS="dist/ ':!dist/licenses.txt'"
-          fi
-          if [ "$(eval git diff --ignore-space-at-eol $DIFF_TARGETS | wc -l)" -gt "0" ]; then
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
             echo "Detected uncommitted changes after build.  See status below:"
-            eval git diff --text $DIFF_TARGETS
+            git diff --text dist/
             exit 1
           fi
         id: diff
@@ -111,6 +107,17 @@ jobs:
         with:
           name: dist
           path: dist/
+      # The SBOM is an informational artifact, not a build gate — a generation
+      # failure must not fail the build.
+      - name: Generate the dependency SBOM
+        id: sbom
+        continue-on-error: true
+        run: pnpm sbom --sbom-format cyclonedx --prod > sbom.cdx.json
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: ${{ steps.sbom.outcome == 'success' }}
+        with:
+          name: sbom-cyclonedx
+          path: sbom.cdx.json
 
   test:
     name: Test

@@ -51,6 +51,7 @@ jobs:
       base_version: ${{ steps.render.outputs.base_version }}
       rendered_prompt: ${{ steps.render.outputs.rendered_prompt }}
       has_refs: ${{ steps.render.outputs.has_refs }}
+      carries: ${{ steps.render.outputs.carries }}
 
     steps:
       - name: Checkout harness repo
@@ -150,6 +151,16 @@ jobs:
           echo "has_refs=${HAS_REFS}" >> "$GITHUB_OUTPUT"
           echo "has_refs: ${HAS_REFS}"
 
+          # --- Emit carries: the comma-joined carry labels for the release notes ---
+          # Same set `harness patches` reports (the integrationRefs labels), e.g.
+          # "anomalyco/opencode#19961, anomalyco/opencode#31859, anomalyco/opencode#31638".
+          {
+            echo "carries<<EOF_CARRIES"
+            printf '%s\n' "${BRANCHES}"
+            echo "EOF_CARRIES"
+          } >> "$GITHUB_OUTPUT"
+          echo "carries: ${BRANCHES}"
+
           # --- Render the prompt template ---
           PROMPT_TPL=$(cat packages/harness/prompt.txt)
           RENDERED=$(printf '%s' "${PROMPT_TPL}" \
@@ -736,6 +747,8 @@ jobs:
           RELEASE_TAG: ${{ steps.params.outputs.release_tag }}
           BASE_VERSION: ${{ steps.params.outputs.base_version }}
           SHORT_SHA: ${{ steps.params.outputs.short_sha }}
+          # Comma-joined carry labels (the same set `harness patches` reports).
+          CARRIES: ${{ needs.prepare-integrate.outputs.carries }}
         run: |
           set -euo pipefail
           cd /tmp/harness-release-assets
@@ -756,11 +769,30 @@ jobs:
               --clobber
             echo "Assets re-uploaded (clobber) for: ${RELEASE_TAG}"
           else
+            # Build the release notes: a summary line plus a bulleted list of the
+            # carried upstream refs (one per comma-separated label).
+            NOTES_FILE="$(mktemp)"
+            {
+              printf '%s\n\n' "Harness build of OpenCode ${BASE_VERSION} (integration ${SHORT_SHA})."
+              if [ -n "${CARRIES:-}" ]; then
+                printf '%s\n' "### Carries"
+                IFS=','
+                for CARRY in ${CARRIES}; do
+                  TRIMMED="$(echo "${CARRY}" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')"
+                  [ -n "${TRIMMED}" ] && printf -- '- %s\n' "${TRIMMED}"
+                done
+                unset IFS
+              fi
+            } > "${NOTES_FILE}"
+
             # Quote the tag — it contains '+' which some shells/tools misinterpret.
+            # --latest=false: a harness release must never take GitHub's "latest"
+            # pointer from the product agent releases.
             echo "Creating GitHub Release: ${RELEASE_TAG}"
             gh release create "${RELEASE_TAG}" \
               --title "${RELEASE_TAG}" \
-              --notes "Harness build of OpenCode ${BASE_VERSION} (integration ${SHORT_SHA})." \
+              --notes-file "${NOTES_FILE}" \
+              --latest=false \
               opencode-linux-x64.tar.gz \
               opencode-linux-arm64.tar.gz \
               opencode-darwin-x64.zip \

