chore: bump max-sixty/tend from 0.1.6 to 0.1.7

[dependabot]

Bumps max-sixty/tend from 0.1.6 to 0.1.7.

Release notes

Sourced from max-sixty/tend's releases.

0.1.7

Improved

• Generated workflows pin actions/checkout to v7. All generated workflows (and tend's own) move from checkout v6 to v7. The review workflow opts into v7's fork-PR checkout guard (allow-unsafe-pr-checkout: true), which otherwise refuses to check out a fork's refs/pull/N/{merge,head} under pull_request_target (the "pwn request" guard), so fork-PR reviews keep running. (#725)
• Both Claude harnesses update to claude-code 2.1.185. (#719)
• The bot surfaces a blocking scope rule instead of silently routing around it. When a running-in-ci scope restriction blocks the right action — e.g. engaging an existing upstream thread in another repo — the bot now surfaces the blocker on the triggering thread and offers either to take the upstream action on approval or to relax the rule via the consuming repo's running-tend overlay, rather than substituting a second-best local workaround without signaling it hit a wall. (#717)

Fixed

• CI-poll loops fit the Bash tool's 10-minute cap. The bundled running-in-ci poll recipes cap their sleep loops at 9 iterations and call the Bash step with timeout: 600000, so the harness no longer auto-backgrounds a longer loop and strands the gated follow-up (dismissing a stale approval, posting failure analysis). (#695)
• Nightly workflow-regen bases its worktree on an open PR, not branch-ref existence. The nightly skill's regen step now bases on the tend/update-workflows branch only when an open PR rides it, and otherwise bases on HEAD and drops any leftover remote branch. A PR previously closed without merge no longer leaves a stale branch that inflates the diff, produces an inaccurate PR body, or defeats the no-value skip. (#721)

Documentation

• The codex effort value list in the README and the install-tend skill is corrected to low | medium | high | xhigh. (#710)

Internal

• Composite-action step bodies are de-duplicated into scripts under shared/steps/, and each harness action lives under a harness-named path. Generated workflows now invoke max-sixty/tend/claude@X.Y.Z (and claude-interactive) rather than the bare-root default; existing pinned refs keep resolving and the nightly regen stamps the new path automatically. (#712)
• review-reviewers documents the pull_request_review self-trigger as expected (non-)behavior, and the worker-deploy comment corrects the live-stream count to two. (#707, #711)

Changelog

Sourced from max-sixty/tend's changelog.

0.1.7

Improved

• Generated workflows pin actions/checkout to v7. All generated workflows (and tend's own) move from checkout v6 to v7. The review workflow opts into v7's fork-PR checkout guard (allow-unsafe-pr-checkout: true), which otherwise refuses to check out a fork's refs/pull/N/{merge,head} under pull_request_target (the "pwn request" guard), so fork-PR reviews keep running. (#725)
• Both Claude harnesses update to claude-code 2.1.185. (#719)
• The bot surfaces a blocking scope rule instead of silently routing around it. When a running-in-ci scope restriction blocks the right action — e.g. engaging an existing upstream thread in another repo — the bot now surfaces the blocker on the triggering thread and offers either to take the upstream action on approval or to relax the rule via the consuming repo's running-tend overlay, rather than substituting a second-best local workaround without signaling it hit a wall. (#717)

Fixed

• CI-poll loops fit the Bash tool's 10-minute cap. The bundled running-in-ci poll recipes cap their sleep loops at 9 iterations and call the Bash step with timeout: 600000, so the harness no longer auto-backgrounds a longer loop and strands the gated follow-up (dismissing a stale approval, posting failure analysis). (#695)
• Nightly workflow-regen bases its worktree on an open PR, not branch-ref existence. The nightly skill's regen step now bases on the tend/update-workflows branch only when an open PR rides it, and otherwise bases on HEAD and drops any leftover remote branch. A PR previously closed without merge no longer leaves a stale branch that inflates the diff, produces an inaccurate PR body, or defeats the no-value skip. (#721)

Documentation

• The codex effort value list in the README and the install-tend skill is corrected to low | medium | high | xhigh. (#710)

Internal

• Composite-action step bodies are de-duplicated into scripts under shared/steps/, and each harness action lives under a harness-named path. Generated workflows now invoke max-sixty/tend/claude@X.Y.Z (and claude-interactive) rather than the bare-root default; existing pinned refs keep resolving and the nightly regen stamps the new path automatically. (#712)
• review-reviewers documents the pull_request_review self-trigger as expected (non-)behavior, and the worker-deploy comment corrects the live-stream count to two. (#707, #711)

Commits

• c7a7b56 chore: release 0.1.7 (#726)
• 67da54b fix(nightly): base workflow-regen worktree on open PR, not branch ref (#721)
• 0b22561 fix(review): opt into v7 fork-PR checkout so fork reviews run (#725)
• 2de9bba fix(running-in-ci): surface scope blockers instead of silently routing around...
• 9d31da3 chore: bump claude_version to 2.1.185 (#719)
• 6b03677 fix(running-in-ci): trim CI-poll loops to fit Bash tool's 10-min cap (#695)
• 4b7baf7 refactor(actions): share step scripts; name actions by harness (#712)
• 579b646 skills(review-reviewers): name pull_request_review self-trigger variant (#707)
• 0e9a5a2 docs: correct codex effort value list (#710)
• 2178194 docs: correct worker-deploy stream count comment (#711)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[prql-bot]

Heads up — this bump would break every tend workflow as written, so I've dismissed my earlier approval (which was a mistake on my part).

Why it breaks: tend 0.1.7 removed the bare-root action.yaml and split each harness into its own subdirectory (claude/, codex/, claude-interactive/). A plain max-sixty/tend@0.1.7 no longer resolves — the handle job failed at Set up job with Can't find 'action.yml', 'action.yaml' or 'Dockerfile' for action 'max-sixty/tend@0.1.7' (failed run). Dependabot bumps the version number but can't follow the path move, so the 8 uses: lines here can't be merged as-is.

Correct invocation (this repo uses the Claude harness): max-sixty/tend/claude@0.1.7. The 0.1.7 changelog documents this: "Generated workflows now invoke max-sixty/tend/claude@X.Y.Z … rather than the bare-root default … the nightly regen stamps the new path automatically."

So the proper migration runs through the nightly tend/update-workflows regen, not a dependabot version bump — the next nightly should open that PR with the correct path. A maintainer who wants it sooner can change the 8 uses: max-sixty/tend@0.1.7 lines to uses: max-sixty/tend/claude@0.1.7 here, or close this in favor of the regen.

Verification

• max-sixty/tend@0.1.6 root: action.yaml present → bumping the version alone worked previously.
• max-sixty/tend@0.1.7 root: action.yml / action.yaml / Dockerfile all return 404; the action moved to claude/action.yaml, codex/action.yaml, claude-interactive/action.yaml.
• claude/action.yaml at 0.1.7 declares the same inputs these workflows pass (github_token, claude_code_oauth_token, bot_name, prompt, model, allowed_tools), so /claude is the drop-in path.
• To stop dependabot re-proposing broken version-only bumps, a maintainer could add max-sixty/tend to an ignore entry in .github/dependabot.yaml since the nightly regen owns this dependency.

Dismissing: 0.1.7 removed the bare-root action.yaml, so max-sixty/tend@0.1.7 no longer resolves and the handle job fails at Set up job. See comment for the correct max-sixty/tend/claude@0.1.7 path.

[dependabot]

Looks like max-sixty/tend is no longer being updated by Dependabot, so this is no longer needed.