From f3f9cbd21a4da19be1a3b9a0c0f356345bf01caa Mon Sep 17 00:00:00 2001 
From: Landon Cox Date: Mon, 2 Feb 2026 18:41:18 -0800 Subject: [PATCH 1/3] chore: migrate from githubnext to github organization - Update Go module path: github.com/githubnext/gh-aw-mcpg -> github.com/github/gh-aw-mcpg - Update all Go imports to use new module path - Update container images: ghcr.io/githubnext/* -> ghcr.io/github/* - Update repository URLs in documentation - Update GitHub Actions references: githubnext/gh-aw -> github/gh-aw - Update GitHub Pages URLs: githubnext.github.io -> github.github.io - All tests pass after migration --- .../agents/create-agentic-workflow.agent.md | 2 +- .../agents/debug-agentic-workflow.agent.md | 8 +-- .github/agents/upgrade-agentic-workflows.md | 4 +- .github/aw/actions-lock.json | 8 +-- .github/aw/create-agentic-workflow.md | 2 +- .github/aw/create-shared-agentic-workflow.md | 2 +- .github/aw/debug-agentic-workflow.md | 8 +-- .github/aw/github-agentic-workflows.md | 8 +-- .github/aw/schemas/agentic-workflow.json | 16 +++--- .github/aw/update-agentic-workflow.md | 2 +- .github/aw/upgrade-agentic-workflows.md | 4 +- .../workflows/.github/aw/actions-lock.json | 4 +- .../.github/workflows/copilot-setup-steps.yml | 2 +- .github/workflows/agentics-maintenance.yml | 2 +- .github/workflows/copilot-setup-steps.yml | 2 +- .../daily-compliance-checker.lock.yml | 50 +++++++++---------- .github/workflows/daily-compliance-checker.md | 30 +++++------ .../duplicate-code-detector.lock.yml | 18 +++---- .github/workflows/go-fan.lock.yml | 20 ++++---- .github/workflows/go-logger.lock.yml | 26 +++++----- .github/workflows/go-logger.md | 6 +-- .github/workflows/issue-monster.lock.yml | 20 ++++---- .../mcp-gateway-log-analyzer.lock.yml | 36 ++++++------- .github/workflows/mcp-gateway-log-analyzer.md | 18 +++---- .github/workflows/plan.lock.yml | 20 ++++---- .github/workflows/rebuild-smoke-codex.yml | 4 +- .github/workflows/rebuild-smoke-copilot.yml | 4 +- .github/workflows/release.lock.yml | 40 +++++++-------- .github/workflows/release.md | 20 
++++---- .../semantic-function-refactor.lock.yml | 18 +++---- .github/workflows/smoke-codex.lock.yml | 16 +++--- .github/workflows/smoke-codex.md | 2 +- .github/workflows/smoke-copilot.lock.yml | 32 ++++++------ .github/workflows/smoke-copilot.md | 2 +- .../workflows/test-coverage-improver.lock.yml | 20 ++++---- .github/workflows/test-improver.lock.yml | 20 ++++---- .gitignore | 2 +- AGENTS.md | 6 +-- CONTRIBUTING.md | 10 ++-- Makefile | 2 +- README.md | 18 +++---- config.json | 2 +- config.toml | 2 +- containers/serena-mcp-server/BUILD_NOTES.md | 4 +- containers/serena-mcp-server/Dockerfile | 6 +-- containers/serena-mcp-server/README.md | 10 ++-- .../serena-mcp-server/test-startup-time.sh | 2 +- docs/DIFC_INTEGRATION_PROPOSAL.md | 12 ++--- docs/GATEWAY_COMPATIBILITY_QUICK_REFERENCE.md | 6 +-- docs/WHY_GITHUB_WORKS_BUT_SERENA_DOESNT.md | 8 +-- go.mod | 2 +- internal/auth/header.go | 4 +- internal/auth/header_test.go | 2 +- internal/cmd/root.go | 8 +-- internal/cmd/root_test.go | 2 +- internal/cmd/stdout_config_test.go | 2 +- internal/config/rules/rules.go | 4 +- internal/config/validation.go | 4 +- internal/config/validation_env.go | 4 +- internal/config/validation_schema.go | 10 ++-- internal/config/validation_schema_test.go | 4 +- internal/difc/evaluator.go | 2 +- internal/guard/context.go | 2 +- internal/guard/guard.go | 2 +- internal/guard/guard_test.go | 4 +- internal/guard/noop.go | 4 +- internal/guard/registry.go | 2 +- internal/launcher/connection_pool.go | 4 +- internal/launcher/connection_pool_test.go | 2 +- internal/launcher/getorlaunch_stdio_test.go | 4 +- internal/launcher/getorlaunch_timeout_test.go | 2 +- .../launcher/getorlaunchforsession_test.go | 2 +- internal/launcher/launcher.go | 10 ++-- internal/launcher/launcher_test.go | 4 +- internal/launcher/log_helpers.go | 6 +-- internal/logger/README.md | 2 +- internal/logger/jsonl_logger.go | 2 +- internal/logger/jsonl_logger_test.go | 2 +- internal/logger/logger.go | 4 +- 
internal/logger/markdown_logger.go | 2 +- internal/logger/rpc_helpers.go | 2 +- internal/mcp/connection.go | 4 +- internal/mcp/connection_arguments_test.go | 4 +- internal/mcp/types.go | 2 +- internal/middleware/README.md | 2 +- internal/middleware/jqschema.go | 2 +- internal/server/auth.go | 2 +- internal/server/call_backend_tool_test.go | 2 +- internal/server/handlers.go | 2 +- internal/server/handlers_test.go | 6 +-- internal/server/health.go | 2 +- internal/server/health_test.go | 2 +- .../server/http_error_propagation_test.go | 4 +- internal/server/http_helpers.go | 6 +-- internal/server/http_helpers_test.go | 2 +- internal/server/integration_test.go | 2 +- .../server/nonexistent_tool_logging_test.go | 4 +- .../register_tools_from_backend_test.go | 2 +- internal/server/routed.go | 2 +- internal/server/routed_test.go | 2 +- internal/server/schema_normalization_test.go | 4 +- internal/server/sdk_logging.go | 4 +- internal/server/server.go | 8 +-- internal/server/shutdown_test.go | 2 +- internal/server/tool_call_arguments_test.go | 2 +- internal/server/tool_name_test.go | 2 +- internal/server/tools_list_schema_test.go | 2 +- internal/server/transport.go | 2 +- internal/server/transport_test.go | 2 +- internal/server/unified.go | 16 +++--- internal/server/unified_http_backend_test.go | 6 +-- internal/server/unified_test.go | 2 +- internal/sys/sys.go | 2 +- internal/testutil/mcptest/driver.go | 4 +- internal/testutil/mcptest/example_test.go | 2 +- .../mcptest/gateway_integration_test.go | 6 +-- internal/testutil/mcptest/harness_test.go | 2 +- main.go | 2 +- test/integration/github_test.go | 10 ++-- test/integration/http_error_test.go | 6 +-- .../IMPLEMENTATION_SUMMARY.md | 4 +- test/serena-mcp-tests/LATEST_RUN_SUMMARY.md | 2 +- test/serena-mcp-tests/QUICKSTART.md | 6 +-- test/serena-mcp-tests/README.md | 6 +-- test/serena-mcp-tests/RESULTS_SUMMARY.md | 2 +- test/serena-mcp-tests/TEST_REPORT.md | 4 +- test/serena-mcp-tests/TEST_RUN_COMPARISON.md | 2 +- 
test/serena-mcp-tests/test_serena.sh | 2 +- .../test_serena_via_gateway.sh | 4 +- 129 files changed, 434 insertions(+), 434 deletions(-) diff --git a/.github/agents/create-agentic-workflow.agent.md b/.github/agents/create-agentic-workflow.agent.md index f092f739..f426f897 100644 --- a/.github/agents/create-agentic-workflow.agent.md +++ b/.github/agents/create-agentic-workflow.agent.md @@ -59,7 +59,7 @@ You love to use emojis to make the conversation more engaging. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md - Key commands: - `gh aw compile` → compile all workflows - `gh aw compile ` → compile one workflow diff --git a/.github/agents/debug-agentic-workflow.agent.md b/.github/agents/debug-agentic-workflow.agent.md index 4c3bd09c..fb291ac7 100644 --- a/.github/agents/debug-agentic-workflow.agent.md +++ b/.github/agents/debug-agentic-workflow.agent.md @@ -18,7 +18,7 @@ The tools output is not visible to the user unless you explicitly print it. Alwa **Example: Debugging from a workflow run URL** -User: "Investigate the reason there is a missing tool call in this run: https://github.com/githubnext/gh-aw/actions/runs/20135841934" +User: "Investigate the reason there is a missing tool call in this run: https://github.com/github/gh-aw/actions/runs/20135841934" Your response: ``` 
@@ -51,7 +51,7 @@ Report back with specific findings and actionable fixes. - The `gh aw` CLI is already installed in this environment. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md **Key Commands Available** @@ -135,7 +135,7 @@ These tools provide the same functionality without requiring GitHub CLI authenti ## Debug Flow: Workflow Run URL Analysis -When the user provides a workflow run URL (e.g., `https://github.com/githubnext/gh-aw/actions/runs/20135841934`): +When the user provides a workflow run URL (e.g., `https://github.com/github/gh-aw/actions/runs/20135841934`): 1. **Extract Run ID** 
@@ -338,7 +338,7 @@ Use these tactics when a run is still executing or finishes without artifacts: - **Polling in-progress runs**: If `gh aw audit --json` returns `"status": "in_progress"`, wait ~45s and re-run the command or monitor the run URL directly. Avoid spamming the API—loop with `sleep` intervals. - **Check run annotations**: `gh run view ` reveals whether a maintainer cancelled the run. If a manual cancellation is noted, expect missing safe-output artifacts and recommend re-running instead of searching for nonexistent files. - **Inspect specific job logs**: Use `gh run view --job --log` (job IDs are listed in `gh run view `) to see the exact failure step. -- **Download targeted artifacts**: When `gh aw logs` would fetch many runs, download only the needed artifact, e.g. `GH_REPO=githubnext/gh-aw gh run download -n agent-stdio.log`. +- **Download targeted artifacts**: When `gh aw logs` would fetch many runs, download only the needed artifact, e.g. `GH_REPO=github/gh-aw gh run download -n agent-stdio.log`. - **Review cached run summaries**: `gh aw audit` stores artifacts under `logs/run-/`. Inspect `run_summary.json` or `agent-stdio.log` there for offline analysis before re-running workflows. ## Common Issues to Look For diff --git a/.github/agents/upgrade-agentic-workflows.md b/.github/agents/upgrade-agentic-workflows.md index 4eee0fdb..00cd2314 100644 --- a/.github/agents/upgrade-agentic-workflows.md +++ b/.github/agents/upgrade-agentic-workflows.md 
@@ -15,7 +15,7 @@ Read the ENTIRE content of this file carefully before proceeding. Follow the ins - The `gh aw` CLI may be available in this environment. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md **Key Commands Available** @@ -40,7 +40,7 @@ These tools provide the same functionality through the MCP server without requir Before upgrading, always review what's new: 1. **Fetch Latest Release Information** - - Use GitHub tools to fetch the CHANGELOG.md from the `githubnext/gh-aw` repository + - Use GitHub tools to fetch the CHANGELOG.md from the `github/gh-aw` repository - Review and understand: - Breaking changes - New features diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 60334709..611628a1 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -60,13 +60,13 @@ "version": "v3", "sha": "c7c53464625b32c7a7e944ae62b3e17d2b600130" }, - "githubnext/gh-aw/actions/setup@v0.35.1": { - "repo": "githubnext/gh-aw/actions/setup", + "github/gh-aw/actions/setup@v0.35.1": { + "repo": "github/gh-aw/actions/setup", "version": "v0.35.1", "sha": "d76e21bcc92a3146d915794285b0b32f51d00072" }, - "githubnext/gh-aw/actions/setup@v0.36.0": { - "repo": "githubnext/gh-aw/actions/setup", + "github/gh-aw/actions/setup@v0.36.0": { + "repo": "github/gh-aw/actions/setup", "version": "v0.36.0", "sha": "547a146e95910805ca7136cedc9069497c14210d" } diff --git a/.github/aw/create-agentic-workflow.md b/.github/aw/create-agentic-workflow.md index 2d866c21..57e7a847 100644 --- a/.github/aw/create-agentic-workflow.md +++ b/.github/aw/create-agentic-workflow.md 
@@ -57,7 +57,7 @@ You love to use emojis to make the conversation more engaging. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md - Key commands: - `gh aw compile` → compile all workflows - `gh aw compile ` → compile one workflow diff --git a/.github/aw/create-shared-agentic-workflow.md b/.github/aw/create-shared-agentic-workflow.md index a9715104..483cc4b1 100644 --- a/.github/aw/create-shared-agentic-workflow.md +++ b/.github/aw/create-shared-agentic-workflow.md @@ -93,7 +93,7 @@ mcp-servers: \`\`\`yaml mcp-servers: serena: - container: "ghcr.io/githubnext/serena-mcp-server" + container: "ghcr.io/github/serena-mcp-server" version: "latest" args: # args come before the docker image argument - "-v" diff --git a/.github/aw/debug-agentic-workflow.md b/.github/aw/debug-agentic-workflow.md index a4f9d2c1..5d9200d4 100644 --- a/.github/aw/debug-agentic-workflow.md +++ b/.github/aw/debug-agentic-workflow.md @@ -18,7 +18,7 @@ The tools output is not visible to the user unless you explicitly print it. Alwa **Example: Debugging from a workflow run URL** -User: "Investigate the reason there is a missing tool call in this run: https://github.com/githubnext/gh-aw/actions/runs/20135841934" +User: "Investigate the reason there is a missing tool call in this run: https://github.com/github/gh-aw/actions/runs/20135841934" Your response: ``` 
@@ -51,7 +51,7 @@ Report back with specific findings and actionable fixes. - The `gh aw` CLI is already installed in this environment. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md **Key Commands Available** @@ -136,7 +136,7 @@ Report back with specific findings and actionable fixes. ## Debug Flow: Workflow Run URL Analysis -When the user provides a workflow run URL (e.g., `https://github.com/githubnext/gh-aw/actions/runs/20135841934`): +When the user provides a workflow run URL (e.g., `https://github.com/github/gh-aw/actions/runs/20135841934`): 1. **Extract Run ID** 
@@ -339,7 +339,7 @@ Use these tactics when a run is still executing or finishes without artifacts: - **Polling in-progress runs**: If `gh aw audit --json` returns `"status": "in_progress"`, wait ~45s and re-run the command or monitor the run URL directly. Avoid spamming the API—loop with `sleep` intervals. - **Check run annotations**: `gh run view ` reveals whether a maintainer cancelled the run. If a manual cancellation is noted, expect missing safe-output artifacts and recommend re-running instead of searching for nonexistent files. - **Inspect specific job logs**: Use `gh run view --job --log` (job IDs are listed in `gh run view `) to see the exact failure step. -- **Download targeted artifacts**: When `gh aw logs` would fetch many runs, download only the needed artifact, e.g. `GH_REPO=githubnext/gh-aw gh run download -n agent-stdio.log`. +- **Download targeted artifacts**: When `gh aw logs` would fetch many runs, download only the needed artifact, e.g. `GH_REPO=github/gh-aw gh run download -n agent-stdio.log`. - **Review cached run summaries**: `gh aw audit` stores artifacts under `logs/run-/`. Inspect `run_summary.json` or `agent-stdio.log` there for offline analysis before re-running workflows. ## Common Issues to Look For diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md index 92507160..a724388a 100644 --- a/.github/aw/github-agentic-workflows.md +++ b/.github/aw/github-agentic-workflows.md @@ -266,7 +266,7 @@ The YAML frontmatter supports these fields: sandbox: agent: awf # or "srt", or false to disable mcp: # MCP Gateway configuration (requires mcp-gateway feature flag) - container: ghcr.io/githubnext/mcp-gateway + container: ghcr.io/github/mcp-gateway port: 8080 api-key: ${{ secrets.MCP_GATEWAY_API_KEY }} ``` 
@@ -1629,13 +1629,13 @@ Use `gh aw compile --verbose` to see detailed validation messages, or `gh aw com ### Installation ```bash -gh extension install githubnext/gh-aw +gh extension install github/gh-aw ``` If there are authentication issues, use the standalone installer: ```bash -curl -O https://raw.githubusercontent.com/githubnext/gh-aw/main/install-gh-aw.sh +curl -O https://raw.githubusercontent.com/github/gh-aw/main/install-gh-aw.sh chmod +x install-gh-aw.sh ./install-gh-aw.sh ``` @@ -1664,4 +1664,4 @@ gh aw logs ### Documentation -For complete CLI documentation, see: https://githubnext.github.io/gh-aw/setup/cli/ \ No newline at end of file +For complete CLI documentation, see: https://github.github.io/gh-aw/setup/cli/ \ No newline at end of file diff --git a/.github/aw/schemas/agentic-workflow.json b/.github/aw/schemas/agentic-workflow.json index 5dc44b40..815222ee 100644 --- a/.github/aw/schemas/agentic-workflow.json +++ b/.github/aw/schemas/agentic-workflow.json @@ -1,6 +1,6 @@ { "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://github.com/githubnext/gh-aw/schemas/main_workflow_schema.json", + "$id": "https://github.com/github/gh-aw/schemas/main_workflow_schema.json", "title": "GitHub Agentic Workflow Schema", "description": "JSON Schema for validating agentic workflow frontmatter configuration", "version": "1.0.0", 
@@ -20,8 +20,8 @@ }, "source": { "type": "string", - "description": "Optional source reference indicating where this workflow was added from. Format: owner/repo/path@ref (e.g., githubnext/agentics/workflows/ci-doctor.md@v1.0.0). Rendered as a comment in the generated lock file.", - "examples": ["githubnext/agentics/workflows/ci-doctor.md", "githubnext/agentics/workflows/daily-perf-improver.md@1f181b37d3fe5862ab590648f25a292e345b5de6"] + "description": "Optional source reference indicating where this workflow was added from. Format: owner/repo/path@ref (e.g., github/agentics/workflows/ci-doctor.md@v1.0.0). Rendered as a comment in the generated lock file.", + "examples": ["github/agentics/workflows/ci-doctor.md", "github/agentics/workflows/daily-perf-improver.md@1f181b37d3fe5862ab590648f25a292e345b5de6"] }, "tracker-id": { "type": "string", @@ -64,7 +64,7 @@ }, "imports": { "type": "array", - "description": "Optional array of workflow specifications to import (similar to @include directives but defined in frontmatter). Format: owner/repo/path@ref (e.g., githubnext/agentics/workflows/shared/common.md@v1.0.0). Can be strings or objects with path and inputs. Any markdown files under .github/agents directory are treated as custom agent files and only one agent file is allowed per workflow.", + "description": "Optional array of workflow specifications to import (similar to @include directives but defined in frontmatter). Format: owner/repo/path@ref (e.g., github/agentics/workflows/shared/common.md@v1.0.0). Can be strings or objects with path and inputs. Any markdown files under .github/agents directory are treated as custom agent files and only one agent file is allowed per workflow.", "items": { "oneOf": [ { 
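Review bot: The `source` and `imports` descriptions and examples in this schema now read `github/agentics/workflows/...`, but the commit description lists only `gh-aw-mcpg`, `gh-aw`, container images and Pages URLs as migrated, so this looks like a side effect of a blanket search-and-replace. The second `source` example pins `@1f181b37d3fe5862ab590648f25a292e345b5de6`, a ref that was written against `githubnext/agentics`; if that repository has not moved, the example now names an owner/repo/path@ref that does not resolve. Please confirm that `agentics` (and `gh-aw-firewall`, which is rewritten later in the patch) actually live under `github/` before merging, or revert those strings.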
@@ -1806,7 +1806,7 @@ ] }, "env": { - "$comment": "See environment variable precedence documentation: https://githubnext.github.io/gh-aw/reference/environment-variables/", + "$comment": "See environment variable precedence documentation: https://github.github.io/gh-aw/reference/environment-variables/", "description": "Environment variables for the workflow", "oneOf": [ { @@ -2368,14 +2368,14 @@ }, { "mcp": { - "container": "ghcr.io/githubnext/mcp-gateway", + "container": "ghcr.io/github/mcp-gateway", "port": 8080 } }, { "agent": "awf", "mcp": { - "container": "ghcr.io/githubnext/mcp-gateway", + "container": "ghcr.io/github/mcp-gateway", "port": 8080, "api-key": "${{ secrets.MCP_GATEWAY_API_KEY }}" } 
@@ -5286,7 +5286,7 @@ "type": "boolean", "default": true, "$comment": "Strict mode enforces several security constraints that are validated in Go code (pkg/workflow/strict_mode_validation.go) rather than JSON Schema: (1) Write Permissions + Safe Outputs: When strict=true AND permissions contains write values (contents:write, issues:write, pull-requests:write), safe-outputs must be configured. This relationship is too complex for JSON Schema as it requires checking if ANY permission property has a 'write' value. (2) Network Requirements: When strict=true, the 'network' field must be present and cannot contain wildcard '*'. (3) MCP Container Network: Custom MCP servers with containers require explicit network configuration. (4) Action Pinning: Actions must be pinned to commit SHAs. These are enforced during compilation via validateStrictMode().", - "description": "Enable strict mode validation for enhanced security and compliance. Strict mode enforces: (1) Write Permissions - refuses contents:write, issues:write, pull-requests:write; requires safe-outputs instead, (2) Network Configuration - requires explicit network configuration with no wildcard '*' in allowed domains, (3) Action Pinning - enforces actions pinned to commit SHAs instead of tags/branches, (4) MCP Network - requires network configuration for custom MCP servers with containers, (5) Deprecated Fields - refuses deprecated frontmatter fields. Can be enabled per-workflow via 'strict: true' in frontmatter, or disabled via 'strict: false'. CLI flag takes precedence over frontmatter (gh aw compile --strict enforces strict mode). Defaults to true. See: https://githubnext.github.io/gh-aw/reference/frontmatter/#strict-mode-strict", + "description": "Enable strict mode validation for enhanced security and compliance. 
Strict mode enforces: (1) Write Permissions - refuses contents:write, issues:write, pull-requests:write; requires safe-outputs instead, (2) Network Configuration - requires explicit network configuration with no wildcard '*' in allowed domains, (3) Action Pinning - enforces actions pinned to commit SHAs instead of tags/branches, (4) MCP Network - requires network configuration for custom MCP servers with containers, (5) Deprecated Fields - refuses deprecated frontmatter fields. Can be enabled per-workflow via 'strict: true' in frontmatter, or disabled via 'strict: false'. CLI flag takes precedence over frontmatter (gh aw compile --strict enforces strict mode). Defaults to true. See: https://github.github.io/gh-aw/reference/frontmatter/#strict-mode-strict", "examples": [true, false] }, "safe-inputs": { diff --git a/.github/aw/update-agentic-workflow.md b/.github/aw/update-agentic-workflow.md index beeef734..81a28a55 100644 --- a/.github/aw/update-agentic-workflow.md +++ b/.github/aw/update-agentic-workflow.md @@ -24,7 +24,7 @@ You format your questions and responses similarly to the GitHub Copilot CLI chat - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md - Key commands: - `gh aw compile` → compile all workflows - `gh aw compile ` → compile one workflow diff --git a/.github/aw/upgrade-agentic-workflows.md b/.github/aw/upgrade-agentic-workflows.md index 83cee26e..b43750de 100644 --- a/.github/aw/upgrade-agentic-workflows.md +++ b/.github/aw/upgrade-agentic-workflows.md 
@@ -15,7 +15,7 @@ Read the ENTIRE content of this file carefully before proceeding. Follow the ins - The `gh aw` CLI may be available in this environment. - Always consult the **instructions file** for schema and features: - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/githubnext/gh-aw/main/.github/aw/github-agentic-workflows.md + - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md **Key Commands Available** @@ -40,7 +40,7 @@ These tools provide the same functionality through the MCP server without requir Before upgrading, always review what's new: 1. **Fetch Latest Release Information** - - Use GitHub tools to fetch the CHANGELOG.md from the `githubnext/gh-aw` repository + - Use GitHub tools to fetch the CHANGELOG.md from the `github/gh-aw` repository - Review and understand: - Breaking changes - New features diff --git a/.github/workflows/.github/aw/actions-lock.json b/.github/workflows/.github/aw/actions-lock.json index 1f061b90..06cb090e 100644 --- a/.github/workflows/.github/aw/actions-lock.json +++ b/.github/workflows/.github/aw/actions-lock.json @@ -5,8 +5,8 @@ "version": "v8", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "githubnext/gh-aw/actions/setup@v0.36.0": { - "repo": "githubnext/gh-aw/actions/setup", + "github/gh-aw/actions/setup@v0.36.0": { + "repo": "github/gh-aw/actions/setup", "version": "v0.36.0", "sha": "a933c835b5e2d12ae4dead665a0fdba420a2d421" } diff --git a/.github/workflows/.github/workflows/copilot-setup-steps.yml b/.github/workflows/.github/workflows/copilot-setup-steps.yml index 19801424..4193dfdf 100644 --- a/.github/workflows/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/.github/workflows/copilot-setup-steps.yml 
@@ -20,6 +20,6 @@ jobs: steps: - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/githubnext/gh-aw/refs/heads/main/install-gh-aw.sh | bash + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash - name: Verify gh-aw installation run: gh aw version diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 2bd8a884..71ff5344 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -17,7 +17,7 @@ # # To regenerate this workflow, run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Alternative regeneration methods: # make recompile diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 7a48afc9..2b81c379 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -30,6 +30,6 @@ jobs: go-version: '1.25' - name: Install gh-aw extension run: | - curl -fsSL https://raw.githubusercontent.com/githubnext/gh-aw/refs/heads/main/install-gh-aw.sh | bash + curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash - name: Verify gh-aw installation run: gh aw version diff --git a/.github/workflows/daily-compliance-checker.lock.yml b/.github/workflows/daily-compliance-checker.lock.yml index 53333e2e..7eb8a1b5 100644 --- a/.github/workflows/daily-compliance-checker.lock.yml +++ b/.github/workflows/daily-compliance-checker.lock.yml 
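Review bot: Both `copilot-setup-steps.yml` hunks (the one under `.github/workflows/.github/workflows/` and the one under `.github/workflows/`) still pipe `install-gh-aw.sh` from the moving `refs/heads/main` into `bash` with no integrity check, and this change also swaps the organization the script is served from, so whatever sits at the new location on `main` runs in the job unreviewed. Pin the fetch to a reviewed commit, e.g. `curl -fsSL https://raw.githubusercontent.com/github/gh-aw/<COMMIT_SHA>/install-gh-aw.sh | bash`, or install with `gh extension install github/gh-aw --pin <TAG>`. The generated `daily-compliance-checker.lock.yml` later in this patch has the same shape for `gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash`, there without `-f`; that one would presumably have to be fixed in whatever generates the lock file.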
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily automated compliance checker that validates MCP Gateway implementation against the official specification @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -134,7 +134,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -153,7 +153,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -456,7 +456,7 @@ jobs: cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Daily MCP Gateway Compliance Checker 🔍 - You are an AI compliance auditor that verifies the MCP Gateway implementation follows the official [MCP Gateway Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md). + You are an AI compliance auditor that verifies the MCP Gateway implementation follows the official [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md). ## Mission @@ -526,14 +526,14 @@ jobs: Get the latest specification to check against using the GitHub MCP: Use the GitHub MCP's `get_file_contents` tool to read the specification file: - - **Owner**: `githubnext` + - **Owner**: `github` - **Repo**: `gh-aw` - **Path**: `docs/src/content/docs/reference/mcp-gateway.md` - **Ref**: `main` (to get the latest version) Example: ``` - Use github get_file_contents with owner=githubnext, repo=gh-aw, path=docs/src/content/docs/reference/mcp-gateway.md, ref=main + Use github get_file_contents with owner=github, repo=gh-aw, path=docs/src/content/docs/reference/mcp-gateway.md, ref=main ``` Parse the specification to extract: @@ -568,7 +568,7 @@ jobs: 7. Verify HTTP servers require `url` field **Deep Link Template:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#41-configuration-format` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#41-configuration-format` ### 4.2 Containerization Requirement (Section 3.2.1) @@ -582,7 +582,7 @@ jobs: 4. Check that `command` field is rejected during validation **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#321-containerization-requirement` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#321-containerization-requirement` ### 4.3 Protocol Behavior (Section 5) 
@@ -602,7 +602,7 @@ jobs: 5. Check timeout enforcement **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#5-protocol-behavior` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#5-protocol-behavior` ### 4.4 Server Isolation (Section 6) @@ -620,7 +620,7 @@ jobs: 4. Verify failure isolation **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#6-server-isolation` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#6-server-isolation` ### 4.5 Authentication (Section 7) @@ -637,7 +637,7 @@ jobs: 4. Verify no plaintext API key logging **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#7-authentication` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#7-authentication` ### 4.6 Health Monitoring (Section 8) @@ -654,7 +654,7 @@ jobs: 4. Verify automatic restart logic **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#8-health-monitoring` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#8-health-monitoring` ### 4.7 Error Handling (Section 9) @@ -672,7 +672,7 @@ jobs: 4. Verify error codes match specification **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#9-error-handling` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#9-error-handling` ### 4.8 Compliance Testing (Section 10) 
@@ -690,7 +690,7 @@ jobs: 4. Verify test coverage for critical requirements **Deep Link:** - `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#10-compliance-testing` + `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#10-compliance-testing` ## Step 5: Cross-Reference with README and Documentation 📚 @@ -719,7 +719,7 @@ jobs: - **Requirement:** The specific MUST/SHOULD/SHALL requirement - **Current State:** What the code currently does - **Gap:** How it deviates from the specification - - **Deep Link:** Direct link to the spec section (format: `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#section-id`) + - **Deep Link:** Direct link to the spec section (format: `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#section-id`) - **File References:** Specific files and line numbers - **Severity:** Critical (MUST violation), Important (SHOULD violation), Minor (MAY suggestion) @@ -728,7 +728,7 @@ jobs: ### Issue: Variable Expansion Not Failing Fast **Specification Section:** 4.2.2 Variable Expression Resolution - **Deep Link:** https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior + **Deep Link:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior **Requirement:** > "The gateway MUST... FAIL IMMEDIATELY if a referenced variable is not defined" 
@@ -790,7 +790,7 @@ jobs: ### Task 1: Fix Variable Expansion Validation **Description:** Update validation logic to fail immediately on undefined variables **Files:** `internal/config/validation.go` - **Specification Reference:** https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior + **Specification Reference:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior **Estimated Effort:** Small (2-3 hours) ### Task 2: [Next task...] @@ -804,7 +804,7 @@ jobs: ## References - - [MCP Gateway Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) + - [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) - Last review: [Previous review issue if any] - Commits reviewed: [commit range] ``` @@ -1179,7 +1179,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1264,7 +1264,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
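Review bot: The `Setup Scripts` step in the `@@ -1179` hunk now resolves `github/gh-aw/actions/setup@v0.36.0` through a mutable tag under a different owner, so the code the job runs is whatever that tag points to in the new organization at run time. Before merging, confirm that `v0.36.0` under `github/gh-aw` resolves to the same commit it did under `githubnext/gh-aw`. Prefer a full commit SHA with the tag kept as a comment, e.g. `uses: github/gh-aw/actions/setup@<full-commit-sha> # v0.36.0`. The same line recurs in every `Setup Scripts` hunk of this file and of the other `*.lock.yml` files in the patch. These files are generated by `gh aw compile`, so the pin presumably has to come from the compiler or from `.github/aw/actions-lock.json` rather than a hand edit.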
@@ -1343,7 +1343,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1424,7 +1424,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1461,7 +1461,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/daily-compliance-checker.md b/.github/workflows/daily-compliance-checker.md index da0d6851..a2d1d18f 100644 --- a/.github/workflows/daily-compliance-checker.md +++ b/.github/workflows/daily-compliance-checker.md @@ -41,7 +41,7 @@ strict: true # Daily MCP Gateway Compliance Checker 🔍 -You are an AI compliance auditor that verifies the MCP Gateway implementation follows the official [MCP Gateway Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md). +You are an AI compliance auditor that verifies the MCP Gateway implementation follows the official [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md). ## Mission 
@@ -111,14 +111,14 @@ Use cache memory to avoid re-validating already-checked aspects: Get the latest specification to check against using the GitHub MCP: Use the GitHub MCP's `get_file_contents` tool to read the specification file: -- **Owner**: `githubnext` +- **Owner**: `github` - **Repo**: `gh-aw` - **Path**: `docs/src/content/docs/reference/mcp-gateway.md` - **Ref**: `main` (to get the latest version) Example: ``` -Use github get_file_contents with owner=githubnext, repo=gh-aw, path=docs/src/content/docs/reference/mcp-gateway.md, ref=main +Use github get_file_contents with owner=github, repo=gh-aw, path=docs/src/content/docs/reference/mcp-gateway.md, ref=main ``` Parse the specification to extract: @@ -153,7 +153,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 7. Verify HTTP servers require `url` field **Deep Link Template:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#41-configuration-format` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#41-configuration-format` ### 4.2 Containerization Requirement (Section 3.2.1) @@ -167,7 +167,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 4. Check that `command` field is rejected during validation **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#321-containerization-requirement` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#321-containerization-requirement` ### 4.3 Protocol Behavior (Section 5) 
@@ -187,7 +187,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 5. Check timeout enforcement **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#5-protocol-behavior` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#5-protocol-behavior` ### 4.4 Server Isolation (Section 6) @@ -205,7 +205,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 4. Verify failure isolation **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#6-server-isolation` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#6-server-isolation` ### 4.5 Authentication (Section 7) @@ -222,7 +222,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 4. Verify no plaintext API key logging **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#7-authentication` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#7-authentication` ### 4.6 Health Monitoring (Section 8) @@ -239,7 +239,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 4. Verify automatic restart logic **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#8-health-monitoring` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#8-health-monitoring` ### 4.7 Error Handling (Section 9) 
@@ -257,7 +257,7 @@ Review each section of the specification systematically. For **CHANGED FILES fro 4. Verify error codes match specification **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#9-error-handling` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#9-error-handling` ### 4.8 Compliance Testing (Section 10) @@ -275,7 +275,7 @@ The specification defines test categories that implementations MUST pass: 4. Verify test coverage for critical requirements **Deep Link:** -`https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#10-compliance-testing` +`https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#10-compliance-testing` ## Step 5: Cross-Reference with README and Documentation 📚 @@ -304,7 +304,7 @@ For each compliance issue found: - **Requirement:** The specific MUST/SHOULD/SHALL requirement - **Current State:** What the code currently does - **Gap:** How it deviates from the specification - - **Deep Link:** Direct link to the spec section (format: `https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#section-id`) + - **Deep Link:** Direct link to the spec section (format: `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#section-id`) - **File References:** Specific files and line numbers - **Severity:** Critical (MUST violation), Important (SHOULD violation), Minor (MAY suggestion) 
@@ -313,7 +313,7 @@ For each compliance issue found: ### Issue: Variable Expansion Not Failing Fast **Specification Section:** 4.2.2 Variable Expression Resolution - **Deep Link:** https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior + **Deep Link:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior **Requirement:** > "The gateway MUST... FAIL IMMEDIATELY if a referenced variable is not defined" @@ -375,7 +375,7 @@ If compliance issues are found: ### Task 1: Fix Variable Expansion Validation **Description:** Update validation logic to fail immediately on undefined variables **Files:** `internal/config/validation.go` - **Specification Reference:** https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior + **Specification Reference:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior **Estimated Effort:** Small (2-3 hours) ### Task 2: [Next task...] @@ -389,7 +389,7 @@ If compliance issues are found: ## References - - [MCP Gateway Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) + - [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) - Last review: [Previous review issue if any] - Commits reviewed: [commit range] ``` diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index c323c57f..9fbfc817 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Identifies duplicate code patterns across the Go codebase and suggests refactoring opportunities @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -129,7 +129,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -148,7 +148,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
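Review bot: The `Install awf binary` step in the `@@ -148` hunk pipes `install.sh` from the mutable `main` branch of `github/gh-aw-firewall` straight into `sudo ... bash`, and `AWF_VERSION=v0.8.2` pins only the version the script is asked to install, not the script itself. Because the owner change moves control of that root-executed script, fetch it from an immutable ref and verify it before running. For example: `curl -fsSL https://raw.githubusercontent.com/github/gh-aw-firewall/<commit-sha>/install.sh -o install.sh`, then `echo "<expected-sha256>  install.sh" | sha256sum -c -`, then `sudo AWF_VERSION=v0.8.2 bash install.sh`. The same step appears unchanged in the go-fan, go-logger, issue-monster and mcp-gateway-log-analyzer lock files. All of them are generated, so the fix likely belongs in the generator rather than in these hunks.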
@@ -1108,7 +1108,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1193,7 +1193,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1272,7 +1272,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1353,7 +1353,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 9ce67849..1f046238 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily Go module usage reviewer - analyzes direct dependencies prioritizing recently updated ones # @@ -52,7 +52,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -145,7 +145,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -164,7 +164,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -1103,7 +1103,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1189,7 +1189,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1268,7 +1268,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1350,7 +1350,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1387,7 +1387,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index c6e8a163..96132298 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml 
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Analyzes and enhances Go logging practices across the codebase for improved debugging and observability @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -134,7 +134,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -153,7 +153,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -481,7 +481,7 @@ jobs: If a file doesn't have a logger, add this at the top of the file (after imports): ```go - import "github.com/githubnext/gh-aw-mcpg/internal/logger" + import "github.com/github/gh-aw-mcpg/internal/logger" var log = logger.New("pkg:filename") ``` @@ -587,7 +587,7 @@ jobs: For the selected file: 1. **Add logger declaration if missing:** - - Add import: `"github.com/githubnext/gh-aw-mcpg/internal/logger"` + - Add import: `"github.com/github/gh-aw-mcpg/internal/logger"` - Add logger variable using correct naming: `var log = logger.New("pkg:filename")` 2. **Reuse existing logger if present:** @@ -672,7 +672,7 @@ jobs: "fmt" "net/http" - "github.com/githubnext/gh-aw-mcpg/internal/logger" + "github.com/github/gh-aw-mcpg/internal/logger" ) var log = logger.New("server:server") @@ -1035,7 +1035,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1118,7 +1118,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1197,7 +1197,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI 
@@ -1280,7 +1280,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1342,7 +1342,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/go-logger.md b/.github/workflows/go-logger.md index 5cde490e..d7b5aded 100644 --- a/.github/workflows/go-logger.md +++ b/.github/workflows/go-logger.md @@ -81,7 +81,7 @@ Add meaningful debug logging calls to Go files in the `internal/` directory foll If a file doesn't have a logger, add this at the top of the file (after imports): ```go -import "github.com/githubnext/gh-aw-mcpg/internal/logger" +import "github.com/github/gh-aw-mcpg/internal/logger" var log = logger.New("pkg:filename") ``` @@ -187,7 +187,7 @@ For the selected file: For the selected file: 1. **Add logger declaration if missing:** - - Add import: `"github.com/githubnext/gh-aw-mcpg/internal/logger"` + - Add import: `"github.com/github/gh-aw-mcpg/internal/logger"` - Add logger variable using correct naming: `var log = logger.New("pkg:filename")` 2. **Reuse existing logger if present:** @@ -272,7 +272,7 @@ import ( "fmt" "net/http" - "github.com/githubnext/gh-aw-mcpg/internal/logger" + "github.com/github/gh-aw-mcpg/internal/logger" ) var log = logger.New("server:server") diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 59b6ab3f..8a606150 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml 
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # The Cookie Monster of issues - assigns issues to Copilot agents one at a time @@ -56,7 +56,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -93,7 +93,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -127,7 +127,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -146,7 +146,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -915,7 +915,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -999,7 +999,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1078,7 +1078,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1146,7 +1146,7 @@ jobs: activated: ${{ ((steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true')) && (steps.check_skip_if_no_match.outputs.skip_no_match_check_ok == 'true') }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1211,7 +1211,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
diff --git a/.github/workflows/mcp-gateway-log-analyzer.lock.yml b/.github/workflows/mcp-gateway-log-analyzer.lock.yml index 707b4124..8a01ded3 100644 --- a/.github/workflows/mcp-gateway-log-analyzer.lock.yml +++ b/.github/workflows/mcp-gateway-log-analyzer.lock.yml @@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analysis of MCP Gateway logs from gh-aw repository workflows to identify bugs and issues @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -85,7 +85,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -119,7 +119,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI 
@@ -138,7 +138,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server @@ -445,11 +445,11 @@ jobs: ## Mission - Analyze workflow runs from the last 24 hours in the `githubnext/gh-aw` repository, looking for MCP Gateway errors in the artifact logs. Create a comprehensive issue summarizing any problems found. + Analyze workflow runs from the last 24 hours in the `github/gh-aw` repository, looking for MCP Gateway errors in the artifact logs. Create a comprehensive issue summarizing any problems found. ## Target Workflows - Focus on these specific workflow files in `githubnext/gh-aw`: + Focus on these specific workflow files in `github/gh-aw`: 1. `code-scanning-fixer.lock.yml` 2. `copilot-agent-analysis.lock.yml` @@ -460,7 +460,7 @@ jobs: 1. **List workflow runs for code-scanning-fixer:** ``` Use github-mcp-server list_workflow_runs with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: code-scanning-fixer.lock.yml ``` @@ -468,7 +468,7 @@ jobs: 2. **List workflow runs for copilot-agent-analysis:** ``` Use github-mcp-server list_workflow_runs with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: copilot-agent-analysis.lock.yml ``` @@ -485,7 +485,7 @@ jobs: 1. **List artifacts:** ``` Use github-mcp-server list_workflow_run_artifacts with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: ``` 
@@ -815,9 +815,9 @@ jobs: ## Workflow Run References - - [§run_id_1](https://github.com/githubnext/gh-aw/actions/runs/run_id_1) - - [§run_id_2](https://github.com/githubnext/gh-aw/actions/runs/run_id_2) - - [§run_id_3](https://github.com/githubnext/gh-aw/actions/runs/run_id_3) + - [§run_id_1](https://github.com/github/gh-aw/actions/runs/run_id_1) + - [§run_id_2](https://github.com/github/gh-aw/actions/runs/run_id_2) + - [§run_id_3](https://github.com/github/gh-aw/actions/runs/run_id_3) ## Analysis Period @@ -936,7 +936,7 @@ jobs: # Note: GITHUB_TOKEN will be available in the workflow environment # Get artifact download URL artifact_url=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \ - "https://api.github.com/repos/githubnext/gh-aw/actions/artifacts/$artifact_id/zip" \ + "https://api.github.com/repos/github/gh-aw/actions/artifacts/$artifact_id/zip" \ -w '%{redirect_url}') # Download and extract @@ -1247,7 +1247,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1332,7 +1332,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1411,7 +1411,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1492,7 +1492,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/mcp-gateway-log-analyzer.md b/.github/workflows/mcp-gateway-log-analyzer.md index b0fca065..b20ac7b7 100644 --- a/.github/workflows/mcp-gateway-log-analyzer.md +++ b/.github/workflows/mcp-gateway-log-analyzer.md @@ -38,11 +38,11 @@ You are an AI agent that monitors MCP Gateway logs from the gh-aw repository to ## Mission -Analyze workflow runs from the last 24 hours in the `githubnext/gh-aw` repository, looking for MCP Gateway errors in the artifact logs. Create a comprehensive issue summarizing any problems found. +Analyze workflow runs from the last 24 hours in the `github/gh-aw` repository, looking for MCP Gateway errors in the artifact logs. Create a comprehensive issue summarizing any problems found. ## Target Workflows -Focus on these specific workflow files in `githubnext/gh-aw`: +Focus on these specific workflow files in `github/gh-aw`: 1. `code-scanning-fixer.lock.yml` 2. `copilot-agent-analysis.lock.yml` 
@@ -53,7 +53,7 @@ Use the GitHub MCP server to fetch workflow runs from the last 24 hours: 1. **List workflow runs for code-scanning-fixer:** ``` Use github-mcp-server list_workflow_runs with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: code-scanning-fixer.lock.yml ``` @@ -61,7 +61,7 @@ Use the GitHub MCP server to fetch workflow runs from the last 24 hours: 2. **List workflow runs for copilot-agent-analysis:** ``` Use github-mcp-server list_workflow_runs with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: copilot-agent-analysis.lock.yml ``` @@ -78,7 +78,7 @@ For each workflow run found: 1. **List artifacts:** ``` Use github-mcp-server list_workflow_run_artifacts with: - - owner: githubnext + - owner: github - repo: gh-aw - resource_id: ``` @@ -408,9 +408,9 @@ For each reproducible error, provide: ## Workflow Run References -- [§run_id_1](https://github.com/githubnext/gh-aw/actions/runs/run_id_1) -- [§run_id_2](https://github.com/githubnext/gh-aw/actions/runs/run_id_2) -- [§run_id_3](https://github.com/githubnext/gh-aw/actions/runs/run_id_3) +- [§run_id_1](https://github.com/github/gh-aw/actions/runs/run_id_1) +- [§run_id_2](https://github.com/github/gh-aw/actions/runs/run_id_2) +- [§run_id_3](https://github.com/github/gh-aw/actions/runs/run_id_3) ## Analysis Period @@ -529,7 +529,7 @@ Use GitHub API to download artifacts (if MCP tools are not available): # Note: GITHUB_TOKEN will be available in the workflow environment # Get artifact download URL artifact_url=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \ - "https://api.github.com/repos/githubnext/gh-aw/actions/artifacts/$artifact_id/zip" \ + "https://api.github.com/repos/github/gh-aw/actions/artifacts/$artifact_id/zip" \ -w '%{redirect_url}') # Download and extract diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index c7562bb6..a170f2f8 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml 
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Generates project plans and task breakdowns when invoked with /plan command in issues or PRs @@ -64,7 +64,7 @@ jobs: text: ${{ steps.compute-text.outputs.text }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -121,7 +121,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -155,7 +155,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -174,7 +174,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -942,7 +942,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1023,7 +1023,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1102,7 +1102,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1174,7 +1174,7 @@ jobs: matched_command: ${{ steps.check_command_position.outputs.matched_command }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check team membership for command workflow @@ -1221,7 +1221,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/rebuild-smoke-codex.yml b/.github/workflows/rebuild-smoke-codex.yml index 72e52329..664e7e69 100644 --- a/.github/workflows/rebuild-smoke-codex.yml +++ b/.github/workflows/rebuild-smoke-codex.yml 
@@ -29,7 +29,7 @@ jobs: run: | cd /tmp rm -rf gh-aw - git clone https://github.com/githubnext/gh-aw.git + git clone https://github.com/github/gh-aw.git echo "✓ Cloned gh-aw repository" - name: Build gh-aw compiler @@ -71,7 +71,7 @@ jobs: This PR updates the `smoke-codex.lock.yml` file by recompiling it from the source `smoke-codex.md` using the latest gh-aw compiler. ### Changes - - Cloned and built gh-aw from https://github.com/githubnext/gh-aw + - Cloned and built gh-aw from https://github.com/github/gh-aw - Recompiled `.github/workflows/smoke-codex.md` using `gh-aw compile smoke-codex` - Updated `.github/workflows/smoke-codex.lock.yml` with the latest compilation diff --git a/.github/workflows/rebuild-smoke-copilot.yml b/.github/workflows/rebuild-smoke-copilot.yml index e35d1e9a..a4c5193e 100644 --- a/.github/workflows/rebuild-smoke-copilot.yml +++ b/.github/workflows/rebuild-smoke-copilot.yml @@ -34,7 +34,7 @@ jobs: run: | cd /tmp rm -rf gh-aw - git clone https://github.com/githubnext/gh-aw.git + git clone https://github.com/github/gh-aw.git echo "✓ Cloned gh-aw repository" - name: Build gh-aw compiler @@ -76,7 +76,7 @@ jobs: This PR updates the `smoke-copilot.lock.yml` file by recompiling it from the source `smoke-copilot.md` using the latest gh-aw compiler. ### Changes - - Cloned and built gh-aw from https://github.com/githubnext/gh-aw + - Cloned and built gh-aw from https://github.com/github/gh-aw - Recompiled `.github/workflows/smoke-copilot.md` using `gh-aw compile smoke-copilot` - Updated `.github/workflows/smoke-copilot.lock.yml` with the latest compilation diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index a8774ef6..ddec06e5 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
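Review bot: The `git clone https://github.com/github/gh-aw.git` line in rebuild-smoke-codex.yml (and the identical line in rebuild-smoke-copilot.yml) checks out whatever the default branch holds at run time, and the "Build gh-aw compiler" step that follows builds from it, so the regenerated lock file depends on an unpinned upstream. Since this commit changes which organization that code is fetched from, it is a good moment to pin the clone to a reviewed release tag, for example `git clone --depth 1 --branch "$GH_AW_REF" https://github.com/github/gh-aw.git`, with `GH_AW_REF` (a placeholder name) set in the step's `env:`. Logging `git -C /tmp/gh-aw rev-parse HEAD` afterwards would let the generated PR body state the exact revision instead of "latest". The `run:` block continues outside the hunk, so the build commands themselves are not visible here.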
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Build, test, and release MCP Gateway binary and Docker image, then generate and prepend release highlights @@ -60,7 +60,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -100,7 +100,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -141,7 +141,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -160,7 +160,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -533,9 +533,9 @@ jobs: The Docker image for this release is available at: \`\`\`bash - docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} + docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or - docker pull ghcr.io/githubnext/gh-aw-mcpg:latest + docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -548,7 +548,7 @@ jobs: - Lead with benefits: "MCP Gateway now supports remote mode" not "Added remote mode" - Be specific: "Reduced server startup time by 40%" not "Faster startup" - Skip internal changes unless they have user impact - - Use docs links: `[Configuration Guide](https://github.com/githubnext/gh-aw-mcpg/blob/main/docs/config.md)` + - Use docs links: `[Configuration Guide](https://github.com/github/gh-aw-mcpg/blob/main/docs/config.md)` - Keep breaking changes prominent with action items - Mention Docker image availability prominently @@ -572,9 +572,9 @@ jobs: The Docker image for this release is available at: \`\`\`bash - docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} + docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or - docker pull ghcr.io/githubnext/gh-aw-mcpg:latest + docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -584,7 +584,7 @@ jobs: 2. Configure: Edit `config.toml` with your MCP servers 3. Run: `./awmg --config config.toml` - See the [README](https://github.com/githubnext/gh-aw-mcpg#readme) for complete setup instructions. + See the [README](https://github.com/github/gh-aw-mcpg#readme) for complete setup instructions. ``` **Maintenance Release** (no user-facing changes): 
@@ -598,9 +598,9 @@ jobs: The Docker image for this release is available at: \`\`\`bash - docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} + docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or - docker pull ghcr.io/githubnext/gh-aw-mcpg:latest + docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -626,8 +626,8 @@ jobs: **WARNING**: If you don't call the `update_release` tool, the release notes will NOT be updated! **Documentation Base URL:** - - Repository docs: `https://github.com/githubnext/gh-aw-mcpg/blob/main/docs/` - - Repository README: `https://github.com/githubnext/gh-aw-mcpg#readme` + - Repository docs: `https://github.com/github/gh-aw-mcpg/blob/main/docs/` + - Repository README: `https://github.com/github/gh-aw-mcpg#readme` Verify paths exist in `docs_files.txt` before linking. @@ -910,7 +910,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1053,7 +1053,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1132,7 +1132,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI 
@@ -1294,7 +1294,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1429,7 +1429,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/release.md b/.github/workflows/release.md index 3027534b..8575ff31 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md @@ -499,9 +499,9 @@ Structure: The Docker image for this release is available at: \`\`\`bash -docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} +docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or -docker pull ghcr.io/githubnext/gh-aw-mcpg:latest +docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -514,7 +514,7 @@ For complete details, see the [full release notes](${{ github.server_url }}/${{ - Lead with benefits: "MCP Gateway now supports remote mode" not "Added remote mode" - Be specific: "Reduced server startup time by 40%" not "Faster startup" - Skip internal changes unless they have user impact -- Use docs links: `[Configuration Guide](https://github.com/githubnext/gh-aw-mcpg/blob/main/docs/config.md)` +- Use docs links: `[Configuration Guide](https://github.com/github/gh-aw-mcpg/blob/main/docs/config.md)` - Keep breaking changes prominent with action items - Mention Docker image availability prominently 
@@ -538,9 +538,9 @@ Welcome to the inaugural release of MCP Gateway! This Go-based proxy server enab The Docker image for this release is available at: \`\`\`bash -docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} +docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or -docker pull ghcr.io/githubnext/gh-aw-mcpg:latest +docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -550,7 +550,7 @@ Supported platforms: `linux/amd64`, `linux/arm64` 2. Configure: Edit `config.toml` with your MCP servers 3. Run: `./awmg --config config.toml` -See the [README](https://github.com/githubnext/gh-aw-mcpg#readme) for complete setup instructions. +See the [README](https://github.com/github/gh-aw-mcpg#readme) for complete setup instructions. ``` **Maintenance Release** (no user-facing changes): @@ -564,9 +564,9 @@ Dependency updates and internal improvements to keep MCP Gateway running smoothl The Docker image for this release is available at: \`\`\`bash -docker pull ghcr.io/githubnext/gh-aw-mcpg:${RELEASE_TAG} +docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} # or -docker pull ghcr.io/githubnext/gh-aw-mcpg:latest +docker pull ghcr.io/github/gh-aw-mcpg:latest \`\`\` Supported platforms: `linux/amd64`, `linux/arm64` @@ -592,7 +592,7 @@ update_release({ **WARNING**: If you don't call the `update_release` tool, the release notes will NOT be updated! **Documentation Base URL:** -- Repository docs: `https://github.com/githubnext/gh-aw-mcpg/blob/main/docs/` -- Repository README: `https://github.com/githubnext/gh-aw-mcpg#readme` +- Repository docs: `https://github.com/github/gh-aw-mcpg/blob/main/docs/` +- Repository README: `https://github.com/github/gh-aw-mcpg#readme` Verify paths exist in `docs_files.txt` before linking. diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 83270e97..8ea4b825 100644 
--- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Analyzes Go codebase daily to identify opportunities for semantic function extraction and refactoring # @@ -52,7 +52,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -87,7 +87,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -121,7 +121,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI 
@@ -140,7 +140,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server @@ -1220,7 +1220,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1303,7 +1303,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1382,7 +1382,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1463,7 +1463,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 48e9b52f..15a20ffe 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Smoke test workflow that validates Codex engine functionality by reviewing recent PRs twice daily # @@ -172,7 +172,7 @@ jobs: await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -186,7 +186,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -200,7 +200,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/githubnext/gh-aw-mcpg:v0.0.69 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/github/gh-aw-mcpg:v0.0.69 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs 
@@ -616,7 +616,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e "DEBUG=*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.69' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e "DEBUG=*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.69' cat > /tmp/gh-aw/mcp-config/config.toml << EOF [history] 
@@ -664,7 +664,7 @@ jobs: env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] [mcp_servers.serena] - container = "ghcr.io/githubnext/serena-mcp-server:latest" + container = "ghcr.io/github/serena-mcp-server:latest" args = [ "--network", "host", @@ -742,7 +742,7 @@ jobs: } }, "serena": { - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "args": [ "--network", "host" @@ -1352,7 +1352,7 @@ jobs: touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md index b5843d11..754a93ef 100644 --- a/.github/workflows/smoke-codex.md +++ b/.github/workflows/smoke-codex.md @@ -34,7 +34,7 @@ tools: serena: ["go"] sandbox: mcp: - container: "ghcr.io/githubnext/gh-aw-mcpg" + container: "ghcr.io/github/gh-aw-mcpg" safe-outputs: add-comment: hide-older-comments: true diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index fdb84f77..80eebe87 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml 
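Review bot: `container: "ghcr.io/github/gh-aw-mcpg"` in smoke-codex.md names the gateway image without a tag or digest, so unless a version is set elsewhere in the front matter (not shown in the hunk) the image that runs is not fixed in this reviewed source. The compiled smoke-codex.lock.yml in this same patch starts that image with `-v /var/run/docker.sock:/var/run/docker.sock` and passes `GITHUB_TOKEN` and `MCP_GATEWAY_API_KEY` into it, so the reference deserves an explicit pin now that the registry namespace has changed. If the `container` field accepts it, write the version here, e.g. `container: "ghcr.io/github/gh-aw-mcpg:v0.0.69"` (the tag the lock file already uses) or a `@sha256:<DIGEST>` reference. Confirm the image is actually published under `ghcr.io/github/` before merging. The front-matter block starts and ends outside the hunk.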
@@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Smoke Copilot @@ -64,7 +64,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -122,7 +122,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -168,7 +168,7 @@ jobs: await main(); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -188,7 +188,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server 
@@ -202,18 +202,18 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/githubnext/gh-aw-mcpg:latest mcr.microsoft.com/playwright/mcp node:lts-alpine ghcr.io/githubnext/serena-mcp-server:latest + run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/github/gh-aw-mcpg:latest mcr.microsoft.com/playwright/mcp node:lts-alpine ghcr.io/github/serena-mcp-server:latest - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | # Check if gh-aw extension is already installed - if gh extension list | grep -q "githubnext/gh-aw"; then + if gh extension list | grep -q "github/gh-aw"; then echo "gh-aw extension already installed, upgrading..." gh extension upgrade gh-aw || true else echo "Installing gh-aw extension..." - gh extension install githubnext/gh-aw + gh extension install github/gh-aw fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization 
@@ -510,7 +510,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:latest' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:latest' mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -566,7 +566,7 @@ jobs: }, "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], 
@@ -977,7 +977,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1082,7 +1082,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1162,7 +1162,7 @@ jobs: touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1245,7 +1245,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Add eyes reaction for immediate feedback @@ -1301,7 +1301,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1345,7 +1345,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.37.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md index 9e66619c..94b79bfc 100644 --- a/.github/workflows/smoke-copilot.md 
+++ b/.github/workflows/smoke-copilot.md @@ -36,7 +36,7 @@ tools: web-fetch: sandbox: mcp: - container: "ghcr.io/githubnext/gh-aw-mcpg" + container: "ghcr.io/github/gh-aw-mcpg" safe-outputs: add-comment: hide-older-comments: true diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index 5fa48ebe..82b5d468 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml @@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analyzer that finds complex, under-tested functions and generates comprehensive tests @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -141,7 +141,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI 
@@ -160,7 +160,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server @@ -1087,7 +1087,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1170,7 +1170,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1249,7 +1249,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1332,7 +1332,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1394,7 +1394,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-improver.lock.yml b/.github/workflows/test-improver.lock.yml index de221c28..2a7c3dcd 100644 --- a/.github/workflows/test-improver.lock.yml +++ b/.github/workflows/test-improver.lock.yml @@ -17,7 +17,7 @@ # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analyzer that reviews test files and suggests improvements for better testify usage, increased coverage, and cleaner tests @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Checkout repository 
@@ -141,7 +141,7 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -160,7 +160,7 @@ jobs: - name: Install awf binary run: | echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/githubnext/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash + curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash which awf awf --version - name: Determine automatic lockdown mode for GitHub MCP server @@ -1139,7 +1139,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1222,7 +1222,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1301,7 +1301,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1384,7 +1384,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1446,7 +1446,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: githubnext/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.36.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.gitignore b/.gitignore index b595d6d0..729bae19 100644 --- a/.gitignore +++ b/.gitignore @@ -38,7 +38,7 @@ go.work.sum # env file .env .env.* -.env.githubnext +.env.github # Editor/IDE # .idea/ diff --git a/AGENTS.md b/AGENTS.md index b9b62f58..e2cac4cd 100644 --- a/AGENTS.md +++ b/AGENTS.md 
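Review bot: The `.env.githubnext` to `.env.github` change in the .gitignore hunk looks like a side effect of the organization-wide search and replace rather than an intended rename of a local env file. Both names are already matched by the `.env.*` pattern on the line above, so no env file becomes trackable, but the entry is now redundant and no longer names the file it was written for. I would either restore `.env.githubnext` or drop the line and rely on `.env.*`.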
@@ -44,7 +44,7 @@ Quick reference for AI agents working with MCP Gateway (Go-based MCP proxy serve ## Config Examples -**Configuration Spec**: See **[MCP Gateway Configuration Reference](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** for complete specification. +**Configuration Spec**: See **[MCP Gateway Configuration Reference](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** for complete specification. **TOML** (`config.toml`): ```toml @@ -253,7 +253,7 @@ make agent-finished **ALWAYS use the logger package for debug logging:** ```go -import "github.com/githubnext/gh-aw-mcpg/internal/logger" +import "github.com/github/gh-aw-mcpg/internal/logger" // Create a logger with namespace following pkg:filename convention var log = logger.New("pkg:filename") @@ -273,7 +273,7 @@ if log.Enabled() { **For operational/file logging, use the file logger directly:** ```go -import "github.com/githubnext/gh-aw-mcpg/internal/logger" +import "github.com/github/gh-aw-mcpg/internal/logger" // Log operational events (written to mcp-gateway.log) logger.LogInfo("category", "Operation completed successfully") diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d5f96a49..26cdc280 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -14,7 +14,7 @@ Thank you for your interest in contributing to MCP Gateway! This document provid 1. **Clone the repository** ```bash - git clone https://github.com/githubnext/gh-aw-mcpg.git + git clone https://github.com/github/gh-aw-mcpg.git cd gh-aw-mcpg ``` @@ -251,7 +251,7 @@ awmg/ Use the logger package for debug logging: ```go -import "github.com/githubnext/gh-aw-mcpg/internal/logger" +import "github.com/github/gh-aw-mcpg/internal/logger" // Create a logger with namespace following pkg:filename convention // Use descriptive variable names (e.g., logLauncher, logConfig) for clarity 
@@ -454,7 +454,7 @@ make release major ✓ Release workflow will be triggered automatically Monitor the release workflow at: - https://github.com/githubnext/gh-aw-mcpg/actions/workflows/release.lock.yml + https://github.com/github/gh-aw-mcpg/actions/workflows/release.lock.yml ``` ### What Happens Automatically @@ -463,7 +463,7 @@ When you push a release tag, the automated release workflow: - Runs the full test suite - Builds multi-platform binaries (Linux for amd64, arm, and arm64) - Creates a GitHub release with all binaries and checksums -- Builds and pushes a multi-arch Docker image to `ghcr.io/githubnext/gh-aw-mcpg` with tags: +- Builds and pushes a multi-arch Docker image to `ghcr.io/github/gh-aw-mcpg` with tags: - `latest` - Always points to the newest release - `v1.2.4` - Specific version tag - `` - Specific commit reference @@ -489,7 +489,7 @@ When you push a release tag, the automated release workflow: ## Questions or Issues? -- Check existing [issues](https://github.com/githubnext/gh-aw-mcpg/issues) +- Check existing [issues](https://github.com/github/gh-aw-mcpg/issues) - Open a new issue with a clear description - Join discussions in pull requests diff --git a/Makefile b/Makefile index 15720777..4f07b058 100644 --- a/Makefile +++ b/Makefile @@ -197,7 +197,7 @@ release: echo "✓ Release workflow will be triggered automatically"; \ echo ""; \ echo "Monitor the release workflow at:"; \ - echo " https://github.com/githubnext/gh-aw-mcpg/actions/workflows/release.lock.yml" + echo " https://github.com/github/gh-aw-mcpg/actions/workflows/release.lock.yml" # Prevent make from treating the argument as a target %: diff --git a/README.md b/README.md index 0cc0b416..edabbb6e 100644 --- a/README.md +++ b/README.md 
@@ -2,9 +2,9 @@ A gateway for Model Context Protocol (MCP) servers. -This gateway is used with [GitHub Agentic Workflows](https://github.com/githubnext/gh-aw) via the `sandbox.mcp` configuration to provide MCP server access to AI agents running in sandboxed environments. +This gateway is used with [GitHub Agentic Workflows](https://github.com/github/gh-aw) via the `sandbox.mcp` configuration to provide MCP server access to AI agents running in sandboxed environments. -📖 **[Full Configuration Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** - Complete reference for all configuration options and validation rules. +📖 **[Full Configuration Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** - Complete reference for all configuration options and validation rules. ## Features @@ -32,7 +32,7 @@ For detailed setup instructions, building from source, and local development, se 1. **Pull the Docker image** (when available): ```bash - docker pull ghcr.io/githubnext/gh-aw-mcpg:latest + docker pull ghcr.io/github/gh-aw-mcpg:latest ``` 2. **Create a configuration file** (`config.json`): @@ -59,7 +59,7 @@ For detailed setup instructions, building from source, and local development, se -v /var/run/docker.sock:/var/run/docker.sock \ -v /path/to/logs:/tmp/gh-aw/mcp-logs \ -p 8000:8000 \ - ghcr.io/githubnext/gh-aw-mcpg:latest < config.json + ghcr.io/github/gh-aw-mcpg:latest < config.json ``` **Required flags:** 
@@ -97,7 +97,7 @@ args = ["/path/to/filesystem-server.js"] ### JSON Stdin Format -For the complete JSON configuration specification with all validation rules, see the **[MCP Gateway Configuration Reference](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)**. +For the complete JSON configuration specification with all validation rules, see the **[MCP Gateway Configuration Reference](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)**. ```json { @@ -176,7 +176,7 @@ For the complete JSON configuration specification with all validation rules, see - `mode` must be either `"ro"` or `"rw"` - Both source and destination paths are required (cannot be empty) -See **[Configuration Specification](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** for complete validation rules. +See **[Configuration Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md)** for complete validation rules. #### Gateway Configuration Fields (Reserved) @@ -283,7 +283,7 @@ docker run -i \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /path/to/logs:/tmp/gh-aw/mcp-logs \ -p 8080:8080 \ - ghcr.io/githubnext/gh-aw-mcpg:latest < config.json + ghcr.io/github/gh-aw-mcpg:latest < config.json ``` **Important flags:** @@ -489,7 +489,7 @@ Both GitHub MCP and Serena MCP servers pass comprehensive test suites including ```bash # Both servers use stdio transport via Docker containers docker run -i ghcr.io/github/github-mcp-server # GitHub MCP -docker run -i ghcr.io/githubnext/serena-mcp-server # Serena MCP +docker run -i ghcr.io/github/serena-mcp-server # Serena MCP ``` ### Using MCP Servers with the Gateway 
@@ -502,7 +502,7 @@ Configure MCP servers to connect directly via stdio transport for optimal perfor "mcpServers": { "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest" + "container": "ghcr.io/github/serena-mcp-server:latest" }, "github": { "type": "stdio", diff --git a/config.json b/config.json index e3748505..d76a3d71 100644 --- a/config.json +++ b/config.json @@ -17,7 +17,7 @@ }, "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "mounts": [ "${PWD}:/workspace:ro" ], diff --git a/config.toml b/config.toml index c1a2b8ed..6add1bd1 100644 --- a/config.toml +++ b/config.toml @@ -24,7 +24,7 @@ command = "docker" args = ["run", "--rm", "-i", "-v", "${PWD}:/workspace:ro", "-e", "NO_COLOR=1", "-e", "TERM=dumb", - "ghcr.io/githubnext/serena-mcp-server:latest"] + "ghcr.io/github/serena-mcp-server:latest"] # Note: DOCKER_API_VERSION is automatically set based on architecture # - ARM64 (M1/M2/M3 Macs): 1.43 diff --git a/containers/serena-mcp-server/BUILD_NOTES.md b/containers/serena-mcp-server/BUILD_NOTES.md index 7cba5041..67527941 100644 --- a/containers/serena-mcp-server/BUILD_NOTES.md +++ b/containers/serena-mcp-server/BUILD_NOTES.md @@ -60,11 +60,11 @@ Once the container is available, test with: ```bash # Pull the image -docker pull ghcr.io/githubnext/serena-mcp-server:latest +docker pull ghcr.io/github/serena-mcp-server:latest # Run basic test echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}' | \ docker run --rm -i \ -v $(pwd):/workspace:ro \ - ghcr.io/githubnext/serena-mcp-server:latest + ghcr.io/github/serena-mcp-server:latest ``` diff --git a/containers/serena-mcp-server/Dockerfile b/containers/serena-mcp-server/Dockerfile index b7a08064..e241dea2 100644 --- a/containers/serena-mcp-server/Dockerfile +++ b/containers/serena-mcp-server/Dockerfile 
@@ -12,9 +12,9 @@ FROM python:3.11-slim # OCI labels for GitHub Container Registry LABEL org.opencontainers.image.title="Serena MCP Server" LABEL org.opencontainers.image.description="A containerized MCP server with semantic code analysis for Python, Go, and TypeScript" -LABEL org.opencontainers.image.source="https://github.com/githubnext/gh-aw-mcpg/tree/main/containers/serena-mcp-server" -LABEL org.opencontainers.image.documentation="https://github.com/githubnext/gh-aw-mcpg/blob/main/containers/serena-mcp-server/README.md" -LABEL org.opencontainers.image.url="https://github.com/githubnext/gh-aw-mcpg/pkgs/container/serena-mcp-server" +LABEL org.opencontainers.image.source="https://github.com/github/gh-aw-mcpg/tree/main/containers/serena-mcp-server" +LABEL org.opencontainers.image.documentation="https://github.com/github/gh-aw-mcpg/blob/main/containers/serena-mcp-server/README.md" +LABEL org.opencontainers.image.url="https://github.com/github/gh-aw-mcpg/pkgs/container/serena-mcp-server" LABEL org.opencontainers.image.vendor="GitHub" # Set working directory diff --git a/containers/serena-mcp-server/README.md b/containers/serena-mcp-server/README.md index 6ef7b7b7..0fd30618 100644 --- a/containers/serena-mcp-server/README.md +++ b/containers/serena-mcp-server/README.md @@ -27,7 +27,7 @@ Run the Serena MCP server with the MCP Gateway: "mcpServers": { "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "mounts": [ "/path/to/your/workspace:/workspace:ro" ] @@ -66,7 +66,7 @@ args = [ "-v", "/path/to/workspace:/workspace:ro", "-e", "NO_COLOR=1", "-e", "TERM=dumb", - "ghcr.io/githubnext/serena-mcp-server:latest" + "ghcr.io/github/serena-mcp-server:latest" ] ``` 
@@ -76,7 +76,7 @@ args = [ "mcpServers": { "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "mounts": [ "/path/to/workspace:/workspace:ro" ], @@ -105,7 +105,7 @@ To build for multiple architectures (amd64 and arm64): ```bash docker buildx build \ --platform linux/amd64,linux/arm64 \ - -t ghcr.io/githubnext/serena-mcp-server:latest \ + -t ghcr.io/github/serena-mcp-server:latest \ --push \ . ``` @@ -174,4 +174,4 @@ If Serena is slow: - [Serena GitHub Repository](https://github.com/oraios/serena) - [Serena Documentation](https://oraios.github.io/serena/) - [Model Context Protocol](https://github.com/modelcontextprotocol) -- [MCP Gateway Configuration](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) +- [MCP Gateway Configuration](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) diff --git a/containers/serena-mcp-server/test-startup-time.sh b/containers/serena-mcp-server/test-startup-time.sh index e3e57a5f..1f3b6a27 100755 --- a/containers/serena-mcp-server/test-startup-time.sh +++ b/containers/serena-mcp-server/test-startup-time.sh @@ -37,7 +37,7 @@ export MCP_GATEWAY_DOMAIN="host.docker.internal" export MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') export WORKSPACE="${WORKSPACE_ARG:-${PWD}}" -GATEWAY_IMAGE="ghcr.io/githubnext/gh-aw-mcpg:v0.0.84" +GATEWAY_IMAGE="ghcr.io/github/gh-aw-mcpg:v0.0.84" SERENA_IMAGE="${SERENA_IMAGE:-serena-mcp-server:slim}" echo "=== Serena Startup Time Test ===" diff --git a/docs/DIFC_INTEGRATION_PROPOSAL.md b/docs/DIFC_INTEGRATION_PROPOSAL.md index 284d77d8..53a663ad 100644 --- a/docs/DIFC_INTEGRATION_PROPOSAL.md +++ b/docs/DIFC_INTEGRATION_PROPOSAL.md 
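Review bot: `GATEWAY_IMAGE="ghcr.io/github/gh-aw-mcpg:v0.0.84"` in test-startup-time.sh points a fixed historical tag at the new registry namespace, and nothing on this page shows that `v0.0.84` was published there. If only releases built after the migration exist under `ghcr.io/github`, the script fails at pull time. Worth confirming with `docker manifest inspect ghcr.io/github/gh-aw-mcpg:v0.0.84` before merging, or moving the tag to a release known to exist in the new namespace.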
@@ -54,7 +54,7 @@ package guard import ( "context" - "github.com/githubnext/gh-aw-mcpg/internal/difc" + "github.com/github/gh-aw-mcpg/internal/difc" sdk "github.com/modelcontextprotocol/go-sdk/mcp" ) @@ -554,7 +554,7 @@ package guard import ( "context" - "github.com/githubnext/gh-aw-mcpg/internal/difc" + "github.com/github/gh-aw-mcpg/internal/difc" sdk "github.com/modelcontextprotocol/go-sdk/mcp" ) @@ -591,8 +591,8 @@ import ( "context" "encoding/json" "fmt" - "github.com/githubnext/gh-aw-mcpg/internal/difc" - "github.com/githubnext/gh-aw-mcpg/internal/guard" + "github.com/github/gh-aw-mcpg/internal/difc" + "github.com/github/gh-aw-mcpg/internal/guard" sdk "github.com/modelcontextprotocol/go-sdk/mcp" ) @@ -912,8 +912,8 @@ import ( "context" "fmt" "log" - "github.com/githubnext/gh-aw-mcpg/internal/difc" - "github.com/githubnext/gh-aw-mcpg/internal/guard" + "github.com/github/gh-aw-mcpg/internal/difc" + "github.com/github/gh-aw-mcpg/internal/guard" sdk "github.com/modelcontextprotocol/go-sdk/mcp" ) diff --git a/docs/GATEWAY_COMPATIBILITY_QUICK_REFERENCE.md b/docs/GATEWAY_COMPATIBILITY_QUICK_REFERENCE.md index 8cfa6794..0d2c2359 100644 --- a/docs/GATEWAY_COMPATIBILITY_QUICK_REFERENCE.md +++ b/docs/GATEWAY_COMPATIBILITY_QUICK_REFERENCE.md @@ -47,7 +47,7 @@ args = ["run", "--rm", "-i", "ghcr.io/github/github-mcp-server:latest"] "mcpServers": { "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "container": "ghcr.io/github/serena-mcp-server:latest", "env": { "SERENA_CONFIG": "/path/to/config" } @@ -60,7 +60,7 @@ args = ["run", "--rm", "-i", "ghcr.io/github/github-mcp-server:latest"] ```toml [servers.serena] command = "docker" -args = ["run", "--rm", "-i", "ghcr.io/githubnext/serena-mcp-server:latest"] +args = ["run", "--rm", "-i", "ghcr.io/github/serena-mcp-server:latest"] ``` --- 
@@ -110,7 +110,7 @@ Client Request 2 (session abc): ## For More Details -📖 **Configuration Specification:** [MCP Gateway Configuration Reference](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) +📖 **Configuration Specification:** [MCP Gateway Configuration Reference](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) 📊 **Test Results:** [Serena Test Results](../SERENA_TEST_RESULTS.md) diff --git a/docs/WHY_GITHUB_WORKS_BUT_SERENA_DOESNT.md b/docs/WHY_GITHUB_WORKS_BUT_SERENA_DOESNT.md index 3b2c109e..06e91ced 100644 --- a/docs/WHY_GITHUB_WORKS_BUT_SERENA_DOESNT.md +++ b/docs/WHY_GITHUB_WORKS_BUT_SERENA_DOESNT.md @@ -26,7 +26,7 @@ This document explains the architectural differences for developers interested i **Production Deployment (Both Servers):** ``` Gateway → docker run -i ghcr.io/github/github-mcp-server (stdio) ✅ -Gateway → docker run -i ghcr.io/githubnext/serena-mcp-server (stdio) ✅ +Gateway → docker run -i ghcr.io/github/serena-mcp-server (stdio) ✅ ``` **Both servers:** @@ -234,7 +234,7 @@ args = ["run", "--rm", "-i", "ghcr.io/github/github-mcp-server:latest"] ```toml [servers.serena] command = "docker" -args = ["run", "--rm", "-i", "ghcr.io/githubnext/serena-mcp-server:latest"] +args = ["run", "--rm", "-i", "ghcr.io/github/serena-mcp-server:latest"] ``` **config.json:** @@ -242,7 +242,7 @@ args = ["run", "--rm", "-i", "ghcr.io/githubnext/serena-mcp-server:latest"] { "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest" + "container": "ghcr.io/github/serena-mcp-server:latest" } } ``` @@ -365,7 +365,7 @@ Both patterns work correctly with the gateway's stdio transport and session conn }, "serena": { "type": "stdio", - "container": "ghcr.io/githubnext/serena-mcp-server:latest" + "container": "ghcr.io/github/serena-mcp-server:latest" } } } diff --git a/go.mod b/go.mod index bc058008..11b224e2 100644 --- a/go.mod +++ b/go.mod 
@@ -1,4 +1,4 @@ -module github.com/githubnext/gh-aw-mcpg +module github.com/github/gh-aw-mcpg go 1.25.0 diff --git a/internal/auth/header.go b/internal/auth/header.go index f2311ec6..f6b0d122 100644 --- a/internal/auth/header.go +++ b/internal/auth/header.go @@ -38,8 +38,8 @@ import ( "errors" "strings" - "github.com/githubnext/gh-aw-mcpg/internal/logger" - "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize" + "github.com/github/gh-aw-mcpg/internal/logger" + "github.com/github/gh-aw-mcpg/internal/logger/sanitize" ) var log = logger.New("auth:header") diff --git a/internal/auth/header_test.go b/internal/auth/header_test.go index 863a26a2..e531789e 100644 --- a/internal/auth/header_test.go +++ b/internal/auth/header_test.go @@ -6,7 +6,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize" + "github.com/github/gh-aw-mcpg/internal/logger/sanitize" ) func TestTruncateSecret(t *testing.T) { diff --git a/internal/cmd/root.go b/internal/cmd/root.go index 2ec495c5..ba5bc18c 100644 --- a/internal/cmd/root.go +++ b/internal/cmd/root.go @@ -14,10 +14,10 @@ import ( "strings" "syscall" - "github.com/githubnext/gh-aw-mcpg/internal/config" - "github.com/githubnext/gh-aw-mcpg/internal/logger" - "github.com/githubnext/gh-aw-mcpg/internal/mcp" - "github.com/githubnext/gh-aw-mcpg/internal/server" + "github.com/github/gh-aw-mcpg/internal/config" + "github.com/github/gh-aw-mcpg/internal/logger" + "github.com/github/gh-aw-mcpg/internal/mcp" + "github.com/github/gh-aw-mcpg/internal/server" "github.com/spf13/cobra" ) diff --git a/internal/cmd/root_test.go b/internal/cmd/root_test.go index cfd2eee4..a7721432 100644 --- a/internal/cmd/root_test.go +++ b/internal/cmd/root_test.go 
@@ -10,7 +10,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 func TestGetDefaultLogDir(t *testing.T) {
diff --git a/internal/cmd/stdout_config_test.go b/internal/cmd/stdout_config_test.go
index 0bc7f095..5ad74938 100644
--- a/internal/cmd/stdout_config_test.go
+++ b/internal/cmd/stdout_config_test.go
@@ -8,7 +8,7 @@ import (
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 func TestWriteGatewayConfigToStdout(t *testing.T) {
diff --git a/internal/config/rules/rules.go b/internal/config/rules/rules.go
index f8aeb12c..04827ea4 100644
--- a/internal/config/rules/rules.go
+++ b/internal/config/rules/rules.go
@@ -7,8 +7,8 @@ import (
 // Documentation URL constants
 const (
- ConfigSpecURL = "https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md"
- SchemaURL = "https://raw.githubusercontent.com/githubnext/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json"
+ ConfigSpecURL = "https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md"
+ SchemaURL = "https://raw.githubusercontent.com/github/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json"
 )
 // ValidationError represents a configuration validation error with context.
diff --git a/internal/config/validation.go b/internal/config/validation.go
index 28ff6ab4..b6a02556 100644
--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@@ -5,8 +5,8 @@ import (
 "os"
 "regexp"
- "github.com/githubnext/gh-aw-mcpg/internal/config/rules"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/config/rules"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 // ValidationError is an alias for rules.ValidationError for backward compatibility
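Review bot: In internal/config/rules/rules.go, `SchemaURL` now holds the same literal as the unexported `schemaURL` that this commit also edits by hand in internal/config/validation_schema.go, so the schema location lives in two places that can drift apart on the next move. validation_schema.go already imports the rules package, so `schemaURL = rules.SchemaURL` would leave a single source of truth. If the two are meant to differ (for example a pinned fetch URL versus a documentation link), a comment on the constant such as `// SchemaURL is the link shown to users; the URL used for validation is config.schemaURL` would make that explicit. Which of the two ends up in validation error text is not visible in this hunk.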
diff --git a/internal/config/validation_env.go b/internal/config/validation_env.go
index 87d5906f..2f0eb9cc 100644
--- a/internal/config/validation_env.go
+++ b/internal/config/validation_env.go
@@ -9,8 +9,8 @@ import (
 "strconv"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/config/rules"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/config/rules"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logEnv = logger.New("config:validation_env")
diff --git a/internal/config/validation_schema.go b/internal/config/validation_schema.go
index c6ae48b7..1764abd3 100644
--- a/internal/config/validation_schema.go
+++ b/internal/config/validation_schema.go
@@ -10,8 +10,8 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/config/rules"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/config/rules"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 "github.com/santhosh-tekuri/jsonschema/v5"
 )
@@ -33,14 +33,14 @@ var (
 //
 // Build Reproducibility:
 // For production builds, consider pinning to a specific commit SHA or version tag:
- // - Commit SHA: "https://raw.githubusercontent.com/githubnext/gh-aw//docs/public/schemas/mcp-gateway-config.schema.json"
- // - Version tag: "https://raw.githubusercontent.com/githubnext/gh-aw/v1.0.0/docs/public/schemas/mcp-gateway-config.schema.json"
+ // - Commit SHA: "https://raw.githubusercontent.com/github/gh-aw//docs/public/schemas/mcp-gateway-config.schema.json"
+ // - Version tag: "https://raw.githubusercontent.com/github/gh-aw/v1.0.0/docs/public/schemas/mcp-gateway-config.schema.json"
 //
 // Using 'main' branch ensures we always use the latest schema but may introduce
 // changes that break builds. For stable releases, pin to a specific version.
 //
 // Alternative: Embed the schema using go:embed directive for zero network dependency.
- schemaURL = "https://raw.githubusercontent.com/githubnext/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json"
+ schemaURL = "https://raw.githubusercontent.com/github/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json"
 // Schema caching to avoid recompiling the JSON schema on every validation
 // This improves performance by compiling the schema once and reusing it
diff --git a/internal/config/validation_schema_test.go b/internal/config/validation_schema_test.go
index 5b74bd73..681e221a 100644
--- a/internal/config/validation_schema_test.go
+++ b/internal/config/validation_schema_test.go
@@ -555,7 +555,7 @@ func TestEnhancedErrorMessages(t *testing.T) {
 "Location:",
 "Error:",
 "Details:",
- "https://raw.githubusercontent.com/githubnext/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json",
+ "https://raw.githubusercontent.com/github/gh-aw/main/docs/public/schemas/mcp-gateway-config.schema.json",
 },
 },
 {
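Review bot: In the `var (` block of internal/config/validation_schema.go, `schemaURL` is repointed to the new organization but still follows the mutable `main` branch, so whatever sits at that path when the schema is loaded decides which gateway configurations pass validation; the comment directly above already recommends pinning for stable releases. Because this commit changes the source the schema is trusted from, it is a natural point to pin it, e.g. `schemaURL = "https://raw.githubusercontent.com/github/gh-aw/<tag-or-commit-sha>/docs/public/schemas/mcp-gateway-config.schema.json"` (labelled placeholder, not a real ref), or to embed the schema as the comment suggests. The commit-SHA example in the comment also shows an empty path segment (`gh-aw//docs`) as rendered here; if that is in the file rather than a display loss, restore the placeholder as `gh-aw/<commit-sha>/docs/...`. The `var (` block starts and ends outside the hunk and the fetch itself is not visible, so the network-load behaviour is inferred from the comment.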
@@ -663,7 +663,7 @@ func TestSchemaURLConfiguration(t *testing.T) {
 // The current implementation uses 'main' branch
 // For production, consider pinning to a specific commit SHA or version tag
- expectedPattern := "https://raw.githubusercontent.com/githubnext/gh-aw/"
+ expectedPattern := "https://raw.githubusercontent.com/github/gh-aw/"
 // We can't directly test the package-level schemaURL variable,
 // but we can verify that the schema compiles and validates correctly
diff --git a/internal/difc/evaluator.go b/internal/difc/evaluator.go
index 9ba5d022..b6802773 100644
--- a/internal/difc/evaluator.go
+++ b/internal/difc/evaluator.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logEvaluator = logger.New("difc:evaluator")
diff --git a/internal/guard/context.go b/internal/guard/context.go
index c3ba852c..a6382dd5 100644
--- a/internal/guard/context.go
+++ b/internal/guard/context.go
@@ -23,7 +23,7 @@ package guard
 import (
 "context"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var log = logger.New("guard:context")
diff --git a/internal/guard/guard.go b/internal/guard/guard.go
index 36c0fdc0..1268dff1 100644
--- a/internal/guard/guard.go
+++ b/internal/guard/guard.go
@@ -3,7 +3,7 @@ package guard
 import (
 "context"
- "github.com/githubnext/gh-aw-mcpg/internal/difc"
+ "github.com/github/gh-aw-mcpg/internal/difc"
 )
 // BackendCaller provides a way for guards to make read-only calls to the backend
diff --git a/internal/guard/guard_test.go b/internal/guard/guard_test.go
index 68e8f48f..521504d1 100644
--- a/internal/guard/guard_test.go
+++ b/internal/guard/guard_test.go
@@ -8,8 +8,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/auth"
- "github.com/githubnext/gh-aw-mcpg/internal/difc"
+ "github.com/github/gh-aw-mcpg/internal/auth"
+ "github.com/github/gh-aw-mcpg/internal/difc"
 )
 // mockGuard is a simple guard implementation for testing that can be distinguished by ID
diff --git a/internal/guard/noop.go b/internal/guard/noop.go
index 844c9638..d3600e2b 100644
--- a/internal/guard/noop.go
+++ b/internal/guard/noop.go
@@ -3,8 +3,8 @@ package guard
 import (
 "context"
- "github.com/githubnext/gh-aw-mcpg/internal/difc"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/difc"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logNoop = logger.New("guard:noop")
diff --git a/internal/guard/registry.go b/internal/guard/registry.go
index e73d5080..82f8d557 100644
--- a/internal/guard/registry.go
+++ b/internal/guard/registry.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 "sync"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var debugLog = logger.New("guard:registry")
diff --git a/internal/launcher/connection_pool.go b/internal/launcher/connection_pool.go
index a4d2cedb..2cca6a5d 100644
--- a/internal/launcher/connection_pool.go
+++ b/internal/launcher/connection_pool.go
@@ -6,8 +6,8 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 )
 var logPool = logger.New("launcher:pool")
diff --git a/internal/launcher/connection_pool_test.go b/internal/launcher/connection_pool_test.go
index b99986b9..ef847f11 100644
--- a/internal/launcher/connection_pool_test.go
+++ b/internal/launcher/connection_pool_test.go
@@ -5,7 +5,7 @@ import (
 "testing"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
diff --git a/internal/launcher/getorlaunch_stdio_test.go b/internal/launcher/getorlaunch_stdio_test.go
index d54c07e7..3aa65604 100644
--- a/internal/launcher/getorlaunch_stdio_test.go
+++ b/internal/launcher/getorlaunch_stdio_test.go
@@ -8,8 +8,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 )
 // TestGetOrLaunch_StdioServer_InvalidCommand tests stdio server with invalid command
diff --git a/internal/launcher/getorlaunch_timeout_test.go b/internal/launcher/getorlaunch_timeout_test.go
index 252ed9c7..ebd924f5 100644
--- a/internal/launcher/getorlaunch_timeout_test.go
+++ b/internal/launcher/getorlaunch_timeout_test.go
@@ -9,7 +9,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestGetOrLaunch_Timeout tests timeout behavior during stdio connection creation
diff --git a/internal/launcher/getorlaunchforsession_test.go b/internal/launcher/getorlaunchforsession_test.go
index 26ad8a99..ad599448 100644
--- a/internal/launcher/getorlaunchforsession_test.go
+++ b/internal/launcher/getorlaunchforsession_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/stretchr/testify/assert"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // NOTE: Many tests in this file that originally used stdio backends with commands like
diff --git a/internal/launcher/launcher.go b/internal/launcher/launcher.go
index f91cbc9d..7cf86513 100644
--- a/internal/launcher/launcher.go
+++ b/internal/launcher/launcher.go
@@ -7,11 +7,11 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/tty"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/tty"
 )
 var logLauncher = logger.New("launcher:launcher")
diff --git a/internal/launcher/launcher_test.go b/internal/launcher/launcher_test.go
index 5ccba0f3..40ea00e7 100644
--- a/internal/launcher/launcher_test.go
+++ b/internal/launcher/launcher_test.go
@@ -12,8 +12,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 )
 // loadConfigFromJSON is a test helper that creates a config from JSON via stdin
diff --git a/internal/launcher/log_helpers.go b/internal/launcher/log_helpers.go
index 50d500c7..bc375da4 100644
--- a/internal/launcher/log_helpers.go
+++ b/internal/launcher/log_helpers.go
@@ -6,9 +6,9 @@ import (
 "os"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 )
 // sessionSuffix returns a formatted session suffix for log messages
diff --git a/internal/logger/README.md b/internal/logger/README.md
index 50b7edb2..229dbc77 100644
--- a/internal/logger/README.md
+++ b/internal/logger/README.md
@@ -19,7 +19,7 @@ A simple, debug-style logging framework for Go that follows the pattern matching
 ```go
 package main
-import "github.com/githubnext/gh-aw-mcpg/internal/logger"
+import "github.com/github/gh-aw-mcpg/internal/logger"
 var log = logger.New("myapp:feature")
diff --git a/internal/logger/jsonl_logger.go b/internal/logger/jsonl_logger.go
index 5ed1b6d5..f2e66d3f 100644
--- a/internal/logger/jsonl_logger.go
+++ b/internal/logger/jsonl_logger.go
@@ -7,7 +7,7 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 )
 // JSONLLogger manages logging RPC messages to a JSONL file (one JSON object per line)
diff --git a/internal/logger/jsonl_logger_test.go b/internal/logger/jsonl_logger_test.go
index 8082b729..9d89601a 100644
--- a/internal/logger/jsonl_logger_test.go
+++ b/internal/logger/jsonl_logger_test.go
@@ -8,7 +8,7 @@ import (
 "path/filepath"
 "testing"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
diff --git a/internal/logger/logger.go b/internal/logger/logger.go
index 3435ba47..3b980bc2 100644
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -8,8 +8,8 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/timeutil"
- "github.com/githubnext/gh-aw-mcpg/internal/tty"
+ "github.com/github/gh-aw-mcpg/internal/timeutil"
+ "github.com/github/gh-aw-mcpg/internal/tty"
 )
 // Logger represents a debug logger for a specific namespace.
diff --git a/internal/logger/markdown_logger.go b/internal/logger/markdown_logger.go
index 60e52a36..d39d850f 100644
--- a/internal/logger/markdown_logger.go
+++ b/internal/logger/markdown_logger.go
@@ -6,7 +6,7 @@ import (
 "strings"
 "sync"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 )
 // MarkdownLogger manages logging to a markdown file for GitHub workflow previews
diff --git a/internal/logger/rpc_helpers.go b/internal/logger/rpc_helpers.go
index 91b6e650..f6306137 100644
--- a/internal/logger/rpc_helpers.go
+++ b/internal/logger/rpc_helpers.go
@@ -19,7 +19,7 @@ import (
 "regexp"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 )
 // Pre-compiled regexes for performance (avoid recompiling in hot paths).
diff --git a/internal/mcp/connection.go b/internal/mcp/connection.go
index a913a8c7..9189e9b3 100644
--- a/internal/mcp/connection.go
+++ b/internal/mcp/connection.go
@@ -14,8 +14,8 @@ import (
 "sync/atomic"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/logger/sanitize"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger/sanitize"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 )
diff --git a/internal/mcp/connection_arguments_test.go b/internal/mcp/connection_arguments_test.go
index c5bc01f8..bd5a4a88 100644
--- a/internal/mcp/connection_arguments_test.go
+++ b/internal/mcp/connection_arguments_test.go
@@ -36,13 +36,13 @@ func TestCallTool_ArgumentsPassed(t *testing.T) {
 inputParams: map[string]interface{}{
 "name": "list_issues",
 "arguments": map[string]interface{}{
- "owner": "githubnext",
+ "owner": "github",
 "repo": "gh-aw-mcpg",
 "state": "open",
 },
 },
 expectedArguments: map[string]interface{}{
- "owner": "githubnext",
+ "owner": "github",
 "repo": "gh-aw-mcpg",
 "state": "open",
 },
diff --git a/internal/mcp/types.go b/internal/mcp/types.go
index ff6092a1..6671503b 100644
--- a/internal/mcp/types.go
+++ b/internal/mcp/types.go
@@ -3,7 +3,7 @@ package mcp
 import (
 "encoding/json"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 // Request represents a JSON-RPC 2.0 request
diff --git a/internal/middleware/README.md b/internal/middleware/README.md
index 6272d088..983708c2 100644
--- a/internal/middleware/README.md
+++ b/internal/middleware/README.md
@@ -161,5 +161,5 @@ Payloads are stored in:
 ## References
-- Original jqschema utility: [gh-aw/.github/workflows/shared/jqschema.md](https://github.com/githubnext/gh-aw/blob/main/.github/workflows/shared/jqschema.md)
+- Original jqschema utility: [gh-aw/.github/workflows/shared/jqschema.md](https://github.com/github/gh-aw/blob/main/.github/workflows/shared/jqschema.md)
 - gojq library: [github.com/itchyny/gojq](https://github.com/itchyny/gojq)
diff --git a/internal/middleware/jqschema.go b/internal/middleware/jqschema.go
index 2e2c525c..fa8d5f46 100644
--- a/internal/middleware/jqschema.go
+++ b/internal/middleware/jqschema.go
@@ -10,7 +10,7 @@ import (
 "path/filepath"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 "github.com/itchyny/gojq"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 )
diff --git a/internal/server/auth.go b/internal/server/auth.go
index 261b35a9..a3edde6a 100644
--- a/internal/server/auth.go
+++ b/internal/server/auth.go
@@ -5,7 +5,7 @@ import (
 "net/http"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logAuth = logger.New("server:auth")
diff --git a/internal/server/call_backend_tool_test.go b/internal/server/call_backend_tool_test.go
index 9ad54b1b..aad8ccca 100644
--- a/internal/server/call_backend_tool_test.go
+++ b/internal/server/call_backend_tool_test.go
@@ -7,7 +7,7 @@ import (
 "net/http/httptest"
 "testing"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/internal/server/handlers.go b/internal/server/handlers.go
index 40522044..5dab375d 100644
--- a/internal/server/handlers.go
+++ b/internal/server/handlers.go
@@ -7,7 +7,7 @@ import (
 "os"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logHandlers = logger.New("server:handlers")
diff --git a/internal/server/handlers_test.go b/internal/server/handlers_test.go
index adcc7cb1..9d06c281 100644
--- a/internal/server/handlers_test.go
+++ b/internal/server/handlers_test.go
@@ -8,9 +8,9 @@ import (
 "strings"
 "testing"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/launcher"
- "github.com/githubnext/gh-aw-mcpg/internal/sys"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/launcher"
+ "github.com/github/gh-aw-mcpg/internal/sys"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
diff --git a/internal/server/health.go b/internal/server/health.go
index aff89754..c85170db 100644
--- a/internal/server/health.go
+++ b/internal/server/health.go
@@ -4,7 +4,7 @@ import (
 "encoding/json"
 "net/http"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logHealth = logger.New("server:health")
diff --git a/internal/server/health_test.go b/internal/server/health_test.go
index 67f894aa..60728652 100644
--- a/internal/server/health_test.go
+++ b/internal/server/health_test.go
@@ -10,7 +10,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // serverCreator defines a function type for creating HTTP servers
diff --git a/internal/server/http_error_propagation_test.go b/internal/server/http_error_propagation_test.go
index f849806c..8dfe1809 100644
--- a/internal/server/http_error_propagation_test.go
+++ b/internal/server/http_error_propagation_test.go
@@ -11,8 +11,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/launcher"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/launcher"
 )
 // TestUnifiedServer_HTTPErrorPropagation tests that HTTP backend errors are
diff --git a/internal/server/http_helpers.go b/internal/server/http_helpers.go
index 84211539..cd70ec91 100644
--- a/internal/server/http_helpers.go
+++ b/internal/server/http_helpers.go
@@ -7,9 +7,9 @@ import (
 "log"
 "net/http"
- "github.com/githubnext/gh-aw-mcpg/internal/auth"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/auth"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 )
 var logHelpers = logger.New("server:helpers")
diff --git a/internal/server/http_helpers_test.go b/internal/server/http_helpers_test.go
index c424cb06..65ab2ac1 100644
--- a/internal/server/http_helpers_test.go
+++ b/internal/server/http_helpers_test.go
@@ -8,7 +8,7 @@ import (
 "net/http/httptest"
 "testing"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
diff --git a/internal/server/integration_test.go b/internal/server/integration_test.go
index 756f2271..e92a3249 100644
--- a/internal/server/integration_test.go
+++ b/internal/server/integration_test.go
@@ -18,7 +18,7 @@ import (
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestTransparentProxy_RoutedMode tests that awmg acts as a transparent proxy
diff --git a/internal/server/nonexistent_tool_logging_test.go b/internal/server/nonexistent_tool_logging_test.go
index c72cbc34..e6afbf85 100644
--- a/internal/server/nonexistent_tool_logging_test.go
+++ b/internal/server/nonexistent_tool_logging_test.go
@@ -12,8 +12,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 // TestNonExistentToolCallLogging_RoutedMode verifies that when a non-existent tool
diff --git a/internal/server/register_tools_from_backend_test.go b/internal/server/register_tools_from_backend_test.go
index b4c10eb0..c296d1ad 100644
--- a/internal/server/register_tools_from_backend_test.go
+++ b/internal/server/register_tools_from_backend_test.go
@@ -7,7 +7,7 @@ import (
 "net/http/httptest"
 "testing"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 )
diff --git a/internal/server/routed.go b/internal/server/routed.go
index 010fd7c9..01135b45 100644
--- a/internal/server/routed.go
+++ b/internal/server/routed.go
@@ -7,7 +7,7 @@ import (
 "net/http"
 "sync"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 )
diff --git a/internal/server/routed_test.go b/internal/server/routed_test.go
index 2d6c4e83..6870089e 100644
--- a/internal/server/routed_test.go
+++ b/internal/server/routed_test.go
@@ -12,7 +12,7 @@ import (
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestCloseEndpoint_Success tests the successful shutdown flow
diff --git a/internal/server/schema_normalization_test.go b/internal/server/schema_normalization_test.go
index 78216457..9fa70496 100644
--- a/internal/server/schema_normalization_test.go
+++ b/internal/server/schema_normalization_test.go
@@ -7,8 +7,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 )
 // TestSchemaNormalization_Integration tests that broken schemas from backends
diff --git a/internal/server/sdk_logging.go b/internal/server/sdk_logging.go
index 47576989..8c09641e 100644
--- a/internal/server/sdk_logging.go
+++ b/internal/server/sdk_logging.go
@@ -8,8 +8,8 @@ import (
 "strings"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/auth"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/auth"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var logSDK = logger.New("server:sdk-frontend")
diff --git a/internal/server/server.go b/internal/server/server.go
index 37c290f5..aa036b01 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -8,10 +8,10 @@ import (
 "net/http"
 "strings"
- "github.com/githubnext/gh-aw-mcpg/internal/launcher"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/sys"
+ "github.com/github/gh-aw-mcpg/internal/launcher"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/sys"
 )
 var logServer = logger.New("server:server")
diff --git a/internal/server/shutdown_test.go b/internal/server/shutdown_test.go
index 9153e99d..8a55838f 100644
--- a/internal/server/shutdown_test.go
+++ b/internal/server/shutdown_test.go
@@ -11,7 +11,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestShutdownBehavior_RoutedMode tests that MCP endpoints return 503 after /close in routed mode
diff --git a/internal/server/tool_call_arguments_test.go b/internal/server/tool_call_arguments_test.go
index e42b287d..b236fc53 100644
--- a/internal/server/tool_call_arguments_test.go
+++ b/internal/server/tool_call_arguments_test.go
@@ -13,7 +13,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestUnifiedServer_ToolCallArguments tests that tool arguments are correctly passed through the gateway
diff --git a/internal/server/tool_name_test.go b/internal/server/tool_name_test.go
index 31382fe3..d0560990 100644
--- a/internal/server/tool_name_test.go
+++ b/internal/server/tool_name_test.go
@@ -10,7 +10,7 @@ import (
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestToolNamePreservation_RoutedMode validates that the gateway does not modify
diff --git a/internal/server/tools_list_schema_test.go b/internal/server/tools_list_schema_test.go
index 44d4ff31..38ef9381 100644
--- a/internal/server/tools_list_schema_test.go
+++ b/internal/server/tools_list_schema_test.go
@@ -8,7 +8,7 @@ import (
 "github.com/stretchr/testify/require"
 "encoding/json"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 "io"
 "net/http"
 "net/http/httptest"
diff --git a/internal/server/transport.go b/internal/server/transport.go
index f26994e8..678d7214 100644
--- a/internal/server/transport.go
+++ b/internal/server/transport.go
@@ -6,7 +6,7 @@ import (
 "net/http"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 )
diff --git a/internal/server/transport_test.go b/internal/server/transport_test.go
index 9c633654..2c863e1e 100644
--- a/internal/server/transport_test.go
+++ b/internal/server/transport_test.go
@@ -12,7 +12,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 // TestLoggingResponseWriter_WriteHeader tests the WriteHeader method
diff --git a/internal/server/unified.go b/internal/server/unified.go
index bed31a70..05595db5 100644
--- a/internal/server/unified.go
+++ b/internal/server/unified.go
@@ -10,14 +10,14 @@ import (
 "sync"
 "time"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/difc"
- "github.com/githubnext/gh-aw-mcpg/internal/guard"
- "github.com/githubnext/gh-aw-mcpg/internal/launcher"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/middleware"
- "github.com/githubnext/gh-aw-mcpg/internal/sys"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/difc"
+ "github.com/github/gh-aw-mcpg/internal/guard"
+ "github.com/github/gh-aw-mcpg/internal/launcher"
+ "github.com/github/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/middleware"
+ "github.com/github/gh-aw-mcpg/internal/sys"
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
 )
diff --git a/internal/server/unified_http_backend_test.go b/internal/server/unified_http_backend_test.go
index 8d0aaa82..6044979e 100644
--- a/internal/server/unified_http_backend_test.go
+++ b/internal/server/unified_http_backend_test.go
@@ -10,9 +10,9 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/launcher"
- "github.com/githubnext/gh-aw-mcpg/internal/mcp"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/launcher"
+ "github.com/github/gh-aw-mcpg/internal/mcp"
 )
 // TestHTTPBackendInitialization tests that HTTP backends receive session ID during initialization
diff --git a/internal/server/unified_test.go b/internal/server/unified_test.go
index 2820e9a2..2e27d318 100644
--- a/internal/server/unified_test.go
+++ b/internal/server/unified_test.go
@@ -8,7 +8,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/config"
 )
 func TestUnifiedServer_GetServerIDs(t *testing.T) {
diff --git a/internal/sys/sys.go b/internal/sys/sys.go
index 52551526..505a02d3 100644
--- a/internal/sys/sys.go
+++ b/internal/sys/sys.go
@@ -4,7 +4,7 @@ import (
 "encoding/json"
 "fmt"
- "github.com/githubnext/gh-aw-mcpg/internal/logger"
+ "github.com/github/gh-aw-mcpg/internal/logger"
 )
 var log = logger.New("sys:sys")
diff --git a/internal/testutil/mcptest/driver.go b/internal/testutil/mcptest/driver.go
index 28b02132..dc123c87 100644
--- a/internal/testutil/mcptest/driver.go
+++ b/internal/testutil/mcptest/driver.go
@@ -8,8 +8,8 @@ import (
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/config"
- "github.com/githubnext/gh-aw-mcpg/internal/server"
+ "github.com/github/gh-aw-mcpg/internal/config"
+ "github.com/github/gh-aw-mcpg/internal/server"
 )
 // TestDriver manages test servers and the gateway for integration testing
diff --git a/internal/testutil/mcptest/example_test.go b/internal/testutil/mcptest/example_test.go
index 75e8208d..078897e6 100644
--- a/internal/testutil/mcptest/example_test.go
+++ b/internal/testutil/mcptest/example_test.go
@@ -9,7 +9,7 @@ import (
 sdk "github.com/modelcontextprotocol/go-sdk/mcp"
- "github.com/githubnext/gh-aw-mcpg/internal/testutil/mcptest"
+ "github.com/github/gh-aw-mcpg/internal/testutil/mcptest"
 )
 // TestCompleteWorkflow demonstrates a complete end-to-end test workflow
diff --git a/internal/testutil/mcptest/gateway_integration_test.go b/internal/testutil/mcptest/gateway_integration_test.go
index be516b8d..d05e9971 100644
--- a/internal/testutil/mcptest/gateway_integration_test.go
+++ b/internal/testutil/mcptest/gateway_integration_test.go
@@ -11,9 +11,9 @@ import ( sdk "github.com/modelcontextprotocol/go-sdk/mcp" - "github.com/githubnext/gh-aw-mcpg/internal/config" - "github.com/githubnext/gh-aw-mcpg/internal/server" - "github.com/githubnext/gh-aw-mcpg/internal/testutil/mcptest" + "github.com/github/gh-aw-mcpg/internal/config" + "github.com/github/gh-aw-mcpg/internal/server" + "github.com/github/gh-aw-mcpg/internal/testutil/mcptest" ) // TestGatewayWithSingleBackend tests the gateway with a single backend MCP server diff --git a/internal/testutil/mcptest/harness_test.go b/internal/testutil/mcptest/harness_test.go index 9fdbb7fd..effe48dd 100644 --- a/internal/testutil/mcptest/harness_test.go +++ b/internal/testutil/mcptest/harness_test.go @@ -10,7 +10,7 @@ import ( sdk "github.com/modelcontextprotocol/go-sdk/mcp" - "github.com/githubnext/gh-aw-mcpg/internal/testutil/mcptest" + "github.com/github/gh-aw-mcpg/internal/testutil/mcptest" ) // TestBasicServerWithOneTool tests a basic MCP server with a single tool diff --git a/main.go b/main.go index c6574f2a..d880db02 100644 --- a/main.go +++ b/main.go @@ -5,7 +5,7 @@ import ( "runtime/debug" "strings" - "github.com/githubnext/gh-aw-mcpg/internal/cmd" + "github.com/github/gh-aw-mcpg/internal/cmd" ) func main() { diff --git a/test/integration/github_test.go b/test/integration/github_test.go index e7ed18cd..508cde3d 100644 --- a/test/integration/github_test.go +++ b/test/integration/github_test.go @@ -495,7 +495,7 @@ func TestGitHubMCPRealBackend(t *testing.T) { { toolPattern: "list_branches", args: map[string]interface{}{ - "owner": "githubnext", + "owner": "github", "repo": "gh-aw-mcpg", }, description: "List repository branches", @@ -504,7 +504,7 @@ func TestGitHubMCPRealBackend(t *testing.T) { { toolPattern: "list_commits", args: map[string]interface{}{ - "owner": "githubnext", + "owner": "github", "repo": "gh-aw-mcpg", }, description: "List repository commits", 
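Review bot: In test/integration/github_test.go the `"owner"` literal is repeated in five table entries of TestGitHubMCPRealBackend (the hunks at -495 and -504 here, and -513, -531 and -540 that follow), so this migration had to edit each one by hand. Hoisting it to a single declaration, `const testRepoOwner = "github"`, and using `"owner": testRepoOwner,` in each entry would keep the next move to one line. The test name suggests these calls reach a live backend, so it is worth confirming that `github/gh-aw-mcpg` resolves with the token the test uses before relying on the new value. The function body starts and ends outside these hunks.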
@@ -513,7 +513,7 @@ func TestGitHubMCPRealBackend(t *testing.T) { { toolPattern: "get_file_contents", args: map[string]interface{}{ - "owner": "githubnext", + "owner": "github", "repo": "gh-aw-mcpg", "path": "README.md", }, @@ -531,7 +531,7 @@ func TestGitHubMCPRealBackend(t *testing.T) { { toolPattern: "list_issues", args: map[string]interface{}{ - "owner": "githubnext", + "owner": "github", "repo": "gh-aw-mcpg", }, description: "List issues", @@ -540,7 +540,7 @@ func TestGitHubMCPRealBackend(t *testing.T) { { toolPattern: "list_pull_requests", args: map[string]interface{}{ - "owner": "githubnext", + "owner": "github", "repo": "gh-aw-mcpg", }, description: "List pull requests", diff --git a/test/integration/http_error_test.go b/test/integration/http_error_test.go index 0b751b3b..8224c181 100644 --- a/test/integration/http_error_test.go +++ b/test/integration/http_error_test.go @@ -11,9 +11,9 @@ import ( "github.com/stretchr/testify/require" "time" - "github.com/githubnext/gh-aw-mcpg/internal/config" - "github.com/githubnext/gh-aw-mcpg/internal/launcher" - "github.com/githubnext/gh-aw-mcpg/internal/mcp" + "github.com/github/gh-aw-mcpg/internal/config" + "github.com/github/gh-aw-mcpg/internal/launcher" + "github.com/github/gh-aw-mcpg/internal/mcp" ) // TestHTTPError_ServerError tests that 5xx server errors are properly propagated diff --git a/test/serena-mcp-tests/IMPLEMENTATION_SUMMARY.md b/test/serena-mcp-tests/IMPLEMENTATION_SUMMARY.md index 4001f86b..9d66f8b7 100644 --- a/test/serena-mcp-tests/IMPLEMENTATION_SUMMARY.md +++ b/test/serena-mcp-tests/IMPLEMENTATION_SUMMARY.md 
@@ -31,13 +31,13 @@ This implementation adds a comprehensive test suite for testing the Serena MCP S ## Test Configuration ### Gateway Setup -- **Image**: `ghcr.io/githubnext/gh-aw-mcpg:latest` +- **Image**: `ghcr.io/github/gh-aw-mcpg:latest` - **Port**: 18080 (configurable) - **Mode**: Routed mode (`/mcp/serena` endpoint) - **Config**: JSON via stdin with proper `gateway` section ### Serena Backend -- **Image**: `ghcr.io/githubnext/serena-mcp-server:latest` +- **Image**: `ghcr.io/github/serena-mcp-server:latest` - **Mount**: Test samples at `/workspace:ro` - **Init Time**: ~25 seconds (accounted for in tests) diff --git a/test/serena-mcp-tests/LATEST_RUN_SUMMARY.md b/test/serena-mcp-tests/LATEST_RUN_SUMMARY.md index b03a57ca..48b49a18 100644 --- a/test/serena-mcp-tests/LATEST_RUN_SUMMARY.md +++ b/test/serena-mcp-tests/LATEST_RUN_SUMMARY.md @@ -2,7 +2,7 @@ **Test Date:** January 19, 2026 **Test Script:** `make test-serena` -**Container Image:** `ghcr.io/githubnext/serena-mcp-server:latest` +**Container Image:** `ghcr.io/github/serena-mcp-server:latest` **Container Size:** 2.5GB ## Overall Results diff --git a/test/serena-mcp-tests/QUICKSTART.md b/test/serena-mcp-tests/QUICKSTART.md index 9bbeb2b2..6c8232c3 100644 --- a/test/serena-mcp-tests/QUICKSTART.md +++ b/test/serena-mcp-tests/QUICKSTART.md @@ -4,7 +4,7 @@ ### Prerequisites 1. Docker installed and running -2. Network access to pull `ghcr.io/githubnext/serena-mcp-server:latest` +2. Network access to pull `ghcr.io/github/serena-mcp-server:latest` ### Run All Tests 
@@ -33,7 +33,7 @@ SERENA_IMAGE="serena-mcp-server:local" ./test/serena-mcp-tests/test_serena.sh ======================================== Serena MCP Server Comprehensive Test Suite ======================================== -[INFO] Container Image: ghcr.io/githubnext/serena-mcp-server:latest +[INFO] Container Image: ghcr.io/github/serena-mcp-server:latest [INFO] Test Directory: /path/to/test/serena-mcp-tests [INFO] Samples Directory: /path/to/test/serena-mcp-tests/samples @@ -127,7 +127,7 @@ Install Docker: https://docs.docker.com/get-docker/ ### "Failed to pull container image" - Check network connectivity - Verify you have access to the GitHub Container Registry -- Try pulling manually: `docker pull ghcr.io/githubnext/serena-mcp-server:latest` +- Try pulling manually: `docker pull ghcr.io/github/serena-mcp-server:latest` ### Tests timeout or hang - Increase Docker resource limits (CPU/Memory) diff --git a/test/serena-mcp-tests/README.md b/test/serena-mcp-tests/README.md index 49ac3f8f..669414c4 100644 --- a/test/serena-mcp-tests/README.md +++ b/test/serena-mcp-tests/README.md @@ -1,6 +1,6 @@ # Serena MCP Server Test Suite -Comprehensive shell script tests for the Serena MCP Server (`ghcr.io/githubnext/serena-mcp-server:latest`), covering all 23 MCP tools across 4 programming languages. +Comprehensive shell script tests for the Serena MCP Server (`ghcr.io/github/serena-mcp-server:latest`), covering all 23 MCP tools across 4 programming languages. ## Quick Start 
@@ -53,7 +53,7 @@ These tests connect directly to the Serena MCP Server container via stdio (stand These tests connect to Serena through the MCP Gateway container, which proxies requests to the backend Serena server. This validates that Serena works correctly when accessed through the gateway infrastructure. - **Connection Method**: HTTP requests to MCP Gateway → Gateway proxies to Serena via stdio -- **Gateway Image**: `ghcr.io/githubnext/gh-aw-mcpg:latest` +- **Gateway Image**: `ghcr.io/github/gh-aw-mcpg:latest` - **Results Directory**: `results-gateway/` - **Use Case**: Testing Serena through production gateway setup - **Purpose**: Identify any behavioral differences when using the gateway @@ -369,7 +369,7 @@ Example GitHub Actions usage: - [Serena MCP Server Documentation](https://github.com/oraios/serena) - [Model Context Protocol Specification](https://github.com/modelcontextprotocol) -- [MCP Gateway Configuration](https://github.com/githubnext/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) +- [MCP Gateway Configuration](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) ## Contributing diff --git a/test/serena-mcp-tests/RESULTS_SUMMARY.md b/test/serena-mcp-tests/RESULTS_SUMMARY.md index d7a3af17..4eb9a569 100644 --- a/test/serena-mcp-tests/RESULTS_SUMMARY.md +++ b/test/serena-mcp-tests/RESULTS_SUMMARY.md @@ -6,7 +6,7 @@ ## Test Execution -The Serena MCP Server comprehensive test suite was executed successfully using the updated `test_serena.sh` script against the container image `ghcr.io/githubnext/serena-mcp-server:latest`. +The Serena MCP Server comprehensive test suite was executed successfully using the updated `test_serena.sh` script against the container image `ghcr.io/github/serena-mcp-server:latest`. ## Quick Results diff --git a/test/serena-mcp-tests/TEST_REPORT.md b/test/serena-mcp-tests/TEST_REPORT.md index e76709d6..9e7ab87e 100644 --- a/test/serena-mcp-tests/TEST_REPORT.md 
+++ b/test/serena-mcp-tests/TEST_REPORT.md @@ -1,7 +1,7 @@ # Serena MCP Server Test Report **Test Execution Date:** January 19, 2026 -**Container Image:** `ghcr.io/githubnext/serena-mcp-server:latest` +**Container Image:** `ghcr.io/github/serena-mcp-server:latest` **Test Script:** `test_serena.sh` (Updated) **Test Location:** `/home/runner/work/gh-aw-mcpg/gh-aw-mcpg/test/serena-mcp-tests` @@ -21,7 +21,7 @@ The test suite validates multi-language support (Go, Java, JavaScript, Python), | Test # | Test Name | Status | Notes | |--------|-----------|--------|-------| | 1 | Docker Availability | ✓ PASS | Docker is installed and operational | -| 2 | Container Image Availability | ✓ PASS | Successfully pulled `ghcr.io/githubnext/serena-mcp-server:latest` | +| 2 | Container Image Availability | ✓ PASS | Successfully pulled `ghcr.io/github/serena-mcp-server:latest` | | 3 | Container Basic Functionality | ✓ PASS | Container help command works correctly | ### Language Runtime Verification (4/4 Passed) diff --git a/test/serena-mcp-tests/TEST_RUN_COMPARISON.md b/test/serena-mcp-tests/TEST_RUN_COMPARISON.md index 649a835c..146e3059 100644 --- a/test/serena-mcp-tests/TEST_RUN_COMPARISON.md +++ b/test/serena-mcp-tests/TEST_RUN_COMPARISON.md @@ -126,7 +126,7 @@ The direct connection test confirmed all 29 Serena tools are available: **Date:** January 19, 2026 **Command:** `make test-serena-gateway` **Connection Type:** HTTP requests through MCP Gateway to Serena backend -**Gateway Image:** `ghcr.io/githubnext/gh-aw-mcpg:latest` +**Gateway Image:** `ghcr.io/github/gh-aw-mcpg:latest` **Results Directory:** `test/serena-mcp-tests/results-gateway/` ### Summary diff --git a/test/serena-mcp-tests/test_serena.sh b/test/serena-mcp-tests/test_serena.sh index fcdb5be5..1605e289 100755 --- a/test/serena-mcp-tests/test_serena.sh +++ b/test/serena-mcp-tests/test_serena.sh 
@@ -17,7 +17,7 @@ BLUE='\033[0;34m' NC='\033[0m' # No Color # Configuration -CONTAINER_IMAGE="${SERENA_IMAGE:-ghcr.io/githubnext/serena-mcp-server:latest}" +CONTAINER_IMAGE="${SERENA_IMAGE:-ghcr.io/github/serena-mcp-server:latest}" TEST_DIR="$(cd "$(dirname "$0")" && pwd)" SAMPLES_DIR="${TEST_DIR}/samples" EXPECTED_DIR="${TEST_DIR}/expected" diff --git a/test/serena-mcp-tests/test_serena_via_gateway.sh b/test/serena-mcp-tests/test_serena_via_gateway.sh index 49a8dc5c..0e2c8e7b 100755 --- a/test/serena-mcp-tests/test_serena_via_gateway.sh +++ b/test/serena-mcp-tests/test_serena_via_gateway.sh @@ -18,8 +18,8 @@ BLUE='\033[0;34m' NC='\033[0m' # No Color # Configuration -GATEWAY_IMAGE="${GATEWAY_IMAGE:-ghcr.io/githubnext/gh-aw-mcpg:latest}" -SERENA_IMAGE="${SERENA_IMAGE:-ghcr.io/githubnext/serena-mcp-server:latest}" +GATEWAY_IMAGE="${GATEWAY_IMAGE:-ghcr.io/github/gh-aw-mcpg:latest}" +SERENA_IMAGE="${SERENA_IMAGE:-ghcr.io/github/serena-mcp-server:latest}" TEST_DIR="$(cd "$(dirname "$0")" && pwd)" SAMPLES_DIR="${TEST_DIR}/samples" EXPECTED_DIR="${TEST_DIR}/expected" From ab16889d562a9366c00c41e5235400ad66d5785a Mon Sep 17 00:00:00 2001 
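Review bot: The default in `CONTAINER_IMAGE` still resolves through the mutable `:latest` tag, so after the namespace move the test run executes whatever is currently published under `ghcr.io/github/` with no integrity check. The same applies to the `GATEWAY_IMAGE` and `SERENA_IMAGE` defaults in test_serena_via_gateway.sh. Pinning the defaults by digest, for example `CONTAINER_IMAGE="${SERENA_IMAGE:-ghcr.io/github/serena-mcp-server@sha256:<digest-placeholder>}"`, makes the run reproducible and an unexpected image change visible, and the environment overrides still allow a local image. Whether both images are already published under the new namespace cannot be seen from the diff and should be confirmed before merging.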
From: Landon Cox Date: Mon, 2 Feb 2026 18:51:49 -0800 Subject: [PATCH 2/3] chore: update gh-aw actions to v0.40.0 --- .../workflows/daily-compliance-checker.lock.yml | 12 ++++++------ .github/workflows/duplicate-code-detector.lock.yml | 10 +++++----- .github/workflows/go-fan.lock.yml | 12 ++++++------ .github/workflows/go-logger.lock.yml | 12 ++++++------ .github/workflows/issue-monster.lock.yml | 12 ++++++------ .../workflows/mcp-gateway-log-analyzer.lock.yml | 10 +++++----- .github/workflows/plan.lock.yml | 12 ++++++------ .github/workflows/release.lock.yml | 12 ++++++------ .../workflows/semantic-function-refactor.lock.yml | 10 +++++----- .github/workflows/smoke-copilot.lock.yml | 14 +++++++------- .github/workflows/test-coverage-improver.lock.yml | 12 ++++++------ .github/workflows/test-improver.lock.yml | 12 ++++++------ 12 files changed, 70 insertions(+), 70 deletions(-) diff --git a/.github/workflows/daily-compliance-checker.lock.yml b/.github/workflows/daily-compliance-checker.lock.yml index 7eb8a1b5..cfb2b027 100644 --- a/.github/workflows/daily-compliance-checker.lock.yml +++ b/.github/workflows/daily-compliance-checker.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1179,7 +1179,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
@@ -1264,7 +1264,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1424,7 +1424,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1461,7 +1461,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 9fbfc817..78108ff9 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1108,7 +1108,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
@@ -1193,7 +1193,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1353,7 +1353,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 1f046238..2b148476 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -52,7 +52,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1103,7 +1103,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1189,7 +1189,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1350,7 +1350,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1387,7 +1387,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 96132298..1335977b 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1035,7 +1035,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1118,7 +1118,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1280,7 +1280,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1342,7 +1342,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 8a606150..e214badc 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -56,7 +56,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -93,7 +93,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -915,7 +915,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -999,7 +999,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1146,7 +1146,7 @@ jobs: activated: ${{ ((steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true')) && (steps.check_skip_if_no_match.outputs.skip_no_match_check_ok == 'true') }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1211,7 +1211,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/mcp-gateway-log-analyzer.lock.yml b/.github/workflows/mcp-gateway-log-analyzer.lock.yml index 8a01ded3..a3811d59 100644 --- a/.github/workflows/mcp-gateway-log-analyzer.lock.yml +++ b/.github/workflows/mcp-gateway-log-analyzer.lock.yml @@ -49,7 +49,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -85,7 +85,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1247,7 +1247,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
@@ -1332,7 +1332,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1492,7 +1492,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index a170f2f8..68a7eb76 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -64,7 +64,7 @@ jobs: text: ${{ steps.compute-text.outputs.text }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -121,7 +121,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -942,7 +942,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1023,7 +1023,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1174,7 +1174,7 @@ jobs: matched_command: ${{ steps.check_command_position.outputs.matched_command }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check team membership for command workflow @@ -1221,7 +1221,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index ddec06e5..10f655be 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -60,7 +60,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -100,7 +100,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -910,7 +910,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1053,7 +1053,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1294,7 +1294,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1429,7 +1429,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 8ea4b825..3adde91e 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -52,7 +52,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -87,7 +87,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1220,7 +1220,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1303,7 +1303,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1463,7 +1463,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 80eebe87..3743a17a 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -64,7 +64,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -122,7 +122,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -977,7 +977,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1082,7 +1082,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1245,7 +1245,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Add eyes reaction for immediate feedback @@ -1301,7 +1301,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1345,7 +1345,7 @@ jobs: actions persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.37.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index 82b5d468..eb1dd25d 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1087,7 +1087,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1170,7 +1170,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1332,7 +1332,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1394,7 +1394,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-improver.lock.yml b/.github/workflows/test-improver.lock.yml index 2a7c3dcd..52886728 100644 --- a/.github/workflows/test-improver.lock.yml +++ b/.github/workflows/test-improver.lock.yml @@ -48,7 +48,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -83,7 +83,7 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -1139,7 +1139,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1222,7 +1222,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1384,7 +1384,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1446,7 +1446,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.36.0 + uses: github/gh-aw/actions/setup@v0.40.0 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) From 1e5d7c5f9143a364b1892b798a05d993cd9c265a Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Mon, 2 Feb 2026 18:58:36 -0800 Subject: [PATCH 3/3] chore: recompile agentic workflows --- .github/aw/actions-lock.json | 39 +- .github/workflows/agentics-maintenance.yml | 146 +-- .../daily-compliance-checker.lock.yml | 809 ++++------------ .../duplicate-code-detector.lock.yml | 711 ++++---------- .github/workflows/go-fan.lock.yml | 724 +++++--------- .github/workflows/go-logger.lock.yml | 663 +++++-------- .github/workflows/issue-monster.lock.yml | 592 +++++------- .../mcp-gateway-log-analyzer.lock.yml | 890 ++++-------------- .github/workflows/plan.lock.yml | 528 +++++------ .github/workflows/release.lock.yml | 546 ++++------- .../semantic-function-refactor.lock.yml | 833 +++++----------- .github/workflows/smoke-codex.lock.yml | 253 ++--- .github/workflows/smoke-copilot.lock.yml | 273 ++---- .../workflows/test-coverage-improver.lock.yml | 723 +++++--------- .github/workflows/test-improver.lock.yml | 777 +++++---------- 15 files changed, 2642 insertions(+), 5865 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 611628a1..55a7471e 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -1,5 +1,15 @@ { "entries": { + "actions/cache/restore@v4.3.0": { + "repo": "actions/cache/restore", + "version": "v4.3.0", + "sha": "0057852bfaa89a56745cba8c7296529d2fc39830" + }, + "actions/cache/save@v4.3.0": { + "repo": "actions/cache/save", + "version": "v4.3.0", + "sha": "0057852bfaa89a56745cba8c7296529d2fc39830" + }, "actions/checkout@v4": { "repo": "actions/checkout", "version": "v4", 
@@ -10,9 +20,19 @@ "version": "v5", "sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd" }, - "actions/github-script@v8": { + "actions/checkout@v6": { + "repo": "actions/checkout", + "version": "v6", + "sha": "8e8c483db84b4bee98b60c0593521ed34d9990e8" + }, + "actions/download-artifact@v6.0.0": { + "repo": "actions/download-artifact", + "version": "v6.0.0", + "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53" + }, + "actions/github-script@v8.0.0": { "repo": "actions/github-script", - "version": "v8", + "version": "v8.0.0", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, "actions/setup-go@v6": { @@ -20,6 +40,11 @@ "version": "v6", "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c" }, + "actions/setup-node@v6.1.0": { + "repo": "actions/setup-node", + "version": "v6.1.0", + "sha": "395ad3262231945c25e8478fd5baf05154b1d79f" + }, "actions/setup-python@v5": { "repo": "actions/setup-python", "version": "v5", @@ -30,6 +55,11 @@ "version": "v5", "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4" }, + "actions/upload-artifact@v6.0.0": { + "repo": "actions/upload-artifact", + "version": "v6.0.0", + "sha": "b7c566a772e6b6bfb58ed0dc250532a479d7789f" + }, "anchore/sbom-action@v0.20.10": { "repo": "anchore/sbom-action", "version": "v0.20.10", @@ -69,6 +99,11 @@ "repo": "github/gh-aw/actions/setup", "version": "v0.36.0", "sha": "547a146e95910805ca7136cedc9069497c14210d" + }, + "githubnext/gh-aw/actions/setup@v0.38.5": { + "repo": "githubnext/gh-aw/actions/setup", + "version": "v0.38.5", + "sha": "c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2" } } } diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 71ff5344..4ce096d5 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml 
@@ -13,11 +13,11 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by pkg/workflow/maintenance_workflow.go. DO NOT EDIT. +# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.38.5). DO NOT EDIT. # # To regenerate this workflow, run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Alternative regeneration methods: # make recompile @@ -26,7 +26,7 @@ # ./gh-aw compile --validate --verbose # # The workflow is generated when any workflow uses the 'expires' field -# in create-discussions or create-issues safe-outputs configuration. +# in create-discussions, create-issues, or create-pull-request safe-outputs configuration. # Schedule frequency is automatically determined by the shortest expiration time. # name: Agentic Maintenance @@ -39,20 +39,15 @@ on: permissions: {} jobs: - close-expired-discussions: + close-expired-entities: runs-on: ubuntu-slim permissions: discussions: write + issues: write + pull-requests: write steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@v0.38.5 with: destination: /opt/gh-aw/actions 
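Review bot: In the `@@ -39,20 +39,15 @@` hunk the new `Setup Scripts` step of `close-expired-entities` uses `githubnext/gh-aw/actions/setup@v0.38.5`, a tag reference, while `actions/github-script` in this same workflow and the checkout steps this hunk removes are pinned to full commit SHAs. The hunk also widens the job to `discussions: write`, `issues: write` and `pull-requests: write`, so whatever the tag resolves to at run time executes with those scopes. The lock files recompiled in this same patch already reference the action as `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, and the maintenance workflow should use the same form. The header marks this file as generated by `pkg/workflow/maintenance_workflow.go`, so the change belongs in that generator rather than in a hand edit. The job's remaining steps continue past this hunk.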
@@ -65,23 +60,6 @@ jobs: const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); await main(); - close-expired-issues: - runs-on: ubuntu-slim - permissions: - issues: write - steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - - name: Close expired issues uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: 
@@ -91,117 +69,11 @@ jobs: const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); await main(); - compile-workflows: - runs-on: ubuntu-slim - permissions: - contents: read - issues: write - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - - name: Setup Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Compile workflows - run: | - ./gh-aw compile --validate --verbose - echo "✓ All workflows compiled successfully" - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - - - name: Check for out-of-sync workflows and create issue if needed - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - script: | - const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); - setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs'); - await main(); - - zizmor-scan: - runs-on: ubuntu-slim - needs: compile-workflows - permissions: - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Run zizmor security scanner - run: | - ./gh-aw compile --zizmor --verbose - echo "✓ Zizmor security scan completed" - - secret-validation: - runs-on: ubuntu-slim - permissions: - contents: read - steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - - - name: Setup Node.js - uses: 
actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: '22' - - - name: Setup Scripts - uses: ./actions/setup - with: - destination: /opt/gh-aw/actions - - - name: Validate Secrets + - name: Close expired pull requests uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - # GitHub tokens - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} - GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }} - # AI Engine API keys - ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }} - # Integration tokens - NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs'); await main(); - - - name: Upload secret validation report - if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: secret-validation-report - path: secret-validation-report.md - retention-days: 30 - if-no-files-found: warn diff --git a/.github/workflows/daily-compliance-checker.lock.yml b/.github/workflows/daily-compliance-checker.lock.yml index cfb2b027..655774b3 100644 --- a/.github/workflows/daily-compliance-checker.lock.yml +++ b/.github/workflows/daily-compliance-checker.lock.yml 
@@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily automated compliance checker that validates MCP Gateway implementation against the official specification +# +# frontmatter-hash: c8ca6259f7431a068511cd78abc674ee95a4f5abab27c701cba12a68be670358 name: "Daily Compliance Checker" "on": @@ -28,10 +30,7 @@ name: "Daily Compliance Checker" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -48,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -72,8 +71,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
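Review bot: The `Setup Scripts` step in the `@@ -48,7 +47,7 @@` hunk replaces `github/gh-aw/actions/setup@v0.40.0` with `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, which returns to the `githubnext` owner that PATCH 1/3 of this series migrated away from and to an older release. The same reversal shows in this file's header (`gh-aw (v0.38.5)` and the documentation URL), in the `@@ -81,13 +84,14 @@` hunk, in the URL passed to `validate_multi_secret.sh`, and in `.github/workflows/agentics-maintenance.yml`. Judging only from the version strings, the recompile appears to have been run with a v0.38.5 compiler rather than the one that produced the v0.40.0 references. The SHA pin is worth keeping, but the owner and version should match the migration, for example `uses: github/gh-aw/actions/setup@<commit-sha> # v0.40.0`, produced by recompiling with the newer `gh aw` rather than by editing the lock file. A reference to a former owner namespace stays trustworthy only while that namespace remains under the same control.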
@@ -81,13 +84,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory @@ -101,7 +105,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - - name: Restore cache memory file share data + - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} 
@@ -134,28 +138,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -166,8 +156,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -219,7 +209,7 @@ jobs: "name": "create_issue" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -228,16 +218,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
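Review bot: The `Download container images` step in the `@@ -166,8 +156,8 @@` hunk pulls `ghcr.io/github/github-mcp-server:v0.30.2`, `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` and `node:lts-alpine` by tag, and `node:lts-alpine` is a moving tag, so the images a run receives are not fixed by this lock file the way its `uses:` lines are fixed by commit SHA. This matters most for the `gh-aw-mcpg` image, because the later `@@ -333,69 +348,96 @@` hunk starts it through `MCP_GATEWAY_DOCKER_COMMAND` with `--network host`, `-v /var/run/docker.sock:/var/run/docker.sock`, `-e GITHUB_TOKEN`, `-e GITHUB_MCP_SERVER_TOKEN` and `-e DEBUG="*"`. A digest reference such as `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84@sha256:<digest>` would bind that privileged container to one image, and it is worth confirming that `DEBUG="*"` cannot write the forwarded tokens or the generated API keys into the gateway's logs. The image also still lives under `githubnext`, unlike the `ghcr.io/github/*` target named in PATCH 1/3. These values come from the compiler, so the change belongs in the workflow source or the generator, not in the lock file.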
@@ -260,6 +249,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -313,7 +329,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -333,69 +348,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -408,8 +450,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Daily Compliance Checker", experimental: false, supports_tools_allowlist: true, @@ -423,10 +465,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -447,490 +489,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Daily MCP Gateway Compliance Checker 🔍 - - You are an AI compliance auditor that verifies the MCP Gateway implementation follows the official [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md). - - ## Mission - - Review the MCP Gateway codebase daily to ensure full compliance with the specification, focusing on recent changes to prevent regressions. Report any deviations with detailed references and suggest remediation tasks. - - ## Step 1: Review Recent Changes First 🔄 - - Start by understanding what changed recently to catch regressions early: - - 1. **Get recent commit history:** - ```bash - git log --oneline --max-count=20 - ``` - - 2. **Review changes from last 10 commits:** - ```bash - git --no-pager diff HEAD~10..HEAD - ``` - - 3. **Identify modified files:** - - Focus on `internal/config/`, `internal/server/`, `internal/launcher/` - - Check for changes to validation logic - - Look for new features or configuration options - - 4. 
**Prioritize recent changes:** - - Files modified in the last 10 commits get highest priority - - Check if recent changes align with specification requirements - - ## Step 2: Check Cache Memory 💾 - - Use cache memory to avoid re-validating already-checked aspects: - - 1. **Check cache directory:** - - Path: `/tmp/gh-aw/cache-memory/daily-compliance-checker/` - - Read `validated-aspects.json` to see what was already validated - - Read `last-commit.json` to track the last reviewed commit - - Read `known-issues.json` to track ongoing compliance issues - - 2. **Update cache after validation:** - - Save validated specification sections - - Track the current commit SHA - - Update known issues list - - 3. **Cache structure:** - ```json - { - "lastCommit": "abc123...", - "lastRun": "2026-01-09T16:00:00Z", - "validatedAspects": { - "configuration-validation": "passed", - "variable-expansion": "passed", - "containerization-requirement": "issue-found", - "protocol-translation": "passed" - }, - "knownIssues": [ - { - "aspect": "containerization-requirement", - "issue": "Brief description", - "issueNumber": 123 - } - ] - } - ``` - - ## Step 3: Fetch Official Specification 📖 - - Get the latest specification to check against using the GitHub MCP: - - Use the GitHub MCP's `get_file_contents` tool to read the specification file: - - **Owner**: `github` - - **Repo**: `gh-aw` - - **Path**: `docs/src/content/docs/reference/mcp-gateway.md` - - **Ref**: `main` (to get the latest version) - - Example: - ``` - Use github get_file_contents with owner=github, repo=gh-aw, path=docs/src/content/docs/reference/mcp-gateway.md, ref=main - ``` - - Parse the specification to extract: - - Required features (marked with "MUST", "REQUIRED", "SHALL") - - Recommended features (marked with "SHOULD", "RECOMMENDED") - - Optional features (marked with "MAY", "OPTIONAL") - - Compliance test requirements (Section 10) - - ## Step 4: Systematic Compliance Review 🔬 - - Review each section of the specification 
systematically. For **CHANGED FILES from Step 1**, perform DEEP review. For unchanged aspects in cache, perform LIGHT review. - - ### 4.1 Configuration Compliance (Section 4) - - **Specification Requirements:** - - Configuration via stdin in JSON format ✓ - - Support for `mcpServers` object structure ✓ - - Server configuration fields (container, entrypoint, entrypointArgs, mounts, env, type, url) ✓ - - Gateway configuration fields (port, domain, apiKey, startupTimeout, toolTimeout) ✓ - - Variable expression rendering with `${VAR_NAME}` syntax ✓ - - Fail-fast on undefined variables ✓ - - Schema validation with helpful error messages ✓ - - Reject unknown top-level fields ✓ - - **Check:** - 1. Read `internal/config/config.go` and `internal/config/validation.go` - 2. Verify all required fields are validated - 3. Confirm variable expansion fails fast on undefined variables - 4. Check error messages include JSONPath and suggestions - 5. Verify `command` field is NOT supported (spec requirement) - 6. Verify stdio servers require `container` field - 7. Verify HTTP servers require `url` field - - **Deep Link Template:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#41-configuration-format` - - ### 4.2 Containerization Requirement (Section 3.2.1) - - **Critical Specification Requirement:** - > "Stdio-based MCP servers MUST be containerized. The gateway SHALL NOT support direct command execution without containerization (stdio+command)" - - **Check:** - 1. Read `internal/launcher/` code - 2. Verify NO support for direct command execution - 3. Verify all stdio servers use Docker containers - 4. 
Check that `command` field is rejected during validation - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#321-containerization-requirement` - - ### 4.3 Protocol Behavior (Section 5) - - **Specification Requirements:** - - HTTP endpoints: `POST /mcp/{server-name}` and `GET /health` ✓ - - JSON-RPC 2.0 request/response format ✓ - - Request routing to backend servers ✓ - - Protocol translation (stdio ↔ HTTP) ✓ - - Timeout handling (startup and tool timeouts) ✓ - - Stdout configuration output after initialization ✓ - - **Check:** - 1. Read `internal/server/routed.go` and `internal/server/unified.go` - 2. Verify endpoint structure matches specification - 3. Check JSON-RPC 2.0 compliance - 4. Verify protocol translation logic - 5. Check timeout enforcement - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#5-protocol-behavior` - - ### 4.4 Server Isolation (Section 6) - - **Specification Requirements:** - - Each stdio server in separate container ✓ - - Isolated stdin/stdout/stderr streams ✓ - - Prevent cross-container communication ✓ - - Container failures don't affect other containers ✓ - - No sharing of environment variables, credentials, or config ✓ - - **Check:** - 1. Read `internal/launcher/docker.go` - 2. Verify container isolation implementation - 3. Check environment variable isolation - 4. Verify failure isolation - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#6-server-isolation` - - ### 4.5 Authentication (Section 7) - - **Specification Requirements:** - - API key authentication via Authorization header ✓ - - Reject requests with missing/invalid tokens (HTTP 401) ✓ - - Health endpoint exempt from authentication ✓ - - No logging of API keys in plaintext ✓ - - **Check:** - 1. Read authentication middleware code - 2. Verify Authorization header validation - 3. 
Check health endpoint exemption - 4. Verify no plaintext API key logging - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#7-authentication` - - ### 4.6 Health Monitoring (Section 8) - - **Specification Requirements:** - - `/health` endpoint returns server status ✓ - - Health check includes server uptime and status ✓ - - Periodic health checks (every 30 seconds recommended) ✓ - - Automatic restart of failed stdio servers ✓ - - **Check:** - 1. Read health endpoint implementation - 2. Verify health check response format - 3. Check periodic health monitoring - 4. Verify automatic restart logic - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#8-health-monitoring` - - ### 4.7 Error Handling (Section 9) - - **Specification Requirements:** - - Detailed startup failure messages to stdout ✓ - - Exit with status code 1 on startup failure ✓ - - JSON-RPC error response format ✓ - - Proper error codes (-32700 to -32603, -32000 to -32099) ✓ - - Graceful degradation (continue serving healthy servers) ✓ - - **Check:** - 1. Read error handling code across `internal/` packages - 2. Verify startup failure behavior - 3. Check JSON-RPC error format - 4. Verify error codes match specification - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#9-error-handling` - - ### 4.8 Compliance Testing (Section 10) - - **Specification Requirements:** - The specification defines test categories that implementations MUST pass: - - Configuration Tests (T-CFG-001 to T-CFG-008) - - Protocol Translation Tests (T-PTL-001 to T-PTL-006) - - Isolation Tests (T-ISO-001 to T-ISO-005) - - Authentication Tests (T-AUTH-001 to T-AUTH-005) - - **Check:** - 1. Read test files in `test/` and `internal/*/` - 2. Map existing tests to specification test IDs - 3. Identify missing compliance tests - 4. 
Verify test coverage for critical requirements - - **Deep Link:** - `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#10-compliance-testing` - - ## Step 5: Cross-Reference with README and Documentation 📚 - - Ensure documentation matches implementation and specification: - - 1. **Read README.md:** - - Check configuration examples match specification - - Verify feature list is accurate - - Ensure documented limitations align with spec - - 2. **Read AGENTS.md:** - - Check agent instructions reference correct features - - Verify build/test commands are accurate - - 3. **Check for inconsistencies:** - - Documentation claims features not in code - - Code implements features not documented - - Examples that violate specification - - ## Step 6: Identify Issues and Create Report 📋 - - For each compliance issue found: - - 1. **Document the issue:** - - **Section:** Which spec section (e.g., "4.1 Configuration Format") - - **Requirement:** The specific MUST/SHOULD/SHALL requirement - - **Current State:** What the code currently does - - **Gap:** How it deviates from the specification - - **Deep Link:** Direct link to the spec section (format: `https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#section-id`) - - **File References:** Specific files and line numbers - - **Severity:** Critical (MUST violation), Important (SHOULD violation), Minor (MAY suggestion) - - 2. **Example issue format:** - ```markdown - ### Issue: Variable Expansion Not Failing Fast - - **Specification Section:** 4.2.2 Variable Expression Resolution - **Deep Link:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior - - **Requirement:** - > "The gateway MUST... FAIL IMMEDIATELY if a referenced variable is not defined" - - **Current State:** - In `internal/config/validation.go:45`, undefined variables are logged but don't stop execution. 
- - **Gap:** - The implementation logs warnings instead of failing immediately with exit code 1. - - **Severity:** Critical (MUST violation) - - **File References:** - - `internal/config/validation.go:45-52` - - `internal/config/config.go:78` - - **Suggested Fix:** - Return an error immediately when an undefined variable is detected, and exit with status code 1 in the CLI. - ``` - - ## Step 7: Create GitHub Issue with Findings 🎫 - - If compliance issues are found: - - 1. **Create a comprehensive issue** using the safe-outputs create-issue: - - **Title Format:** `Compliance Gap: [Brief Description]` - - **Issue Body Structure:** - ```markdown - # MCP Gateway Compliance Review - [Date] - - ## Summary - - Found [N] compliance issues during daily review of commits [commit-range]. - - ## Recent Changes Reviewed - - - [List of modified files from Step 1] - - [Commit SHAs reviewed] - - ## Critical Issues (MUST violations) - - ### 1. [Issue Title] - [Full issue details with deep links as per Step 6] - - ### 2. [Next issue...] - - ## Important Issues (SHOULD violations) - - [Similar format] - - ## Minor Suggestions (MAY improvements) - - [Similar format] - - ## Suggested Remediation Tasks - - ### Task 1: Fix Variable Expansion Validation - **Description:** Update validation logic to fail immediately on undefined variables - **Files:** `internal/config/validation.go` - **Specification Reference:** https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#422-resolution-behavior - **Estimated Effort:** Small (2-3 hours) - - ### Task 2: [Next task...] 
- - ## Compliance Status - - - ✅ Configuration Format (Section 4.1): Compliant - - ⚠️ Variable Expansion (Section 4.2): Partial compliance - - ✅ Containerization (Section 3.2.1): Compliant - - ❌ Error Handling (Section 9): Non-compliant - - ## References - - - [MCP Gateway Specification](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md) - - Last review: [Previous review issue if any] - - Commits reviewed: [commit range] - ``` - - 2. **Update cache memory:** - - Save the current compliance status - - Track the issue number for this report - - Update validated aspects with new findings - - ## Step 8: Success Case - No Issues Found ✅ - - If NO compliance issues are found: - - 1. **DO NOT create an issue** (successful runs should be quiet) - 2. **Update cache memory:** - - Mark all sections as validated - - Save current commit SHA - - Update last run timestamp - 3. **Exit successfully** - - The workflow should only create issues when problems are found, following the principle of "silence is golden" for successful operations. 
- - ## Guidelines for Excellence - - ### Accuracy - - Always verify claims against actual code - - Include specific file and line references - - Test your assumptions by reading the code - - Don't report false positives - - ### Thoroughness - - Check ALL specification sections systematically - - Focus extra attention on recent changes - - Use cache to avoid redundant checks - - Cross-reference documentation - - ### Actionability - - Every issue must have a clear remediation path - - Include deep links to specification sections - - Provide file references and line numbers - - Suggest specific fixes - - ### Efficiency - - Use cache memory to skip validated aspects - - Focus on changed files first - - Batch related issues together - - Don't create duplicate issues - - ### Quality - - Prioritize by severity (MUST > SHOULD > MAY) - - Be specific about gaps, not vague - - Include reproduction steps if applicable - - Link to related issues or PRs - - ## Cache Memory Structure - - Maintain the following in `/tmp/gh-aw/cache-memory/daily-compliance-checker/`: - - 1. **`validated-aspects.json`** - Tracks validation status of spec sections - 2. **`last-commit.json`** - Records last reviewed commit SHA - 3. **`known-issues.json`** - Tracks open compliance issues - 4. **`review-history.json`** - Historical review results - - ## Important Notes - - - **Focus on regressions:** Recent changes are highest priority - - **Use deep links:** Every issue needs a specification URL - - **Be constructive:** Suggest fixes, not just problems - - **Track progress:** Use cache to avoid redundant work - - **Quality over quantity:** Better to find 2 real issues than 10 false positives - - ## Expected Output - - Your workflow run should result in: - - 1. **If issues found:** - - A detailed GitHub issue with all findings - - Updated cache with current status - - Clear remediation tasks - - 2. 
**If no issues found:** - - Updated cache confirming compliance - - No issue created (silence is success) - - Begin your compliance review! Review recent changes first, use cache memory to track progress, and report any deviations from the specification with deep URL references. - + PROMPT_EOF - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append cache memory instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. - - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. 
- PROMPT_EOF - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions @@ -940,25 +518,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} 
@@ -988,10 +552,18 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/daily-compliance-checker.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} @@ -1008,6 +580,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -1028,6 +602,10 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -1038,8 +616,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" 
--env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
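Review bot: The rewritten `awf` command still passes `--env-all` under `sudo -E`, so the long explicit `--env "NAME=${NAME}"` list added here narrows nothing; assuming `--env-all` forwards the whole step environment, every variable set for this step still crosses into the agent container. The same command adds `--enable-host-access`, a read-write `${HOME}/.cache` mount, `/usr/bin/curl`, and more than thirty extra `--allow-domains` entries (package mirrors, a keyserver, CRL/OCSP hosts) for an agent started with `--allow-all-tools --allow-all-paths`. That is more reach than a read-and-report compliance check appears to need, and the same domain list is repeated in `GH_AW_ALLOWED_DOMAINS` in the `-1098` hunk. Consider dropping `--env-all` in favour of the explicit list and trimming the domains to what this workflow uses. Because this lock file is generated, the change belongs in the workflow's source `.md` or the compiler defaults; the `run:` block itself starts above this hunk.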
@@ -1049,7 +629,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -1071,6 +650,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1098,7 +686,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1133,12 +721,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: always() @@ -1179,7 +780,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
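Review bot: In the new `Print firewall logs` step, `sudo chmod -R a+r` grants read but not search permission, so a root-owned subdirectory created without the execute bit for others stays untraversable and the artifact upload mentioned in the comment can still miss files. `a+rX` adds search permission on directories without marking regular files executable. The path is also hard-coded although the step already sets `AWF_LOGS_DIR`. Suggested line: `sudo chmod -R a+rX "$AWF_LOGS_DIR" 2>/dev/null || true`.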
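Review bot: The new side of the `Setup Scripts` step uses `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5` in place of `github/gh-aw/actions/setup@v0.40.0`, which runs opposite to the commit description (githubnext -> github) and moves to an older release. Pinning to a full commit SHA is the stronger form and worth keeping, but a reference left on the owner being vacated depends on that namespace continuing to resolve to the same project. The same replacement appears in the `-1264`, `-1424` and `-1461` hunks of this file and the `-48` and `-81` hunks of `duplicate-code-detector.lock.yml`, alongside `https://githubnext.github.io/...` help URLs and `ghcr.io/githubnext/gh-aw-mcpg`. Confirm the patch was produced in the intended direction, or recompile the lock files with the migrated compiler so they read `github/gh-aw/actions/setup@<commit-sha>`.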
@@ -1233,6 +834,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Daily Compliance Checker" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1264,7 +881,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1343,22 +960,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1424,7 +1031,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
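Review bot: The `Install GitHub Copilot CLI` step now delegates to `/opt/gh-aw/actions/install_copilot_cli.sh 0.0.399`, and the inline `copilot --version` check that followed the install is no longer in the workflow. No longer fetching `install.sh` from a branch head at run time is an improvement, but whether the helper verifies what it downloads (checksum or signature) is not visible in this diff and should be confirmed in the script. The same question applies to `install_awf_binary.sh v0.11.2` in the `-129` hunk of `duplicate-code-detector.lock.yml`, which replaces a `curl ... | sudo ... bash` pipeline. A one-line comment on each step such as `# installer verifies release checksum before install` would record that the check exists, once it has been confirmed.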
@@ -1443,7 +1050,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"compliance\",\"automation\",\"specification\"],\"max\":1,\"title_prefix\":\"[compliance] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"compliance\",\"automation\",\"specification\"],\"max\":1,\"title_prefix\":\"[compliance] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1461,7 +1068,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 78108ff9..a52305e3 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Identifies duplicate code patterns across the Go codebase and suggests refactoring opportunities +# +# frontmatter-hash: c04c0ee2251c00734c0be25cbf4e0dc7a7c35d1170669d50e9727203947f01db name: "Duplicate Code Detector" "on": 
@@ -28,10 +30,7 @@ name: "Duplicate Code Detector" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -48,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -72,8 +71,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -81,27 +84,16 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: '1.25' - - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: '3.12' - - name: Setup uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 - - name: Install Go language service (gopls) - run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials 
@@ -129,28 +121,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -161,15 +139,15 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"create_issue":{"max":4},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"create_issue":{"expires":168,"max":4},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"link_sub_issue":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ @@ -214,7 +192,7 @@ jobs: "name": "create_issue" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { 
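Review bot: `node:lts-alpine` is added to the pre-pulled images as a floating tag, while the two images beside it carry version tags (`v0.30.2`, `v0.0.84`). A floating tag lets the image content change between runs without any diff in this repository. Pin it to a fixed version, ideally by digest, for example `node:<version>-alpine@sha256:<digest>` (placeholder values). Since the file is generated, the pin would be set where the compiler chooses the image for the safe-outputs server (presumably the consumer of this image; that is not shown in the hunk).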
@@ -223,16 +201,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" @@ -283,6 +260,33 @@ jobs: "type": "object" }, "name": "link_sub_issue" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -350,7 +354,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
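Review bot: The new `missing_data` tool in the `@@ -283` hunk states its length limits (128/256 characters) only in the `description` strings; its `inputSchema` carries no `maxLength`, and `"required": []` accepts an empty call. The validation block in the following hunk shows `"sanitize": true` and `"maxLength"` for the `tool` field, but no matching entry for the `alternatives`, `context`, `data_type` or `reason` fields of `missing_data` is visible in this diff. These fields are agent-written text that downstream jobs process, so confirm that a validation entry with `"sanitize": true` and a `"maxLength"` exists for each of them, and consider `"required": ["reason"]` to match `missing_tool`.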
@@ -370,75 +373,104 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } }, "serena": { - "type": "local", - "command": "uvx", - "args": ["--from", "git+https://github.com/oraios/serena", "serena", "start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], - "tools": ["*"] + "type": "stdio", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "args": ["--network", "host"], + "entrypoint": "serena", + "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], + "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw"] } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP 
CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -451,8 +483,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Duplicate Code Detector", experimental: false, supports_tools_allowlist: true, @@ -466,10 +498,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
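Review bot: In the `Generate Safe Outputs MCP Server Config` step of the `@@ -370` hunk, `API_KEY=$(openssl rand -base64 45 | tr -d '/+=')` takes the exit status of `tr`, so a failing `openssl` leaves `API_KEY` empty and the step still writes it to `$GITHUB_OUTPUT`; the script does not set `pipefail` itself, unlike the `Start MCP gateway` step, which begins with `set -eo pipefail` but has no emptiness check on `MCP_GATEWAY_API_KEY` either. Add `set -eo pipefail` as the first line and a guard such as `[ -n "$API_KEY" ] || { echo "API key generation failed" >&2; exit 1; }` before the `::add-mask::` line. Separately, `MCP_GATEWAY_DOCKER_COMMAND` passes `-e DEBUG="*"` to a container that also receives `GITHUB_TOKEN`, `GITHUB_MCP_SERVER_TOKEN`, both API keys and the Docker socket; dropping that flag outside of troubleshooting lowers the chance of credentials reaching the gateway logs. The gateway step also reads `steps.safe-outputs-start.outputs.api_key` and `.port`, while the names written in this hunk are `safe_outputs_api_key` and `safe_outputs_port` on `safe-outputs-config`; whether `start_safe_outputs_server.sh` emits the shorter names is not visible here and is worth confirming.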
@@ -490,379 +522,25 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID: ${{ github.event.head_commit.id }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Duplicate Code Detection - - Analyze Go code to identify duplicated patterns using Serena's semantic code analysis capabilities. Report significant findings that require refactoring. - - ## Task - - Detect and report code duplication by: - - 1. **Analyzing Recent Commits**: Review changes in the latest commits - 2. **Detecting Duplicated Code**: Identify similar or duplicated code patterns using semantic analysis - 3. **Reporting Findings**: Create a detailed issue if significant duplication is detected (threshold: >10 lines or 3+ similar patterns) - - ## Context - - - **Repository**: __GH_AW_GITHUB_REPOSITORY__ - - **Commit ID**: __GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID__ - - **Triggered by**: @__GH_AW_GITHUB_ACTOR__ - - ## Analysis Workflow - - ### 1. Project Activation - - Activate the project in Serena: - - Use `activate_project` tool with workspace path `__GH_AW_GITHUB_WORKSPACE__` (mounted repository directory) - - This sets up the semantic code analysis environment for Go code - - ### 2. 
Changed Files Analysis - - Identify and analyze modified files: - - Determine files changed in the recent commits - - **ONLY analyze .go files** - this is a Go-only project - - **Exclude test files** from analysis (files matching patterns: `*_test.go`, or located in directories named `test`, `tests`, or `__tests__`) - - **Exclude workflow files** from analysis (files under `.github/workflows/*`) - - **Exclude agent configuration** from analysis (files under `.github/agents/*`) - - Use `get_symbols_overview` to understand file structure - - Use `read_file` to examine modified file contents - - ### 3. Duplicate Detection - - Apply semantic code analysis to find duplicates: - - **Symbol-Level Analysis**: - - For significant functions/methods in changed files, use `find_symbol` to search for similarly named symbols - - Use `find_referencing_symbols` to understand usage patterns - - Identify functions with similar names in different files (e.g., `NewLogger` across modules) - - **Pattern Search**: - - Use `search_for_pattern` to find similar code patterns - - Search for duplication indicators: - - Similar function signatures - - Repeated logic blocks - - Similar variable naming patterns - - Near-identical code blocks - - Repeated error handling patterns - - Similar struct initialization patterns - - **Structural Analysis**: - - Use `list_dir` and `find_file` to identify files with similar names or purposes - - Compare symbol overviews across files for structural similarities - - Look for similar package structures in `internal/` directory - - ### 4. Duplication Evaluation - - Assess findings to identify true code duplication: - - **Duplication Types**: - - **Exact Duplication**: Identical code blocks in multiple locations - - **Structural Duplication**: Same logic with minor variations (different variable names, etc.) 
- - **Functional Duplication**: Different implementations of the same functionality - - **Copy-Paste Programming**: Similar code blocks that could be extracted into shared utilities - - **Assessment Criteria**: - - **Severity**: Amount of duplicated code (lines of code, number of occurrences) - - **Impact**: Where duplication occurs (critical paths, frequently called code) - - **Maintainability**: How duplication affects code maintainability - - **Refactoring Opportunity**: Whether duplication can be easily refactored - - ### 5. Issue Reporting - - Create a parent issue summarizing all duplication findings, with individual sub-issues for each distinct pattern (maximum 3 patterns per run). - - **When to Create Issues**: - - Only create issues if significant duplication is found (threshold: >10 lines of duplicated code OR 3+ instances of similar patterns) - - **First, create ONE parent issue** that summarizes all duplication findings - - Use `temporary_id` (format: `aw_` + 12 hex chars, e.g., `aw_abc123def456`) to reference this parent issue - - The parent issue should provide an overview of all patterns detected - - **Then, create individual sub-issues** for each distinct duplication pattern (up to 3) - - Use the `parent` field with the parent's `temporary_id` to link each sub-issue - - Each sub-issue focuses on ONE specific duplication pattern - - Use the `create_issue` tool from safe-outputs MCP for both parent and sub-issues - - **Parent Issue Contents**: - - **Executive Summary**: Overview of all duplication findings in this analysis - - **Summary of Patterns**: List of all duplication patterns detected (with references to sub-issues using `#aw_`) - - **Overall Impact**: High-level assessment of duplication impact on the codebase - - **Analysis Metadata**: Commit, files analyzed, detection method - - **Sub-Issue Contents (for Each Pattern)**: - - **Pattern Description**: Brief description of this specific duplication pattern - - **Duplication Details**: Specific 
locations and code blocks for this pattern only - - **Severity Assessment**: Impact and maintainability concerns for this pattern - - **Refactoring Recommendations**: Suggested approaches to eliminate this pattern - - **Code Examples**: Concrete examples with file paths and line numbers for this pattern - - **Parent Reference**: Include reference to parent issue using `#aw_` - - ## Detection Scope - - ### Report These Issues - - - Identical or nearly identical functions in different files - - Repeated code blocks that could be extracted to utilities - - Similar classes or modules with overlapping functionality - - Copy-pasted code with minor modifications - - Duplicated business logic across components - - Repeated error handling patterns - - Similar initialization or setup code - - ### Skip These Patterns - - - Standard boilerplate code (imports, package declarations) - - Test setup/teardown code (acceptable duplication in tests) - - **All test files** (files matching: `*_test.go` or in `test/`, `tests/`, `__tests__/` directories) - - **All workflow files** (files under `.github/workflows/*`) - - **All agent configuration files** (files under `.github/agents/*`) - - Configuration files with similar structure - - Language-specific patterns (constructors, getters/setters, interface implementations) - - Small code snippets (<5 lines) unless highly repetitive - - ### Analysis Depth - - - **File Type Restriction**: ONLY analyze .go files - this is a Go-only project - - **Primary Focus**: All .go files changed in the current push (excluding test files, workflow files, and agent config files) - - **Secondary Analysis**: Check for duplication with existing .go codebase (excluding test files, workflow files, and agent config files) - - **Cross-Reference**: Look for patterns across .go files in the repository - - **Historical Context**: Consider if duplication is new or existing - - **Focus Areas**: Pay special attention to: - - `internal/` packages (server, mcp, launcher, 
config, logger, guard, difc) - - Error handling patterns - - Logging patterns - - Configuration parsing - - HTTP handling - - ## Issue Templates - - ### Parent Issue Template - - For the overall summary, create ONE parent issue using this structure: - - ```markdown - # 🔍 Duplicate Code Analysis Report - - *Analysis of commit __GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID__* - - ## Summary - - [Brief overview of duplication findings - how many patterns detected, overall severity] - - ## Detected Patterns - - This analysis found [N] significant duplication patterns: - - 1. **[Pattern 1 Name]** - Severity: [High/Medium/Low] - See sub-issue #aw_[sub1_temp_id] - 2. **[Pattern 2 Name]** - Severity: [High/Medium/Low] - See sub-issue #aw_[sub2_temp_id] - 3. **[Pattern 3 Name]** - Severity: [High/Medium/Low] - See sub-issue #aw_[sub3_temp_id] - - ## Overall Impact - - - **Total Duplicated Lines**: [Approximate count] - - **Affected Files**: [Number of files with duplication] - - **Maintainability Risk**: [High/Medium/Low assessment] - - **Refactoring Priority**: [Recommended priority level] - - ## Next Steps - - 1. Review individual pattern sub-issues for detailed analysis - 2. Prioritize refactoring based on severity and impact - 3. 
Create implementation plan for highest priority patterns - - ## Analysis Metadata - - - **Analyzed Files**: [count] Go files - - **Detection Method**: Serena semantic code analysis - - **Commit**: __GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID__ - - **Analysis Date**: [timestamp] - ``` - - ### Sub-Issue Template - - For each distinct duplication pattern found, create a separate sub-issue using this structure: - - ```markdown - # 🔍 Duplicate Code Pattern: [Pattern Name] - - *Part of duplicate code analysis: #aw_[parent_temp_id]* - - ## Summary - - [Brief overview of this specific duplication pattern] - - ## Duplication Details - - ### Pattern: [Description] - - **Severity**: High/Medium/Low - - **Occurrences**: [Number of instances] - - **Locations**: - - `path/to/file1.go` (lines X-Y) - - `path/to/file2.go` (lines A-B) - - **Code Sample**: - ```go - [Example of duplicated code] - ``` - - ## Impact Analysis - - - **Maintainability**: [How this affects code maintenance] - - **Bug Risk**: [Potential for inconsistent fixes] - - **Code Bloat**: [Impact on codebase size] - - ## Refactoring Recommendations - - 1. **[Recommendation 1]** - - Extract common functionality to: `suggested/path/utility.go` - - Estimated effort: [hours/complexity] - - Benefits: [specific improvements] - - 2. **[Recommendation 2]** - [... additional recommendations ...] 
- - ## Implementation Checklist - - - [ ] Review duplication findings - - [ ] Prioritize refactoring tasks - - [ ] Create refactoring plan - - [ ] Implement changes - - [ ] Update tests - - [ ] Verify no functionality broken - - ## Parent Issue - - See parent analysis report: #aw_[parent_temp_id] - ``` - - ## Creating Parent and Sub-Issues: Example - - Here's how to create the parent issue and link sub-issues using the `create_issue` tool: - - **Step 1: Create Parent Issue** - ```json - { - "type": "create_issue", - "temporary_id": "aw_abc123def456", - "title": "Duplicate Code Analysis Report", - "body": "[Parent issue content with references to sub-issues: #aw_xyz789ghi012, #aw_mno345pqr678]" - } - ``` - - **Step 2: Create Sub-Issues** - ```json - { - "type": "create_issue", - "temporary_id": "aw_xyz789ghi012", - "parent": "aw_abc123def456", - "title": "Duplicate Code Pattern: Error Handling in Server Module", - "body": "[Sub-issue content for pattern 1, referencing parent: #aw_abc123def456]" - } - ``` - - ```json - { - "type": "create_issue", - "temporary_id": "aw_mno345pqr678", - "parent": "aw_abc123def456", - "title": "Duplicate Code Pattern: Logger Initialization", - "body": "[Sub-issue content for pattern 2, referencing parent: #aw_abc123def456]" - } - ``` - - **Key Points:** - - Use `temporary_id` format: `aw_` + 12 hexadecimal characters - - Generate unique temporary IDs for both parent and each sub-issue - - Use `parent` field in sub-issue creation to link to parent's `temporary_id` - - References like `#aw_abc123def456` are automatically replaced with actual issue numbers after creation - - The `link-sub-issue` safe-output will automatically establish the parent-child relationship - - ## Operational Guidelines - - ### Security - - Never execute untrusted code or commands - - Only use Serena's read-only analysis tools - - Do not modify files during analysis - - ### Efficiency - - Focus on recently changed files first - - Use semantic analysis for 
meaningful duplication, not superficial matches - - Stay within timeout limits (balance thoroughness with execution time) - - ### Accuracy - - Verify findings before reporting - - Distinguish between acceptable patterns and true duplication - - Consider Go-specific idioms and best practices (e.g., error handling, interface implementations) - - Provide specific, actionable recommendations - - ### Issue Creation - - Create **one parent issue** to summarize all findings, then **individual sub-issues** for each pattern - - Use `temporary_id` (format: `aw_` + 12 hex chars) for the parent issue to enable sub-issue linking - - Use the `parent` field with the parent's `temporary_id` when creating sub-issues - - Limit to the top 3 most significant patterns if more are found - - Only create issues if significant duplication is found - - Include sufficient detail for SWE agents to understand and act on findings - - Provide concrete examples with file paths and line numbers - - Suggest practical refactoring approaches - - Use descriptive titles that clearly identify patterns (e.g., "Duplicate Code Pattern: Error Handling in Server Module") - - ## Tool Usage Sequence - - 1. **Project Setup**: `activate_project` with repository path - 2. **File Discovery**: `list_dir`, `find_file` for changed files - 3. **Symbol Analysis**: `get_symbols_overview` for structure understanding - 4. **Content Review**: `read_file` for detailed code examination - 5. **Pattern Matching**: `search_for_pattern` for similar code - 6. **Symbol Search**: `find_symbol` for duplicate function names - 7. **Reference Analysis**: `find_referencing_symbols` for usage patterns - - **Objective**: Improve code quality by identifying and reporting meaningful code duplication that impacts maintainability. Focus on actionable findings that enable automated or manual refactoring. 
- + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID: ${{ github.event.head_commit.id }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, - GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID: process.env.GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID, - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
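Review bot: This hunk deletes the `Append XPIA security instructions to prompt` step, and nothing on the new side reads `/opt/gh-aw/prompts/xpia_prompt.md`, so the prompt built here appears to lose its cross-prompt-injection guidance. That matters more after this change, because the agent still runs with `--allow-all-tools` and reads repository content, while the later `awf` hunk widens its network allowlist. Unless `create_prompt_first.sh` or one of the other appended files now carries that text (not visible in this diff), keep `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"` ahead of the `temp_folder_prompt.md` line.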
@@ -872,25 +550,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_issue, link_sub_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -920,6 +584,12 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/duplicate-code-detector.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: 
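Review bot: The `{{#runtime-import workflows/duplicate-code-detector.md}}` line added in the `@@ -920` hunk means the task prompt is no longer fixed in this file but read when the job runs, and the diff does not show which copy of that file is used. An earlier step in this job runs `checkout_pr_branch.cjs`, so if the import resolves against the checked-out workspace, the branch under analysis could supply the instructions the agent follows. Confirm that the import reads the default-branch copy or is limited to trusted triggers, and record that next to the import, for example as a comment in the source workflow stating which ref the prompt is loaded from.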
@@ -954,16 +624,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_HEAD_COMMIT_ID: ${{ github.event.head_commit.id }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -974,8 +644,10 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
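Review bot: The new `sudo -E awf` invocation grows `--allow-domains` from nine hosts to a list that includes package and PPA endpoints (`ppa.launchpad.net`, `packagecloud.io`, `packages.microsoft.com`, `keyserver.ubuntu.com`), adds `--enable-host-access`, and mounts `/usr/bin/curl` into the sandbox, all still combined with `--env-all` and `--allow-all-tools --allow-all-paths`. For a job that analyses Go source for duplication, that is more egress and host reach than the task appears to need, and it enlarges what an injected instruction could make use of. If `allowed_domains: ["defaults"]` in the run-info hunk is what expands to this list, set an explicit narrower allowlist in the source workflow and drop the mounts the agent does not use. The same domain list is repeated in `GH_AW_ALLOWED_DOMAINS` in the `@@ -1034` hunk and should change with it.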
@@ -985,7 +657,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -1007,6 +678,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1034,7 +714,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1069,12 +749,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -1108,7 +801,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
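Review bot: The added `uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5` in the second hunk on this line replaces `github/gh-aw/actions/setup@v0.40.0`, which runs against the commit's stated `githubnext/gh-aw -> github/gh-aw` migration and moves to an older release. The same reversal shows in the later `Setup Scripts` hunks of this file and of `go-fan.lock.yml`, in the `https://githubnext.github.io/gh-aw/...` argument to `validate_multi_secret.sh`, and in the `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` image. Keeping the full-SHA pin is right, but the pinned action should come from the organization that now owns the repository, so the workflow does not depend on a redirect from the old namespace: `uses: github/gh-aw/actions/setup@<full-commit-sha> # <release-tag>` (placeholders). Since these lock files are compiler output, the fix is to recompile them with a `gh aw` version that emits the new paths rather than editing them by hand.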
@@ -1162,6 +855,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Duplicate Code Detector" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1193,7 +902,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1272,22 +981,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1353,7 +1052,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1372,7 +1071,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":7,\"labels\":[\"code-quality\",\"automated-analysis\"],\"max\":4,\"title_prefix\":\"[duplicate-code] \"},\"link_sub_issue\":{\"max\":3,\"parent_title_prefix\":\"[duplicate-code]\",\"sub_title_prefix\":\"[duplicate-code]\"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":168,\"labels\":[\"code-quality\",\"automated-analysis\"],\"max\":4,\"title_prefix\":\"[duplicate-code] \"},\"link_sub_issue\":{\"max\":3,\"parent_title_prefix\":\"[duplicate-code]\",\"sub_title_prefix\":\"[duplicate-code]\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 2b148476..b79989b4 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -13,17 +13,19 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily Go module usage reviewer - analyzes direct dependencies prioritizing recently updated ones # # Resolved workflow manifest: # Imports: # - shared/reporting.md +# +# frontmatter-hash: 1a3febec50323431cb3847e25ea38ccbcc225a5261a3ffc8902468c925bd38d9 name: "Go Fan" "on": 
@@ -31,11 +33,7 @@ name: "Go Fan" - cron: "0 7 * * 1-5" workflow_dispatch: -permissions: - contents: read - discussions: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -52,7 +50,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -77,8 +75,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -86,33 +88,22 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: '1.25' - - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: '3.12' - - name: Setup uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 - - name: Install Go language service (gopls) - run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - - name: Restore cache memory file share data + - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} 
@@ -145,28 +136,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -177,15 +154,15 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"create_issue":{"expires":168,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ @@ -230,7 +207,7 @@ jobs: "name": "create_issue" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -239,16 +216,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" @@ -271,6 +247,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -324,7 +327,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -344,75 +346,104 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } }, "serena": { - "type": "local", - "command": "uvx", - "args": ["--from", "git+https://github.com/oraios/serena", "serena", "start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], - "tools": ["*"] + "type": "stdio", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "args": ["--network", "host"], + "entrypoint": "serena", + "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], + "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw"] } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP 
CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -425,8 +456,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Go Fan", experimental: false, supports_tools_allowlist: true, @@ -440,10 +471,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", allowed_domains: ["defaults","github","go"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, @@ -464,372 +495,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - ## Report Structure - - 1. **Overview**: 1-2 paragraphs summarizing key findings - 2. **Details**: Use `
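Review bot: The `serena` entry in the gateway config of the `Start MCP gateway` hunk uses `"container": "ghcr.io/githubnext/serena-mcp-server:latest"`, a mutable tag, while the other two images in that hunk carry version tags. That container is given `--network host` and the workspace mounted `rw`, and the gateway container that presumably launches it is started with `/var/run/docker.sock` mounted and `GITHUB_MCP_SERVER_TOKEN` passed through, so whatever the tag resolves to at run time inherits that reach. Pin it by digest in the workflow source, e.g. `"container": "ghcr.io/githubnext/serena-mcp-server@sha256:<digest>"` (placeholder), and add it to the `Download container images` step, which as shown does not list it. `node:lts-alpine` in that step is a floating tag as well. This file is compiler output, so the change belongs in the corresponding `.md` or in the compiler defaults.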
Full Report` for expanded content - - ## Workflow Run References - - - Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)` - - Include up to 3 most relevant run URLs at end under `**References:**` - - Do NOT add footer attribution (system adds automatically) - - # Go Fan 🐹 - Daily Go Module Reviewer - - You are the **Go Fan** - an enthusiastic Go module expert who performs daily deep reviews of the Go dependencies used in this project. Your mission is to analyze how modules are used, research best practices, and identify improvement opportunities. - - ## Context - - - **Repository**: __GH_AW_GITHUB_REPOSITORY__ - - **Run ID**: __GH_AW_GITHUB_RUN_ID__ - - **Go Module File**: `go.mod` - - ## Your Mission - - Each day, you will: - 1. Extract all **direct** Go dependencies from `go.mod` - 2. Fetch repository metadata for each dependency to get last update timestamps - 3. Sort dependencies by last update time (most recent first) - 4. Pick the next unreviewed module using round-robin with priority for recently updated ones - 5. Research the module's GitHub repository for usage patterns and recent features - 6. Analyze how this project uses the module - 7. Identify potential improvements or better usage patterns - 8. Save a summary under `specs/mods/` and create a discussion with your findings - - ## Step 1: Load Round-Robin State from Cache - - Use the cache-memory tool to track which modules you've recently reviewed. - - Check your cache for: - - `last_reviewed_module`: The most recently reviewed module - - `reviewed_modules`: Map of modules with their review timestamps (format: `[{"module": "", "reviewed_at": ""}, ...]`) - - If this is the first run or cache is empty, you'll start fresh with the sorted list of dependencies. 
- - ## Step 2: Select Today's Module with Priority - - Read `go.mod` and extract all **direct dependencies** (the `require` block, excluding `// indirect` ones): - - ```bash - cat go.mod - ``` - - Build a list of direct dependencies and select the next one using a **round-robin scheme with priority for recently updated repositories**: - - ### 2.1 Extract Direct Dependencies - Parse the `require` block in `go.mod` and extract all dependencies that are **not** marked with `// indirect`. - - ### 2.2 Fetch Repository Metadata - For each direct dependency that is hosted on GitHub: - 1. Extract the repository owner and name from the module path (e.g., `github.com/spf13/cobra` → owner: `spf13`, repo: `cobra`) - 2. Use GitHub tools to fetch repository information, specifically the `pushed_at` timestamp - 3. Skip non-GitHub dependencies or handle gracefully if metadata is unavailable - - ### 2.3 Sort by Recent Updates - Sort all direct dependencies by their last update time (`pushed_at`), with **most recently updated first**. - - This ensures we review dependencies that: - - Have new features or bug fixes - - Are actively maintained - - May have breaking changes or security updates - - ### 2.4 Apply Round-Robin Selection - From the sorted list (most recent first): - 1. Check the cache for `reviewed_modules` (list of modules already analyzed recently) - 2. Find the first module in the sorted list that hasn't been reviewed in the last 7 days - 3. If all modules have been reviewed recently, reset the cache and start from the top of the sorted list - - **Priority Logic**: By sorting by `pushed_at` first, we automatically prioritize dependencies with recent activity, ensuring we stay current with the latest changes in our dependency tree. 
- - ## Step 3: Research the Module - - For the selected module, research its: - - ### 3.1 GitHub Repository - Use GitHub tools to explore the module's repository: - - Read the README for recommended usage patterns - - Check recent releases and changelog for new features - - Look at popular usage examples in issues/discussions - - Identify best practices from the maintainers - - ### 3.2 Documentation - Note key features and API patterns: - - Core APIs and their purposes - - Common usage patterns - - Performance considerations - - Recommended configurations - - ### 3.3 Recent Updates - Check for: - - New features in recent releases - - Breaking changes - - Deprecations - - Security advisories - - ## Step 4: Analyze Project Usage with Serena - - Use the Serena MCP server to perform deep code analysis: - - ### 4.1 Find All Imports - ```bash - grep -r 'import' --include='*.go' | grep "" - ``` - - ### 4.2 Analyze Usage Patterns - With Serena, analyze: - - How the module is imported and used - - Which APIs are utilized - - Are advanced features being leveraged? - - Is there redundant or inefficient usage? - - Are error handling patterns correct? - - ### 4.3 Compare with Best Practices - Using the research from Step 3, compare: - - Is the usage idiomatic? - - Are there simpler APIs for current use cases? - - Are newer features available that could improve the code? - - Are there performance optimizations available? 
- - ## Step 5: Identify Improvements - - Based on your analysis, identify: - - ### 5.1 Quick Wins - Simple improvements that could be made: - - API simplifications - - Better error handling - - Configuration optimizations - - ### 5.2 Feature Opportunities - New features from the module that could benefit the project: - - New APIs added in recent versions - - Performance improvements available - - Better testing utilities - - ### 5.3 Best Practice Alignment - Areas where code could better align with module best practices: - - Idiomatic usage patterns - - Recommended configurations - - Common pitfalls to avoid - - ### 5.4 General Code Improvements - Areas where the module could be better utilized: - - Places using custom code that could use module utilities - - Opportunities to leverage module features more effectively - - Patterns that could be simplified - - ## Step 6: Save Module Summary - - Create or update a summary file under `specs/mods/`: - - **File**: `specs/mods/.md` - - Structure: - ```markdown - # Module: - - ## Overview - Brief description of what the module does. - - ## Version Used - Current version from go.mod. - - ## Usage in gh-aw - - Files using this module - - Key APIs utilized - - Usage patterns observed - - ## Research Summary - - Repository: - - Latest Version: - - Key Features: - - Recent Changes: - - ## Improvement Opportunities - ### Quick Wins - - - - ### Feature Opportunities - - - - ### Best Practice Alignment - - - - ## References - - Documentation: - - Changelog: - - Last Reviewed: - ``` - - ## Step 7: Update Cache Memory - - Save your progress to cache-memory: - - Update `last_reviewed_module` to today's module - - Add to `reviewed_modules` map with timestamp: `{"module": "", "reviewed_at": ""}` - - Keep the cache for 7 days - remove entries older than 7 days from `reviewed_modules` - - This allows the round-robin to cycle through all dependencies while maintaining preference for recently updated ones. 
- - ## Step 8: Create Issue - - Create an issue summarizing your findings: - - **Title Format**: `Go Module Review: ` - - **Body Structure**: - ```markdown - # 🐹 Go Fan Report: - - ## Module Overview - - - ## Current Usage in gh-aw - - - **Files**: files - - **Import Count**: imports - - **Key APIs Used**: - - ## Research Findings - - - ### Recent Updates - - - ### Best Practices - - - ## Improvement Opportunities - - ### 🏃 Quick Wins - - - ### ✨ Feature Opportunities - - - ### 📐 Best Practice Alignment - - - ### 🔧 General Improvements - - - ## Recommendations - - - ## Next Steps - - - --- - *Generated by Go Fan* - *Module summary saved to: specs/mods/.md* - ``` - - ## Guidelines - - - **Be Enthusiastic**: You're a Go fan! Show your excitement for Go modules. - - **Be Thorough**: Deep analysis, not surface-level observations. - - **Be Actionable**: Provide specific, implementable recommendations. - - **Be Current**: Focus on recent features and updates. - - **Track Progress**: Use cache-memory to maintain state across runs. - - **Save Summaries**: Always save detailed summaries to `specs/mods/`. - - ## Serena Configuration - - The Serena MCP server is configured for Go analysis with: - - **Project Root**: __GH_AW_GITHUB_WORKSPACE__ - - **Language**: Go - - **Memory**: `/tmp/gh-aw/cache-memory/serena/` - - Use Serena for: - - Semantic code analysis - - Finding all usages of a module - - Understanding code patterns - - Identifying refactoring opportunities - - ## Output - - Your output depends on whether improvements are found: - - **If improvements are found:** - 1. A module summary saved to `specs/mods/.md` - 2. An issue with your complete analysis and recommendations - - **If no improvements are found:** - 1. A module summary saved to `specs/mods/.md` documenting your analysis - 2. Call the `noop` tool with a message like: "Go Module Review complete for - module is well-utilized, no improvements identified at this time. 
Analysis saved to specs/mods/.md" - - Begin your analysis! Pick the next module and start your deep review. - + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append cache memory instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. 
- - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - PROMPT_EOF - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
@@ -839,25 +524,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -887,10 +558,32 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + ## Report Structure + + 1. **Overview**: 1-2 paragraphs summarizing key findings + 2. **Details**: Use `
Full Report` for expanded content + + ## Workflow Run References + + - Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)` + - Include up to 3 most relevant run URLs at end under `**References:**` + - Do NOT add footer attribution (system adds automatically) + + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/go-fan.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} @@ -907,6 +600,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, 
@@ -921,15 +616,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -962,8 +658,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat go.mod)' --allow-tool 'shell(cat go.sum)' --allow-tool 'shell(cat specs/mods/*)' --allow-tool 'shell(cat)' 
--allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find pkg -name '\''*.go'\'')' --allow-tool 'shell(go list -m all)' --allow-tool 'shell(grep -r '\''import'\'' --include='\''*.go'\'')' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls -la specs/mods/)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env 
"GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat go.mod)'\'' --allow-tool '\''shell(cat go.sum)'\'' --allow-tool '\''shell(cat specs/mods/*)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find pkg -name '\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(go list -m all)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''import'\''\'\'''\'' 
--include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls -la specs/mods/)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -973,7 +671,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -995,6 +692,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
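Review bot: The new `sudo -E awf` line keeps `--env-all` while adding a long explicit `--env "NAME=${NAME}"` list, so the list does not narrow what reaches the agent container; if awf treats `--env-all` as "forward everything" (the name suggests so, worth confirming), every variable in the step's `env:` block is still passed through. The same line also adds `--enable-host-access` and read-only mounts of `/usr/bin/curl` and `/usr/bin/rm`, which widens what an agent acting on injected prompt content can reach compared with the old side. I would drop `--env-all` if the explicit list is meant to be the allow-list, and record in the source `.md` why host access is needed (presumably to reach the MCP gateway on `host.docker.internal`). The step's `env:` block continues outside this hunk, and the file is generated, so the change belongs in the gh-aw compiler input rather than here.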
@@ -1057,12 +763,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: always() @@ -1103,7 +822,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
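Review bot: In the new `Print firewall logs` step, `sudo chmod -R a+r` adds read permission but not directory search permission, so any subdirectory that awf created as root with mode 0700 stays untraversable and the later artifact upload can still miss files; `sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall/logs` covers both. The `2>/dev/null || true` together with `continue-on-error: true` hides that failure, so a missing firewall log would go unnoticed in exactly the run where it is needed for review. The path is also repeated literally although `AWF_LOGS_DIR` is already set in the step's `env:`; using `"$AWF_LOGS_DIR"` keeps the two from drifting.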
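Review bot: The new side of this hunk points `Setup Scripts` at `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, replacing `github/gh-aw/actions/setup@v0.40.0`, which is the opposite direction from the commit title (migrate from githubnext to github) and an older version. Pinning by commit SHA is an improvement over the tag, but the pin should be on the organization the commit says it is moving to; a reference left on a namespace that is being vacated becomes a supply-chain risk if that namespace is ever reused. The same pattern appears in the `Setup Scripts` hunks at -1189, -1350 and -1387 of this file, in go-logger.lock.yml (-48, -81), and in the `githubnext.github.io` URL and `ghcr.io/githubnext/gh-aw-mcpg` image elsewhere in the patch. Since the lock file is generated, regenerating it with the intended gh-aw version after the move should fix all of them at once.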
@@ -1157,6 +876,23 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Go Fan" + GH_AW_TRACKER_ID: "go-fan-daily" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1189,7 +925,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1268,22 +1004,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1350,7 +1076,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1369,7 +1095,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":7,\"labels\":[\"go-fan\",\"module-review\"],\"max\":1,\"title_prefix\":\"[go-fan] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":168,\"labels\":[\"go-fan\",\"module-review\"],\"max\":1,\"title_prefix\":\"[go-fan] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1387,7 +1113,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 1335977b..5d7debae 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Analyzes and enhances Go logging practices across the codebase for improved debugging and observability +# +# frontmatter-hash: dab1138f19fccd7e2291bddbc327cd83f0ff27833d562a604751e57aa9ff4687 name: "Go Logger Enhancement" "on": 
@@ -28,10 +30,7 @@ name: "Go Logger Enhancement" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -48,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -72,8 +71,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -81,13 +84,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -101,7 +105,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - - name: Restore cache memory file share data + - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} @@ -134,28 +138,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -166,8 +156,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -212,7 +202,7 @@ jobs: "name": "create_pull_request" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -221,16 +211,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
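Review bot: `download_docker_images.sh` is now given three images by mutable tag (`ghcr.io/github/github-mcp-server:v0.30.2`, `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84`, `node:lts-alpine`), while every `uses:` in the same file is pinned to a commit SHA. `node:lts-alpine` in particular is a floating tag, so two runs of the same lock file can execute different images. Pinning each image by digest (`image:tag@sha256:<digest>`) would give the containers the same reproducibility as the actions; this matters most for the gateway image, which a later hunk starts with the Docker socket mounted. The change belongs in the generator, since this file is marked DO NOT EDIT.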
@@ -253,6 +242,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -302,7 +318,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -322,69 +337,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
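Review bot: `MCP_GATEWAY_DOCKER_COMMAND` starts the gateway with `-v /var/run/docker.sock:/var/run/docker.sock`, `--network host` and `-e DEBUG="*"` while also passing `GITHUB_MCP_SERVER_TOKEN`, `GITHUB_TOKEN` and both API keys into the container. Socket access gives that container control of the runner's Docker daemon, and wildcard debug logging in a process that holds those tokens can put credentials into the gateway logs (inferred; the gateway's log format is not visible here), so I would remove `-e DEBUG="*"` from the default command and enable it only behind an explicit debug input. Separately, `Start MCP gateway` reads `steps.safe-outputs-start.outputs.api_key` and `.port`, but the only `$GITHUB_OUTPUT` writes in this hunk are `safe_outputs_api_key` and `safe_outputs_port` in the `safe-outputs-config` step; unless `start_safe_outputs_server.sh` sets those outputs itself, the gateway is configured with an empty key and port. The file is generated, so both points apply to the gh-aw compiler output rather than to a hand edit here.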
@@ -397,8 +439,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Go Logger Enhancement", experimental: false, supports_tools_allowlist: true, @@ -412,10 +454,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -436,325 +478,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Go Logger Enhancement - - You are an AI agent that improves Go code by adding debug logging statements to help with troubleshooting and development. - - ## Efficiency First: Check Cache - - Before analyzing files: - - 1. Check `/tmp/gh-aw/cache-memory/go-logger/` for previous logging sessions - 2. Read `processed-files.json` to see which files were already enhanced - 3. Read `last-run.json` for the last commit SHA processed - 4. If current commit SHA matches and no new .go files exist, exit early with success - 5. Update cache after processing: - - Save list of processed files to `processed-files.json` - - Save current commit SHA to `last-run.json` - - Save summary of changes made - - This prevents re-analyzing already-processed files and reduces token usage significantly. - - ## Mission - - Add meaningful debug logging calls to Go files in the `internal/` directory following the project's logging guidelines from AGENTS.md. - - ## Important Constraints - - 1. 
**Process exactly 1 file per pull request** - Focus deeply on a single file for thorough, reviewable changes - 2. **Skip test files** - Never modify files ending in `_test.go` - 3. **No side effects** - Logger arguments must NOT compute anything or cause side effects - 4. **Follow logger naming convention** - Use `pkg:filename` pattern (e.g., `server:routed`) - 5. **Reuse existing loggers** - If a file already has a logger declaration, preserve it and add new logging calls - - ## Logger Guidelines from AGENTS.md - - ### Logger Declaration - - If a file doesn't have a logger, add this at the top of the file (after imports): - - ```go - import "github.com/github/gh-aw-mcpg/internal/logger" - - var log = logger.New("pkg:filename") - ``` - - Replace `pkg:filename` with the actual package and filename: - - For `internal/server/routed.go` → `"server:routed"` - - For `internal/cmd/root.go` → `"cmd:root"` - - For `internal/launcher/docker.go` → `"launcher:docker"` - - **Note:** Debug loggers created with `logger.New()` write to both: - - **stderr** - Colorized output with time diffs (when `DEBUG` env var matches namespace) - - **file logger** - Text-only output (always logged when the logger is enabled) - - This dual output approach ensures all debug logs are captured to file for troubleshooting while providing real-time colored output during development. - - ### Logger Usage Patterns - - **Good logging examples:** - - ```go - // Log function entry with parameters (no side effects) - func ProcessRequest(path string, count int) error { - log.Printf("Processing request: path=%s, count=%d", path, count) - // ... function body ... 
- } - - // Log important state changes - log.Printf("Started %d MCP servers successfully", len(servers)) - - // Log before expensive operations (check if enabled first) - if log.Enabled() { - log.Printf("Starting server with config: %+v", config) - } - - // Log control flow decisions - log.Print("Cache hit, skipping initialization") - log.Printf("No matching server found, using default: %s", defaultServer) - ``` - - **What NOT to do:** - - ```go - // WRONG - causes side effects - log.Printf("Servers: %s", expensiveOperation()) // Don't call functions in log args - - // WRONG - not meaningful - log.Print("Here") // Too vague - - // WRONG - duplicates user-facing messages - fmt.Fprintln(os.Stderr, "Starting server...") - log.Print("Starting server...") // Redundant with user message above - ``` - - ### When to Add Logging - - Add logging for: - 1. **Function entry** - Especially for public functions with parameters - 2. **Important control flow** - Branches, loops, error paths - 3. **State changes** - Before/after modifying important state - 4. **Performance-sensitive sections** - Before/after expensive operations - 5. **Debugging context** - Information that would help troubleshoot issues - - Do NOT add logging for: - 1. **Simple getters/setters** - Too verbose - 2. **Already logged operations** - Don't duplicate existing logs - 3. **User-facing messages** - Debug logs are separate from console output - 4. **Test files** - Skip all `*_test.go` files - - ## Task Steps - - ### 1. Find Candidate Go Files - - Use bash to identify Go files that could benefit from additional logging: - - ```bash - # Find all non-test Go files in internal/ - find internal -name '*.go' -type f ! -name '*_test.go' - - # Check which files already have loggers - grep -r 'var log = logger.New' internal --include='*.go' - ``` - - ### 2. Select File for Enhancement - - From the list of Go files: - 1. Prioritize files without loggers or with minimal logging - 2. 
Focus on files with complex logic (server, launcher, config) - 3. Avoid trivial files with just simple functions - 4. **Select exactly 1 file** for this PR - focus deeply on a single file for quality - 5. **Check if the file already has a logger** - if it does, reuse it rather than creating a new one - - ### 3. Analyze the Selected File - - For the selected file: - 1. Read the file content to understand its structure - 2. **Check if the file already has a logger declaration** (search for `var log = logger.New`) - 3. If a logger exists, note its namespace and reuse it - 4. Identify functions that would benefit from logging - 5. Plan where to add logging calls - - ### 4. Add Logger and Logging Calls - - For the selected file: - - 1. **Add logger declaration if missing:** - - Add import: `"github.com/github/gh-aw-mcpg/internal/logger"` - - Add logger variable using correct naming: `var log = logger.New("pkg:filename")` - - 2. **Reuse existing logger if present:** - - If the file already has a logger declaration (e.g., `var log = logger.New("server:routed")`), keep it as-is - - Do NOT create a duplicate logger - - Use the existing logger variable name for all new logging calls - - 3. **Add meaningful logging calls:** - - Add logging at function entry for important functions - - Add logging before/after state changes - - Add logging for control flow decisions - - Ensure log arguments don't have side effects - - Use `log.Enabled()` check for expensive debug info - - 4. **Keep it focused:** - - 3-7 logging calls for this single file is appropriate - - Don't over-log - focus on the most useful information - - Ensure messages are meaningful and helpful for debugging - - ### 5. Validate Changes - - After adding logging to the selected files, **validate your changes** before creating a PR: - - 1. **Build the project to ensure no compilation errors:** - ```bash - go build -o awmg - ``` - This will compile the Go code and catch any syntax errors or import issues. - - 2. 
**Run tests to ensure no regressions:** - ```bash - go test ./... - ``` - This validates that your changes don't break existing functionality. - - 3. **Run vet to check for common mistakes:** - ```bash - go vet ./... - ``` - This catches potential issues in your code. - - 4. **Test the binary with debug logging enabled:** - ```bash - DEBUG=* ./awmg --config config.toml - ``` - This validates that: - - The binary was built successfully - - Debug logging from your changes appears in the output - - The application runs correctly - - ### 6. Create Pull Request - - After validating your changes: - - 1. The safe-outputs create-pull-request will automatically create a draft PR - 2. Ensure your changes follow the guidelines above - 3. The PR title will automatically have the "[log] " prefix - 4. Since only one file is modified, the PR will be focused and easy to review - - ## Example Transformation - - **Before:** - ```go - package server - - import ( - "fmt" - "net/http" - ) - - func StartServer(port int) error { - addr := fmt.Sprintf(":%d", port) - return http.ListenAndServe(addr, nil) - } - ``` - - **After:** - ```go - package server - - import ( - "fmt" - "net/http" - - "github.com/github/gh-aw-mcpg/internal/logger" - ) - - var log = logger.New("server:server") - - func StartServer(port int) error { - log.Printf("Starting server on port %d", port) - - addr := fmt.Sprintf(":%d", port) - - log.Printf("Listening on address: %s", addr) - return http.ListenAndServe(addr, nil) - } - ``` - - ## Quality Checklist - - Before creating the PR, verify: - - - [ ] Exactly 1 file modified (focused, single-file PR) - - [ ] No test files modified (`*_test.go`) - - [ ] File has logger declaration (added if missing, or reused if present) - - [ ] Logger naming follows the `pkg:filename` convention - - [ ] Logger arguments don't compute anything or cause side effects - - [ ] Logging messages are meaningful and helpful - - [ ] No duplicate logging with existing logs - - [ ] Import 
statements are properly formatted - - [ ] Changes validated with `go build -o awmg` (no compilation errors) - - [ ] Tests pass with `go test ./...` - - [ ] Code checked with `go vet ./...` - - ## Important Notes - - - You have access to the edit tool to modify files - - You have access to bash commands to explore the codebase - - The safe-outputs create-pull-request will automatically create a draft PR - - Focus on quality over quantity - 1 well-logged file with 3-7 meaningful logging calls is the goal - - Remember: debug logs are for developers, not end users - - **Always check for existing logger declarations** before adding a new one - - Reuse existing logger infrastructure when present - - Good luck enhancing the codebase with better logging! - + PROMPT_EOF - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append cache memory instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. 
- - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - PROMPT_EOF - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
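Review bot: The merged `Create prompt with built-in context` step no longer appends `/opt/gh-aw/prompts/xpia_prompt.md`. The removed `Append XPIA security instructions to prompt` step has no counterpart among the added `cat` lines, which cover only `temp_folder_prompt.md`, `markdown.md` and `cache_memory_prompt.md`. Unless `create_prompt_first.sh` or the runtime-imported `workflows/go-logger.md` now supplies that guidance (neither is visible here), the agent runs without its prompt-injection instructions while still reading repository content with `shell(...)` and `write` tools allowed. If the file still ships with the pinned setup action, I would keep `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"` next to the other appends. Since this lock file is generated, the change belongs in the compiler or the workflow source rather than here.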
@@ -764,25 +507,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_pull_request, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -812,10 +541,18 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/go-logger.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} 
@@ -832,6 +569,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -852,6 +591,10 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -893,8 +636,10 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find internal -name '\''*.go'\'' -type f ! 
-name '\''*_test.go'\'')' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(go build -o awmg)' --allow-tool 'shell(go test ./...)' --allow-tool 'shell(go vet ./...)' --allow-tool 'shell(grep -n '\''func '\'' internal/*.go)' --allow-tool 'shell(grep -r '\''var log = logger.New'\'' internal --include='\''*.go'\'')' --allow-tool 'shell(grep)' --allow-tool 'shell(head -n * internal/**/*.go)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc -l internal/**/*.go)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! 
-name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test ./...)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/*.go)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''var log = logger.New'\''\'\'''\'' internal --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * internal/**/*.go)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -904,7 +649,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} 
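Review bot: The `awf` invocation in the `@@ -893,8 +636,10 @@` hunk widens the agent sandbox considerably. `--allow-domains` grows from nine hosts to a long list (Ubuntu archives, `ppa.launchpad.net`, `packagecloud.io`, CRL/OCSP responders and others), `--enable-host-access` is added, and `/usr/bin/curl` and `/opt/hostedtoolcache` are mounted in, while `--env-all` and `--allow-all-paths` stay. For a workflow whose allowed tools are `go build`, `go test`, `go vet`, a few `git` subcommands and some shell utilities, that looks like more egress than the task needs, and each extra reachable host widens the exfiltration surface if the agent is steered by injected content. I would restrict the network allowlist in the workflow's `.md` source to the hosts the Go toolchain and Copilot actually use, and confirm that host access is needed only to reach the MCP gateway on `host.docker.internal`. The same domain list is repeated in `GH_AW_ALLOWED_DOMAINS` in the `@@ -953,7 +706,7 @@` hunk and should change with it.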
@@ -926,6 +670,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -953,7 +706,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -988,12 +741,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: always() @@ -1035,7 +801,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
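Review bot: The `Setup Scripts` step in the `@@ -1035,7 +801,7 @@` hunk moves from `github/gh-aw/actions/setup@v0.40.0` to `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, which is the opposite of the migration the commit message describes and is also an older release. The same reversal appears in the later `Setup Scripts` hunks of this file and of `issue-monster.lock.yml`, in the `validate_multi_secret.sh` documentation URL (`githubnext.github.io`), and in the gateway image `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84`. Pinning to a full commit SHA is a real improvement over the mutable tag, but dependencies that keep resolving through the old organization rely on that namespace staying under the same control after the move. It looks as if the lock files were recompiled with gh-aw v0.38.5. Recompiling with a release that emits the `github/` owner, still SHA-pinned (`uses: github/gh-aw/actions/setup@<commit-sha> # <version>`), would match the stated intent.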
@@ -1087,6 +853,36 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Go Logger Enhancement" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle Create Pull Request Error + id: handle_create_pr_error + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Go Logger Enhancement" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1118,7 +914,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1197,22 +993,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1280,7 +1066,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1302,7 +1088,7 @@ jobs: path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false @@ -1312,19 +1098,20 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GIT_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"enhancement\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[log] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"enhancement\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[log] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
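Review bot: `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` in the `@@ -1312,19 +1098,20 @@` hunk still splices `${{ github.ref_name }}` between escaped quotes in a hand-built JSON string, so a ref name containing a double quote would produce malformed or altered handler configuration (`draft`, `max` and `labels` sit in the same object). The hunk already moves `${{ github.token }}` out of the script into `GIT_TOKEN`. The same care fits here, for example letting the expression do the quoting with `\"base_branch\":${{ toJSON(github.ref_name) }}`. How exposed this is depends on who can create the refs this workflow runs on, which is not visible in the hunk. As the file is generated, the fix belongs in the gh-aw compiler rather than in this lock file.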
@@ -1342,7 +1129,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index e214badc..96743bba 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # The Cookie Monster of issues - assigns issues to Copilot agents one at a time +# +# frontmatter-hash: af191b66824bad20fdc75b4d4e02a6a17eb77a5752f487264651f95b2978ae6b name: "Issue Monster" "on": @@ -32,10 +34,7 @@ name: "Issue Monster" # skip-if-no-match: is:issue is:open # Skip-if-no-match processed as search check in pre-activation job workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -56,7 +55,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps 
@@ -82,8 +81,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -91,13 +94,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -127,28 +131,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -159,42 +149,41 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"add_comment":{"max":3},"assign_to_agent":{"max":3},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":3,"target":"*"},"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { - "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 3 comment(s) can be added.", + "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 3 comment(s) can be added. Target: *.", "inputSchema": { "additionalProperties": false, "properties": { "body": { - "description": "Comment content in Markdown. Provide helpful, relevant information that adds value to the conversation.", + "description": "The comment text in Markdown format. 
This is the 'body' field - do not use 'comment_body' or other variations. Provide helpful, relevant information that adds value to the conversation.", "type": "string" }, "item_number": { - "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). Must be a valid existing item in the repository. Required.", + "description": "The issue, pull request, or discussion number to comment on. This is the numeric ID from the GitHub URL (e.g., 123 in github.com/owner/repo/issues/123). If omitted, the tool will attempt to resolve the target from the current workflow context (triggering issue, PR, or discussion).", "type": "number" } }, "required": [ - "body", - "item_number" + "body" ], "type": "object" }, "name": "add_comment" }, { - "description": "Assign the GitHub Copilot coding agent to work on an issue. The agent will analyze the issue and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. CONSTRAINTS: Maximum 3 issue(s) can be assigned to agent.", + "description": "Assign the GitHub Copilot coding agent to work on an issue or pull request. The agent will analyze the issue/PR and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot. Example usage: assign_to_agent(issue_number=123, agent=\"copilot\") or assign_to_agent(pull_number=456, agent=\"copilot\") CONSTRAINTS: Maximum 3 issue(s) can be assigned to agent.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -203,22 +192,26 @@ jobs: "type": "string" }, "issue_number": { - "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). The issue should contain clear, actionable requirements.", + "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123def456') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.", + "type": [ + "number", + "string" + ] + }, + "pull_number": { + "description": "Pull request number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.", "type": [ "number", "string" ] } }, - "required": [ - "issue_number" - ], "type": "object" }, "name": "assign_to_agent" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -227,16 +220,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" @@ -259,6 +251,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF 
@@ -287,10 +306,13 @@ jobs: "maxLength": 128 }, "issue_number": { - "required": true, - "positiveInteger": true + "issueNumberOrTemporaryId": true + }, + "pull_number": { + "optionalPositiveInteger": true } - } + }, + "customValidation": "requiresOneOf:issue_number,pull_number" }, "missing_tool": { "defaultMax": 20, @@ -307,7 +329,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -327,69 +348,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
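Review bot: `MCP_GATEWAY_DOCKER_COMMAND` runs `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` by tag while handing it `/var/run/docker.sock`, `--network host`, `GITHUB_TOKEN` and `GITHUB_MCP_SERVER_TOKEN`. A tag can be re-pointed, so an image with this much access should be pinned by digest, e.g. `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84@sha256:<digest>`, and the same holds for `ghcr.io/github/github-mcp-server:v0.30.2` in the `container` field. The command also sets `-e DEBUG="*"`, and `::add-mask::` only masks the job log. If the gateway writes debug output to `MCP_GATEWAY_LOG_DIR` and that directory is later uploaded, confirm it cannot contain the tokens or the generated API keys. This file is generated, so the pin would be made in the gh-aw compiler.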
@@ -402,8 +450,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Issue Monster", experimental: false, supports_tools_allowlist: true, @@ -417,10 +465,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -441,235 +489,25 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT: ${{ needs.search_issues.outputs.issue_count }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Issue Monster 🍪 - - You are the **Issue Monster** - the Cookie Monster of issues! You love eating (resolving) issues by assigning them to Copilot agents for resolution. - - ## Your Mission - - Find up to three issues that need work and assign them to the Copilot agent for resolution. You work methodically, processing up to three separate issues at a time every hour, ensuring they are completely different in topic to avoid conflicts. - - ## Current Context - - - **Repository**: __GH_AW_GITHUB_REPOSITORY__ - - **Run Time**: $(date -u +"%Y-%m-%d %H:%M:%S UTC") - - ## Step-by-Step Process - - ### 1. 
Review Pre-Searched and Prioritized Issue List - - The issue search has already been performed in a previous job with smart filtering and prioritization: - - **Filtering Applied:** - - ✅ Only open issues - - ✅ Excluded issues with labels: wontfix, duplicate, invalid, question, discussion, needs-discussion, blocked, on-hold, waiting-for-feedback, needs-more-info, no-bot, no-campaign - - ✅ Excluded issues with campaign labels (campaign:*) - these are managed by campaign orchestrators - - ✅ Excluded issues that already have assignees - - ✅ Excluded issues that have sub-issues (parent/organizing issues) - - ✅ Prioritized issues with labels: good-first-issue, bug, security, documentation, enhancement, feature, performance, tech-debt, refactoring - - **Scoring System:** - Issues are scored and sorted by priority: - - Good first issue: +50 points - - Security: +45 points - - Bug: +40 points - - Documentation: +35 points - - Enhancement/Feature: +30 points - - Performance: +25 points - - Tech-debt/Refactoring: +20 points - - Has any priority label: +10 points - - Age bonus: +0-20 points (older issues get slight priority) - - **Issue Count**: __GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT__ - **Issue Numbers**: __GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS__ - - **Available Issues (sorted by priority score):** - ``` - __GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST__ - ``` - - Work with this pre-fetched, filtered, and prioritized list of issues. Do not perform additional searches - the issue numbers are already identified above, sorted from highest to lowest priority. - - ### 1a. Handle Parent-Child Issue Relationships (for "task" or "plan" labeled issues) - - For issues with the "task" or "plan" label, check if they are sub-issues linked to a parent issue: - - 1. 
**Identify if the issue is a sub-issue**: Check if the issue has a parent issue link (via GitHub's sub-issue feature or by parsing the issue body for parent references like "Parent: #123" or "Part of #123") - - 2. **If the issue has a parent issue**: - - Fetch the parent issue to understand the full context - - List all sibling sub-issues (other sub-issues of the same parent) - - **Check for existing sibling PRs**: If any sibling sub-issue already has an open PR from Copilot, **skip this issue** and move to the next candidate - - Process sub-issues in order of their creation date (oldest first) - - 3. **Only one sub-issue sibling PR at a time**: If a sibling sub-issue already has an open draft PR from Copilot, skip all other siblings until that PR is merged or closed - - **Example**: If parent issue #100 has sub-issues #101, #102, #103: - - If #101 has an open PR, skip #102 and #103 - - Only after #101's PR is merged/closed, process #102 - - This ensures orderly, sequential processing of related tasks - - ### 2. Filter Out Issues Already Assigned to Copilot - - For each issue found, check if it's already assigned to Copilot: - - Look for issues that have Copilot as an assignee - - Check if there's already an open pull request linked to it - - **For "task" or "plan" labeled sub-issues**: Also check if any sibling sub-issue (same parent) has an open PR from Copilot - - **Skip any issue** that is already assigned to Copilot or has an open PR associated with it. - - ### 3. 
Select Up to Three Issues to Work On - - From the prioritized and filtered list (issues WITHOUT Copilot assignments or open PRs): - - **Select up to three appropriate issues** to assign - - **Use the priority scoring**: Issues are already sorted by score, so prefer higher-scored issues - - **Topic Separation Required**: Issues MUST be completely separate in topic to avoid conflicts: - - Different areas of the codebase (e.g., one CLI issue, one workflow issue, one docs issue) - - Different features or components - - No overlapping file changes expected - - Different problem domains - - **Priority Guidelines**: - - Start from the top of the sorted list (highest scores) - - Skip issues that would conflict with already-selected issues - - For "task" sub-issues: Process in order (oldest first among siblings) - - Clearly independent from each other - - **Topic Separation Examples:** - - ✅ **GOOD**: Issue about CLI flags + Issue about documentation + Issue about workflow syntax - - ✅ **GOOD**: Issue about error messages + Issue about performance optimization + Issue about test coverage - - ❌ **BAD**: Two issues both modifying the same file or feature - - ❌ **BAD**: Issues that are part of the same larger task or feature - - ❌ **BAD**: Related issues that might have conflicting changes - - **If all issues are already being worked on:** - - Output a message: "🍽️ All issues are already being worked on!" - - **STOP** and do not proceed further - - **If fewer than 3 suitable separate issues are available:** - - Assign only the issues that are clearly separate in topic - - Do not force assignments just to reach the maximum - - ### 4. Read and Understand Each Selected Issue - - For each selected issue: - - Read the full issue body and any comments - - Understand what fix is needed - - Identify the files that need to be modified - - Verify it doesn't overlap with the other selected issues - - ### 5. 
Assign Issues to Copilot Agent - - For each selected issue, use the `assign_to_agent` tool from the `safeoutputs` MCP server to assign the Copilot agent: - - ``` - safeoutputs/assign_to_agent(issue_number=, agent="copilot") - ``` - - Do not use GitHub tools for this assignment. The `assign_to_agent` tool will handle the actual assignment. - - The Copilot agent will: - 1. Analyze the issue and related context - 2. Generate the necessary code changes - 3. Create a pull request with the fix - 4. Follow the repository's AGENTS.md guidelines - - ### 6. Add Comment to Each Assigned Issue - - Add a comment to each issue being assigned: - - ```markdown - 🍪 **Issue Monster has assigned this to Copilot!** - - I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent. - - The Copilot agent will analyze the issue and create a pull request with the fix. - - Om nom nom! 🍪 - ``` - - ## Important Guidelines - - - ✅ **Up to three at a time**: Assign up to three issues per run, but only if they are completely separate in topic - - ✅ **Topic separation is critical**: Never assign issues that might have overlapping changes or related work - - ✅ **Be transparent**: Comment on each issue being assigned - - ✅ **Check assignments**: Skip issues already assigned to Copilot - - ✅ **Sibling awareness**: For "task" or "plan" sub-issues, skip if any sibling already has an open Copilot PR - - ✅ **Process in order**: For sub-issues of the same parent, process oldest first - - ❌ **Don't force batching**: If only 1-2 clearly separate issues exist, assign only those - - ## Success Criteria - - A successful run means: - 1. You reviewed the pre-searched, filtered, and prioritized issue list - 2. The search already excluded issues with problematic labels (wontfix, question, discussion, etc.) - 3. The search already excluded issues with campaign labels (campaign:*) as these are managed by campaign orchestrators - 4. 
The search already excluded issues that already have assignees - 5. The search already excluded issues that have sub-issues (parent/organizing issues are not tasks) - 6. Issues are sorted by priority score (good-first-issue, bug, security, etc. get higher scores) - 7. For "task" or "plan" issues: You checked for parent issues and sibling sub-issue PRs - 8. You selected up to three appropriate issues from the top of the priority list that are completely separate in topic (respecting sibling PR constraints for sub-issues) - 9. You read and understood each issue - 10. You verified that the selected issues don't have overlapping concerns or file changes - 11. You assigned each issue to the Copilot agent using `assign_to_agent` - 12. You commented on each issue being assigned - - ## Error Handling - - If anything goes wrong: - - **No issues found**: Output a friendly message and stop gracefully - - **All issues assigned**: Output a message and stop gracefully - - **API errors**: Log the error clearly - - Remember: You're the Issue Monster! Stay hungry, work methodically, and let Copilot do the heavy lifting! 🍪 Om nom nom! 
- + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT: ${{ needs.search_issues.outputs.issue_count }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT: process.env.GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT, - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: process.env.GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST, - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: process.env.GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
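Review bot: The step that appended `/opt/gh-aw/prompts/xpia_prompt.md` to the prompt is removed here, and the merged step on the new side only appends `temp_folder_prompt.md` and `markdown.md`. This workflow assigns issues to the Copilot agent, so the agent handles issue text written by arbitrary users and the prompt-injection guidance still matters. Unless `create_prompt_first.sh` or the runtime-imported `workflows/issue-monster.md` (added further down, content not visible here) now carries that guidance, restore it in the combined step with `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"`. Because the lock file is generated, the fix would go in the gh-aw compiler or the source `.md`.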
@@ -679,25 +517,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: add_comment, assign_to_agent, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -727,6 +551,12 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/issue-monster.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: 
@@ -761,16 +591,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_COUNT: ${{ needs.search_issues.outputs.issue_count }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} - GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -781,8 +611,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
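Review bot: The rewritten `sudo -E awf` line widens the agent sandbox well beyond what an organization rename explains, and deserves its own review. `--allow-domains` grows from nine hosts to more than forty (package mirrors, a keyserver, CRL/OCSP endpoints), `--enable-host-access` is added, and `/usr/bin/curl` and `/opt/hostedtoolcache` are mounted, while the agent still runs with `--allow-all-tools --allow-all-paths`. `--env-all` is also kept next to the new explicit `--env` list, which appears to make that list redundant rather than restrictive. Because this lock file is generated, the narrowing belongs in the source workflow: allow only the hosts this workflow needs, and document the host access with a comment such as `# host access: agent reaches the MCP gateway on host.docker.internal`. The same domain list is repeated in `GH_AW_ALLOWED_DOMAINS` in the `-841,7` hunk.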
@@ -792,7 +624,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -814,6 +645,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -841,7 +681,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -876,12 +716,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -915,7 +768,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
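Review bot: In the `-915,7` hunk the new `Setup Scripts` line points back at the old organization, `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, replacing `github/gh-aw/actions/setup@v0.40.0`; this is the reverse of the migration the commit message describes. It looks as if the lock files were recompiled with gh-aw v0.38.5, which still emits `githubnext` names. The same reversal shows in the other `Setup Scripts` hunks, the `githubnext.github.io` documentation URL and the `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` image. References that rely on a redirect from a renamed organization are worth avoiding, since whoever later controls the old name controls what they resolve to. Recompile with a gh-aw release that emits the new organization and keep the commit pin, e.g. `uses: github/gh-aw/actions/setup@<commit-sha> # <version>`.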
@@ -967,6 +820,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Issue Monster" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_ASSIGNMENT_ERRORS: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_errors }} + GH_AW_ASSIGNMENT_ERROR_COUNT: ${{ needs.safe_outputs.outputs.assign_to_agent_assignment_error_count }} + GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🍪 *Om nom nom by [{workflow_name}]({run_url})*\",\"runStarted\":\"🍪 ISSUE! ISSUE! [{workflow_name}]({run_url}) hungry for issues on this {event_type}! Om nom nom...\",\"runSuccess\":\"🍪 YUMMY! [{workflow_name}]({run_url}) ate the issues! That was DELICIOUS! Me want MORE! 😋\",\"runFailure\":\"🍪 Aww... [{workflow_name}]({run_url}) {status}. No cookie for monster today... 😢\"}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -999,7 +871,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1078,22 +950,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1146,7 +1008,7 @@ jobs: activated: ${{ ((steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true')) && (steps.check_skip_if_no_match.outputs.skip_no_match_check_ok == 'true') }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow 
@@ -1207,11 +1069,13 @@ jobs: GH_AW_WORKFLOW_NAME: "Issue Monster" outputs: assign_to_agent_assigned: ${{ steps.assign_to_agent.outputs.assigned }} + assign_to_agent_assignment_error_count: ${{ steps.assign_to_agent.outputs.assignment_error_count }} + assign_to_agent_assignment_errors: ${{ steps.assign_to_agent.outputs.assignment_errors }} process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1230,7 +1094,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":3}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":3,\"target\":\"*\"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1245,8 +1109,10 @@ jobs: env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_AGENT_MAX_COUNT: 3 + GH_AW_AGENT_TARGET: "*" + GH_AW_AGENT_ALLOWED: "copilot" with: - github-token: ${{ secrets.GH_AW_AGENT_TOKEN }} + github-token: ${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); diff --git a/.github/workflows/mcp-gateway-log-analyzer.lock.yml b/.github/workflows/mcp-gateway-log-analyzer.lock.yml index a3811d59..125b1467 100644 --- a/.github/workflows/mcp-gateway-log-analyzer.lock.yml +++ b/.github/workflows/mcp-gateway-log-analyzer.lock.yml 
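Review bot: In the `-1245,8` hunk of the Issue Monster workflow, the step configured by `GH_AW_AGENT_MAX_COUNT` now takes `secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`, so a missing or misnamed agent secret no longer stops the step and it silently runs with a different credential. The same hunk adds `GH_AW_AGENT_TARGET: "*"`, and the `-1230,7` hunk adds `"target":"*"` to `add_comment`, which presumably lets these handlers act on any issue or pull request rather than only the triggering one. Failing closed is the safer default for a step that hands work to an agent: keep `github-token: ${{ secrets.GH_AW_AGENT_TOKEN }}` and leave the target restricted unless the wider scope is needed. The file is generated, so the change belongs in the workflow's source `.md`.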
@@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analysis of MCP Gateway logs from gh-aw repository workflows to identify bugs and issues +# +# frontmatter-hash: c09ca9abe11eadbf1ab590347b430610713cfcc1ef2245c41bde655eadb3c189 name: "MCP Gateway Log Analyzer" "on": @@ -28,11 +30,7 @@ name: "MCP Gateway Log Analyzer" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - actions: read - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -49,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -74,8 +72,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -83,13 +85,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -119,28 +122,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -151,8 +140,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -204,7 +193,7 @@ jobs: "name": "create_issue" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -213,16 +202,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
@@ -245,6 +233,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -298,7 +313,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -318,69 +332,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_MCP_MULTIREPO_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + 
MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests,actions", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", "env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": 
"\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
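Review bot: `MCP_GATEWAY_DOCKER_COMMAND` starts the gateway with `--network host`, `-v /var/run/docker.sock:/var/run/docker.sock` and `-e DEBUG="*"`, from an image pinned only by tag (`ghcr.io/githubnext/gh-aw-mcpg:v0.0.84`). Docker socket access is equivalent to root on the runner, and the container also receives `GITHUB_TOKEN`, `GITHUB_MCP_SERVER_TOKEN` and both generated API keys, so the image reference should be immutable: `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84@sha256:<digest>`. Wildcard debug logging in a process holding those values may write them under `MCP_GATEWAY_LOG_DIR`, and `::add-mask::` is applied only to the two generated keys, so `-e DEBUG="*"` is better dropped outside troubleshooting runs. The file is generated, so both changes belong in the gh-aw compiler or the source workflow rather than in this lock file.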
@@ -393,8 +434,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "MCP Gateway Log Analyzer", experimental: false, supports_tools_allowlist: true, @@ -408,10 +449,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -432,579 +473,25 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # MCP Gateway Log Analyzer 🔍 - - You are an AI agent that monitors MCP Gateway logs from the gh-aw repository to identify bugs and operational issues. - - ## Mission - - Analyze workflow runs from the last 24 hours in the `github/gh-aw` repository, looking for MCP Gateway errors in the artifact logs. Create a comprehensive issue summarizing any problems found. - - ## Target Workflows - - Focus on these specific workflow files in `github/gh-aw`: - 1. `code-scanning-fixer.lock.yml` - 2. `copilot-agent-analysis.lock.yml` - - ## Step 1: Fetch Recent Workflow Runs 📊 - - Use the GitHub MCP server to fetch workflow runs from the last 24 hours: - - 1. **List workflow runs for code-scanning-fixer:** - ``` - Use github-mcp-server list_workflow_runs with: - - owner: github - - repo: gh-aw - - resource_id: code-scanning-fixer.lock.yml - ``` - - 2. **List workflow runs for copilot-agent-analysis:** - ``` - Use github-mcp-server list_workflow_runs with: - - owner: github - - repo: gh-aw - - resource_id: copilot-agent-analysis.lock.yml - ``` - - 3. 
**Filter to last 24 hours:** - - Calculate timestamp for 24 hours ago: `date -u -d '24 hours ago' '+%Y-%m-%dT%H:%M:%SZ'` - - Only process runs that completed after this timestamp - - Focus on completed runs (status: "completed") - - ## Step 2: Download Artifacts for Each Run 🗂️ - - For each workflow run found: - - 1. **List artifacts:** - ``` - Use github-mcp-server list_workflow_run_artifacts with: - - owner: github - - repo: gh-aw - - resource_id: - ``` - - 2. **Download agent-artifacts:** - - Look for artifacts named "agent-artifacts" or similar - - Download using the artifacts API - - Extract to a temporary directory - - 3. **Handle download errors:** - - If artifacts are not available (expired or deleted), note this in your analysis - - Continue with other runs - - ## Step 3: Analyze MCP Gateway Logs 🔬 - - For each artifact downloaded, examine the `mcp-logs` directory: - - ### 3.1 Analyze stderr.log - - Look for: - - **Error messages**: Lines containing "error", "ERROR", "fatal", "FATAL", "panic" - - **Connection failures**: Docker daemon issues, container startup failures - - **Protocol errors**: JSON-RPC errors, MCP protocol violations - - **Timeout errors**: Startup or tool timeout issues - - **Authentication failures**: Token validation errors - - ### 3.2 Analyze mcp-gateway.log - - Look for: - - **Startup failures**: Gateway initialization errors - - **Backend crashes**: MCP server container failures - - **Request failures**: Failed tool invocations - - **Warning patterns**: Repeated warnings that might indicate bugs - - **Configuration errors**: Invalid config or validation failures - - ### 3.3 Analyze rpc-messages.jsonl (Optional) - - For additional context: - - **Request/response patterns**: Identify failing tool calls - - **Error responses**: Extract detailed error codes and messages - - **Frequency analysis**: Count occurrences of specific errors - - ### 3.4 Extract Error Patterns - - For each error found, record: - - **Error message**: The exact 
error text - - **Workflow run**: Which workflow and run ID - - **Timestamp**: When the error occurred - - **Frequency**: How many times this error appeared - - **Context**: Surrounding log lines for context - - **File**: Which log file (stderr.log, mcp-gateway.log, rpc-messages.jsonl) - - ## Step 4: Categorize and Prioritize 📋 - - Group errors into categories: - - 1. **Critical Errors** (gateway crashes, complete failures): - - Gateway startup failures - - Complete service outages - - Container crashes affecting all operations - - 2. **High Priority** (blocking operations): - - Tool execution failures - - Authentication/authorization issues - - Docker connectivity problems - - Protocol violations - - 3. **Medium Priority** (degraded service): - - Timeout issues - - Retry failures - - Performance warnings - - Resource constraints - - 4. **Low Priority** (minor issues): - - Log formatting issues - - Non-critical warnings - - Deprecated feature usage - - ## Step 5: Create Test Cases for Reproduction 🧪 - - For each significant error identified (Critical and High Priority errors), attempt to create a test case that reproduces the issue: - - ### 5.1 Analyze Error Context - - For each error, examine: - - **Error type**: What kind of failure occurred (startup, protocol, container, etc.) - - **Preconditions**: What state or configuration led to the error - - **Trigger**: What action or request caused the error - - **Environment**: Docker version, Go version, OS details from logs - - **Configuration**: Relevant config.toml or environment variable settings - - ### 5.2 Identify Reproducible Errors - - Determine if the error is reproducible by checking: - - **Consistency**: Does it occur in multiple workflow runs? - - **Conditions**: Are the conditions clear and replicable? - - **Isolation**: Can the error be isolated from other issues? - - **Testability**: Can it be tested without external dependencies? 
- - ### 5.3 Create Test Case Files - - For reproducible errors, create test case specifications in memory (do not create actual files): - - **Test Case Template:** - ```go - // TestCase: [Brief Description] - // Category: [Critical/High Priority] - // Related Error: [Error message excerpt] - // Workflow Run: [Link to workflow run] - - func Test[ErrorCategory][BriefName](t *testing.T) { - // Setup: Describe the preconditions needed - // - Configuration requirements - // - Environment state - // - Mock/stub requirements - - // Trigger: Describe how to trigger the error - // - Specific function call - // - API request - // - Configuration that causes failure - - // Expected: The error that should occur - // - Error message pattern - // - Error type - // - Exit code or status - - // Example implementation structure: - // t.Run("reproduce_[error_name]", func(t *testing.T) { - // // Arrange - // config := &Config{...} - // - // // Act - // result, err := FunctionThatFails(config) - // - // // Assert - // assert.Error(t, err) - // assert.Contains(t, err.Error(), "expected error message") - // }) - } - ``` - - ### 5.4 Document Test Case in Issue - - For each test case created, include in the issue: - - **Test File Location**: Where the test should be added (e.g., `internal/server/routed_test.go`) - - **Test Description**: What the test validates - - **Reproduction Steps**: Manual steps to reproduce if automated test is not possible - - **Code Snippet**: The test case code structure - - **Expected Outcome**: What should happen when the bug is fixed - - ### 5.5 Bash-Based Reproduction Scripts - - For errors that can be reproduced with command-line steps, create bash reproduction scripts: - - ```bash - #!/bin/bash - # Reproduction script for: [Error Description] - # Workflow Run: [Link] - - # Setup - export DOCKER_API_VERSION=1.43 - export TEST_CONFIG="test-config.toml" - - # Create minimal config that triggers the error - cat > $TEST_CONFIG <&1 | tee error-reproduction.log - 
- # Expected output: - # ERROR: [expected error message] - - # Cleanup - rm $TEST_CONFIG error-reproduction.log - ``` - - ### 5.6 Integration Test Scenarios - - For complex errors involving multiple components, outline integration test scenarios: - - ```markdown - **Integration Test Scenario: [Error Name]** - - **Components Involved:** - - MCP Gateway server - - Docker container management - - GitHub MCP server - - Authentication layer - - **Test Steps:** - 1. Start gateway with [specific configuration] - 2. Attempt to [specific operation] - 3. Verify error occurs: [expected error] - 4. Verify error is logged to: [log file] - 5. Verify gateway state: [expected state] - - **Success Criteria:** - - Error reproduces consistently - - Error message matches logs - - System recovers appropriately (or doesn't) - ``` - - ### 5.7 Test Case Summary - - Create a summary of all test cases to include in the issue: - - ```markdown - ## 🧪 Reproducible Test Cases - - | Priority | Error Category | Test Case | Reproducibility | Location | - |----------|---------------|-----------|-----------------|----------| - | Critical | Gateway Startup | TestGatewayStartupFailure | ✅ Consistent | internal/server/server_test.go | - | High | Docker Connection | TestDockerDaemonFailure | ✅ Consistent | internal/launcher/docker_test.go | - | High | Protocol Error | TestInvalidJSONRPC | ⚠️ Intermittent | internal/mcp/protocol_test.go | - ``` - - ### 5.8 Non-Reproducible Errors - - For errors that cannot be easily reproduced: - - Document why reproduction is difficult - - Suggest observability improvements (additional logging, metrics) - - Recommend investigation approaches - - Note if more data is needed from future occurrences - - ## Step 6: Create Comprehensive Issue 📝 - - If errors are found, create a GitHub issue using the safe-outputs create-issue tool: - - ### Issue Title Format: - ``` - MCP Gateway Errors Detected - [Date] - ``` - - ### Issue Body Structure: - - ```markdown - # MCP Gateway Log 
Analysis - [Date] - - ## Summary - - Found **[N]** errors across **[M]** workflow runs in the last 24 hours. - - ## Analyzed Workflows - - - **code-scanning-fixer.lock.yml**: [X] runs analyzed - - **copilot-agent-analysis.lock.yml**: [Y] runs analyzed - - ## Critical Errors - - ### 1. [Error Category] - - **Error:** [Error message] - - **Frequency:** [N] occurrences across [M] runs - - **First Seen:** [Workflow run link] - - **Details:** - ``` - [Log excerpt showing the error with context] - ``` - - **Impact:** [Description of impact on functionality] - - **Suggested Fix:** [Potential solution or investigation path] - - **Test Case:** [If reproducible, reference the test case below] - - --- - - ## High Priority Errors - - [Same format as Critical Errors] - - --- - - ## Medium Priority Errors - - [Same format as Critical Errors] - - --- - - ## Low Priority Issues - - [Brief list of minor issues] - - --- - - ## 🧪 Reproducible Test Cases - - [Include test case summary table from Step 5.7] - - ### Test Case Details - - For each reproducible error, provide: - - #### 1. 
[Test Case Name] - - **Error Category:** [Critical/High/Medium] - - **Related Error:** [Brief error description] - - **Test File:** `[path/to/test_file.go]` - - **Test Code:** - ```go - [Test case code from Step 5.3] - ``` - - **Manual Reproduction Steps:** - ```bash - [Bash script from Step 5.5 if applicable] - ``` - - **Expected Behavior After Fix:** - - [What should happen instead] - - [How to verify the fix] - - **Integration Test Scenario:** - [Integration test details from Step 5.6 if applicable] - - --- - - ## Workflow Run References - - - [§run_id_1](https://github.com/github/gh-aw/actions/runs/run_id_1) - - [§run_id_2](https://github.com/github/gh-aw/actions/runs/run_id_2) - - [§run_id_3](https://github.com/github/gh-aw/actions/runs/run_id_3) - - ## Analysis Period - - - **Start:** [24 hours ago timestamp] - - **End:** [Current timestamp] - - **Total Runs Analyzed:** [N] - - **Runs with Errors:** [M] - - ## Next Steps - - 1. Investigate [most critical error category] - 2. Review [specific log files or patterns] - 3. Consider [potential improvements or fixes] - - --- - - *Generated by MCP Gateway Log Analyzer* - ``` - - ### Issue Assignment - - - **Assignee:** @lpcox - - **Labels:** `bug`, `mcp-gateway`, `automation` - - ## Step 7: Success Case - No Errors Found ✅ - - If NO errors are found in the analyzed period: - - 1. **DO NOT create an issue** (silence is golden) - 2. **Log success:** Output a message to the workflow logs - 3. 
**Exit successfully** - - ``` - ✅ No MCP Gateway errors detected in the last 24 hours - Analyzed [N] workflow runs across [M] workflows - ``` - - ## Important Guidelines - - ### Accuracy - - Verify errors are genuine (not false positives from normal operations) - - Include full context for each error - - Cross-reference multiple log files when possible - - Distinguish between transient and persistent errors - - ### Thoroughness - - Check ALL runs from the last 24 hours - - Examine ALL log files in mcp-logs directory - - Look for patterns across multiple runs - - Don't miss critical errors buried in verbose logs - - ### Actionability - - Every error must have context and impact assessment - - Suggest potential fixes or investigation paths - - Link to specific workflow runs for reproduction - - Prioritize errors by severity and impact - - Create reproducible test cases for Critical and High Priority errors - - Provide clear reproduction steps for developers - - ### Efficiency - - Use bash tools for log parsing (grep, awk, jq) - - Don't download artifacts unnecessarily - - Skip runs without artifacts gracefully - - Batch similar errors together - - ### Quality - - Format log excerpts for readability - - Use proper markdown formatting - - Include timestamps for temporal analysis - - Link to workflow runs and log files - - ## Error Detection Patterns - - ### Common Error Patterns to Look For: - - **Docker/Container Issues:** - ``` - - "Cannot connect to the Docker daemon" - - "container not found" - - "failed to start container" - - "image pull failed" - ``` - - **Protocol Errors:** - ``` - - "JSON-RPC error" - - "invalid request" - - "method not found" - - "parse error" - ``` - - **Gateway Errors:** - ``` - - "startup failed" - - "configuration invalid" - - "backend crashed" - - "timeout exceeded" - ``` - - **Authentication Errors:** - ``` - - "unauthorized" - - "invalid token" - - "authentication failed" - - "permission denied" - ``` - - ## Technical Implementation 
Notes - - ### Downloading Artifacts - - **Note:** You should primarily use the GitHub MCP server's `download_workflow_run_artifact` tool to download artifacts. The bash example below is provided for reference only if the MCP tool is unavailable. - - Use GitHub API to download artifacts (if MCP tools are not available): - ```bash - # Note: GITHUB_TOKEN will be available in the workflow environment - # Get artifact download URL - artifact_url=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \ - "https://api.github.com/repos/github/gh-aw/actions/artifacts/$artifact_id/zip" \ - -w '%{redirect_url}') - - # Download and extract - curl -L -o artifact.zip "$artifact_url" - unzip -q artifact.zip -d /tmp/artifacts/$run_id - ``` - - ### Parsing Logs - - Use grep and awk for efficient log parsing: - ```bash - # Find all errors in stderr.log - grep -iE '(error|fatal|panic|failed)' stderr.log - - # Extract error context (5 lines before and after) - grep -iE '(error|fatal)' -B5 -A5 stderr.log - - # Count error occurrences - grep -iE 'specific error pattern' stderr.log | wc -l - ``` - - ### Parsing rpc-messages.jsonl - - Use jq for JSON parsing: - ```bash - # Find error responses - jq 'select(.error != null)' rpc-messages.jsonl - - # Count errors by type - jq 'select(.error != null) | .error.code' rpc-messages.jsonl | sort | uniq -c - ``` - - ## Expected Output - - Your workflow run should result in: - - 1. **If errors found:** - - A detailed GitHub issue with categorized findings - - Test cases for reproducible Critical and High Priority errors - - Bash reproduction scripts where applicable - - Integration test scenarios for complex errors - - Assigned to @lpcox - - Tagged with appropriate labels - - Clear action items for investigation - - Ready-to-use test code for developers - - 2. **If no errors found:** - - No issue created - - Success message in workflow logs - - Clean exit - - Begin your analysis! 
Fetch recent workflow runs, download artifacts, analyze logs for errors, create reproduction test cases, and report comprehensive findings. - + PROMPT_EOF - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
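Review bot: The removed step that ran `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"` has no counterpart on the new side of this hunk; the merged step only appends `temp_folder_prompt.md` and `markdown.md`. This agent reads workflow logs and artifacts it did not author, so the prompt-injection guidance is relevant to this job in particular. If the guidance now reaches the prompt another way (for example inside `create_prompt_first.sh` or through the `{{#runtime-import workflows/mcp-gateway-log-analyzer.md}}` added in a later hunk), that is not visible in this diff and should be confirmed. Otherwise keep `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"` in the combined step. The step's `run:` block continues past the end of this hunk.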
@@ -1014,25 +501,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -1062,6 +535,12 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/mcp-gateway-log-analyzer.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1102,6 +581,10 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -1112,8 +595,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
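Review bot: The `--allow-domains` list on the new `awf` line grows from nine hosts to several dozen (package mirrors, `keyserver.ubuntu.com`, `ppa.launchpad.net`, `packagecloud.io`, CRL/OCSP endpoints), and the same command adds `--enable-host-access` and mounts `/usr/bin/curl` into the container. The agent still runs with `--allow-all-tools --allow-all-paths` over log content it did not write, so each additional reachable host widens where data could go if the agent is misled. The list looks like the expansion of `allowed_domains: ["defaults"]` recorded in the run-info hunk earlier in this file, though that mapping is inferred rather than shown. For a job that only needs GitHub and Copilot endpoints, consider declaring the hosts explicitly in the source `.md` so the compiled flag stays at the nine hosts on the removed line, and keep `GH_AW_ALLOWED_DOMAINS` in the later hunk in step with it.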
@@ -1123,7 +608,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_MCP_MULTIREPO_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -1145,6 +629,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1173,7 +666,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1208,12 +701,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -1247,7 +753,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
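Review bot: The `Setup Scripts` step changes from `github/gh-aw/actions/setup@v0.40.0` to `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, which is the reverse of the githubnext-to-github migration the commit message describes and also steps back to an older release. The same reversal shows up in the other `Setup Scripts` hunks of this file and of plan.lock.yml, in the `validate_multi_secret.sh` documentation URL (`githubnext.github.io`), and in the plan.lock.yml header link. Pinning to a full commit SHA is an improvement worth keeping, but the owner should be the organisation the project now publishes under, since a reference through a former owner name depends on a redirect this workflow does not control. Because these files are generated, the likely cause is a recompile with a gh-aw v0.38.5 compiler. Regenerating with a compiler that emits the `github/` owner and a SHA pin, i.e. `uses: github/gh-aw/actions/setup@<commit-sha> # <tag>`, would correct every occurrence at once.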
@@ -1301,6 +807,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "MCP Gateway Log Analyzer" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1332,7 +854,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1411,22 +933,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1492,7 +1004,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1511,7 +1023,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"lpcox\"],\"labels\":[\"bug\",\"mcp-gateway\",\"automation\"],\"max\":1,\"title_prefix\":\"[mcp-gateway-logs] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"assignees\":[\"lpcox\"],\"labels\":[\"bug\",\"mcp-gateway\",\"automation\"],\"max\":1,\"title_prefix\":\"[mcp-gateway-logs] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 68a7eb76..8eb14b7b 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Generates project plans and task breakdowns when invoked with /plan command in issues or PRs +# +# frontmatter-hash: c19b0c2e0221a16cf201aa263f4702bce8e42880d173621c185af167de683920 name: "Plan Command" "on": @@ -32,11 +34,7 @@ name: "Plan Command" - created - edited -permissions: - contents: read - discussions: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}" 
@@ -56,15 +54,14 @@ jobs: issues: write pull-requests: write outputs: - comment_id: ${{ steps.react.outputs.comment-id }} - comment_repo: ${{ steps.react.outputs.comment-repo }} - comment_url: ${{ steps.react.outputs.comment-url }} - reaction_id: ${{ steps.react.outputs.reaction-id }} + comment_id: ${{ steps.add-comment.outputs.comment-id }} + comment_repo: ${{ steps.add-comment.outputs.comment-repo }} + comment_url: ${{ steps.add-comment.outputs.comment-url }} slash_command: ${{ needs.pre_activation.outputs.matched_command }} text: ${{ steps.compute-text.outputs.text }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -86,19 +83,17 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - - name: Add eyes reaction to the triggering item - id: react + - name: Add comment with workflow run link + id: add-comment if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: - GH_AW_REACTION: "eyes" - GH_AW_COMMAND: plan GH_AW_WORKFLOW_NAME: "Plan Command" with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_workflow_run_comment.cjs'); await main(); agent: 
@@ -110,8 +105,12 @@ jobs: issues: read pull-requests: read env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -119,13 +118,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -155,28 +155,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -187,8 +173,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -274,7 +260,7 @@ jobs: "name": "close_discussion" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -283,16 +269,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
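Review bot: The `Download container images` step pulls `ghcr.io/github/github-mcp-server:v0.30.2`, `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` and `node:lts-alpine` by tag, so the image that runs can change without any change to this file, and `node:lts-alpine` floats by design. The actions in the same workflow are pinned to commit SHAs, and the gateway image is later started with the Docker socket and the GitHub tokens, so it deserves the same treatment. Reference each image by digest, e.g. `ghcr.io/github/github-mcp-server:v0.30.2@sha256:<digest>` (placeholder), and have the generator emit that form, since this lock file is not hand-edited. The gateway image is also still under `ghcr.io/githubnext/`, contrary to the commit description.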
@@ -315,6 +300,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -391,7 +403,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -411,69 +422,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests,discussions", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": 
"ghcr.io/github/github-mcp-server:v0.30.2", "env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,discussions" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
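Review bot: `MCP_GATEWAY_DOCKER_COMMAND` starts the gateway with `-v /var/run/docker.sock:/var/run/docker.sock`, `--network host`, `-v /tmp:/tmp:rw` and `-e DEBUG="*"` while passing it `GITHUB_MCP_SERVER_TOKEN`, `GITHUB_TOKEN` and both generated API keys. Access to the Docker socket is equivalent to root on the runner, so the `:ro` on `/opt` does not bound what a compromised gateway can do, and wildcard debug logging runs in the process that holds the secrets. In the generator, drop `-e DEBUG="*"` from the default command and forward only the `GITHUB_*` variables the gateway actually needs. Also check the wiring: this step reads `steps.safe-outputs-start.outputs.api_key` and `.port`, but the only outputs written in this hunk are `safe_outputs_api_key` and `safe_outputs_port` on `safe-outputs-config`; unless `start_safe_outputs_server.sh` (not shown) sets them, the `Authorization` header for `safeoutputs` is empty.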
@@ -486,8 +524,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Plan Command", experimental: false, supports_tools_allowlist: true, @@ -501,10 +539,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -525,170 +563,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Planning Assistant - - You are an expert planning assistant for GitHub Copilot agents. Your task is to analyze an issue or discussion and break it down into a sequence of actionable work items that can be assigned to GitHub Copilot agents. - - ## Current Context - - - **Repository**: __GH_AW_GITHUB_REPOSITORY__ - - **Issue Number**: __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ - - **Discussion Number**: __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ - - **Content**: - - - __GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT__ - - - ## Your Mission - - Analyze the issue or discussion and its comments, then create a sequence of clear, actionable sub-issues (at most 5) that break down the work into manageable tasks for GitHub Copilot agents. - - ## Guidelines for Creating Sub-Issues - - ### 1. 
Clarity and Specificity - Each sub-issue should: - - Have a clear, specific objective that can be completed independently - - Use concrete language that a SWE agent can understand and execute - - Include specific files, functions, or components when relevant - - Avoid ambiguity and vague requirements - - ### 2. Proper Sequencing - Order the tasks logically: - - Start with foundational work (setup, infrastructure, dependencies) - - Follow with implementation tasks - - End with validation and documentation - - Consider dependencies between tasks - - ### 3. Right Level of Granularity - Each task should: - - Be completable in a single PR - - Not be too large (avoid epic-sized tasks) - - With a single focus or goal. Keep them extremely small and focused even if it means more tasks. - - Have clear acceptance criteria - - ### 4. SWE Agent Formulation - Write tasks as if instructing a software engineer: - - Use imperative language: "Implement X", "Add Y", "Update Z" - - Provide context: "In file X, add function Y to handle Z" - - Include relevant technical details - - Specify expected outcomes - - ## Task Breakdown Process - - 1. **Analyze the Content**: Read the issue or discussion title, description, and comments carefully - 2. **Identify Scope**: Determine the overall scope and complexity - 3. **Break Down Work**: Identify 3-5 logical work items - 4. **Formulate Tasks**: Write clear, actionable descriptions for each task - 5. 
**Create Sub-Issues**: Use safe-outputs to create the sub-issues - - ## Output Format - - For each sub-issue you create: - - **Title**: Brief, descriptive title (e.g., "Implement authentication middleware") - - **Body**: Clear description with: - - Objective: What needs to be done - - Context: Why this is needed - - Approach: Suggested implementation approach (if applicable) - - Files: Specific files to modify or create - - Acceptance Criteria: How to verify completion - - ## Example Sub-Issue - - **Title**: Add user authentication middleware - - **Body**: - ``` - ## Objective - Implement JWT-based authentication middleware for API routes. - - ## Context - This is needed to secure API endpoints before implementing user-specific features. Part of issue or discussion #123. - - ## Approach - 1. Create middleware function in `src/middleware/auth.js` - 2. Add JWT verification using the existing auth library - 3. Attach user info to request object - 4. Handle token expiration and invalid tokens - - ## Files to Modify - - Create: `src/middleware/auth.js` - - Update: `src/routes/api.js` (to use the middleware) - - Update: `tests/middleware/auth.test.js` (add tests) - - ## Acceptance Criteria - - [ ] Middleware validates JWT tokens - - [ ] Invalid tokens return 401 status - - [ ] User info is accessible in route handlers - - [ ] Tests cover success and error cases - ``` - - ## Important Notes - - - **Maximum 5 sub-issues**: Don't create more than 5 sub-issues (as configured in safe-outputs) - - **Parent Reference**: You must specify the current issue (#__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__) or discussion (#__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__) as the parent when creating sub-issues. The system will automatically link them with "Related to #N" in the issue body. 
- - **Clear Steps**: Each sub-issue should have clear, actionable steps - - **No Duplication**: Don't create sub-issues for work that's already done - - **Prioritize Clarity**: SWE agents need unambiguous instructions - - ## Instructions - - Review instructions in `.github/instructions/*.instructions.md` if you need guidance. - - ## Begin Planning - - Analyze the issue or discussion and create the sub-issues now. Remember to use the safe-outputs mechanism to create each issue. Each sub-issue you create will be automatically linked to the parent (issue #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ or discussion #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__). - - After creating all the sub-issues successfully, if this was triggered from a discussion in the "Ideas" category, close the discussion with a comment summarizing the plan and resolution reason "RESOLVED". - + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: process.env.GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: 
/tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions @@ -698,25 +592,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: close_discussion, create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} 
@@ -746,6 +626,15 @@ jobs: PROMPT_EOF + if [ "$GITHUB_EVENT_NAME" = "issue_comment" ] && [ -n "$GH_AW_IS_PR_COMMENT" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review_comment" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_review" ]; then + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + fi + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/plan.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -758,6 +647,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + GH_AW_IS_PR_COMMENT: ${{ github.event.issue.pull_request && 'true' || '' }} with: script: | const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); 
@@ -773,30 +663,24 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE, + GH_AW_IS_PR_COMMENT: process.env.GH_AW_IS_PR_COMMENT } }); - - name: Append PR context instructions to prompt - if: | - (github.event_name == 'issue_comment') && (github.event.issue.pull_request != null) || github.event_name == 'pull_request_review_comment' || github.event_name == 'pull_request_review' - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -807,8 +691,10 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
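Review bot: The agent sandbox is widened in three ways at once in this `awf` invocation. `--allow-domains` grows from nine hosts to a list that includes third-party package hosts such as `ppa.launchpad.net`, `packagecloud.io` and `keyserver.ubuntu.com`, `--enable-host-access` is added, and `/usr/bin/curl` is mounted, while the agent still runs with `--env-all`, `--allow-all-tools` and `--allow-all-paths` in a workflow triggered by a `/plan` comment. For a planning workflow that appears to need only the Copilot and GitHub APIs, this is more egress than the task requires. Keep the previous nine-host allow-list for this workflow in its source `.md` and enable the broader defaults only where a workflow installs packages. The same list is duplicated in `GH_AW_ALLOWED_DOMAINS` in a later hunk and has to change with it.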
@@ -818,7 +704,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -840,6 +725,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -867,7 +761,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} GH_AW_COMMAND: plan 
@@ -903,12 +797,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -942,7 +849,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
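Review bot: The `Setup Scripts` step in the `@@ -942,7 +849,7 @@` hunk now reads `uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, replacing `github/gh-aw/actions/setup@v0.40.0`, which runs against the githubnext → github migration described in the commit message and moves to an older release. The same reversal shows up in the other `Setup Scripts` steps of this file and of release.lock.yml, in the `validate_multi_secret.sh` documentation URL, and in the `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` image. Pinning to a full commit SHA is the right direction, but the pin should name the organization the project intends to trust going forward, i.e. `uses: github/gh-aw/actions/setup@<commit-sha> # <version>`. These lock files are compiler output, so this presumably comes from recompiling with gh-aw v0.38.5; regenerate them with a compiler release that emits the `github/` paths rather than editing the lines by hand.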
@@ -994,6 +901,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Plan Command" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1023,7 +946,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1102,22 +1025,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -1169,14 +1082,31 @@ jobs: (github.event_name == 'issue_comment') && ((contains(github.event.comment.body, '/plan')) && (github.event.issue.pull_request == null)) || (github.event_name == 'discussion_comment') && (contains(github.event.comment.body, '/plan')) runs-on: ubuntu-slim + permissions: + discussions: write + issues: write + pull-requests: write outputs: activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_command_position.outputs.command_position_ok == 'true') }} matched_command: ${{ steps.check_command_position.outputs.matched_command }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions + - name: Add eyes reaction for immediate feedback + id: react + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'discussion' || github.event_name == 'discussion_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.id == github.repository_id) + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_REACTION: "eyes" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/add_reaction.cjs'); + await main(); - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1221,7 +1151,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1240,7 +1170,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"close_discussion\":{\"max\":1,\"required_category\":\"Ideas\"},\"create_issue\":{\"labels\":[\"task\",\"ai-generated\"],\"max\":5,\"title_prefix\":\"[task] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"close_discussion\":{\"max\":1},\"create_issue\":{\"labels\":[\"task\",\"ai-generated\"],\"max\":5,\"title_prefix\":\"[task] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 10f655be..d339e364 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Build, test, and release MCP Gateway binary and Docker image, then generate and prepend release highlights +# +# frontmatter-hash: bc9cbee4878811234b7dae7664b9db0308c0417655211c39cf25159c96df11c9 name: "Release" "on": @@ -37,11 +39,7 @@ name: "Release" required: true type: choice -permissions: - actions: read - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}-${{ github.ref }}" @@ -60,7 +58,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -89,8 +87,12 @@ jobs: issues: read pull-requests: read env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -98,13 +100,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -141,28 +144,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -173,8 +162,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -218,7 +207,7 @@ jobs: "name": "update_release" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -227,16 +216,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
@@ -259,6 +247,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -279,7 +294,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -324,69 +338,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
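Review bot: The `MCP_GATEWAY_DOCKER_COMMAND` exported in the new `Start MCP gateway` step starts the gateway with `--network host`, the host Docker socket (`-v /var/run/docker.sock:/var/run/docker.sock`) and `-v /tmp:/tmp:rw`, and forwards `GITHUB_TOKEN` and `GITHUB_MCP_SERVER_TOKEN` into it, so whatever that image contains has runner-level control and both tokens. The image is referenced only by a mutable tag, `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84`, while every action in this file is pinned to a commit SHA; pin the image by digest as well, e.g. `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84@sha256:<digest>` (placeholder). `-e DEBUG="*"` appears to enable wildcard debug output in the container that holds those tokens and `MCP_GATEWAY_API_KEY`; narrow it unless it is needed, and confirm the gateway logs are redacted before they are uploaded as artifacts. The file is generated, so the change belongs in the workflow source or the compiler rather than in this lock file.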
@@ -399,8 +440,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Release", experimental: false, supports_tools_allowlist: true, @@ -414,10 +455,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", allowed_domains: ["defaults","node","ghcr.io"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -438,234 +479,25 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} - GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Release Highlights Generator - - Generate an engaging release highlights summary for **__GH_AW_GITHUB_REPOSITORY__** (MCP Gateway) release `${RELEASE_TAG}`. - - **Release ID**: __GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID__ - - ## Data Available - - All data is pre-fetched in `/tmp/gh-aw-mcpg/release-data/`: - - `current_release.json` - Release metadata (tag, name, dates, existing body) - - `pull_requests.json` - PRs merged between `${PREV_RELEASE_TAG}` and `${RELEASE_TAG}` (empty array if first release) - - `README.md` - Project overview for context (if exists) - - `docs_files.txt` - Available documentation files for linking - - ## Project Context - - **MCP Gateway** is a Go-based proxy server for Model Context Protocol (MCP) servers. 
Key features: - - Routes requests to multiple MCP backend servers (routed and unified modes) - - Launches MCP servers as Docker containers - - Handles JSON-RPC 2.0 over stdio communication - - Provides security through guards and DIFC labeling - - ## Output Requirements - - Create a **"🌟 Release Highlights"** section that: - - Is concise and scannable (users grasp key changes in 30 seconds) - - Uses professional, enthusiastic tone (not overly casual) - - Categorizes changes logically (features, fixes, docs, breaking changes) - - Links to relevant documentation where helpful (GitHub repo docs/ directory) - - Focuses on user impact (why changes matter, not just what changed) - - Mentions Docker image availability with version tag - - ## Workflow - - ### 1. Load Data - - ```bash - # View release metadata - cat /tmp/gh-aw-mcpg/release-data/current_release.json | jq - - # List PRs (empty if first release) - cat /tmp/gh-aw-mcpg/release-data/pull_requests.json | jq -r '.[] | "- #\(.number): \(.title) by @\(.author.login)"' - - # Check README context - head -100 /tmp/gh-aw-mcpg/release-data/README.md 2>/dev/null || echo "No README" - - # View available docs - cat /tmp/gh-aw-mcpg/release-data/docs_files.txt - ``` - - ### 2. Categorize & Prioritize - - Group PRs by category (omit categories with no items): - - **✨ New Features** - User-facing capabilities (routing, server management, etc.) - - **🐛 Bug Fixes** - Issue resolutions - - **⚡ Performance** - Speed/efficiency improvements - - **📚 Documentation** - Guide/reference updates - - **⚠️ Breaking Changes** - Requires user action (ALWAYS list first if present) - - **🔧 Internal** - Refactoring, dependencies (usually omit from highlights) - - ### 3. 
Write Highlights - - Structure: - ```markdown - ## 🌟 Release Highlights - - [1-2 sentence summary of the release theme/focus] - - ### ⚠️ Breaking Changes - [If any - list FIRST with migration guidance] - - ### ✨ What's New - [Top 3-5 features with user benefit, link docs when relevant] - - ### 🐛 Bug Fixes & Improvements - [Notable fixes - focus on user impact] - - ### 📚 Documentation - [Only if significant doc additions/improvements] - - ### 🐳 Docker Image - - The Docker image for this release is available at: - - \`\`\`bash - docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} - # or - docker pull ghcr.io/github/gh-aw-mcpg:latest - \`\`\` - - Supported platforms: `linux/amd64`, `linux/arm64` - - --- - For complete details, see the [full release notes](__GH_AW_GITHUB_SERVER_URL__/__GH_AW_GITHUB_REPOSITORY__/releases/tag/${RELEASE_TAG}). - ``` - - **Writing Guidelines:** - - Lead with benefits: "MCP Gateway now supports remote mode" not "Added remote mode" - - Be specific: "Reduced server startup time by 40%" not "Faster startup" - - Skip internal changes unless they have user impact - - Use docs links: `[Configuration Guide](https://github.com/github/gh-aw-mcpg/blob/main/docs/config.md)` - - Keep breaking changes prominent with action items - - Mention Docker image availability prominently - - ### 4. Handle Special Cases - - **First Release** (no `${PREV_RELEASE_TAG}`): - ```markdown - ## 🎉 First Release - - Welcome to the inaugural release of MCP Gateway! This Go-based proxy server enables seamless integration with multiple Model Context Protocol (MCP) servers. 
- - ### Key Features - - **Multi-server routing**: Route requests to different MCP backends via `/mcp/{serverID}` - - **Unified endpoint**: Single `/mcp` endpoint with intelligent routing - - **Docker integration**: Launch and manage MCP servers as containers - - **JSON-RPC 2.0**: Full support for MCP protocol over stdio - - **Security**: Built-in guards and DIFC labeling support - - ### 🐳 Docker Image - - The Docker image for this release is available at: - - \`\`\`bash - docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} - # or - docker pull ghcr.io/github/gh-aw-mcpg:latest - \`\`\` - - Supported platforms: `linux/amd64`, `linux/arm64` - - ### Getting Started - 1. Build: `make build` - 2. Configure: Edit `config.toml` with your MCP servers - 3. Run: `./awmg --config config.toml` - - See the [README](https://github.com/github/gh-aw-mcpg#readme) for complete setup instructions. - ``` - - **Maintenance Release** (no user-facing changes): - ```markdown - ## 🔧 Maintenance Release - - Dependency updates and internal improvements to keep MCP Gateway running smoothly. 
- - ### 🐳 Docker Image - - The Docker image for this release is available at: - - \`\`\`bash - docker pull ghcr.io/github/gh-aw-mcpg:${RELEASE_TAG} - # or - docker pull ghcr.io/github/gh-aw-mcpg:latest - \`\`\` - - Supported platforms: `linux/amd64`, `linux/arm64` - ``` - - ## Output Format - - **CRITICAL**: You MUST call the `update_release` tool to update the release with the generated highlights: - - ```javascript - update_release({ - tag: "${RELEASE_TAG}", - operation: "prepend", - body: "## 🌟 Release Highlights\n\n[Your complete markdown highlights here]" - }) - ``` - - **Required Parameters:** - - `tag` - Release tag from `${RELEASE_TAG}` environment variable (e.g., "v0.1.0") - - `operation` - Must be `"prepend"` to add before existing notes - - `body` - Complete markdown content (include all formatting, emojis, links) - - **WARNING**: If you don't call the `update_release` tool, the release notes will NOT be updated! - - **Documentation Base URL:** - - Repository docs: `https://github.com/github/gh-aw-mcpg/blob/main/docs/` - - Repository README: `https://github.com/github/gh-aw-mcpg#readme` - - Verify paths exist in `docs_files.txt` before linking. 
- + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} - GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_GITHUB_SERVER_URL: process.env.GH_AW_GITHUB_SERVER_URL, - GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: process.env.GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
@@ -675,25 +507,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: missing_tool, noop, update_release + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -723,6 +541,12 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/release.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: 
@@ -757,15 +581,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} - GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -776,8 +601,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model 
"$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env 
"VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
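Review bot: The rewritten `sudo -E awf` line keeps `--env-all` even though it now also passes an explicit `--env "NAME=${NAME}"` list, so the agent container still receives the whole step environment rather than only the variables on that list. The same line widens the sandbox with `--enable-host-access` and a read-write `--mount "${HOME}/.cache:${HOME}/.cache:rw"` next to the existing `/tmp:/tmp:rw`, and the agent inside runs with `--allow-all-tools --allow-all-paths`. If awf can run without `--env-all`, dropping it in favour of the explicit list would presumably keep any token set on this step out of the agent's reach. This lock file is generated, so the change belongs in the workflow's `.md` source or the gh-aw compiler; the step's `env:` block continues outside the hunk.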
@@ -787,7 +614,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -809,6 +635,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -836,7 +671,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: 
"*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -871,12 +706,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -910,7 +758,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
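Review bot: The `Setup Scripts` step on the new side uses `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5` in place of `github/gh-aw/actions/setup@v0.40.0`, which runs opposite to the commit's stated githubnext -> github migration and moves to an older release. The same reversal appears in the other `Setup Scripts` hunks of release.lock.yml and semantic-function-refactor.lock.yml, in the `validate_multi_secret.sh` documentation URL (`githubnext.github.io`), in the generated header comment, and in the added `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` image. Pinning the action to a full commit SHA is the stronger form and worth keeping. The lock files look regenerated with an older compiler, so recompiling with a gh-aw release that emits the `github/` paths, still SHA-pinned, would presumably bring them in line with the description.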
@@ -962,6 +810,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Release" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1053,7 +917,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1132,22 +996,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1294,7 +1148,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1429,7 +1283,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1448,7 +1302,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"update_release\":{\"max\":1}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1},\"update_release\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 3adde91e..e17f73c6 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -13,17 +13,19 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Analyzes Go codebase daily to identify opportunities for semantic function extraction and refactoring # # Resolved workflow manifest: # Imports: # - shared/reporting.md +# +# frontmatter-hash: 5632fd0e79ebe8e5e1ace98c24d836db91eef65e30d6c47f91126da19ac71b6f name: "Semantic Function Refactoring" "on": @@ -32,10 +34,7 @@ name: "Semantic Function Refactoring" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" 
@@ -52,7 +51,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -76,8 +75,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -85,13 +88,14 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -121,28 +125,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -153,8 +143,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -230,7 +220,7 @@ jobs: "name": "close_issue" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -239,16 +229,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
@@ -271,6 +260,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -338,7 +354,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -358,69 +373,96 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
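Review bot: `MCP_GATEWAY_DOCKER_COMMAND` starts the gateway with `-v /var/run/docker.sock:/var/run/docker.sock` and `--network host`, and passes `-e GITHUB_TOKEN` and `-e GITHUB_MCP_SERVER_TOKEN`, so whoever controls that image controls the runner's Docker daemon and sees both tokens. The image is referenced by tag only (`ghcr.io/githubnext/gh-aw-mcpg:v0.0.84`); pinning it by digest, e.g. `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84@sha256:<digest-placeholder>`, would fix which code gets that privileged access. `-e DEBUG="*"` is also worth dropping outside troubleshooting, since verbose gateway logs may include the `Authorization` header values; this is inferred, as the gateway's logging is not visible here. This lock file is generated, so the change belongs in the gh-aw compiler or the workflow's `.md` source.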
@@ -433,8 +475,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Semantic Function Refactoring", experimental: false, supports_tools_allowlist: true, @@ -448,10 +490,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, @@ -472,511 +514,25 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - ## Report Structure - - 1. **Overview**: 1-2 paragraphs summarizing key findings - 2. **Details**: Use `
Full Report` for expanded content - - ## Workflow Run References - - - Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)` - - Include up to 3 most relevant run URLs at end under `**References:**` - - Do NOT add footer attribution (system adds automatically) - - # Semantic Function Clustering and Refactoring - - You are an AI agent that analyzes Go code to identify potential refactoring opportunities by clustering functions semantically and detecting outliers or duplicates. - - ## Mission - - **IMPORTANT: Before performing analysis, close any existing open issues with the title prefix `[refactor]` to avoid duplicate issues.** - - Analyze all Go source files (`.go` files, excluding test files) in the repository to: - 1. **First, close existing open issues** with the `[refactor]` prefix - 2. Collect all function names per file - 3. Cluster functions semantically by name and purpose - 4. Identify outliers (functions that might be in the wrong file) - 5. Use Serena's semantic analysis to detect potential duplicates - 6. Suggest refactoring fixes - - ## Important Constraints - - 1. **Only analyze `.go` files** - Ignore all other file types - 2. **Skip test files** - Never analyze files ending in `_test.go` - 3. **Focus on internal/ directory** - Primary analysis area (this repository uses `internal/` instead of `pkg/`) - 4. **Use Serena for semantic analysis** - Leverage the MCP server's capabilities - 5. 
**One file per feature rule** - Files should be named after their primary purpose/feature - - ## Repository Structure - - This is the MCP Gateway repository (gh-aw-mcpg), which uses the `internal/` directory structure: - - `internal/cmd/` - CLI commands (Cobra) - - `internal/config/` - Configuration parsing (TOML/JSON) - - `internal/server/` - HTTP server (routed/unified modes) - - `internal/mcp/` - MCP protocol types - - `internal/launcher/` - Backend process management - - `internal/guard/` - Security guards - - `internal/difc/` - Security labels - - `internal/logger/` - Debug logging framework - - `internal/timeutil/` - Time formatting utilities - - `internal/tty/` - TTY handling - - `internal/sys/` - System utilities - - Total: ~39 Go files (excluding tests) - - ## Serena Configuration - - The Serena MCP server is configured for this workspace: - - **Workspace**: __GH_AW_GITHUB_WORKSPACE__ - - **Memory cache**: /tmp/gh-aw/cache-memory/serena - - **Context**: codex - - **Language service**: Go (gopls) - - ## Close Existing Refactor Issues (CRITICAL FIRST STEP) - - **Before performing any analysis**, you must close existing open issues with the `[refactor]` title prefix to prevent duplicate issues. - - Use the GitHub API tools to: - 1. Search for open issues with title containing `[refactor]` in repository __GH_AW_GITHUB_REPOSITORY__ - 2. Close each found issue with a comment explaining a new analysis is being performed - 3. 
Use the `close_issue` safe output to close these issues - - **Important**: The `close-issue` safe output is configured with: - - `required-title-prefix: "[refactor]"` - Only issues starting with this prefix will be closed - - `target: "*"` - Can close any issue by number (not just triggering issue) - - `max: 10` - Can close up to 10 issues in one run - - To close an existing refactor issue, emit: - ``` - close_issue(issue_number=123, body="Closing this issue as a new semantic function refactoring analysis is being performed.") - ``` - - **Do not proceed with analysis until all existing `[refactor]` issues are closed.** - - ## Task Steps - - ### 1. Close Existing Refactor Issues - - **CRITICAL FIRST STEP**: Before performing any analysis, close existing open issues with the `[refactor]` prefix to prevent duplicate issues. - - 1. Use GitHub search to find open issues with `[refactor]` in the title - 2. For each found issue, use `close_issue` to close it with an explanatory comment - 3. Example: `close_issue(issue_number=4542, body="Closing this issue as a new semantic function refactoring analysis is being performed.")` - - **Do not proceed to step 2 until all existing `[refactor]` issues are closed.** - - ### 2. Activate Serena Project - - After closing existing issues, activate the project in Serena to enable semantic analysis: - - ```bash - # Serena's activate_project tool should be called with the workspace path - # This is handled automatically by the MCP server configuration - ``` - - Use Serena's `activate_project` tool with the workspace path. - - ### 3. Discover Go Source Files - - Find all non-test Go files in the repository: - - ```bash - # Find all Go files excluding tests in internal/ directory - find internal -name "*.go" ! -name "*_test.go" -type f | sort - ``` - - Group files by package/directory to understand the organization. - - ### 4. Collect Function Names Per File - - For each discovered Go file: - - 1. 
Use Serena's `get_symbols_overview` to get all symbols (functions, methods, types) in the file - 2. Use Serena's `read_file` if needed to understand context - 3. Create a structured inventory of: - - File path - - Package name - - All function names - - All method names (with receiver type) - - Function signatures (parameters and return types) - - Example structure: - ``` - File: internal/config/validation.go - Package: config - Functions: - - ValidateConfig(cfg *Config) error - - validateServer(name string, srv Server) error - - expandEnvVars(s string) (string, error) - ``` - - ### 5. Semantic Clustering Analysis - - Analyze the collected functions to identify patterns: - - **Clustering by Naming Patterns:** - - Group functions with similar prefixes (e.g., `create*`, `parse*`, `validate*`) - - Group functions with similar suffixes (e.g., `*Helper`, `*Config`, `*Handler`) - - Identify functions that operate on the same data types - - Identify functions that share common functionality - - **File Organization Rules:** - According to Go best practices, files should be organized by feature: - - `server.go` - core server functionality - - `routed.go` - routed mode implementation - - `unified.go` - unified mode implementation - - `validation.go` - validation-related functions - - `*_test.go` - test files (excluded from analysis) - - **Identify Outliers:** - Look for functions that don't match their file's primary purpose: - - Validation functions in a server handler file - - Parser functions in a network file - - Helper functions scattered across multiple files - - Generic utility functions not in a dedicated utils file - - ### 6. Use Serena for Semantic Duplicate Detection - - For each cluster of similar functions: - - 1. Use `find_symbol` to locate functions with similar names across files - 2. Use `search_for_pattern` to find similar code patterns - 3. Use `find_referencing_symbols` to understand usage patterns - 4. 
Compare function implementations to identify: - - Exact duplicates (identical implementations) - - Near duplicates (similar logic with variations) - - Functional duplicates (different implementations, same purpose) - - Example Serena tool usage: - ```bash - # Find symbols with similar names - # Use find_symbol for "processData" or similar - # Use search_for_pattern to find similar implementations - ``` - - ### 7. Deep Reasoning Analysis - - Apply deep reasoning to identify refactoring opportunities: - - **Duplicate Detection Criteria:** - - Functions with >80% code similarity - - Functions with identical logic but different variable names - - Functions that perform the same operation on different types (candidates for generics) - - Helper functions repeated across multiple files - - **Refactoring Patterns to Suggest:** - - **Extract Common Function**: When 2+ functions share significant code - - **Move to Appropriate File**: When a function is in the wrong file based on its purpose - - **Create Utility File**: When helper functions are scattered - - **Use Generics**: When similar functions differ only by type - - **Extract Interface**: When similar methods are defined on different types - - ### 8. Generate Refactoring Report - - Create a comprehensive issue with findings: - - **Report Structure:** - - ```markdown - # 🔧 Semantic Function Clustering Analysis - - *Analysis of repository: __GH_AW_GITHUB_REPOSITORY__* - - ## Executive Summary - - [Brief overview of findings - total files analyzed, clusters found, outliers identified, duplicates detected] - - ## Function Inventory - - ### By Package - - [List of packages with file counts and primary purposes] - - ### Clustering Results - - [Summary of function clusters identified by semantic similarity] - - ## Identified Issues - - ### 1. 
Outlier Functions (Functions in Wrong Files) - - **Issue**: Functions that don't match their file's primary purpose - - #### Example: Validation in Server File - - - **File**: `internal/server/routed.go` - - **Function**: `validateRequest(req *Request) error` - - **Issue**: Validation function in server handler file - - **Recommendation**: Move to `internal/server/validation.go` or consider consolidating with config validation - - **Estimated Impact**: Improved code organization - - [... more outliers ...] - - ### 2. Duplicate or Near-Duplicate Functions - - **Issue**: Functions with similar or identical implementations - - #### Example: Error Formatting Duplicates - - - **Occurrence 1**: `internal/logger/error_formatting.go:formatError(err error) string` - - **Occurrence 2**: `internal/mcp/connection.go:formatMCPError(err error) string` - - **Similarity**: 85% code similarity - - **Code Comparison**: - ```go - // logger/error_formatting.go - func formatError(err error) string { - if err == nil { - return "" - } - return fmt.Sprintf("error: %v", err) - } - - // mcp/connection.go - func formatMCPError(err error) string { - if err == nil { - return "no error" - } - return fmt.Sprintf("MCP error: %v", err) - } - ``` - - **Recommendation**: Consolidate into single function in `internal/logger/error_formatting.go` with customizable prefix - - **Estimated Impact**: Reduced code duplication, easier maintenance - - [... more duplicates ...] - - ### 3. Scattered Helper Functions - - **Issue**: Similar helper functions spread across multiple files - - **Examples**: - - `parseValue()` in multiple files - - `formatError()` in different packages - - `sanitizeInput()` in various locations - - **Recommendation**: Create or enhance utility files in appropriate packages - **Estimated Impact**: Centralized utilities, easier testing - - ### 4. 
Opportunities for Generics - - **Issue**: Type-specific functions that could use generics - - [Examples of functions that differ only by type] - - ## Detailed Function Clusters - - ### Cluster 1: Configuration Functions - - **Pattern**: Configuration loading, parsing, and validation - **Files**: internal/config/ - **Functions**: - - `config.go:LoadConfig(...)` - - `validation.go:ValidateConfig(...)` - - `env_validation.go:ValidateEnv(...)` - - **Analysis**: Well-organized by functionality ✓ - - ### Cluster 2: Server Functions - - **Pattern**: HTTP server and routing - **Files**: internal/server/ - **Functions**: [list] - - **Analysis**: [Whether organization is good or needs improvement] - - [... more clusters ...] - - ## Refactoring Recommendations - - ### Priority 1: High Impact - - 1. **Move Outlier Functions** - - Move validation functions to appropriate validation files - - Move parser functions to appropriate parser files - - Estimated effort: 2-4 hours - - Benefits: Clearer code organization - - 2. **Consolidate Duplicate Functions** - - Merge duplicate error formatting functions - - Merge duplicate string processing functions - - Estimated effort: 3-5 hours - - Benefits: Reduced code size, single source of truth - - ### Priority 2: Medium Impact - - 3. **Centralize Helper Functions** - - Create or enhance helper utility files - - Move scattered helpers to central location - - Estimated effort: 4-6 hours - - Benefits: Easier discoverability, reduced duplication - - ### Priority 3: Long-term Improvements - - 4. 
**Consider Generics for Type-Specific Functions** - - Identify candidates for generic implementations - - Estimated effort: 6-8 hours - - Benefits: Type-safe code reuse - - ## Implementation Checklist - - - [ ] Review findings and prioritize refactoring tasks - - [ ] Create detailed refactoring plan for Priority 1 items - - [ ] Implement outlier function moves - - [ ] Consolidate duplicate functions - - [ ] Update tests to reflect changes - - [ ] Verify no functionality broken - - [ ] Consider Priority 2 and 3 items for future work - - ## Analysis Metadata - - - **Total Go Files Analyzed**: [count] - - **Total Functions Cataloged**: [count] - - **Function Clusters Identified**: [count] - - **Outliers Found**: [count] - - **Duplicates Detected**: [count] - - **Detection Method**: Serena semantic code analysis + naming pattern analysis - - **Analysis Date**: [timestamp] - ``` - - ## Operational Guidelines - - ### Security - - Never execute untrusted code - - Only use read-only analysis tools - - Do not modify files during analysis (read-only mode) - - ### Efficiency - - Use Serena's semantic analysis capabilities effectively - - Cache Serena results in the memory folder - - Balance thoroughness with timeout constraints - - Focus on meaningful patterns, not trivial similarities - - ### Accuracy - - Verify findings before reporting - - Distinguish between acceptable duplication and problematic duplication - - Consider Go idioms and best practices - - Provide specific, actionable recommendations - - ### Issue Creation - - Only create an issue if significant findings are discovered - - Include sufficient detail for developers to understand and act - - Provide concrete examples with file paths and function signatures - - Suggest practical refactoring approaches - - Focus on high-impact improvements - - ## Analysis Focus Areas - - ### High-Value Analysis - 1. **Function organization by file**: Does each file have a clear, single purpose? - 2. 
**Function naming patterns**: Are similar functions grouped together? - 3. **Code duplication**: Are there functions that should be consolidated? - 4. **Utility scatter**: Are helper functions properly centralized? - - ### What to Report - - Functions clearly in the wrong file (e.g., network functions in parser file) - - Duplicate implementations of the same functionality - - Scattered helper functions that should be centralized - - Opportunities for improved code organization - - ### What to Skip - - Minor naming inconsistencies - - Single-occurrence patterns - - Language-specific idioms (constructors, standard patterns) - - Test files (already excluded) - - Trivial helper functions (<5 lines) - - ## Serena Tool Usage Guide - - ### Project Activation - ``` - Tool: activate_project - Args: { "path": "__GH_AW_GITHUB_WORKSPACE__" } - ``` - - ### Symbol Overview - ``` - Tool: get_symbols_overview - Args: { "file_path": "internal/config/validation.go" } - ``` - - ### Find Similar Symbols - ``` - Tool: find_symbol - Args: { "symbol_name": "validateConfig", "workspace": "__GH_AW_GITHUB_WORKSPACE__" } - ``` - - ### Search for Patterns - ``` - Tool: search_for_pattern - Args: { "pattern": "func.*Config.*error", "workspace": "__GH_AW_GITHUB_WORKSPACE__" } - ``` - - ### Find References - ``` - Tool: find_referencing_symbols - Args: { "symbol_name": "LoadConfig", "file_path": "internal/config/config.go" } - ``` - - ### Read File Content - ``` - Tool: read_file - Args: { "file_path": "internal/config/config.go" } - ``` - - ## Success Criteria - - This analysis is successful when: - 1. ✅ All non-test Go files in internal/ are analyzed - 2. ✅ Function names and signatures are collected and organized - 3. ✅ Semantic clusters are identified based on naming and purpose - 4. ✅ Outliers (functions in wrong files) are detected - 5. ✅ Duplicates are identified using Serena's semantic analysis - 6. ✅ Concrete refactoring recommendations are provided - 7. 
✅ A detailed issue is created with actionable findings - - **Objective**: Improve code organization and reduce duplication by identifying refactoring opportunities through semantic function clustering and duplicate detection. Focus on high-impact, actionable findings that developers can implement. - + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
@@ -986,25 +542,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: close_issue, create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -1034,6 +576,26 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + ## Report Structure + + 1. **Overview**: 1-2 paragraphs summarizing key findings + 2. **Details**: Use `
Full Report` for expanded content + + ## Workflow Run References + + - Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)` + - Include up to 3 most relevant run URLs at end under `**References:**` + - Do NOT add footer attribution (system adds automatically) + + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/semantic-function-refactor.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1068,14 +630,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -1086,8 +650,10 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env 
"ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount 
/usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
@@ -1097,7 +663,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -1119,6 +684,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1146,7 +720,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1181,12 +755,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload agent artifacts if: always() continue-on-error: true @@ -1220,7 +807,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
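Review bot: The `Setup Scripts` step in the `@@ -1220,7 +807,7 @@` hunk moves from `github/gh-aw/actions/setup@v0.40.0` to `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, which changes the action's owner back to githubnext and lowers its version, the opposite of a githubnext-to-github migration. The same reversal appears in the `@@ -1303,7 +906,7 @@` and `@@ -1463,7 +1056,7 @@` hunks and in the docs URL passed to `validate_multi_secret.sh`, so this lock file was presumably recompiled with an older gh-aw (v0.38.5) rather than edited by hand. Since the file is compiler output, the fix is most likely a recompile with a current gh-aw, not a manual patch. The full-SHA pin the new side introduces is worth keeping under the new owner, e.g. `uses: github/gh-aw/actions/setup@<full-commit-sha> # <tag>`, because a mutable tag such as `@v0.40.0` can be re-pointed after review. The job these steps belong to starts outside the hunk.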
@@ -1272,6 +859,22 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Semantic Function Refactoring" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1303,7 +906,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts 
@@ -1382,22 +985,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1463,7 +1056,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1482,7 +1075,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"close_issue\":{\"max\":10,\"required_title_prefix\":\"[refactor] \",\"target\":\"*\"},\"create_issue\":{\"labels\":[\"refactoring\",\"code-quality\",\"automated-analysis\"],\"max\":1,\"title_prefix\":\"[refactor] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"close_issue\":{\"max\":10,\"required_title_prefix\":\"[refactor] \",\"target\":\"*\"},\"create_issue\":{\"labels\":[\"refactoring\",\"code-quality\",\"automated-analysis\"],\"max\":1,\"title_prefix\":\"[refactor] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 15a20ffe..4d26f9ec 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -13,11 +13,11 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw. DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Smoke test workflow that validates Codex engine functionality by reviewing recent PRs twice daily # @@ -25,6 +25,8 @@ # Imports: # - shared/gh.md # - shared/mcp/tavily.md +# +# frontmatter-hash: ce2b2ce04d2f3afadc4d51e9606c0c911f59017419d05002ee02342090e5e995 name: "Smoke Codex" "on": 
@@ -62,14 +64,8 @@ jobs: comment_repo: ${{ steps.add-comment.outputs.comment-repo }} comment_url: ${{ steps.add-comment.outputs.comment-url }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -109,7 +105,7 @@ jobs: GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -119,18 +115,12 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -172,7 +162,7 @@ jobs: await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -182,13 +172,9 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.87.0 + run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -200,14 +186,14 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/github/gh-aw-mcpg:v0.0.69 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.84 ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"max":1},"hide_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"expires":2,"max":1},"hide_comment":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ @@ -471,7 +457,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -491,6 +476,43 @@ jobs: } } EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + - name: Setup Safe Inputs Config run: | mkdir -p /opt/gh-aw/safe-inputs/logs @@ -533,7 +555,7 @@ jobs: const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; startHttpServer(configPath, { port: port, - stateless: false, + stateless: true, logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); 
@@ -598,10 +620,12 @@ jobs: GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GH_DEBUG: 1 GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} - DEBUG: "*" + TAVILY_API_KEY: ${{ secrets.TAVILY_API_KEY }} run: | set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config 
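Review bot: The two added variables read `steps.safe-outputs-start.outputs.api_key` and `steps.safe-outputs-start.outputs.port`, but the earlier hunk writes the key and port to `$GITHUB_OUTPUT` from the `safe-outputs-config` step, under the names `safe_outputs_api_key` and `safe_outputs_port`. As shown in this patch, `safe-outputs-start` only exports variables and calls `start_safe_outputs_server.sh`. Unless that script emits `api_key` and `port` itself (not visible here), both expressions evaluate to empty strings, which would leave the gateway config with an empty `Authorization` header and a URL with no port. Either reference the config step, e.g. `GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}`, or confirm the script's outputs. The file header marks it as generated, so the change belongs in the compiler template rather than this file.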
@@ -616,7 +640,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="codex" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e "DEBUG=*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.69' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e TAVILY_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw 
-v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.84' cat > /tmp/gh-aw/mcp-config/config.toml << EOF [history] @@ -630,7 +654,7 @@ jobs: user_agent = "smoke-codex" startup_timeout_sec = 120 tool_timeout_sec = 60 - container = "ghcr.io/github/github-mcp-server:v0.28.1" + container = "ghcr.io/github/github-mcp-server:v0.30.2" env = { "GITHUB_PERSONAL_ACCESS_TOKEN" = "$GH_AW_GITHUB_TOKEN", "GITHUB_READ_ONLY" = "1", "GITHUB_TOOLSETS" = "context,repos,issues,pull_requests" } env_vars = ["GITHUB_PERSONAL_ACCESS_TOKEN", "GITHUB_READ_ONLY", "GITHUB_TOOLSETS"] @@ -645,9 +669,9 @@ jobs: "--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", - "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", + "localhost;localhost:*;127.0.0.1;127.0.0.1:*", "--allowed-origins", - "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com" + "localhost;localhost:*;127.0.0.1;127.0.0.1:*" ] mounts = ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] @@ -657,14 +681,14 @@ jobs: headers = { Authorization = "$GH_AW_SAFE_INPUTS_API_KEY" } [mcp_servers.safeoutputs] - container = "node:lts-alpine" - entrypoint = "node" - entrypointArgs = ["/opt/gh-aw/safeoutputs/mcp-server.cjs"] - mounts = ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw"] - env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] + type = "http" + url = "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT" + + [mcp_servers.safeoutputs.headers] + Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" [mcp_servers.serena] - container = "ghcr.io/github/serena-mcp-server:latest" + container = "ghcr.io/githubnext/serena-mcp-server:latest" args = [ "--network", "host", 
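Review bot: The `[mcp_servers.serena]` line moves the image from `ghcr.io/github/serena-mcp-server:latest` to `ghcr.io/githubnext/serena-mcp-server:latest`, the opposite direction to the migration the commit message describes. The same reversal appears in the JSON config hunk that follows and in the `Setup Scripts` steps of this patch (`github/gh-aw/actions/setup@v0.40.0` becomes `githubnext/gh-aw/actions/setup@… # v0.38.5`). It looks as if the lock files were recompiled with an older gh-aw (the new header says v0.38.5), so it is worth confirming that this is intended before merge. The image is also still pulled by the mutable `:latest` tag while the other containers in this file carry version tags, so what runs here can change without a diff. A version tag or digest, e.g. `ghcr.io/<org>/serena-mcp-server@sha256:<digest>`, would make it reviewable.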
@@ -689,7 +713,7 @@ jobs: { "mcpServers": { "github": { - "container": "ghcr.io/github/github-mcp-server:v0.28.1", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", "env": { "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN", @@ -722,27 +746,14 @@ jobs: } }, "safeoutputs": { - "container": "node:lts-alpine", - "entrypoint": "node", - "entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "env": { - "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", - "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "$GH_AW_SAFE_OUTPUTS_CONFIG_PATH", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "$GH_AW_SAFE_OUTPUTS_TOOLS_PATH", - "GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH", - "GH_AW_ASSETS_MAX_SIZE_KB": "$GH_AW_ASSETS_MAX_SIZE_KB", - "GH_AW_ASSETS_ALLOWED_EXTS": "$GH_AW_ASSETS_ALLOWED_EXTS", - "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY", - "GITHUB_SERVER_URL": "$GITHUB_SERVER_URL", - "GITHUB_SHA": "$GITHUB_SHA", - "GITHUB_WORKSPACE": "$GITHUB_WORKSPACE", - "DEFAULT_BRANCH": "$DEFAULT_BRANCH" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" } }, "serena": { - "container": "ghcr.io/github/serena-mcp-server:latest", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", "args": [ "--network", "host" @@ -784,9 +795,10 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.87.0", + agent_version: "0.92.0", + cli_version: "v0.38.5", workflow_name: "Smoke Codex", - experimental: true, + experimental: false, supports_tools_allowlist: true, supports_http_transport: true, run_id: context.runId, 
@@ -798,11 +810,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", allowed_domains: ["api.github.com","defaults","github","playwright"], firewall_enabled: true, - awf_version: "v0.10.0", - awmg_version: "v0.0.69", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
@@ -843,34 +854,17 @@ jobs: cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. - - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - GitHub API Access Instructions The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. - To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool from the safeoutputs MCP server. Simply writing content will NOT work - the workflow requires actual tool calls. + To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. + + Discover available tools from the safeoutputs MCP server. 
**Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -927,33 +921,17 @@ jobs: - # Smoke Test: Codex Engine Validation - - **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.** - - ## Test Requirements - - 1. **GitHub MCP Testing**: Review the last 2 merged pull requests in __GH_AW_GITHUB_REPOSITORY__ - 2. **Serena Go Testing**: Use the serena-go tool to run a basic go command like "go version" to verify the tool is available - 3. **Playwright Testing**: Use playwright to navigate to https://github.com and verify the page title contains "GitHub" - 4. **Tavily Web Search Testing**: Use the Tavily MCP server to perform a web search for "GitHub Agentic Workflows" and verify that results are returned with at least one item - 5. **File Writing Testing**: Create a test file `/tmp/gh-aw/agent/smoke-test-codex-__GH_AW_GITHUB_RUN_ID__.txt` with content "Smoke test passed for Codex at $(date)" (create the directory if it doesn't exist) - 6. **Bash Tool Testing**: Execute bash commands to verify file creation was successful (use `cat` to read the file back) - - ## Output - - Add a **very brief** comment (max 5-10 lines) to the current pull request with: - - PR titles only (no descriptions) - - ✅ or ❌ for each test result - - Overall status: PASS or FAIL - - If all tests pass, add the label `smoke-codex` to the pull request. + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/smoke-codex.md}} PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} 
@@ -970,6 +948,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -984,8 +964,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); 
@@ -1003,10 +981,12 @@ jobs: - name: Run Codex run: | set -o pipefail + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.10.0 \ - -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -mindepth 1 -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check --sandbox danger-full-access "$INSTRUCTION" \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" 
--env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} 
@@ -1160,14 +1140,8 @@ jobs: tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1265,14 +1239,8 @@ jobs: outputs: success: ${{ steps.parse_results.outputs.success }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1352,7 +1320,7 @@ jobs: touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://github.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} 
@@ -1362,13 +1330,13 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.87.0 + run: npm install -g --silent @openai/codex@0.92.0 - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - codex ${GH_AW_MODEL_DETECTION_CODEX:+-c model="$GH_AW_MODEL_DETECTION_CODEX" }exec --full-auto --skip-git-repo-check --sandbox danger-full-access "$INSTRUCTION" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log + codex ${GH_AW_MODEL_DETECTION_CODEX:+-c model="$GH_AW_MODEL_DETECTION_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} CODEX_HOME: /tmp/gh-aw/mcp-config @@ -1401,21 +1369,14 @@ jobs: ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim permissions: - contents: read discussions: write issues: write pull-requests: write outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Add hooray reaction for immediate feedback @@ -1425,6 +1386,7 @@ jobs: env: GH_AW_REACTION: "hooray" with: + github-token: ${{ secrets.GITHUB_TOKEN }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); 
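Review bot: In this second `Run Codex` step (the one logging to `/tmp/gh-aw/threat-detection/detection.log`) the CLI now runs with `--dangerously-bypass-approvals-and-sandbox` directly on the runner, whereas the agent job's `Run Codex` step wraps the same invocation in `awf` with an `--allow-domains` list. This job appears to read the downloaded agent artifacts, which are model-generated content, while `CODEX_API_KEY` is in the environment, so the step has neither an egress restriction nor a CLI sandbox. If that is intentional, a comment above the `run:` such as `# detection runs outside awf because <reason>` would record why; otherwise wrap it in `awf` as the agent step is. The step's `env:` block may continue outside the hunk.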
@@ -1464,14 +1426,8 @@ jobs: process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1490,7 +1446,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"add_labels\":{\"allowed\":[\"smoke-codex\"]},\"create_issue\":{\"expires\":2,\"max\":1},\"hide_comment\":{\"max\":5},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"add_labels\":{\"allowed\":[\"smoke-codex\"]},\"create_issue\":{\"expires\":2,\"max\":1},\"hide_comment\":{\"max\":5},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1505,17 +1461,10 @@ jobs: - detection if: always() && needs.detection.outputs.success == 'true' runs-on: ubuntu-latest - permissions: - contents: read + permissions: {} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: ./actions/setup + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) 
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 3743a17a..2af5d023 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw. DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Smoke Copilot +# +# frontmatter-hash: 704f2f05930d13915e7b7deb7817a8abd6c02162f1f0f586edd210ab52fe6677 name: "Smoke Copilot" "on": @@ -29,7 +31,7 @@ name: "Smoke Copilot" types: - labeled schedule: - - cron: "1 */12 * * *" + - cron: "55 */12 * * *" workflow_dispatch: null permissions: {} @@ -57,14 +59,8 @@ jobs: comment_repo: ${{ steps.add-comment.outputs.comment-repo }} comment_url: ${{ steps.add-comment.outputs.comment-url }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps 
@@ -105,7 +101,7 @@ jobs: GH_AW_ASSETS_BRANCH: "" GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: @@ -115,18 +111,12 @@ jobs: output_types: ${{ steps.collect_output.outputs.output_types }} secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Create gh-aw temp directory 
@@ -168,29 +158,13 @@ jobs: await main(); - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - # Pass VERSION directly to sudo to ensure it's available to the installer script - sudo VERSION=0.0.384 bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.10.0)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.10.0 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -202,18 +176,18 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.28.1 ghcr.io/github/gh-aw-mcpg:latest mcr.microsoft.com/playwright/mcp node:lts-alpine ghcr.io/github/serena-mcp-server:latest + run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/gh-aw-mcpg:v0.0.84 ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | # Check if gh-aw extension is already installed - if gh extension list | grep -q "github/gh-aw"; then + if gh extension list | grep -q "githubnext/gh-aw"; then echo "gh-aw extension already installed, upgrading..." gh extension upgrade gh-aw || true else echo "Installing gh-aw extension..." - gh extension install github/gh-aw + gh extension install githubnext/gh-aw fi gh aw --version # Copy the gh-aw binary to /opt/gh-aw for MCP server containerization @@ -233,7 +207,7 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot"],"max":3},"create_issue":{"group":true,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot"],"max":3},"create_issue":{"expires":2,"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ @@ -469,7 +443,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -489,10 +462,49 @@ jobs: } } EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + - name: Start MCP gateway id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -510,7 +522,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:latest' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.84' mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash 
/opt/gh-aw/actions/start_mcp_gateway.sh @@ -521,14 +533,14 @@ jobs: "container": "alpine:latest", "entrypoint": "/opt/gh-aw/gh-aw", "entrypointArgs": ["mcp-server"], - "mounts": ["/opt/gh-aw:/opt/gh-aw:ro"], + "mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "${{ github.workspace }}:${{ github.workspace }}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"], "env": { "GITHUB_TOKEN": "\${GITHUB_TOKEN}" } }, "github": { "type": "stdio", - "container": "ghcr.io/github/github-mcp-server:v0.28.1", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", "env": { "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", 
@@ -544,29 +556,15 @@ jobs: "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeoutputs": { - "type": "stdio", - "container": "node:lts-alpine", - "entrypoint": "node", - "entrypointArgs": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "mounts": ["/opt/gh-aw:/opt/gh-aw:ro", "/tmp/gh-aw:/tmp/gh-aw:rw"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } }, "serena": { "type": "stdio", - "container": "ghcr.io/github/serena-mcp-server:latest", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], @@ -592,7 +590,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.384", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Smoke Copilot", experimental: false, supports_tools_allowlist: true, 
@@ -606,11 +605,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", allowed_domains: ["defaults","node","github","playwright"], firewall_enabled: true, - awf_version: "v0.10.0", - awmg_version: "v0.0.62", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, @@ -642,7 +640,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh 
@@ -650,28 +647,10 @@ jobs: PROMPT_EOF cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. - - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - GitHub API Access Instructions @@ -680,7 +659,7 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: add_comment, add_labels, create_issue, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. 
@@ -718,42 +697,14 @@ jobs: PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - # Smoke Test: Copilot Engine Validation - - **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.** - - ## Test Requirements - - 1. **GitHub MCP Testing**: Review the last 2 merged pull requests in __GH_AW_GITHUB_REPOSITORY__ - 2. **Serena MCP Testing**: Use the Serena MCP server tool `activate_project` to initialize the workspace at `__GH_AW_GITHUB_WORKSPACE__` then verify it succeeds (do NOT use bash to run go commands - use Serena's MCP tools) - 3. **Playwright Testing**: Use playwright to navigate to and verify the page title contains "GitHub" - 4. **File Writing Testing**: Create a test file `/tmp/gh-aw/agent/smoke-test-copilot-__GH_AW_GITHUB_RUN_ID__.txt` with content "Smoke test passed for Copilot at $(date)" (create the directory if it doesn't exist) - 5. **Bash Tool Testing**: Execute bash commands to verify file creation was successful (use `cat` to read the file back) - - ## Output - - 1. **Create an issue** with a summary of the smoke test run: - - Title: "Smoke Test: Copilot - __GH_AW_GITHUB_RUN_ID__" - - Body should include: - - Test results (✅ or ❌ for each test) - - Overall status: PASS or FAIL - - Run URL: __GH_AW_GITHUB_SERVER_URL__/__GH_AW_GITHUB_REPOSITORY__/actions/runs/__GH_AW_GITHUB_RUN_ID__ - - Timestamp - - Pull request author and assignees - - 2. Add a **very brief** comment (max 5-10 lines) to the current pull request with: - - PR titles only (no descriptions) - - ✅ or ❌ for each test result - - Overall status: PASS or FAIL - - Mention the pull request author and any assignees - - If all tests pass, add the label `smoke-copilot` to the pull request. 
- + {{#runtime-import workflows/smoke-copilot.md}} PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} @@ -761,7 +712,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | @@ -771,6 +721,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -778,7 +730,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, - GH_AW_GITHUB_SERVER_URL: process.env.GH_AW_GITHUB_SERVER_URL, GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE } }); 
@@ -786,9 +737,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); 
@@ -809,8 +757,10 @@ jobs: timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.10.0 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir 
/tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env 
"JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model 
"$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
@@ -877,7 +827,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: 
"*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: @@ -970,14 +920,8 @@ jobs: tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
@@ -1075,14 +1019,8 @@ jobs: outputs: success: ${{ steps.parse_results.outputs.success }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1162,23 +1100,11 @@ jobs: touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret id: validate-secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - # Pass VERSION directly to sudo to ensure it's available to the installer script - sudo VERSION=0.0.384 bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): 
@@ -1231,21 +1157,14 @@ jobs: ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'smoke'))) runs-on: ubuntu-slim permissions: - contents: read discussions: write issues: write pull-requests: write outputs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Add eyes reaction for immediate feedback @@ -1255,6 +1174,7 @@ jobs: env: GH_AW_REACTION: "eyes" with: + github-token: ${{ secrets.GITHUB_TOKEN }} script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); @@ -1294,14 +1214,8 @@ jobs: process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1320,7 +1234,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"add_labels\":{\"allowed\":[\"smoke-copilot\"]},\"create_issue\":{\"expires\":2,\"group\":true,\"max\":1},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"add_labels\":{\"allowed\":[\"smoke-copilot\"]},\"create_issue\":{\"expires\":2,\"max\":1},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -1335,17 +1249,10 @@ jobs: - detection if: always() && needs.detection.outputs.success == 'true' runs-on: ubuntu-latest - permissions: - contents: read + permissions: {} steps: - - name: Checkout actions folder - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - sparse-checkout: | - actions - persist-credentials: false - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index eb1dd25d..9249a841 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml 
@@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analyzer that finds complex, under-tested functions and generates comprehensive tests +# +# frontmatter-hash: 19c340b4b293824a67ad8d29065a6fc78850f668065f0dd32d097bad2587fa17 name: "Test Coverage Improver" "on": @@ -28,10 +30,7 @@ name: "Test Coverage Improver" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -48,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -72,8 +71,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -81,34 +84,28 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: '1.25' - - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: '3.12' - - name: Setup uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 - - name: Install Go language service (gopls) - run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Set up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + cache: true + go-version-file: go.mod # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - - name: Restore cache memory file share data + - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} 
@@ -141,28 +138,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -173,8 +156,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -219,7 +202,7 @@ jobs: "name": "create_pull_request" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -228,16 +211,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
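Review bot: `node:lts-alpine` in the added image list of the -173 hunk is a floating tag, while the two images next to it are version-tagged, so the image that is pulled can change between runs without any change to this file. The `serena` entry in the -329 hunk has the same problem with `ghcr.io/githubnext/serena-mcp-server:latest`, and that container is started with `--network host` and a read-write mount of the workspace. Pin both to a version and digest, e.g. `node:<version>-alpine@sha256:<digest>` and `"container": "ghcr.io/githubnext/serena-mcp-server:<version>@sha256:<digest>"` (placeholders). This file is generated, so the pin belongs in the workflow source or the compiler.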
@@ -260,6 +242,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -309,7 +318,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -329,75 +337,104 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } }, "serena": { - "type": "local", - "command": "uvx", - "args": ["--from", "git+https://github.com/oraios/serena", "serena", "start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], - "tools": ["*"] + "type": "stdio", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "args": ["--network", "host"], + "entrypoint": "serena", + "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], + "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw"] } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP 
CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -410,8 +447,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Test Coverage Improver", experimental: false, supports_tools_allowlist: true, @@ -425,10 +462,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
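Review bot: The `Start MCP gateway` step in the -329 hunk reads `steps.safe-outputs-start.outputs.api_key` and `.port`, but the only outputs written in this hunk are `safe_outputs_api_key` and `safe_outputs_port`, on the `safe-outputs-config` step. Unless `start_safe_outputs_server.sh`, which is not visible here, writes `api_key` and `port` to `$GITHUB_OUTPUT`, both expressions evaluate to empty strings and the `safeoutputs` entry gets a URL without a port and an empty `Authorization` header. Reading from the step that generates the values removes the dependency on the script: `GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }}` and `GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }}`.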
@@ -449,359 +486,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Test Coverage Improver 🧪 - - You are an AI agent that improves test coverage by identifying complex, under-tested functions and generating comprehensive tests for them. - - ## Mission - - Find the most complex function with the lowest test coverage in the codebase and create comprehensive tests for it. Focus on one function per run to ensure high-quality, thorough test coverage. - - ## Step 1: Generate Coverage Report - - Run the test suite with coverage: - - ```bash - go test -coverprofile=coverage.out ./... - go tool cover -func=coverage.out - ``` - - This generates a detailed coverage report showing: - - Package-level coverage percentages - - Function-level coverage percentages - - Overall coverage statistics - - Save the output for analysis. - - ## Step 2: Identify Under-Tested Functions - - From the coverage report, extract functions with **low or zero coverage**: - - 1. Parse the `coverage.out` or the output of `go tool cover -func=coverage.out` - 2. Identify functions with coverage < 50% (prioritize 0% coverage) - 3. Exclude test files (`*_test.go`) - 4. 
Exclude simple getters/setters and trivial functions - - Create a list of candidate functions with their: - - Package path - - Function name - - Current coverage percentage - - File location - - ## Step 3: Analyze Function Complexity with Serena - - For each candidate function, use **Serena** to analyze code complexity: - - 1. Use Serena's Go analysis capabilities to: - - Measure cyclomatic complexity - - Count number of branches/conditionals - - Identify error handling paths - - Detect complex logic patterns - - Analyze dependencies and method calls - - 2. Rank functions by a combined score: - - **Complexity score** (from Serena analysis) - - **Inverse coverage** (lower coverage = higher priority) - - **Code significance** (exported functions, core logic) - - 3. Select the **top-ranked function** - the most complex function with lowest coverage - - ## Step 4: Understand the Function - - Before writing tests, deeply understand the selected function: - - 1. **Read the function implementation**: - - What does it do? - - What are the inputs and outputs? - - What are the edge cases? - - What can go wrong? - - 2. **Analyze dependencies**: - - What does it import? - - What types does it use? - - What external calls does it make? - - Are there interfaces that need mocking? - - 3. **Study existing tests** (if any): - - Find the corresponding test file (`*_test.go`) - - Identify what's already covered - - Note any test utilities or helpers - - Check testing patterns used in the package - - 4. 
**Review similar test files**: - - Look at other `*_test.go` files in the same package - - Identify common testing patterns - - Find test utilities and helper functions - - Note how mocking is done - - ## Step 5: Generate Comprehensive Tests - - Create a new test file or enhance the existing one: - - ### Test Structure - - ```go - package packagename - - import ( - "testing" - // Add necessary imports - ) - - func TestFunctionName(t *testing.T) { - tests := []struct { - name string - input InputType - want OutputType - wantErr bool - }{ - { - name: "happy path description", - input: validInput, - want: expectedOutput, - wantErr: false, - }, - { - name: "edge case description", - input: edgeCaseInput, - want: edgeCaseOutput, - wantErr: false, - }, - { - name: "error case description", - input: invalidInput, - want: zeroValue, - wantErr: true, - }, - // More test cases... - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got, err := FunctionName(tt.input) - if (err != nil) != tt.wantErr { - t.Errorf("FunctionName() error = %v, wantErr %v", err, tt.wantErr) - return - } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("FunctionName() = %v, want %v", got, tt.want) - } - }) - } - } - ``` - - ### Coverage Goals - - Ensure your tests cover: - - 1. **Happy path**: Normal, expected inputs and outputs - 2. **Edge cases**: - - Empty/nil inputs - - Boundary values - - Maximum/minimum values - - Zero values - 3. **Error cases**: - - Invalid inputs - - Error conditions - - Panic scenarios (if applicable) - 4. **Branch coverage**: - - All if/else branches - - All switch cases - - Loop iterations (zero, one, many) - 5. 
**Integration points**: - - Mock external dependencies - - Test different dependency behaviors - - ### Testing Best Practices - - Follow the project's Go conventions: - - - Use **table-driven tests** (as shown above) - - Use **descriptive test names** in the format `TestFunctionName_Scenario` - - Use **sub-tests** with `t.Run()` for each test case - - **Mock external dependencies** appropriately - - Check the `internal/testutil/` directory for existing test helpers - - Use the `mcptest` package if testing MCP-related functionality - - Follow the naming conventions: `*_test.go` in the same package - - ## Step 6: Verify Tests Pass - - After creating tests: - - 1. Run the specific test file: - ```bash - go test -v ./path/to/package -run TestFunctionName - ``` - - 2. Verify the test passes and covers the function properly - - 3. Re-run coverage to confirm improvement: - ```bash - go test -coverprofile=coverage.out ./... - go tool cover -func=coverage.out | grep "function-name" - ``` - - 4. Ensure coverage increased significantly for the target function - - ## Step 7: Create Pull Request - - Create a PR with: - - **Title Format**: `Add tests for [PackageName].[FunctionName]` - - **Example**: `Add tests for server.HandleRequest` - - **PR Body Structure**: - - ```markdown - # Test Coverage Improvement: [FunctionName] - - ## Function Analyzed - - - **Package**: `internal/[package]` - - **Function**: `[FunctionName]` - - **Previous Coverage**: [X]% - - **New Coverage**: [Y]% - - **Complexity**: [High/Medium/Low] - - ## Why This Function? 
- - [Brief explanation of why this function was selected - mention complexity and previous low coverage] - - ## Tests Added - - - ✅ Happy path test cases - - ✅ Edge cases (empty inputs, boundary values) - - ✅ Error handling test cases - - ✅ Branch coverage for all conditionals - - ✅ [Any specific scenarios covered] - - ## Coverage Report - - ``` - Before: [X]% coverage - After: [Y]% coverage - Improvement: +[Z]% - ``` - - ## Test Execution - - All tests pass: - ``` - [Include test output showing PASS] - ``` - - --- - *Generated by Test Coverage Improver* - *Next run will target the next most complex under-tested function* - ``` - - ## Guidelines - - - **One function per run**: Focus deeply on a single function to ensure comprehensive coverage - - **Quality over quantity**: Write meaningful tests, not just lines of code - - **Follow conventions**: Match the testing patterns used in the codebase - - **Be thorough**: Cover all branches, edge cases, and error paths - - **Use Serena**: Leverage Serena's code analysis for complexity measurement - - **Verify coverage**: Always confirm tests actually improve coverage - - **Table-driven tests**: Use Go's table-driven test pattern consistently - - ## Serena Configuration - - Serena is configured for Go code analysis: - - **Project Root**: __GH_AW_GITHUB_WORKSPACE__ - - **Language**: Go - - **Capabilities**: Complexity analysis, code understanding, function analysis - - Use Serena to: - - Identify function complexity - - Understand code structure - - Find all function usages - - Analyze branching logic - - ## Cache Memory - - Use cache-memory to track progress: - - Save the last tested function to avoid repetition - - Track coverage improvements over time - - Store analysis results for future reference - - ## Output - - Your output MUST include: - 1. A pull request with comprehensive tests for the selected function - 2. Updated test files following Go conventions - 3. 
Verification that tests pass and coverage improved - - Focus on one function at a time. Make the tests excellent. - - Begin your analysis! Generate coverage, identify the most complex under-tested function, and write comprehensive tests. - + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append cache memory instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. 
- - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - PROMPT_EOF - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
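Review bot: The removed step `Append XPIA security instructions to prompt` is not replaced on the new side of this hunk: the added lines append `markdown.md` and `cache_memory_prompt.md`, but nothing appends `/opt/gh-aw/prompts/xpia_prompt.md` any more. Unless `create_prompt_first.sh` (not visible here) now includes that text, the agent runs without the prompt-injection guidance while it still reads repository content and has the `create_pull_request` safe output available. Keep `cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT"` next to the other `cat` lines, or add a comment in the step naming where those instructions are now injected. The file is generated, so the change would go into the compiler or the workflow source.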
@@ -811,25 +515,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_pull_request, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -859,10 +549,18 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/test-coverage-improver.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} 
@@ -879,6 +577,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -893,13 +593,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -945,8 +648,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat internal/**/*.go)' --allow-tool 'shell(cat internal/**/*_test.go)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find internal -name '\''*.go'\'' -type f ! 
-name '\''*_test.go'\'')' --allow-tool 'shell(find internal -name '\''*_test.go'\'' -type f)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(go build -o awmg)' --allow-tool 'shell(go test -coverprofile=coverage.out ./...)' --allow-tool 'shell(go test -v ./...)' --allow-tool 'shell(go tool cover -func=coverage.out)' --allow-tool 'shell(go tool cover -html=coverage.out -o coverage.html)' --allow-tool 'shell(go vet ./...)' --allow-tool 'shell(grep -n '\''func '\'' internal/**/*.go)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc -l internal/**/*.go)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env 
"ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount 
/usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find 
internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test -coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go tool cover -html=coverage.out -o coverage.html)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/**/*.go)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE 
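Review bot: The rewritten `awf` command widens what the agent sandbox can reach while `--env-all` is still set: `--allow-domains` grows from nine hosts to over forty (Ubuntu and vendor package mirrors, `keyserver.ubuntu.com`, `ppa.launchpad.net`, CRL/OCSP responders), `/usr/bin/curl` is mounted in, and `--enable-host-access` is added. The prompt comes from the workflow file plus whatever repository content the agent reads, so each extra egress host and forwarded variable is something an injected instruction could use. Cut the allow-list back to the hosts this Go test workflow actually contacts, and check whether `--env-all` is still needed now that the command carries an explicit `--env` list. The file is generated, so the change belongs in the source workflow `.md` followed by `gh aw compile`.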
@@ -956,7 +661,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -978,6 +682,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1005,7 +718,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1040,12 +753,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: always() @@ -1087,7 +813,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
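Review bot: The `Setup Scripts` step changes from `github/gh-aw/actions/setup@v0.40.0` to `githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5`, which runs opposite to the commit description (githubnext -> github) and moves to an older release. Pinning to a commit SHA is an improvement over the tag, but the SHA should come from the `github/gh-aw` repository that the migration targets. The same reference recurs in the `@@ -1170,7 +926,7 @@`, `@@ -1332,7 +1078,7 @@` and `@@ -1394,7 +1141,7 @@` hunks and in `test-improver.lock.yml`, together with `ghcr.io/githubnext/gh-aw-mcpg:v0.0.84` and the `githubnext.github.io` documentation URL. It looks as if the lock files were recompiled with an older `gh aw` (v0.38.5 per the file header), so recompiling with the current compiler after the rename would probably correct all of them at once.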
@@ -1139,6 +865,36 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Test Coverage Improver" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle Create Pull Request Error + id: handle_create_pr_error + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Test Coverage Improver" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1170,7 +926,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1249,22 +1005,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1332,7 +1078,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1354,7 +1100,7 @@ jobs: path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false @@ -1364,19 +1110,20 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GIT_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"testing\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[test] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"testing\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[test] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
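Review bot: Moving the token into `GIT_TOKEN` takes the `${{ github.token }}` expression out of the script, but `git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"` still writes the token into `.git/config`. That undoes the `persist-credentials: false` set on the checkout step just above, and any later step or tool that reads the workspace can recover the token for the rest of the job. Once the step that pushes has run (it is not visible in this hunk), set the remote back to the token-free URL, or supply the credential through a credential helper instead of the URL. The file is generated, so the change has to be made in the script the compiler emits.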
@@ -1394,7 +1141,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-improver.lock.yml b/.github/workflows/test-improver.lock.yml index 52886728..6ea977c5 100644 --- a/.github/workflows/test-improver.lock.yml +++ b/.github/workflows/test-improver.lock.yml @@ -13,13 +13,15 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.36.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.38.5). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile -# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # # Daily analyzer that reviews test files and suggests improvements for better testify usage, increased coverage, and cleaner tests +# +# frontmatter-hash: 5fbe0d8fc178d54ea6a939e9eeb149f4b2d18fb6596be2604283342fbb6d47fb name: "Test Improver" "on": @@ -28,10 +30,7 @@ name: "Test Improver" # Friendly format: daily (scattered) workflow_dispatch: -permissions: - contents: read - issues: read - pull-requests: read +permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" @@ -48,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps 
@@ -72,8 +71,12 @@ jobs: concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs - GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: 
@@ -81,34 +84,28 @@ jobs: model: ${{ steps.generate_aw_info.outputs.model }} output: ${{ steps.collect_output.outputs.output }} output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Checkout repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: '1.25' - - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 - with: - python-version: '3.12' - - name: Setup uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 - - name: Install Go language service (gopls) - run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Set up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + cache: true + go-version-file: go.mod # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - - name: Restore cache memory file share data + - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: memory-${{ github.workflow }}-${{ github.run_id }} 
@@ -141,28 +138,14 @@ jobs: const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Install awf binary - run: | - echo "Installing awf via installer script (requested version: v0.8.2)" - curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo AWF_VERSION=v0.8.2 bash - which awf - awf --version + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: 
@@ -173,8 +156,8 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Downloading container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -219,7 +202,7 @@ jobs: "name": "create_pull_request" }, { - "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": { "additionalProperties": false, "properties": { @@ -228,16 +211,15 @@ jobs: "type": "string" }, "reason": { - "description": "Explanation of why this tool is needed to complete the task (max 256 characters).", + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", "type": "string" }, "tool": { - "description": "Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", "type": "string" } }, "required": [ - "tool", "reason" ], "type": "object" 
@@ -260,6 +242,33 @@ jobs: "type": "object" }, "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" } ] EOF @@ -309,7 +318,6 @@ jobs: "maxLength": 256 }, "tool": { - "required": true, "type": "string", "sanitize": true, "maxLength": 128 
@@ -329,75 +337,104 @@ jobs: } } EOF - - name: Setup MCPs + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} run: | + set -eo pipefail mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export 
MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG="*" -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/githubnext/gh-aw-mcpg:v0.0.84' + mkdir -p /home/runner/.copilot - cat > /home/runner/.copilot/mcp-config.json << EOF + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { "mcpServers": { "github": { - "type": "local", - "command": "docker", - "args": [ - "run", - "-i", - "--rm", - "-e", - "GITHUB_PERSONAL_ACCESS_TOKEN", - "-e", - "GITHUB_READ_ONLY=1", - "-e", - "GITHUB_LOCKDOWN_MODE=$GITHUB_MCP_LOCKDOWN", - "-e", - "GITHUB_TOOLSETS=context,repos,issues,pull_requests", - "ghcr.io/github/github-mcp-server:v0.27.0" - ], - "tools": ["*"], + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.2", 
"env": { - "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}" + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, "safeoutputs": { - "type": "local", - "command": "node", - "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], - "tools": ["*"], - "env": { - "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", - "GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}", - "GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "\${GH_AW_SAFE_OUTPUTS_CONFIG_PATH}", - "GH_AW_SAFE_OUTPUTS_TOOLS_PATH": "\${GH_AW_SAFE_OUTPUTS_TOOLS_PATH}", - "GH_AW_ASSETS_BRANCH": "\${GH_AW_ASSETS_BRANCH}", - "GH_AW_ASSETS_MAX_SIZE_KB": "\${GH_AW_ASSETS_MAX_SIZE_KB}", - "GH_AW_ASSETS_ALLOWED_EXTS": "\${GH_AW_ASSETS_ALLOWED_EXTS}", - "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}", - "GITHUB_SERVER_URL": "\${GITHUB_SERVER_URL}", - "GITHUB_SHA": "\${GITHUB_SHA}", - "GITHUB_WORKSPACE": "\${GITHUB_WORKSPACE}", - "DEFAULT_BRANCH": "\${DEFAULT_BRANCH}" + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" } }, "serena": { - "type": "local", - "command": "uvx", - "args": ["--from", "git+https://github.com/oraios/serena", "serena", "start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], - "tools": ["*"] + "type": "stdio", + "container": "ghcr.io/githubnext/serena-mcp-server:latest", + "args": ["--network", "host"], + "entrypoint": "serena", + "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], + "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw"] } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}" } } - EOF - echo "-------START MCP CONFIG-----------" - cat /home/runner/.copilot/mcp-config.json - echo "-------END MCP 
CONFIG-----------" - echo "-------/home/runner/.copilot-----------" - find /home/runner/.copilot - echo "HOME: $HOME" - echo "GITHUB_COPILOT_CLI_MODE: $GITHUB_COPILOT_CLI_MODE" + MCPCONFIG_EOF - name: Generate agentic run info id: generate_aw_info uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -410,8 +447,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.375", - cli_version: "v0.36.0", + agent_version: "0.0.399", + cli_version: "v0.38.5", workflow_name: "Test Improver", experimental: false, supports_tools_allowlist: true, @@ -425,10 +462,10 @@ jobs: actor: context.actor, event_name: context.eventName, staged: false, - network_mode: "defaults", - allowed_domains: [], + allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.8.2", + awf_version: "v0.11.2", + awmg_version: "v0.0.84", steps: { firewall: "squid" }, 
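Review bot: In the gateway config of the `@@ -329,75 +337,104 @@` hunk, the `serena` server runs from `ghcr.io/githubnext/serena-mcp-server:latest`, a mutable tag, while the other MCP images carry a version tag and every action is pinned to a commit SHA. That container gets the workspace mounted read-write and `--network host`, so whatever is published under `latest` at run time executes with write access to the checkout. Pin it by digest, e.g. `"container": "ghcr.io/githubnext/serena-mcp-server@sha256:<DIGEST_PLACEHOLDER>"`. The gateway's own `docker run` also bind-mounts `/var/run/docker.sock` and passes `-e DEBUG="*"` alongside `GITHUB_TOKEN` and `GITHUB_MCP_SERVER_TOKEN`, so confirm that debug output cannot echo those values into the uploaded logs. The file is generated, so the pin belongs in the source workflow `.md` or the compiler defaults.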
@@ -449,413 +486,26 @@ jobs: script: | const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - - name: Create prompt + - name: Create prompt with built-in context env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Test Improver 🧹 - - You are an AI agent specialized in improving Go test files. Your mission is to review a single test file and suggest improvements focused on better testify library usage, increased coverage, and cleaner, more stable tests. - - ## Mission - - Select one test file from the codebase, analyze it thoroughly, and create improvements that focus on: - 1. **Better idiomatic use of the testify library** - Use testify assertions instead of manual error checking - 2. **Increase coverage** - Add missing test cases to cover untested code paths - 3. **Stabler, cleaner tests** - Improve test structure, readability, and reliability - - ## Important: This project does NOT currently use testify - - **CRITICAL**: Before making any changes, check if the testify library is already in `go.mod`. If testify is NOT present: - 1. DO NOT add testify to the project - 2. Focus on improving tests using standard library testing patterns - 3. 
Suggest improvements like: - - Better table-driven test structures - - More comprehensive edge case coverage - - Cleaner test organization and naming - - More robust error checking - - Better use of subtests with `t.Run()` - - ## Step 1: Find All Test Files - - List all test files in the codebase: - - ```bash - find internal -name '*_test.go' -type f - ``` - - Create an inventory of all test files with their: - - File path - - Package name - - Approximate line count - - Number of test functions - - ## Step 2: Select a Single Test File - - Use **Serena** to help select the best candidate test file. Consider: - - 1. **Complexity vs. test quality**: Files with complex code but simple tests - 2. **Coverage gaps**: Files where the corresponding code has low coverage - 3. **Testing patterns**: Files that could benefit from better testing structure - 4. **Size**: Medium-sized test files (not too small, not huge) that can be meaningfully improved - - **Selection criteria** (prioritize in this order): - - Test files with manual error checking instead of proper assertions - - Test files with low coverage of the corresponding code - - Test files with repetitive test code that could be table-driven - - Test files with poor edge case coverage - - Test files without proper subtests - - **Avoid**: - - Test files that were recently modified (check git history) - - Test files that are already well-structured with comprehensive coverage - - Integration test files that are inherently complex - - Use Serena to analyze and rank test files, then select the top candidate. - - ## Step 3: Deep Analysis of Selected Test File - - Before making changes, thoroughly understand the selected test file: - - 1. **Read the test file completely**: - - What functions are being tested? - - What test patterns are used? - - Are there table-driven tests? - - How is error handling done? - - Are subtests used properly? - - 2. 
**Read the corresponding implementation file**: - - What functionality needs testing? - - What are the edge cases? - - What error conditions exist? - - What branches/conditionals need coverage? - - 3. **Run coverage analysis**: - ```bash - go test -coverprofile=coverage.out ./... - go tool cover -func=coverage.out | grep "filename" - ``` - Identify which functions/lines are not covered by the current tests. - - 4. **Use Serena** to analyze: - - Code complexity in the implementation - - Test coverage gaps - - Potential edge cases - - Error handling paths - - ## Step 4: Plan Improvements - - Based on your analysis, create a concrete improvement plan. Focus on: - - ### A. Better Assertions (if applicable) - - **Current pattern** (manual checking): - ```go - if err != nil { - t.Errorf("unexpected error: %v", err) - } - if got != want { - t.Errorf("got %v, want %v", got, want) - } - ``` - - **Improved pattern** (only if testify is available): - ```go - require.NoError(t, err) - assert.Equal(t, want, got) - ``` - - **If testify is NOT available**, improve manual checks: - ```go - if err != nil { - t.Fatalf("unexpected error: %v", err) - } - if got != want { - t.Errorf("got %v, want %v", got, want) - } - ``` - - ### B. Increased Coverage - - Identify missing test cases: - - **Edge cases**: nil inputs, empty values, boundary conditions - - **Error paths**: invalid inputs, error conditions - - **Branch coverage**: all if/else branches, switch cases - - **Loop coverage**: zero iterations, one iteration, many iterations - - ### C. Cleaner Test Structure - - Apply these improvements: - - 1. 
**Use table-driven tests** for multiple similar test cases: - ```go - tests := []struct { - name string - input InputType - want OutputType - wantErr bool - }{ - { - name: "valid input", - input: validInput, - want: expectedOutput, - wantErr: false, - }, - { - name: "empty input", - input: emptyInput, - want: zeroValue, - wantErr: true, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got, err := FunctionUnderTest(tt.input) - if (err != nil) != tt.wantErr { - t.Errorf("error = %v, wantErr %v", err, tt.wantErr) - return - } - if got != tt.want { - t.Errorf("got %v, want %v", got, tt.want) - } - }) - } - ``` - - 2. **Use descriptive test names**: `TestFunctionName_Scenario` format - - 3. **Use t.Helper()** in test helper functions - - 4. **Proper cleanup**: Use `t.Cleanup()` or `defer` for resource cleanup - - 5. **Better error messages**: Include context in error messages - - 6. **Avoid test interdependence**: Each test should be independent - - ### D. More Stable Tests - - Make tests more reliable: - - Avoid timing-dependent tests (use mocks/fakes for time) - - Don't depend on external state - - Use proper setup/teardown with `t.Cleanup()` - - Mock external dependencies consistently - - Use deterministic test data - - ## Step 5: Implement Improvements - - Make the improvements to the selected test file: - - 1. **Preserve existing test coverage**: Don't remove working tests - 2. **Add new test cases**: Fill coverage gaps - 3. **Refactor existing tests**: Improve structure and clarity - 4. **Follow project conventions**: Match the style of the codebase - 5. **Update test utilities**: If needed, enhance or use existing test helpers in `internal/testutil/` - - ## Step 6: Verify Improvements - - After making changes: - - 1. **Run the tests**: - ```bash - go test -v ./path/to/package - ``` - - 2. **Check coverage improvement**: - ```bash - go test -coverprofile=coverage.out ./path/to/package - go tool cover -func=coverage.out - ``` - - 3. 
**Run multiple times** to ensure stability: - ```bash - for i in {1..5}; do go test ./path/to/package || break; done - ``` - - 4. **Verify formatting**: - ```bash - gofmt -l path/to/test_file.go - ``` - - 5. **Run go vet**: - ```bash - go vet ./path/to/package - ``` - - ## Step 7: Create Pull Request or Call Noop - - **If improvements were made**: - - Create a pull request using the `create-pull-request` safe output. - - **PR Title Format**: `Improve tests for [PackageName]` - - **Example**: `Improve tests for config package` - - **PR Body Structure**: - - ```markdown - # Test Improvements: [TestFileName] - - ## File Analyzed - - - **Test File**: `internal/[package]/[filename]_test.go` - - **Package**: `internal/[package]` - - **Lines of Code**: [X] → [Y] (if changed significantly) - - ## Improvements Made - - ### 1. Better Testing Patterns - - ✅ [Specific improvement, e.g., "Converted to table-driven tests"] - - ✅ [Specific improvement, e.g., "Added descriptive test names"] - - ✅ [Specific improvement, e.g., "Better error messages"] - - ### 2. Increased Coverage - - ✅ Added test for [edge case or scenario] - - ✅ Added test for [error condition] - - ✅ Added test for [branch/path] - - **Previous Coverage**: [X]% - - **New Coverage**: [Y]% - - **Improvement**: +[Z]% - - ### 3. Cleaner & More Stable Tests - - ✅ [Improvement, e.g., "Proper use of t.Cleanup()"] - - ✅ [Improvement, e.g., "Removed timing dependencies"] - - ✅ [Improvement, e.g., "Better test isolation"] - - ## Test Execution - - All tests pass: - ``` - [Include test output showing PASS and coverage improvement] - ``` - - ## Why These Changes? 
- - [Brief explanation of the rationale - why this test file was selected, what problems were addressed, and how the improvements make the tests better] - - --- - *Generated by Test Improver Workflow* - *Focuses on better patterns, increased coverage, and more stable tests* - ``` - - **If NO improvements were made** (test file is already excellent): - - Call the `noop` safe output instead of creating a PR. This signals that no action was needed. - - **When to use noop**: - - All test files are already well-structured - - Selected test file is already at high quality - - No meaningful improvements can be made - - Coverage is already comprehensive - - ## Guidelines - - - **One test file per run**: Focus deeply on a single test file for quality improvements - - **Preserve working tests**: Don't break existing functionality - - **Follow conventions**: Match the testing patterns in the codebase - - **Use Serena**: Leverage Go analysis capabilities for intelligent file selection - - **Quality over quantity**: Better to make meaningful improvements to one file than superficial changes to many - - **Verify stability**: Run tests multiple times to ensure reliability - - **Standard library first**: If testify is not in the project, use standard library patterns - - **Cache memory**: Use cache to track which files were improved to avoid repetition - - ## Serena Configuration - - Serena is configured for Go code analysis: - - **Project Root**: __GH_AW_GITHUB_WORKSPACE__ - - **Language**: Go - - **Capabilities**: Code complexity analysis, test quality assessment, coverage gap identification - - Use Serena to: - - Rank test files by improvement potential - - Identify coverage gaps - - Analyze test quality metrics - - Suggest specific improvements - - ## Cache Memory - - Use cache-memory to track progress: - - Save the last improved test file to avoid immediate repetition - - Track improvements over time - - Store analysis results for future reference - - ## Avoiding Duplicate 
PRs - - Before creating a PR, check if there's already an open PR with "[test-improver]" in the title using the GitHub tools. If one exists, call `noop` instead of creating a duplicate PR. - - ## Output Decision - - Your final action MUST be one of: - 1. **Create a pull request** (via `create-pull-request` safe output) if improvements were made - 2. **Call noop** (via `noop` safe output) if no improvements are needed - - Do not create a PR if the test file is already excellent and no meaningful improvements can be made. - - --- - - Begin your analysis! Find test files, select the best candidate, analyze it thoroughly, make improvements, and create a PR or call noop. - + PROMPT_EOF - - name: Substitute placeholders - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - with: - script: | - const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); - - // Call the substitution function - return await substitutePlaceholders({ - file: process.env.GH_AW_PROMPT, - substitutions: { - GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE - } - }); - - name: Append XPIA security instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - - name: Append temporary folder instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - - name: Append cache memory instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - --- - - ## Cache Folder Available - - You have access to a persistent cache folder at `/tmp/gh-aw/cache-memory/` where you can read and write files to create memories and store information. 
- - - **Read/Write Access**: You can freely read from and write to any files in this folder - - **Persistence**: Files in this folder persist across workflow runs via GitHub Actions cache - - **Last Write Wins**: If multiple processes write to the same file, the last write will be preserved - - **File Share**: Use this as a simple file share - organize files as you see fit - - Examples of what you can store: - - `/tmp/gh-aw/cache-memory/notes.txt` - general notes and observations - - `/tmp/gh-aw/cache-memory/preferences.json` - user preferences and settings - - `/tmp/gh-aw/cache-memory/history.log` - activity history and logs - - `/tmp/gh-aw/cache-memory/state/` - organized state files in subdirectories - - Feel free to create, read, update, and organize files in this folder as needed for your tasks. - PROMPT_EOF - - name: Append safe outputs instructions to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: | + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" GitHub API Access Instructions 
@@ -865,25 +515,11 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: create_pull_request, missing_tool, noop + Discover available tools from the safeoutputs MCP server. **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. - PROMPT_EOF - - name: Append GitHub context to prompt - env: - GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_ACTOR: ${{ github.actor }} - GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} - GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} - GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} - GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -913,10 +549,18 @@ jobs: PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import workflows/test-improver.md}} + PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} 
@@ -933,6 +577,8 @@ jobs: return await substitutePlaceholders({ file: process.env.GH_AW_PROMPT, substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, @@ -947,13 +593,16 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt 
@@ -997,8 +646,10 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ - -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat internal/**/*.go)' --allow-tool 'shell(cat internal/**/*_test.go)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find internal -name '\''*_test.go'\'' -type f)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(go test -coverprofile=coverage.out ./...)' --allow-tool 'shell(go test -v ./...)' --allow-tool 'shell(go tool cover -func=coverage.out)' --allow-tool 'shell(go vet ./...)' --allow-tool 'shell(gofmt -l .)' --allow-tool 'shell(grep -rn '\''func Test'\'' internal/)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc -l 
internal/**/*_test.go)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env 
"JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go test 
-coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(gofmt -l .)'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''func Test'\''\'\'''\'' internal/)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*_test.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -1008,7 +659,6 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GITHUB_HEAD_REF: ${{ github.head_ref }} - GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} GITHUB_REF_NAME: ${{ github.ref_name }} GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} GITHUB_WORKSPACE: ${{ github.workspace }} @@ -1030,6 +680,15 @@ jobs: else echo "No session-state directory found at $SESSION_STATE_DIR" fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" - name: Redact secrets in logs if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
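Review bot: The rewritten `sudo -E awf` command in the agent execution step keeps `--env-all` while also adding a long explicit `--env "NAME=${NAME}"` list, so every runner variable is still forwarded into the sandbox and the explicit list looks redundant. The same command adds `--enable-host-access`, mounts `/usr/bin/curl`, and grows `--allow-domains` from 9 hosts to more than forty (for example `ppa.launchpad.net`, `packagecloud.io`, `keyserver.ubuntu.com`), while the agent keeps `--allow-tool write` and a set of `shell(...)` tools. If the explicit list is meant to be the allowlist, I would drop `--env-all` and confirm that the `defaults` domain set shown in `allowed_domains: ["defaults"]` is really needed for a workflow that only runs `go test`, `go vet` and `gofmt`. This file looks like compiler output, so the change presumably belongs in the workflow source rather than here.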
@@ -1057,7 +716,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org" + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: 
@@ -1092,12 +751,25 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Firewall summary + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs if: always() continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: awf logs summary >> $GITHUB_STEP_SUMMARY + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - name: Upload cache-memory data as artifact uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: always() @@ -1139,7 +811,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Debug job inputs 
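Review bot: The `Setup Scripts` step in the `-1139,7 +811,7` hunk now reads `uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5` where the old side had `github/gh-aw/actions/setup@v0.40.0`, which moves this file back to the `githubnext` organization and to an older release, the opposite of what the commit description announces. The same replacement appears in the `Setup Scripts` hunks at `-1222`, `-1384` and `-1446`, the validate-secret step switches its documentation URL to `githubnext.github.io`, and the serena server entry references `ghcr.io/githubnext/serena-mcp-server:latest`. Pinning the action to a full commit SHA is worth keeping; presumably the file was regenerated with an older compiler, so regenerating it with the release that emits `github/gh-aw` and pinning that SHA would resolve the mismatch. The `:latest` container tag, which runs with `--network host` and a read-write workspace mount, would be better pinned to a digest in the same way.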
@@ -1191,6 +863,36 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Test Improver" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Handle Create Pull Request Error + id: handle_create_pr_error + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Test Improver" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); + await main(); - name: Update reaction comment with completion status id: conclusion uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 
@@ -1222,7 +924,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1301,22 +1003,12 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://github.github.io/gh-aw/reference/engines/#github-copilot-default + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: | - # Download official Copilot CLI installer script - curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh - - # Execute the installer with the specified version - export VERSION=0.0.375 && sudo bash /tmp/copilot-install.sh - - # Cleanup - rm -f /tmp/copilot-install.sh - - # Verify installation - copilot --version + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.399 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1384,7 +1076,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download agent output artifact 
@@ -1406,7 +1098,7 @@ jobs: path: /tmp/gh-aw/ - name: Checkout repository if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request')) - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: token: ${{ github.token }} persist-credentials: false @@ -1416,19 +1108,20 @@ jobs: env: REPO_NAME: ${{ github.repository }} SERVER_URL: ${{ github.server_url }} + GIT_TOKEN: ${{ github.token }} run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" git config --global user.name "github-actions[bot]" # Re-authenticate git with GitHub token SERVER_URL_STRIPPED="${SERVER_URL#https://}" - git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + git remote set-url origin "https://x-access-token:${GIT_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Process Safe Outputs id: process_safe_outputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"testing\",\"improvement\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[test-improver] \"}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"draft\":true,\"labels\":[\"testing\",\"improvement\",\"automation\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[test-improver] \"},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
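Review bot: `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` still splices `${{ github.ref_name }}` unescaped into a JSON string, although the same hunk moves `${{ github.token }}` out of the script body and into `GIT_TOKEN`. A ref name containing `"` would yield malformed JSON or change the keys the handler reads (`max`, `labels`, `max_patch_size`). Whether such a ref can reach this job depends on the workflow triggers, which are outside the hunk. Letting the expression do the quoting, `\"base_branch\":${{ toJSON(github.ref_name) }}`, removes the dependency on the ref's characters. Separately, the rewritten `git remote set-url` line still writes the token into the origin URL in `.git/config` after a checkout with `persist-credentials: false`, so a one-line comment stating that this is intended would help the next reader.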
@@ -1446,7 +1139,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.40.0 + uses: githubnext/gh-aw/actions/setup@c62cb1aecba894a20fdb4c6bbc39992bc6ce37e2 # v0.38.5 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default)