diff --git a/.github/workflows/build-test-bun.lock.yml b/.github/workflows/build-test-bun.lock.yml index 991430fb..5f784525 100644 --- a/.github/workflows/build-test-bun.lock.yml +++ b/.github/workflows/build-test-bun.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -802,7 +802,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -908,13 +908,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1021,7 +1021,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-cpp.lock.yml b/.github/workflows/build-test-cpp.lock.yml index 5e7dd3d0..e1ce138e 100644 --- a/.github/workflows/build-test-cpp.lock.yml +++ b/.github/workflows/build-test-cpp.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -802,7 +802,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -908,13 +908,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1021,7 +1021,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-deno.lock.yml b/.github/workflows/build-test-deno.lock.yml index 9d03ed69..a972aecc 100644 --- a/.github/workflows/build-test-deno.lock.yml +++ b/.github/workflows/build-test-deno.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -802,7 +802,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -908,13 +908,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1021,7 +1021,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-go.lock.yml b/.github/workflows/build-test-go.lock.yml index 44d2440d..b5b57499 100644 --- a/.github/workflows/build-test-go.lock.yml +++ b/.github/workflows/build-test-go.lock.yml @@ -97,11 +97,11 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Setup Go - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version: '1.22' - name: Capture GOROOT for AWF chroot mode @@ -808,7 +808,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -914,13 +914,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1027,7 +1027,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-java.lock.yml b/.github/workflows/build-test-java.lock.yml index a708e2db..20e2ce0f 100644 --- a/.github/workflows/build-test-java.lock.yml +++ b/.github/workflows/build-test-java.lock.yml @@ -97,15 +97,11 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Setup Java - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: java-version: '21' distribution: temurin @@ -143,8 +139,31 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 + - name: Install awf dependencies + run: npm ci + - name: Build awf + run: npm run build + - name: Install awf binary (local) + run: | + WORKSPACE_PATH="${GITHUB_WORKSPACE:-$(pwd)}" + NODE_BIN="$(command -v node)" + if [ ! -d "$WORKSPACE_PATH" ]; then + echo "Workspace path not found: $WORKSPACE_PATH" + exit 1 + fi + if [ ! -x "$NODE_BIN" ]; then + echo "Node binary not found: $NODE_BIN" + exit 1 + fi + if [ ! -d "/usr/local/bin" ]; then + echo "/usr/local/bin is missing" + exit 1 + fi + sudo tee /usr/local/bin/awf > /dev/null <&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -788,7 +807,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -894,13 +913,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1007,7 +1026,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-node.lock.yml b/.github/workflows/build-test-node.lock.yml index ea3e01b5..c409d18c 100644 --- a/.github/workflows/build-test-node.lock.yml +++ b/.github/workflows/build-test-node.lock.yml @@ -97,11 +97,11 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '20' package-manager-cache: false @@ -807,7 +807,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -913,13 +913,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1026,7 +1026,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/build-test-rust.lock.yml b/.github/workflows/build-test-rust.lock.yml index bdd9f0ed..6f2e5a34 100644 --- a/.github/workflows/build-test-rust.lock.yml +++ b/.github/workflows/build-test-rust.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -802,7 +802,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -908,13 +908,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1021,7 +1021,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/ci-cd-gaps-assessment.lock.yml b/.github/workflows/ci-cd-gaps-assessment.lock.yml index 35bbd456..5343834c 100644 --- a/.github/workflows/ci-cd-gaps-assessment.lock.yml +++ b/.github/workflows/ci-cd-gaps-assessment.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -752,7 +752,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -858,13 +858,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -965,7 +965,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 879c0d9c..a8a08802 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -129,7 +129,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -142,7 +142,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -895,7 +895,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1001,13 +1001,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1136,7 +1136,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1172,13 +1172,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/cli-flag-consistency-checker.lock.yml b/.github/workflows/cli-flag-consistency-checker.lock.yml index 6f781111..3099da3b 100644 --- a/.github/workflows/cli-flag-consistency-checker.lock.yml +++ b/.github/workflows/cli-flag-consistency-checker.lock.yml @@ -92,7 +92,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -759,7 +759,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -867,13 +867,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -978,7 +978,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/dependency-security-monitor.lock.yml b/.github/workflows/dependency-security-monitor.lock.yml index 725bb319..896e0797 100644 --- a/.github/workflows/dependency-security-monitor.lock.yml +++ b/.github/workflows/dependency-security-monitor.lock.yml @@ -99,7 +99,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -889,7 +889,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1009,13 +1009,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1122,7 +1122,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1133,13 +1133,13 @@ jobs: echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" - name: Download patch artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false diff --git a/.github/workflows/doc-maintainer.lock.yml b/.github/workflows/doc-maintainer.lock.yml index 69e3a0c4..2693baa3 100644 --- a/.github/workflows/doc-maintainer.lock.yml +++ b/.github/workflows/doc-maintainer.lock.yml @@ -97,7 +97,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -775,7 +775,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -895,13 +895,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1042,7 +1042,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1053,13 +1053,13 @@ jobs: echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" - name: Download patch artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false diff --git a/.github/workflows/issue-duplication-detector.lock.yml b/.github/workflows/issue-duplication-detector.lock.yml index eab9a93e..fc82dd3d 100644 --- a/.github/workflows/issue-duplication-detector.lock.yml +++ b/.github/workflows/issue-duplication-detector.lock.yml @@ -95,7 +95,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -108,7 +108,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: issue-duplication-detector-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -774,7 +774,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -878,13 +878,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1012,7 +1012,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1048,13 +1048,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: issue-duplication-detector-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 145cd631..1a87fd43 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -104,7 +104,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -812,7 +812,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -920,13 +920,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1084,7 +1084,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/pelis-agent-factory-advisor.lock.yml b/.github/workflows/pelis-agent-factory-advisor.lock.yml index c9c8c18a..91725801 100644 --- a/.github/workflows/pelis-agent-factory-advisor.lock.yml +++ b/.github/workflows/pelis-agent-factory-advisor.lock.yml @@ -98,7 +98,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -111,7 +111,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -776,7 +776,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -882,13 +882,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -989,7 +989,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1025,13 +1025,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 6679ff31..be7770b4 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -126,7 +126,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -879,7 +879,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -983,13 +983,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1148,7 +1148,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 71a3aa4d..32c5e730 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -94,7 +94,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -135,7 +135,7 @@ jobs: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -795,7 +795,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -899,13 +899,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -937,7 +937,7 @@ jobs: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -1026,7 +1026,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index aa287fa3..57736c7d 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -99,7 +99,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -112,7 +112,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -777,7 +777,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -883,13 +883,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -990,7 +990,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1026,13 +1026,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml index 5edbb80a..6b35f449 100644 --- a/.github/workflows/smoke-chroot.lock.yml +++ b/.github/workflows/smoke-chroot.lock.yml @@ -116,22 +116,22 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false - name: Setup Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Go - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # 0aaccfd150d50ccaeb58ebd88d36e91967a5f35b + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # 0aaccfd150d50ccaeb58ebd88d36e91967a5f35b with: go-version: "1.22" - name: Capture host versions for verification @@ -866,7 +866,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -972,13 +972,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1085,7 +1085,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 68540223..fa12baee 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -117,7 +117,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -126,7 +126,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -165,7 +165,7 @@ jobs: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -943,7 +943,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1049,13 +1049,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1087,7 +1087,7 @@ jobs: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -1178,7 +1178,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1214,13 +1214,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 4cc6ab3d..d09b64d9 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -123,7 +123,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -132,7 +132,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -171,7 +171,7 @@ jobs: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -1545,7 +1545,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1651,13 +1651,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1689,7 +1689,7 @@ jobs: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - name: Setup Node.js - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' package-manager-cache: false @@ -1796,7 +1796,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1832,13 +1832,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index b0eaa21d..f03ee1c2 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -114,7 +114,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -123,7 +123,7 @@ jobs: - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache-memory file share data - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory @@ -889,7 +889,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -995,13 +995,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1108,7 +1108,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1144,13 +1144,13 @@ jobs: with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true with: name: cache-memory path: /tmp/gh-aw/cache-memory - name: Save cache-memory to cache (default) - uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index 57591d7a..a1be1f76 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml @@ -100,7 +100,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -843,7 +843,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -963,13 +963,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1111,7 +1111,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -1122,13 +1122,13 @@ jobs: echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" - name: Download patch artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false diff --git a/.github/workflows/update-release-notes.lock.yml b/.github/workflows/update-release-notes.lock.yml index c403db93..6a5d3241 100644 --- a/.github/workflows/update-release-notes.lock.yml +++ b/.github/workflows/update-release-notes.lock.yml @@ -94,7 +94,7 @@ jobs: with: destination: /opt/gh-aw/actions - name: Checkout .github and .agents folders - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: sparse-checkout: | .github @@ -789,7 +789,7 @@ jobs: echo "Agent Conclusion: $AGENT_CONCLUSION" - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ @@ -895,13 +895,13 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-artifacts path: /tmp/gh-aw/threat-detection/ - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/threat-detection/ @@ -1026,7 +1026,7 @@ jobs: destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output path: /tmp/gh-aw/safeoutputs/ diff --git a/CLAUDE.md b/CLAUDE.md index 38504099..4a053d88 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -232,6 +232,14 @@ DNS traffic is restricted to trusted DNS servers only to prevent DNS-based data - Container DNS config (`containers/agent/entrypoint.sh`): Configures `/etc/resolv.conf` - Docker Compose (`src/docker-manager.ts`): Sets container `dns:` config and `AWF_DNS_SERVERS` env var +## Proxy Environment Variables + +AWF sets the following proxy-related environment variables in the agent container: + +- `HTTP_PROXY` / `HTTPS_PROXY`: Standard proxy variables (used by curl, wget, pip, npm, etc.) +- `SQUID_PROXY_HOST` / `SQUID_PROXY_PORT`: Raw proxy host and port for tools that need them separately +- `JAVA_TOOL_OPTIONS`: JVM system properties (`-Dhttp.proxyHost`, `-Dhttps.proxyHost`, etc.) for Java tools. Works for Gradle, SBT, and most JVM tools. **Maven requires separate `~/.m2/settings.xml` configuration** — see `docs/troubleshooting.md`. + **Example**: ```bash # Use Cloudflare DNS instead of Google DNS diff --git a/containers/agent/setup-iptables.sh b/containers/agent/setup-iptables.sh index 3f12c1e9..6214b69d 100644 --- a/containers/agent/setup-iptables.sh +++ b/containers/agent/setup-iptables.sh @@ -11,6 +11,12 @@ is_ipv6() { [[ "$ip" == *:* ]] } +# Function to validate an IPv4 address format (e.g., 172.17.0.1) +is_valid_ipv4() { + local ip="$1" + echo "$ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' +} + # Function to check if ip6tables is available and functional has_ip6tables() { if command -v ip6tables &>/dev/null && ip6tables -L -n &>/dev/null; then @@ -124,12 +130,28 @@ iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN # Bypass Squid for host.docker.internal when host access is enabled. # MCP gateway traffic to host.docker.internal gets DNAT'd to Squid, # where Squid fails with "Invalid URL" because rmcp sends relative URLs. +# The NAT RETURN prevents DNAT to Squid (which would crash on MCP traffic). +# The FILTER ACCEPT is restricted to allowed ports only (80, 443, and --allow-host-ports). if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then HOST_GATEWAY_IP=$(getent hosts host.docker.internal | awk 'NR==1 { print $1 }') - if [ -n "$HOST_GATEWAY_IP" ]; then + if [ -n "$HOST_GATEWAY_IP" ] && is_valid_ipv4 "$HOST_GATEWAY_IP"; then echo "[iptables] Allow direct traffic to host gateway (${HOST_GATEWAY_IP}) - bypassing Squid..." + # NAT: skip DNAT to Squid for all traffic to host gateway (prevents Squid crash) iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN - iptables -A OUTPUT -d "$HOST_GATEWAY_IP" -j ACCEPT + # FILTER: only allow standard ports (80, 443) to host gateway + iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT + iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT + # FILTER: also allow user-specified ports from --allow-host-ports + if [ -n "$AWF_ALLOW_HOST_PORTS" ]; then + IFS=',' read -ra HOST_PORTS <<< "$AWF_ALLOW_HOST_PORTS" + for port_spec in "${HOST_PORTS[@]}"; do + port_spec=$(echo "$port_spec" | xargs) + echo "[iptables] Allow host gateway port $port_spec" + iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport "$port_spec" -j ACCEPT + done + fi + elif [ -n "$HOST_GATEWAY_IP" ]; then + echo "[iptables] WARNING: host.docker.internal resolved to invalid IP '${HOST_GATEWAY_IP}', skipping host gateway bypass" else echo "[iptables] WARNING: host.docker.internal could not be resolved, skipping host gateway bypass" fi @@ -139,10 +161,20 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then # instead of the Docker bridge gateway (172.17.0.1). Without this bypass, # MCP Streamable HTTP traffic goes through Squid, which crashes on SSE connections. NETWORK_GATEWAY_IP=$(route -n 2>/dev/null | awk '/^0\.0\.0\.0/ { print $2; exit }') - if [ -n "$NETWORK_GATEWAY_IP" ] && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then + if [ -n "$NETWORK_GATEWAY_IP" ] && is_valid_ipv4 "$NETWORK_GATEWAY_IP" && [ "$NETWORK_GATEWAY_IP" != "$HOST_GATEWAY_IP" ]; then echo "[iptables] Allow direct traffic to network gateway (${NETWORK_GATEWAY_IP}) - bypassing Squid..." iptables -t nat -A OUTPUT -d "$NETWORK_GATEWAY_IP" -j RETURN iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 80 -j ACCEPT + iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport 443 -j ACCEPT + if [ -n "$AWF_ALLOW_HOST_PORTS" ]; then + IFS=',' read -ra NET_GW_PORTS <<< "$AWF_ALLOW_HOST_PORTS" + for port_spec in "${NET_GW_PORTS[@]}"; do + port_spec=$(echo "$port_spec" | xargs) + iptables -A OUTPUT -p tcp -d "$NETWORK_GATEWAY_IP" --dport "$port_spec" -j ACCEPT + done + fi + elif [ -n "$NETWORK_GATEWAY_IP" ] && ! is_valid_ipv4 "$NETWORK_GATEWAY_IP"; then + echo "[iptables] WARNING: network gateway resolved to invalid IP '${NETWORK_GATEWAY_IP}', skipping" fi fi diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 375e7a27..fc12fb8c 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -129,6 +129,54 @@ cat /tmp/awf-agent-logs-/*.log ``` +## Java / Maven / Gradle Issues + +### How AWF Handles Java Proxy + +AWF automatically sets `JAVA_TOOL_OPTIONS` with `-Dhttp.proxyHost`, `-Dhttp.proxyPort`, `-Dhttps.proxyHost`, `-Dhttps.proxyPort`, and `-Dhttp.nonProxyHosts` inside the agent container. This works for most Java tools that read standard JVM system properties, including Gradle and SBT. + +### Maven Requires Extra Configuration + +**Problem:** Maven builds fail with network errors even though the domain is in `--allow-domains` + +**Cause:** Maven's HTTP transport (Apache HttpClient / Maven Resolver) ignores Java system properties for proxy configuration. Unlike Gradle and most other Java tools, Maven does **not** read `-DproxyHost`/`-DproxyPort` from `JAVA_TOOL_OPTIONS`. + +**Solution:** Create `~/.m2/settings.xml` with proxy configuration before running Maven: + +```bash +mkdir -p ~/.m2 +cat > ~/.m2/settings.xml << EOF + + + + awf-httptruehttp + ${SQUID_PROXY_HOST}${SQUID_PROXY_PORT} + + + awf-httpstruehttps + ${SQUID_PROXY_HOST}${SQUID_PROXY_PORT} + + + +EOF +``` + +The `SQUID_PROXY_HOST` and `SQUID_PROXY_PORT` environment variables are automatically set by AWF in the agent container. + +For agentic workflows, add this as a setup step in the workflow `.md` file so the agent creates the file before running Maven commands. + +### Gradle Works Automatically + +Gradle reads JVM system properties via `ProxySelector.getDefault()`, so the `JAVA_TOOL_OPTIONS` environment variable set by AWF is sufficient. No extra configuration is needed for Gradle builds. + +### Why This Is Needed + +AWF uses a forward proxy (Squid) for HTTPS egress control rather than transparent interception. This means tools must be proxy-aware: + +- **Most tools**: Use `HTTP_PROXY`/`HTTPS_PROXY` environment variables (set automatically by AWF) +- **Java tools**: Use `JAVA_TOOL_OPTIONS` with JVM system properties (set automatically by AWF) +- **Maven**: Requires `~/.m2/settings.xml` (must be configured manually — see above) + ## Log Analysis ### Finding Blocked Domains diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts index 63aa7490..e76db0a8 100644 --- a/src/docker-manager.test.ts +++ b/src/docker-manager.test.ts @@ -259,6 +259,15 @@ describe('docker-manager', () => { agentIp: '172.30.0.20', }; + // Ensure workDir exists for chroot tests that create chroot-hosts file + beforeEach(() => { + fs.mkdirSync(mockConfig.workDir, { recursive: true }); + }); + + afterEach(() => { + fs.rmSync(mockConfig.workDir, { recursive: true, force: true }); + }); + it('should generate docker-compose config with GHCR images by default', () => { const result = generateDockerCompose(mockConfig, mockNetworkConfig); @@ -559,7 +568,10 @@ describe('docker-manager', () => { expect(volumes).toContain('/etc/ca-certificates:/host/etc/ca-certificates:ro'); expect(volumes).toContain('/etc/alternatives:/host/etc/alternatives:ro'); expect(volumes).toContain('/etc/ld.so.cache:/host/etc/ld.so.cache:ro'); - expect(volumes).toContain('/etc/hosts:/host/etc/hosts:ro'); + // /etc/hosts is always a custom hosts file in a secure chroot temp dir (for pre-resolved domains) + const hostsVolume = volumes.find((v: string) => v.includes('/host/etc/hosts')); + expect(hostsVolume).toBeDefined(); + expect(hostsVolume).toMatch(/chroot-.*\/hosts:\/host\/etc\/hosts:ro/); // Should still include essential mounts expect(volumes).toContain('/tmp:/tmp:rw'); @@ -774,53 +786,42 @@ describe('docker-manager', () => { expect(volumes).toContain('/etc/nsswitch.conf:/host/etc/nsswitch.conf:ro'); }); - it('should mount writable chroot-hosts when enableChroot and enableHostAccess are true', () => { - // Ensure workDir exists for chroot-hosts file creation - fs.mkdirSync(mockConfig.workDir, { recursive: true }); - try { - const config = { - ...mockConfig, - enableChroot: true, - enableHostAccess: true - }; - const result = generateDockerCompose(config, mockNetworkConfig); - const agent = result.services.agent; - const volumes = agent.volumes as string[]; + it('should mount read-only chroot-hosts when enableChroot and enableHostAccess are true', () => { + const config = { + ...mockConfig, + enableChroot: true, + enableHostAccess: true + }; + const result = generateDockerCompose(config, mockNetworkConfig); + const agent = result.services.agent; + const volumes = agent.volumes as string[]; - // Should mount a writable copy of /etc/hosts (not the read-only original) - const hostsVolume = volumes.find((v: string) => v.includes('/host/etc/hosts')); - expect(hostsVolume).toBeDefined(); - expect(hostsVolume).toContain('chroot-hosts:/host/etc/hosts'); - expect(hostsVolume).not.toContain(':ro'); - } finally { - fs.rmSync(mockConfig.workDir, { recursive: true, force: true }); - } + // Should mount a read-only copy of /etc/hosts with host.docker.internal pre-injected + const hostsVolume = volumes.find((v: string) => v.includes('/host/etc/hosts')); + expect(hostsVolume).toBeDefined(); + expect(hostsVolume).toMatch(/chroot-.*\/hosts:\/host\/etc\/hosts:ro/); }); it('should inject host.docker.internal into chroot-hosts file', () => { - // Ensure workDir exists for chroot-hosts file creation - fs.mkdirSync(mockConfig.workDir, { recursive: true }); - try { - const config = { - ...mockConfig, - enableChroot: true, - enableHostAccess: true - }; - generateDockerCompose(config, mockNetworkConfig); - - // The chroot-hosts file should exist and contain host.docker.internal - const chrootHostsPath = `${mockConfig.workDir}/chroot-hosts`; - expect(fs.existsSync(chrootHostsPath)).toBe(true); - const content = fs.readFileSync(chrootHostsPath, 'utf8'); - // Docker bridge gateway resolution may succeed or fail in test env, - // but the file should exist with at least localhost - expect(content).toContain('localhost'); - } finally { - fs.rmSync(mockConfig.workDir, { recursive: true, force: true }); - } + const config = { + ...mockConfig, + enableChroot: true, + enableHostAccess: true + }; + generateDockerCompose(config, mockNetworkConfig); + + // Find the chroot hosts file (mkdtempSync creates chroot-XXXXXX directory) + const chrootDir = fs.readdirSync(mockConfig.workDir).find(d => d.startsWith('chroot-')); + expect(chrootDir).toBeDefined(); + const chrootHostsPath = `${mockConfig.workDir}/${chrootDir}/hosts`; + expect(fs.existsSync(chrootHostsPath)).toBe(true); + const content = fs.readFileSync(chrootHostsPath, 'utf8'); + // Docker bridge gateway resolution may succeed or fail in test env, + // but the file should exist with at least localhost + expect(content).toContain('localhost'); }); - it('should mount read-only /etc/hosts when enableChroot is true but enableHostAccess is false', () => { + it('should mount custom chroot-hosts when enableChroot is true even without enableHostAccess', () => { const config = { ...mockConfig, enableChroot: true, @@ -830,7 +831,114 @@ describe('docker-manager', () => { const agent = result.services.agent; const volumes = agent.volumes as string[]; - expect(volumes).toContain('/etc/hosts:/host/etc/hosts:ro'); + // Should mount a custom hosts file in a secure chroot temp dir (for pre-resolved domains) + const hostsVolume = volumes.find((v: string) => v.includes('/host/etc/hosts')); + expect(hostsVolume).toBeDefined(); + expect(hostsVolume).toMatch(/chroot-.*\/hosts:\/host\/etc\/hosts:ro/); + }); + + it('should pre-resolve allowed domains into chroot-hosts file', () => { + // Mock getent to return a resolved IP for a test domain + mockExecaSync.mockImplementation((...args: any[]) => { + if (args[0] === 'getent' && args[1]?.[0] === 'hosts') { + const domain = args[1][1]; + if (domain === 'github.com') { + return { stdout: '140.82.121.4 github.com', stderr: '', exitCode: 0 }; + } + if (domain === 'npmjs.org') { + return { stdout: '104.16.22.35 npmjs.org', stderr: '', exitCode: 0 }; + } + throw new Error('Resolution failed'); + } + // For docker network inspect (host.docker.internal) + throw new Error('Not found'); + }); + + const config = { + ...mockConfig, + allowedDomains: ['github.com', 'npmjs.org', '*.wildcard.com'], + enableChroot: true + }; + generateDockerCompose(config, mockNetworkConfig); + + // Find the chroot hosts file (mkdtempSync creates chroot-XXXXXX directory) + const chrootDir = fs.readdirSync(mockConfig.workDir).find(d => d.startsWith('chroot-')); + expect(chrootDir).toBeDefined(); + const chrootHostsPath = `${mockConfig.workDir}/${chrootDir}/hosts`; + expect(fs.existsSync(chrootHostsPath)).toBe(true); + const content = fs.readFileSync(chrootHostsPath, 'utf8'); + + // Should contain pre-resolved domains + expect(content).toContain('140.82.121.4\tgithub.com'); + expect(content).toContain('104.16.22.35\tnpmjs.org'); + // Should NOT contain wildcard domains (can't be resolved) + expect(content).not.toContain('wildcard.com'); + + // Reset mock + mockExecaSync.mockReset(); + }); + + it('should skip domains that fail to resolve during pre-resolution', () => { + // Mock getent to fail for all domains + mockExecaSync.mockImplementation(() => { + throw new Error('Resolution failed'); + }); + + const config = { + ...mockConfig, + allowedDomains: ['unreachable.tailnet.example'], + enableChroot: true + }; + // Should not throw even if resolution fails + generateDockerCompose(config, mockNetworkConfig); + + // Find the chroot hosts file (mkdtempSync creates chroot-XXXXXX directory) + const chrootDir = fs.readdirSync(mockConfig.workDir).find(d => d.startsWith('chroot-')); + expect(chrootDir).toBeDefined(); + const chrootHostsPath = `${mockConfig.workDir}/${chrootDir}/hosts`; + expect(fs.existsSync(chrootHostsPath)).toBe(true); + const content = fs.readFileSync(chrootHostsPath, 'utf8'); + + // Should still have the base hosts content (localhost) + expect(content).toContain('localhost'); + // Should NOT contain the unresolvable domain + expect(content).not.toContain('unreachable.tailnet.example'); + + // Reset mock + mockExecaSync.mockReset(); + }); + + it('should not add duplicate entries for domains already in /etc/hosts', () => { + // Mock getent to return a resolved IP + mockExecaSync.mockImplementation((...args: any[]) => { + if (args[0] === 'getent' && args[1]?.[0] === 'hosts') { + return { stdout: '127.0.0.1 localhost', stderr: '', exitCode: 0 }; + } + throw new Error('Not found'); + }); + + const config = { + ...mockConfig, + allowedDomains: ['localhost'], // localhost is already in /etc/hosts + enableChroot: true + }; + generateDockerCompose(config, mockNetworkConfig); + + // Find the chroot hosts file (mkdtempSync creates chroot-XXXXXX directory) + const chrootDir = fs.readdirSync(mockConfig.workDir).find(d => d.startsWith('chroot-')); + expect(chrootDir).toBeDefined(); + const chrootHostsPath = `${mockConfig.workDir}/${chrootDir}/hosts`; + const content = fs.readFileSync(chrootHostsPath, 'utf8'); + + // Count occurrences of 'localhost' - should only be the original entries, not duplicated + const localhostMatches = content.match(/localhost/g); + // /etc/hosts typically has multiple localhost entries (127.0.0.1 and ::1) + // The key assertion is that getent should NOT have been called for localhost + // since it's already in the hosts file + expect(localhostMatches).toBeDefined(); + + // Reset mock + mockExecaSync.mockReset(); }); it('should use GHCR image when enableChroot is true with default preset (GHCR)', () => { diff --git a/src/docker-manager.ts b/src/docker-manager.ts index 18481fe9..155a092b 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts @@ -496,18 +496,48 @@ export function generateDockerCompose( ); // Mount /etc/hosts for host name resolution inside chroot - // When BOTH chroot and host access are enabled, we create a copy with host.docker.internal - // injected. Docker only adds this to the container's /etc/hosts via extra_hosts, but the - // chroot uses the host's /etc/hosts which lacks this entry. MCP servers need it to connect - // to the MCP gateway running on the host. - if (config.enableHostAccess) { - const chrootHostsPath = path.join(config.workDir, 'chroot-hosts'); + // Always create a custom hosts file in chroot mode to: + // 1. Pre-resolve allowed domains using the host's DNS stack (supports Tailscale MagicDNS, + // split DNS, and other custom resolvers not available inside the container) + // 2. Inject host.docker.internal when --enable-host-access is set + // Build complete chroot hosts file content in memory, then write atomically + // to a securely-created temp directory (mkdtempSync) to satisfy CWE-377. + let hostsContent = '127.0.0.1 localhost\n'; + try { + hostsContent = fs.readFileSync('/etc/hosts', 'utf-8'); + } catch { + // /etc/hosts not readable, use minimal fallback + } + + // Pre-resolve allowed domains on the host and append to hosts content. + // This is critical for domains that rely on custom DNS (e.g., Tailscale MagicDNS + // at 100.100.100.100) which is unreachable from inside the Docker container's + // network namespace. Resolution runs on the host where all DNS resolvers are available. + for (const domain of config.allowedDomains) { + // Skip patterns that aren't resolvable hostnames + if (domain.startsWith('*.') || domain.startsWith('.') || domain.includes('*')) continue; + // Skip if already in hosts file + if (hostsContent.includes(domain)) continue; + try { - fs.copyFileSync('/etc/hosts', chrootHostsPath); + const { stdout } = execa.sync('getent', ['hosts', domain], { timeout: 5000 }); + const parts = stdout.trim().split(/\s+/); + const ip = parts[0]; + if (ip) { + hostsContent += `${ip}\t${domain}\n`; + logger.debug(`Pre-resolved ${domain} -> ${ip} for chroot /etc/hosts`); + } } catch { - fs.writeFileSync(chrootHostsPath, '127.0.0.1 localhost\n'); + // Domain couldn't be resolved on the host - it will use DNS at runtime + logger.debug(`Could not pre-resolve ${domain} for chroot /etc/hosts (will use DNS at runtime)`); } - // Resolve host-gateway IP from Docker bridge and append host.docker.internal + } + + // Add host.docker.internal when host access is enabled. + // Docker only adds this to the container's /etc/hosts via extra_hosts, but the + // chroot uses the host's /etc/hosts which lacks this entry. MCP servers need it + // to connect to the MCP gateway running on the host. + if (config.enableHostAccess) { try { const { stdout } = execa.sync('docker', [ 'network', 'inspect', 'bridge', @@ -515,18 +545,20 @@ export function generateDockerCompose( ]); const hostGatewayIp = stdout.trim(); if (hostGatewayIp) { - fs.appendFileSync(chrootHostsPath, `${hostGatewayIp}\thost.docker.internal\n`); + hostsContent += `${hostGatewayIp}\thost.docker.internal\n`; logger.debug(`Added host.docker.internal (${hostGatewayIp}) to chroot-hosts`); } } catch (err) { logger.debug(`Could not resolve Docker bridge gateway: ${err}`); } - fs.chmodSync(chrootHostsPath, 0o644); - agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts`); - } else { - agentVolumes.push('/etc/hosts:/host/etc/hosts:ro'); } + // Write to a securely-created directory (mkdtempSync satisfies CWE-377) + const chrootHostsDir = fs.mkdtempSync(path.join(config.workDir, 'chroot-')); + const chrootHostsPath = path.join(chrootHostsDir, 'hosts'); + fs.writeFileSync(chrootHostsPath, hostsContent, { mode: 0o644 }); + agentVolumes.push(`${chrootHostsPath}:/host/etc/hosts:ro`); + // SECURITY: Hide Docker socket to prevent firewall bypass via 'docker run' // An attacker could otherwise spawn a new container without network restrictions agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro');