Update release/stable-with-patches by rebasing onto upstream/main

.github/workflows/build-openhands-image.yml

@@ -0,0 +1,52 @@
+
+name: Build OpenHands Image
+
+on:
+  push:
+    branches:
+      - release/stable-with-patches
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Poetry
+        run: pipx install poetry
+
+      - name: Install dependencies
+        run: poetry install --no-interaction --no-ansi
+
+
+      - name: Build and Push OpenHands Image
+        run: |
+          echo "Building openhands image with tag stable-with-patches and git sha tag..."
+          # Set DOCKER_IMAGE_TAG for build.sh to pick up
+          export DOCKER_IMAGE_TAG=stable-with-patches
+          # Set RELEVANT_SHA for build.sh to add git sha tag
+          export RELEVANT_SHA=${{ github.sha }}
+          ./containers/build.sh -i openhands --push -o remind101
+        env:
+          # Pass GITHUB_TOKEN for potential git operations within build script if needed
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-runtime-image.yml

@@ -0,0 +1,66 @@
+
+name: Build Runtime Image
+
+on:
+  push:
+    branches:
+      - release/stable-with-patches
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Poetry
+        run: pipx install poetry
+
+      - name: Install dependencies
+        run: poetry install --no-interaction --no-ansi
+
+
+      - name: Prepare Runtime Build Context
+        run: poetry run python openhands/runtime/utils/runtime_build.py --build_folder ./containers/runtime
+        env:
+          # Ensure the script uses the correct base image if needed, although default should be fine
+          # OH_RUNTIME_BASE_IMAGE: nikolaik/python-nodejs:python3.12-nodejs22
+          # Ensure the script knows the target repo (though build.sh overrides org later)
+          OH_RUNTIME_RUNTIME_IMAGE_REPO: ghcr.io/remind101/runtime # This might not be strictly necessary as build.sh constructs the final path
+
+
+      - name: Free up disk space by removing tool cache
+        run: sudo rm -rf /opt/hostedtoolcache
+
+      - name: Build and Push Runtime Image
+        run: |
+          echo "Building runtime image with tag stable-with-patches and source tag..."
+          # Set DOCKER_IMAGE_TAG for build.sh to pick up
+          export DOCKER_IMAGE_TAG=stable-with-patches
+          # Override the image name defined in config.sh
+          export DOCKER_IMAGE=openhands-runtime
+          # Set RELEVANT_SHA for build.sh to add git sha tag (optional but good practice)
+          export RELEVANT_SHA=${{ github.sha }}
+          ./containers/build.sh -i runtime --push -o remind101
+        env:
+          # Pass GITHUB_TOKEN for potential git operations within build script if needed
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/openhands-resolver.yml

@@ -39,6 +39,10 @@ on:
         required: false
       LLM_API_KEY:
         required: true
+      APP_ID:
+        required: false
+      APP_PRIVATE_KEY:
+        required: false
       LLM_BASE_URL:
         required: false
       PAT_TOKEN:
@@ -89,15 +93,48 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: Get latest versions and create requirements.txt
-        run: |
-          python -m pip index versions openhands-ai > openhands_versions.txt
-          OPENHANDS_VERSION=$(head -n 1 openhands_versions.txt | awk '{print $2}' | tr -d '()')
+      - name: Generate GitHub App Token
+        id: generate-token
+        # Only run if App ID and Key are provided via secrets
+        if: secrets.APP_ID && secrets.APP_PRIVATE_KEY
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
-          # Create a new requirements.txt locally within the workflow, ensuring no reference to the repo's file
-          echo "openhands-ai==${OPENHANDS_VERSION}" > /tmp/requirements.txt
+      - name: Determine Auth Token
+        id: determine-auth-token
+        run: |
+          if [ -n "${{ steps.generate-token.outputs.token }}" ]; then
+            echo "Using GitHub App Token"
+            echo "AUTH_TOKEN=${{ steps.generate-token.outputs.token }}" >> $GITHUB_ENV
+          elif [ -n "${{ secrets.PAT_TOKEN }}" ]; then
+            echo "Using PAT Token"
+            echo "AUTH_TOKEN=${{ secrets.PAT_TOKEN }}" >> $GITHUB_ENV
+          else
+            echo "Using default GITHUB_TOKEN"
+            echo "AUTH_TOKEN=${{ github.token }}" >> $GITHUB_ENV
+          fi
+      - name: Create requirements.txt and get branch SHA
+        id: setup_reqs_and_sha
+        env:
+          # Use the determined auth token for git clone and ls-remote
+          GIT_TOKEN: ${{ env.AUTH_TOKEN }}
+        run: |
+          echo "Using openhands-ai from remind101/OpenHands@release/stable-with-patches"
+          # Create a new requirements.txt locally within the workflow
+          echo "git+https://${GIT_TOKEN}@github.com/remind101/OpenHands.git@release/stable-with-patches#egg=openhands-ai" > /tmp/requirements.txt
           cat /tmp/requirements.txt
 
+          echo "Fetching latest commit SHA for release/stable-with-patches..."
+          SHA=$(git ls-remote https://${GIT_TOKEN}@github.com/remind101/OpenHands.git refs/heads/release/stable-with-patches | awk '{print $1}')
+          echo "Latest SHA: $SHA"
+          if [ -z "$SHA" ]; then
+            echo "Error: Could not retrieve SHA for release/stable-with-patches branch."
+            exit 1
+          fi
+          echo "OPENHANDS_BRANCH_SHA=$SHA" >> $GITHUB_ENV
+
       - name: Cache pip dependencies
         if: |
           !(
@@ -114,9 +151,10 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ env.pythonLocation }}/lib/python3.12/site-packages/*
-          key: ${{ runner.os }}-pip-openhands-resolver-${{ hashFiles('/tmp/requirements.txt') }}
+          key: ${{ runner.os }}-pip-openhands-resolver-${{ env.OPENHANDS_BRANCH_SHA }}
           restore-keys: |
-            ${{ runner.os }}-pip-openhands-resolver-${{ hashFiles('/tmp/requirements.txt') }}
+            ${{ runner.os }}-pip-openhands-resolver-${{ env.OPENHANDS_BRANCH_SHA }}
+            ${{ runner.os }}-pip-openhands-resolver-
 
       - name: Check required environment variables
         env:
@@ -126,7 +164,7 @@ jobs:
           LLM_API_VERSION: ${{ inputs.LLM_API_VERSION }}
           PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
           PAT_USERNAME: ${{ secrets.PAT_USERNAME }}
-          GITHUB_TOKEN: ${{ github.token }}
+          APP_TOKEN_GENERATED: ${{ steps.generate-token.outputs.token && 'true' || 'false' }}
         run: |
           required_vars=("LLM_API_KEY")
           for var in "${required_vars[@]}"; do
@@ -141,8 +179,13 @@ jobs:
             echo "Warning: LLM_BASE_URL is not set, will use default API endpoint"
           fi
 
-          if [ -z "$PAT_TOKEN" ]; then
-            echo "Warning: PAT_TOKEN is not set, falling back to GITHUB_TOKEN"
+          # Check auth token source
+          if [ "$APP_TOKEN_GENERATED" == "true" ]; then
+            echo "Info: Using GitHub App Token for authentication."
+          elif [ -n "$PAT_TOKEN" ]; then
+            echo "Info: Using PAT_TOKEN for authentication."
+          else
+            echo "Warning: Neither App Token nor PAT_TOKEN is set, falling back to default GITHUB_TOKEN. This may have insufficient permissions."
           fi
 
           if [ -z "$PAT_USERNAME" ]; then
@@ -178,16 +221,16 @@ jobs:
           fi
 
           echo "MAX_ITERATIONS=${{ inputs.max_iterations || 50 }}" >> $GITHUB_ENV
-          echo "SANDBOX_ENV_GITHUB_TOKEN=${{ secrets.PAT_TOKEN || github.token }}" >> $GITHUB_ENV
-          echo "SANDBOX_BASE_CONTAINER_IMAGE=${{ inputs.base_container_image }}" >> $GITHUB_ENV
+          echo "SANDBOX_ENV_GITHUB_TOKEN=${{ env.AUTH_TOKEN }}" >> $GITHUB_ENV
+          echo "SANDBOX_ENV_BASE_CONTAINER_IMAGE=${{ inputs.base_container_image }}" >> $GITHUB_ENV
 
           # Set branch variables
           echo "TARGET_BRANCH=${{ inputs.target_branch || 'main' }}" >> $GITHUB_ENV
 
       - name: Comment on issue with start message
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          github-token: ${{ env.AUTH_TOKEN }}
           script: |
             const issueType = process.env.ISSUE_TYPE;
             github.rest.issues.createComment({
@@ -235,7 +278,7 @@ jobs:
 
       - name: Attempt to resolve issue
         env:
-          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN || github.token }}
+          GITHUB_TOKEN: ${{ env.AUTH_TOKEN }}
           GITHUB_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
           GIT_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
           LLM_MODEL: ${{ secrets.LLM_MODEL || inputs.LLM_MODEL }}
@@ -272,7 +315,7 @@ jobs:
       - name: Create draft PR or push branch
         if: always() # Create PR or branch even if the previous steps fail
         env:
-          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN || github.token }}
+          GITHUB_TOKEN: ${{ env.AUTH_TOKEN }}
           GITHUB_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
           GIT_USERNAME: ${{ secrets.PAT_USERNAME || 'openhands-agent' }}
           LLM_MODEL: ${{ secrets.LLM_MODEL || inputs.LLM_MODEL }}
@@ -304,7 +347,7 @@ jobs:
           AGENT_RESPONDED: ${{ env.AGENT_RESPONDED || 'false' }}
           ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
         with:
-          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          github-token: ${{ env.AUTH_TOKEN }}
           script: |
             const fs = require('fs');
             const issueNumber = process.env.ISSUE_NUMBER;
@@ -341,7 +384,7 @@ jobs:
           ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
           RESOLUTION_SUCCESS: ${{ steps.check_result.outputs.RESOLUTION_SUCCESS }}
         with:
-          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          github-token: ${{ env.AUTH_TOKEN }}
           script: |
             const fs = require('fs');
             const path = require('path');
@@ -414,7 +457,7 @@ jobs:
         env:
           ISSUE_NUMBER: ${{ env.ISSUE_NUMBER }}
         with:
-          github-token: ${{ secrets.PAT_TOKEN || github.token }}
+          github-token: ${{ env.AUTH_TOKEN }}
           script: |
             const issueNumber = process.env.ISSUE_NUMBER;
 

