diff --git a/.claude/skills/recompile-workflows/SKILL.md b/.claude/skills/recompile-workflows/SKILL.md new file mode 100644 index 00000000..118818ba --- /dev/null +++ b/.claude/skills/recompile-workflows/SKILL.md 
@@ -0,0 +1,67 @@ +--- +name: recompile-workflows +description: Regenerate and post-process all agentic workflows. Use when gh-aw is updated, workflow .md files change, or when asked to recompile/regenerate workflows. +allowed-tools: Bash(gh:*), Bash(npx:*), Read, Glob, Edit +--- + +# Recompile Agentic Workflows + +Use this skill when you need to regenerate all agentic workflow lock files and apply post-processing. + +## IMPORTANT: Post-processing is required after EVERY lock file change + +Any time `.lock.yml` files are regenerated — whether via `gh aw compile`, `gh aw upgrade`, or any other gh-aw command — you MUST run the post-processing script afterward. This is not optional. + +## Steps + +### 1. Compile or upgrade workflows + +Use whichever command is appropriate: + +```bash +# Full upgrade (updates agents, actions, codemods, then compiles) +gh aw upgrade + +# Just recompile (when only .md workflow files changed) +gh aw compile +``` + +If any workflow fails to compile (e.g., strict mode violations like `contents: write`), fix the `.md` source file and re-run. + +### 2. Run post-processing script (ALWAYS) + +**This step MUST run every time lock files are regenerated, regardless of how they were generated.** + +The post-processing script replaces the "Install awf binary" step in smoke and build-test workflows with local build+install steps, so CI tests the repo's own code instead of a released binary. + +```bash +npx ts-node scripts/ci/postprocess-smoke-workflows.ts +``` + +This updates these lock files: +- `smoke-copilot.lock.yml` +- `smoke-claude.lock.yml` +- `smoke-chroot.lock.yml` +- `build-test-node.lock.yml` +- `build-test-go.lock.yml` +- `build-test-rust.lock.yml` +- `build-test-java.lock.yml` +- `build-test-cpp.lock.yml` +- `build-test-deno.lock.yml` +- `build-test-bun.lock.yml` + +## Common Issues + +### Strict mode violations +Newer gh-aw versions enforce strict mode which disallows write permissions like `contents: write`, `issues: write`, etc. 
Workflows should use `safe-outputs` for write operations and only request `read` permissions. + +### Discussion category warnings +Warnings about "General" vs "general" discussion category casing are non-blocking. + +## Verification + +After both steps, run `git diff --stat` to review all changed files. Expect changes in: +- `.github/agents/` - Updated agent files +- `.github/aw/actions-lock.json` - Updated action pins +- `.github/workflows/*.lock.yml` - Regenerated lock files +- `.github/workflows/*.md` - If codemods applied fixes diff --git a/.github/agents/agentic-workflows.agent.md b/.github/agents/agentic-workflows.agent.md index c00386ad..4bc6a2e7 100644 --- a/.github/agents/agentic-workflows.agent.md +++ b/.github/agents/agentic-workflows.agent.md @@ -17,12 +17,17 @@ This is a **dispatcher agent** that routes your request to the appropriate speci - **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt - **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt +Workflows may optionally include: + +- **Project tracking / monitoring** (GitHub Projects updates, status reporting) +- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows) + ## Files This Applies To - Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md` - Workflow lock files: `.github/workflows/*.lock.yml` - Shared components: `.github/workflows/shared/*.md` -- Configuration: `.github/aw/github-agentic-workflows.md` +- Configuration: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/github-agentic-workflows.md ## Problems This Solves 
@@ -44,7 +49,7 @@ When you interact with this agent, it will: ### Create New Workflow **Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet -**Prompt file**: `.github/aw/create-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/create-agentic-workflow.md **Use cases**: - "Create a workflow that triages issues" @@ -54,7 +59,7 @@ When you interact with this agent, it will: ### Update Existing Workflow **Load when**: User wants to modify, improve, or refactor an existing workflow -**Prompt file**: `.github/aw/update-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/update-agentic-workflow.md **Use cases**: - "Add web-fetch tool to the issue-classifier workflow" @@ -64,7 +69,7 @@ When you interact with this agent, it will: ### Debug Workflow **Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors -**Prompt file**: `.github/aw/debug-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/debug-agentic-workflow.md **Use cases**: - "Why is this workflow failing?" @@ -74,7 +79,7 @@ When you interact with this agent, it will: ### Upgrade Agentic Workflows **Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations -**Prompt file**: `.github/aw/upgrade-agentic-workflows.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/upgrade-agentic-workflows.md **Use cases**: - "Upgrade all workflows to the latest version" 
@@ -84,19 +89,43 @@ When you interact with this agent, it will: ### Create Shared Agentic Workflow **Load when**: User wants to create a reusable workflow component or wrap an MCP server -**Prompt file**: `.github/aw/create-shared-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/create-shared-agentic-workflow.md **Use cases**: - "Create a shared component for Notion integration" - "Wrap the Slack MCP server as a reusable component" - "Design a shared workflow for database queries" +### Orchestration and Delegation + +**Load when**: Creating or updating workflows that coordinate multiple agents or dispatch work to other workflows + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/orchestration.md + +**Use cases**: +- Assigning work to AI coding agents +- Dispatching specialized worker workflows +- Using correlation IDs for tracking +- Orchestration design patterns + +### GitHub Projects Integration + +**Load when**: Creating or updating workflows that manage GitHub Projects v2 + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/projects.md + +**Use cases**: +- Tracking items and fields with update-project +- Posting periodic run summaries +- Creating new projects +- Projects v2 authentication and configuration + ## Instructions When a user interacts with you: 1. **Identify the task type** from the user's request -2. **Load the appropriate prompt** using `.github/aw/.md` +2. **Load the appropriate prompt** from the GitHub repository URLs listed above 3. **Follow the loaded prompt's instructions** exactly 4. **If uncertain**, ask clarifying questions to determine the right prompt @@ -106,9 +135,6 @@ When a user interacts with you: # Initialize repository for agentic workflows gh aw init -# Create a new workflow -gh aw new - # Compile workflows gh aw compile [workflow-name] 
@@ -133,7 +159,7 @@ gh aw compile --validate ## Important Notes -- Always reference the instructions file at `.github/aw/github-agentic-workflows.md` for complete documentation +- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/github-agentic-workflows.md for complete documentation - Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions - Follow security best practices: minimal permissions, explicit network access, no template injection diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 237ec666..b3a2c581 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -1,8 +1,8 @@ { "entries": { - "actions/checkout@v4": { + "actions/checkout@v4.3.1": { "repo": "actions/checkout", - "version": "v4", + "version": "v4.3.1", "sha": "34e114876b0b11c390a56381ad16ebd13914f8d5" }, "actions/github-script@v8": { 
@@ -10,51 +10,41 @@ "version": "v8", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "actions/setup-node@v4": { + "actions/setup-node@v4.4.0": { "repo": "actions/setup-node", - "version": "v4", + "version": "v4.4.0", "sha": "49933ea5288caeca8642d1e84afbd3f7d6820020" }, - "actions/upload-artifact@v4": { + "actions/upload-artifact@v4.6.2": { "repo": "actions/upload-artifact", - "version": "v4", + "version": "v4.6.2", "sha": "ea165f8d65b6e75b540449e92b4886f43607fa02" }, - "docker/build-push-action@v5": { + "docker/build-push-action@v5.4.0": { "repo": "docker/build-push-action", - "version": "v5", + "version": "v5.4.0", "sha": "ca052bb54ab0790a636c9b5f226502c73d547a25" }, - "docker/login-action@v3": { + "docker/login-action@v3.7.0": { "repo": "docker/login-action", - "version": "v3", - "sha": "5e57cd118135c172c3672efd75eb46360885c0ef" + "version": "v3.7.0", + "sha": "c94ce9fb468520275223c153574b00df6fe4bcc9" }, - "docker/setup-buildx-action@v3": { + "docker/setup-buildx-action@v3.12.0": { "repo": "docker/setup-buildx-action", - "version": "v3", + "version": "v3.12.0", "sha": "8d2750c68a42422c14e847fe6c8ac0403b4cbd6f" }, - "github/gh-aw/actions/setup@v0.37.3": { - "repo": "github/gh-aw/actions/setup", - "version": "v0.37.3", - "sha": "55503f44aef44813947980f65655a67b5ed8702f" - }, - "github/gh-aw/actions/setup@v0.38.1": { - "repo": "github/gh-aw/actions/setup", - "version": "v0.38.1", - "sha": "98493c96da3fb6a59dc232e32a7b990a4c4e8969" - }, - "github/gh-aw/actions/setup@v0.40.0": { - "repo": "github/gh-aw/actions/setup", - "version": "v0.40.0", - "sha": "76d37d925abd44fee97379206f105b74b91a285b" - }, "github/gh-aw/actions/setup@v0.42.0": { "repo": "github/gh-aw/actions/setup", "version": "v0.42.0", "sha": "a7134347103ecf66b4bd422c3e9ce6466d400c02" }, + "github/gh-aw/actions/setup@v0.42.7": { + "repo": "github/gh-aw/actions/setup", + "version": "v0.42.7", + "sha": "b16be66a3f0089b92ad39c580f42421b7104a849" + }, "softprops/action-gh-release@v1": { "repo": 
"softprops/action-gh-release", "version": "v1", diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index b9eaeabb..7877bb51 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -33,7 +33,7 @@ name: Agentic Maintenance on: schedule: - - cron: "37 0 * * *" # Daily (based on minimum expires: 30 days) + - cron: "37 0 * * *" # Daily (based on minimum expires: 7 days) workflow_dispatch: permissions: {} diff --git a/.github/workflows/build-test-bun.lock.yml b/.github/workflows/build-test-bun.lock.yml index 138561be..f5996965 100644 --- a/.github/workflows/build-test-bun.lock.yml +++ b/.github/workflows/build-test-bun.lock.yml 
@@ -134,8 +134,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null < /dev/null < /dev/null < /dev/null < /dev/null < /dev/null < /dev/null </dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env 
"EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro 
--allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all 
--container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
@@ -747,7 +750,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@76d37d925abd44fee97379206f105b74b91a285b # v0.40.0 + uses: github/gh-aw/actions/setup@a7134347103ecf66b4bd422c3e9ce6466d400c02 # v0.42.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -808,6 +811,9 @@ jobs: GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + GH_AW_CREATE_DISCUSSION_ERRORS: ${{ needs.safe_outputs.outputs.create_discussion_errors }} + GH_AW_CREATE_DISCUSSION_ERROR_COUNT: ${{ needs.safe_outputs.outputs.create_discussion_error_count }} with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -846,7 +852,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@76d37d925abd44fee97379206f105b74b91a285b # v0.40.0 + uses: github/gh-aw/actions/setup@a7134347103ecf66b4bd422c3e9ce6466d400c02 # v0.42.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -888,7 +894,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.400 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -950,11 +956,13 @@ jobs: GH_AW_WORKFLOW_ID: "cli-flag-consistency-checker" GH_AW_WORKFLOW_NAME: "CLI Flag Consistency Checker" outputs: + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@76d37d925abd44fee97379206f105b74b91a285b # v0.40.0 + uses: github/gh-aw/actions/setup@a7134347103ecf66b4bd422c3e9ce6466d400c02 # v0.42.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -973,7 +981,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"general\",\"expires\":168,\"max\":1,\"title_prefix\":\"[CLI Flag Review] \"},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_discussion\":{\"category\":\"general\",\"expires\":168,\"fallback_to_issue\":true,\"max\":1,\"title_prefix\":\"[CLI Flag Review] \"},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 1126d8eb..df44fac1 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -21,7 +21,7 @@ # # The Cookie Monster of issues - assigns issues to Copilot agents one at a time # -# frontmatter-hash: 3a6a379ce94166649edd1371fe0c7b3693ad1308709a0856651aeb9b0ca70b18 +# frontmatter-hash: 1aec29a3d679779c462f3107f9b39751bd841f31632479e542a7a7b47031cd75 name: "Issue Monster" "on": @@ -78,10 +78,10 @@ jobs: - search_issues runs-on: ubuntu-latest permissions: - actions: write - contents: write - issues: write - pull-requests: write + actions: read + contents: read + issues: read + pull-requests: read env: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} GH_AW_ASSETS_ALLOWED_EXTS: "" @@ -765,8 +765,7 @@ jobs: if: (always()) && (needs.agent.result != 'skipped') runs-on: ubuntu-slim permissions: - actions: write - contents: write + contents: read discussions: write issues: write pull-requests: write @@ -1022,8 +1021,7 @@ jobs: if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') runs-on: ubuntu-slim permissions: - actions: write - contents: write + contents: read discussions: write issues: write pull-requests: write diff --git a/.github/workflows/issue-monster.md b/.github/workflows/issue-monster.md index ad1c6600..8ea1711e 100644 --- a/.github/workflows/issue-monster.md +++ b/.github/workflows/issue-monster.md @@ -12,10 +12,10 @@ on: skip-if-no-match: "is:issue is:open" permissions: - actions: write - contents: write - issues: write - pull-requests: write + actions: read + contents: read + issues: read + pull-requests: read engine: copilot timeout-minutes: 30 diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml index 06ec2ef6..0e9c52f8 100644 --- a/.github/workflows/smoke-chroot.lock.yml +++ b/.github/workflows/smoke-chroot.lock.yml 
@@ -21,7 +21,7 @@ # # Smoke test workflow that validates the --enable-chroot feature by testing host binary access and comparing versions # -# frontmatter-hash: 609448872bf0700e99cd66630a740f6b9332ccb01fff5efee6ae4d16c9cabef2 +# frontmatter-hash: f4d66484aa69e2df392fd05d9a3f13b6c396e693acdf5fcdb9df43d54b5c68bc name: "Smoke Chroot" "on": 
@@ -159,7 +159,12 @@ jobs: run: "echo \"=== Running chroot version tests ===\"\n\n# Capture GOROOT for chroot tests\nexport GOROOT=$(go env GOROOT)\n\n# Test Python version in chroot\necho \"Testing Python...\"\nCHROOT_PYTHON=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- python3 --version 2>&1 | grep -oP 'Python \\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_PYTHON=\"FAILED\"\n\n# Test Node version in chroot\necho \"Testing Node...\"\nCHROOT_NODE=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- node --version 2>&1 | grep -oP 'v\\d+\\.\\d+\\.\\d+' | head -1) || CHROOT_NODE=\"FAILED\"\n\n# Test Go version in chroot\necho \"Testing Go...\"\nCHROOT_GO=$(sudo -E awf --enable-chroot --skip-pull --allow-domains localhost -- go version 2>&1 | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' | head -1) || CHROOT_GO=\"FAILED\"\n\n# Save chroot versions\n{\n echo \"CHROOT_PYTHON_VERSION=$CHROOT_PYTHON\"\n echo \"CHROOT_NODE_VERSION=$CHROOT_NODE\"\n echo \"CHROOT_GO_VERSION=$CHROOT_GO\"\n} > /tmp/gh-aw/chroot-test/chroot-versions.env\n\ncat /tmp/gh-aw/chroot-test/chroot-versions.env\n\n# Compare versions and create results\nsource /tmp/gh-aw/chroot-test/host-versions.env\n\nPYTHON_MATCH=\"NO\"\nNODE_MATCH=\"NO\"\nGO_MATCH=\"NO\"\n\n# Compare Python (extract version number - chroot already extracted as \"Python X.Y.Z\")\nHOST_PY_NUM=$(echo \"$HOST_PYTHON_VERSION\" | grep -oP 'Python \\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_PY_NUM=\"$CHROOT_PYTHON\"\n[ \"$HOST_PY_NUM\" = \"$CHROOT_PY_NUM\" ] && [ -n \"$HOST_PY_NUM\" ] && PYTHON_MATCH=\"YES\"\n\n# Compare Node (extract version number - already extracted as v\\d+.\\d+.\\d+)\nHOST_NODE_NUM=$(echo \"$HOST_NODE_VERSION\" | grep -oP 'v\\d+\\.\\d+\\.\\d+' || echo \"\")\nCHROOT_NODE_NUM=\"$CHROOT_NODE\"\n[ \"$HOST_NODE_NUM\" = \"$CHROOT_NODE_NUM\" ] && [ -n \"$HOST_NODE_NUM\" ] && NODE_MATCH=\"YES\"\n\n# Compare Go (extract version number - chroot already extracted as \"goX.Y.Z\")\nHOST_GO_NUM=$(echo 
\"$HOST_GO_VERSION\" | grep -oP 'go\\d+\\.\\d+(\\.\\d+)?' || echo \"\")\nCHROOT_GO_NUM=\"$CHROOT_GO\"\n[ \"$HOST_GO_NUM\" = \"$CHROOT_GO_NUM\" ] && [ -n \"$HOST_GO_NUM\" ] && GO_MATCH=\"YES\"\n\n# Create results summary\n{\n echo \"PYTHON_MATCH=$PYTHON_MATCH\"\n echo \"NODE_MATCH=$NODE_MATCH\"\n echo \"GO_MATCH=$GO_MATCH\"\n echo \"HOST_PY_NUM=$HOST_PY_NUM\"\n echo \"CHROOT_PY_NUM=$CHROOT_PY_NUM\"\n echo \"HOST_NODE_NUM=$HOST_NODE_NUM\"\n echo \"CHROOT_NODE_NUM=$CHROOT_NODE_NUM\"\n echo \"HOST_GO_NUM=$HOST_GO_NUM\"\n echo \"CHROOT_GO_NUM=$CHROOT_GO_NUM\"\n} > /tmp/gh-aw/chroot-test/results.env\n\ncat /tmp/gh-aw/chroot-test/results.env\n\n# Determine overall result\nif [ \"$PYTHON_MATCH\" = \"YES\" ] && [ \"$NODE_MATCH\" = \"YES\" ] && [ \"$GO_MATCH\" = \"YES\" ]; then\n echo \"ALL_TESTS_PASSED=true\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== ALL CHROOT TESTS PASSED ===\"\nelse\n echo \"ALL_TESTS_PASSED=false\" >> /tmp/gh-aw/chroot-test/results.env\n echo \"=== SOME CHROOT TESTS FAILED ===\"\nfi\n" - if: always() name: Cleanup test containers - run: ./scripts/ci/cleanup.sh || true + run: | + ./scripts/ci/cleanup.sh || true + - name: Ensure .copilot directory permissions + run: |- + mkdir -p /home/runner/.copilot + sudo chown -R runner:runner /home/runner/.copilot - name: Configure Git credentials env: 
@@ -191,14 +196,33 @@ jobs: run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - - name: Ensure .copilot directory permissions - run: | - mkdir -p /home/runner/.copilot - sudo chown -R runner:runner /home/runner/.copilot - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <
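Review bot: In `.claude/skills/recompile-workflows/SKILL.md`, the frontmatter `allowed-tools: Bash(gh:*), Bash(npx:*), Read, Glob, Edit` does not cover the `git diff --stat` command that the Verification section tells the skill to run, so that step is not pre-approved. Add a narrowly scoped git entry. Also consider narrowing `Bash(npx:*)` to the single `npx ts-node scripts/ci/postprocess-smoke-workflows.ts` invocation the skill needs, since a wildcard on npx permits fetching and running arbitrary packages. The hard-coded list of ten lock files can drift from what the script actually rewrites; pointing readers at the script as the source of truth would avoid that.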
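Review bot: In `.github/agents/agentic-workflows.agent.md`, every `**Prompt file**` entry and the Configuration entry now point at `https://github.com/github/gh-aw/blob/v0.42.0/.github/aw/...`, so the dispatcher takes its instructions from a remote tag instead of files reviewed in this repository. A tag can be moved upstream; pin these URLs to a commit SHA the way `actions-lock.json` pins actions, or keep vendored copies. `blob/` URLs also return the rendered HTML page rather than the raw Markdown. The tag here is `v0.42.0` while the same change adds a `github/gh-aw/actions/setup@v0.42.7` entry to the lock file, so state which version the prompts are meant to track. In the `@@ -106,9 +135,6 @@` hunk, `gh aw new` is removed from the command list with no replacement shown for creating a workflow.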
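Review bot: In `.github/aw/actions-lock.json`, `docker/login-action` is the only entry whose `sha` changes (`5e57cd118135c172c3672efd75eb46360885c0ef` to `c94ce9fb468520275223c153574b00df6fe4bcc9`); every other renamed key keeps its previous SHA under a more specific version label. Confirm in the PR description that the new SHA is the commit the `v3.7.0` tag resolves to, and that the unchanged SHAs really correspond to the new labels such as `v4.3.1` and `v4.4.0`. The file also ends up with two `github/gh-aw/actions/setup` entries (`v0.42.0` and `v0.42.7`), while the lock workflows visible in this diff pin `a7134347103ecf66b4bd422c3e9ce6466d400c02 # v0.42.0`; drop whichever entry is unreferenced or regenerate so the two agree.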
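Review bot: The new `Install awf dependencies`, `Build awf` and `Install awf binary (local)` steps in `build-test-bun.lock.yml` and `smoke-chroot.lock.yml` run `npm ci` and `npm run build` on the checked-out workspace in a job that also references `${{ secrets.COPILOT_GITHUB_TOKEN }}`, then write the result to `/usr/local/bin/awf`, which is later run under `sudo -E`. Compared with `install_awf_binary.sh v0.13.4`, code from the branch under test now runs as root on the runner. Confirm these workflows cannot be triggered with secrets by untrusted pull requests, and consider `npm ci --ignore-scripts` if the build does not depend on install scripts. In the install script, `NODE_BIN="$(command -v node)"` aborts the step before the `Node binary not found` message is printed if the step runs under `bash -e`; test `command -v node` directly in the `if` instead.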
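Review bot: In the `sudo -E awf` invocation hunk, the enumerated `--mount /usr/bin/...:ro` list is replaced by `--enable-chroot`, which changes the agent's view of the host from a fixed set of read-only binaries to whatever the chroot mode exposes, while `--env-all`, `--enable-host-access` and `--allow-all-paths` all remain. Document in the PR what chroot mode leaves writable and how the runner environment is filtered before it reaches the agent. `--skip-pull` is added next to `--image-tag 0.13.4`, so the run now depends on images already present on the runner; point to the step that builds or loads them. The `source /opt/gh-aw/actions/sanitize_path.sh ...` prefix is also dropped from the agent command, so confirm chroot mode makes that PATH handling unnecessary.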
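Review bot: In the `@@ -973,7 +981,7 @@` hunk, `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` gains `\"fallback_to_issue\":true` for `create_discussion`, but the permissions block of the `safe_outputs` job is not part of the change. Confirm that job has `issues: write`; otherwise the fallback fails for the same class of reason the discussion did, and the new `create_discussion_errors` outputs will only report it after the fact.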
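Review bot: In `issue-monster.lock.yml`, the agent job drops to read-only, but the two later jobs at `@@ -765,8 +765,7 @@` and `@@ -1022,8 +1021,7 @@` still carry `discussions: write`, `issues: write` and `pull-requests: write`. For a workflow described as assigning issues to Copilot agents, check whether `discussions: write` and `pull-requests: write` are needed in both jobs and trim the ones that are not. Also confirm that issue assignment now goes through a safe-output handler, since the agent job's `issues: read` can no longer perform it directly.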
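Review bot: In `smoke-chroot.lock.yml`, the chroot version tests in the `@@ -159,7 +159,12 @@` hunk call `sudo -E awf --enable-chroot --skip-pull ...` well before the `Install awf binary (local)` step that this change adds near line 196. Confirm an earlier step already installs the workspace build; otherwise the version tests exercise a different awf than the one the agent step uses. In the same script, each `... | grep -oP ... | head -1) || CHROOT_PYTHON="FAILED"` fallback only fires on the pipeline's final status unless `pipefail` is set, so a failed awf run can leave the variable empty rather than `FAILED`.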