@@ -52,7 +52,7 @@ jobs:
     secrets:
       APPLICATION_ID: ${{ secrets.APPLICATION_ID }}
       APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
-    uses: bfra-me/.github/.github/workflows/renovate.yaml@3f97c9262265bc1881a8d34e99ae83df22ea8b89 # v4.16.27
+    uses: bfra-me/.github/.github/workflows/renovate.yaml@1fcc99e06473c76aac512169b066da273fba218c # v4.16.28
     with:
       log-level: ${{ inputs.log-level || 'debug' }}
       print-config: ${{ inputs.print-config || false }}
@@ -18,4 +18,4 @@ jobs:
     secrets:
       APPLICATION_ID: ${{ secrets.APPLICATION_ID }}
       APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
-    uses: bfra-me/.github/.github/workflows/update-repo-settings.yaml@3f97c9262265bc1881a8d34e99ae83df22ea8b89 # v4.16.27
+    uses: bfra-me/.github/.github/workflows/update-repo-settings.yaml@1fcc99e06473c76aac512169b066da273fba218c # v4.16.28
@@ -226,5 +226,5 @@ pnpm build          # Type check + bundle to dist/ (must stay in sync)
 Read-only dependency source repositories are available under
 `.slim/clonedeps/repos/` for inspection. Do not edit these clones.
 
-- `.slim/clonedeps/repos/anomalyco__opencode/packages/opencode/` — `anomalyco/opencode` at `v1.17.6`; OpenCode server source. Read `src/session/{prompt,message,message-v2,processor}.ts` to understand how `message.part.updated` bus events transition through the tool-part lifecycle (pending → running → completed) the Fro Bot harness consumes.
-- `.slim/clonedeps/repos/anomalyco__opencode/packages/sdk/js/` — `@opencode-ai/sdk` at `v1.17.6`; thin HTTP + SSE client over the server. Useful for confirming event shapes pass through unchanged and for verifying our `processEventStream` consumer matches the SSE subscription contract.
+- `.slim/clonedeps/repos/anomalyco__opencode/packages/opencode/` — `anomalyco/opencode` at `v1.17.9`; OpenCode server source. Read `src/session/{prompt,message,message-v2,processor}.ts` to understand how `message.part.updated` bus events transition through the tool-part lifecycle (pending → running → completed) the Fro Bot harness consumes.
+- `.slim/clonedeps/repos/anomalyco__opencode/packages/sdk/js/` — `@opencode-ai/sdk` at `v1.17.9`; thin HTTP + SSE client over the server. Useful for confirming event shapes pass through unchanged and for verifying our `processEventStream` consumer matches the SSE subscription contract.
@@ -730,7 +730,8 @@ lint-staged        # Runs on staged files
 - **Bundle (setup)**: `dist/setup.js` (ESM, minified)
 - **Bundle (post)**: `dist/post.js` (ESM, minified) - post-action cache hook
 - **Bundle (plugin)**: `dist/plugin/fro-bot-agent.js` (ESM, self-contained)
-- **Licenses**: `dist/licenses.txt` (auto-extracted)
+- **Third-party notices**: `dist/THIRD_PARTY_NOTICES.txt` (auto-generated, committed attribution for the bundled dependencies)
+- **SBOM**: a CycloneDX dependency SBOM is generated in CI (`pnpm sbom`) and uploaded as a build artifact (not committed)
 - **Source maps**: Not included in production
 
 ### dist/ Directory Rules

@@ -42,7 +42,7 @@ WORKDIR /app
 # OPENCODE_VERSION is the harness build of OpenCode (fro-bot/agent releases),
 # in the form <base>+harness.<sha>. Bumped in lockstep with the action default
 # by the harness-release workflow; merge the auto-PR to advance both surfaces.
-ARG OPENCODE_VERSION=1.17.6+harness.13169873
+ARG OPENCODE_VERSION=1.17.9+harness.bd89c818
 ARG SYSTEMATIC_VERSION=2.32.0
 
 # System packages: