Skip to content

Sync docs/readme-fix from fork to upstream #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Arvuno wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Sync docs/readme-fix from fork to upstream #34

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
efc2d57
ci: add security scanning
Arvuno May 22, 2026
9dca75b
docs: clarify API key sign-up step in Setup
Arvuno May 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,3 +114,25 @@ jobs:

- name: Run tests
run: ./scripts/test

security:
timeout-minutes: 15
name: security
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot May 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Missing explicit permissions block in the security job may cause SARIF upload to fail due to insufficient token permissions, especially on fork pull requests where the job is enabled.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/ci.yml, line 120:

<comment>Missing explicit `permissions` block in the `security` job may cause SARIF upload to fail due to insufficient token permissions, especially on fork pull requests where the job is enabled.</comment>

<file context>
@@ -114,3 +114,25 @@ jobs:
+
+  security:
+    timeout-minutes: 15
+    name: security
+    runs-on: ${{ github.repository == 'stainless-sdks/agentmail-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
+    if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
</file context>
Fix with Cubic

runs-on: ${{ github.repository == 'stainless-sdks/agentmail-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c7e9f9e64e329e6a8c92c7e2c26f1a78ad5f6ab # v0.29.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@49c3cd5deaee37c3cd3ddc0cac1d3ef12e6e13f1 # v4.0.4
with:
sarif_file: 'trivy-results.sarif'
3 changes: 3 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ npm install -g agentmail-cli

## Setup

1. Sign up at [app.agentmail.to](https://app.agentmail.to) to get an API key.
2. Set the key in your environment:

```sh
export AGENTMAIL_API_KEY=am_us_xxx
```
Expand Down