Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 38 Pull Requests 2 Actions 18 Packages Projects Releases Wiki Activity

chore: regenerate uv.lock with hashes, use lockfile in setup (#2812)

Browse Source 
- Regenerate uv.lock with sha256 hashes for all 2965 package artifacts
- Add python_version marker to yc-bench (requires >=3.12)
- Update setup-hermes.sh to prefer 'uv sync --locked' for hash-verified
  installs, with fallback to 'uv pip install' when lockfile is stale

This completes the supply chain hardening: pyproject.toml bounds the
version ranges, and uv.lock pins exact versions with cryptographic
hashes so tampered packages are rejected at install time.
This commit is contained in:
Teknium
2026-03-24 08:42:45 -07:00
committed by GitHub
parent 177e43259f
commit 624e4a8e7a
3 changed files with 2509 additions and 455 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pyproject.toml
View File

@@ -64,7 +64,7 @@ rl = [
"uvicorn[standard]>=0.24.0,<1", "uvicorn[standard]>=0.24.0,<1",
"wandb>=0.15.0,<1", "wandb>=0.15.0,<1",
] ]
yc-bench = ["yc-bench @ git+https://github.com/collinear-ai/yc-bench.git"] yc-bench = ["yc-bench @ git+https://github.com/collinear-ai/yc-bench.git ; python_version >= '3.12'"]
all = [ all = [
"hermes-agent[modal]", "hermes-agent[modal]",
"hermes-agent[daytona]", "hermes-agent[daytona]",

17
setup-hermes.sh
View File

@@ -116,9 +116,20 @@ export VIRTUAL_ENV="$SCRIPT_DIR/venv"
echo -e "${CYAN}${NC} Installing dependencies..." echo -e "${CYAN}${NC} Installing dependencies..."
$UV_CMD pip install -e ".[all]" || $UV_CMD pip install -e "." # Prefer uv sync with lockfile (hash-verified installs) when available,
# fall back to pip install for compatibility or when lockfile is stale.
echo -e "${GREEN}${NC} Dependencies installed" if [ -f "uv.lock" ]; then
echo -e "${CYAN}${NC} Using uv.lock for hash-verified installation..."
UV_PROJECT_ENVIRONMENT="$SCRIPT_DIR/venv" $UV_CMD sync --all-extras --locked 2>/dev/null && \
echo -e "${GREEN}${NC} Dependencies installed (lockfile verified)" || {
echo -e "${YELLOW}${NC} Lockfile install failed (may be outdated), falling back to pip install..."
$UV_CMD pip install -e ".[all]" || $UV_CMD pip install -e "."
echo -e "${GREEN}${NC} Dependencies installed"
}
else
$UV_CMD pip install -e ".[all]" || $UV_CMD pip install -e "."
echo -e "${GREEN}${NC} Dependencies installed"
fi
# ============================================================================ # ============================================================================
# Submodules (terminal backend + RL training) # Submodules (terminal backend + RL training)

2945
uv.lock generated
View File

File diff suppressed because it is too large Load Diff