Development.md

@@ -118,7 +118,7 @@ poetry run pytest ./tests/unit/test_*.py
 To reduce build time (e.g., if no changes were made to the client-runtime component), you can use an existing Docker container image by
 setting the SANDBOX_RUNTIME_CONTAINER_IMAGE environment variable to the desired Docker image.
 
-Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/all-hands-ai/runtime:0.33-nikolaik`
+Example: `export SANDBOX_RUNTIME_CONTAINER_IMAGE=ghcr.io/all-hands-ai/runtime:0.34-nikolaik`
 
 ## Develop inside Docker container
 

Makefile

@@ -38,6 +38,7 @@ check-dependencies:
 ifeq ($(INSTALL_DOCKER),)
 	@$(MAKE) -s check-docker
 endif
+	@$(MAKE) -s check-tmux
 	@$(MAKE) -s check-poetry
 	@echo "$(GREEN)Dependencies checked successfully.$(RESET)"
 
@@ -101,6 +102,15 @@ check-docker:
 		exit 1; \
 	fi
 
+check-tmux:
+	@echo "$(YELLOW)Checking tmux installation...$(RESET)"
+	@if command -v tmux > /dev/null; then \
+		echo "$(BLUE)$(shell tmux -V) is already installed.$(RESET)"; \
+	else \
+		echo "$(RED)tmux is not installed. Please install tmux to continue.$(RESET)"; \
+		exit 1; \
+	fi
+
 check-poetry:
 	@echo "$(YELLOW)Checking Poetry installation...$(RESET)"
 	@if command -v poetry > /dev/null; then \

README.md

@@ -52,17 +52,17 @@ system requirements and more information.
 
 
 ```bash
-docker pull docker.all-hands.dev/all-hands-ai/runtime:0.33-nikolaik
+docker pull docker.all-hands.dev/all-hands-ai/runtime:0.34-nikolaik
 
 docker run -it --rm --pull=always \
-    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.33-nikolaik \
+    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.34-nikolaik \
     -e LOG_ALL_EVENTS=true \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v ~/.openhands-state:/.openhands-state \
     -p 3000:3000 \
     --add-host host.docker.internal:host-gateway \
     --name openhands-app \
-    docker.all-hands.dev/all-hands-ai/openhands:0.33
+    docker.all-hands.dev/all-hands-ai/openhands:0.34
 ```
 
 You'll find OpenHands running at [http://localhost:3000](http://localhost:3000)!

containers/app/Dockerfile

@@ -5,7 +5,7 @@ WORKDIR /app
 
 COPY ./frontend/package.json frontend/package-lock.json ./
 RUN npm install -g [email protected]
-RUN npm ci
+RUN npm ci --network-timeout 600000
 
 COPY ./frontend ./
 RUN npm run build
@@ -63,14 +63,37 @@ RUN useradd -l -m -u $OPENHANDS_USER_ID -s /bin/bash openhands && \
     echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 RUN chown -R openhands:app /app && chmod -R 770 /app
 RUN sudo chown -R openhands:app $WORKSPACE_BASE && sudo chmod -R 770 $WORKSPACE_BASE
+
+# Install Playwright Chromium dependencies as root
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libnss3 \
+    libnspr4 \
+    libdbus-1-3 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libcups2 \
+    libdrm2 \
+    libgbm1 \
+    libatspi2.0-0 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxfixes3 \
+    libxrandr2 \
+    libxkbcommon0 \
+    libpango-1.0-0 \
+    libcairo2 \
+    libasound2 \
+    && rm -rf /var/lib/apt/lists/*
+
 USER openhands
 
 ENV VIRTUAL_ENV=/app/.venv \
     PATH="/app/.venv/bin:$PATH" \
     PYTHONPATH='/app'
 
 COPY --chown=openhands:app --chmod=770 --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
-RUN playwright install --with-deps chromium
+RUN playwright install chromium
 
 COPY --chown=openhands:app --chmod=770 ./microagents ./microagents
 COPY --chown=openhands:app --chmod=770 ./openhands ./openhands