Move safe-output file from /tmp to /opt for read-only agent access #11169
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot, ensure that secret redaction also processes this new file location.
Changes:
- Updated Go code to set GH_AW_SAFE_OUTPUTS to /opt/gh-aw/safeoutputs/outputs.jsonl
- Updated JavaScript default paths in safe_outputs_config.cjs and safe_outputs_bootstrap.cjs
- Updated collect_ndjson_output.cjs to read from /opt for config and validation files
- Updated test assertions to expect new path
- Updated documentation in specs/ and docs/
- Recompiled all workflow files with new path

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Extended redact_secrets.cjs to scan both /tmp/gh-aw and /opt/gh-aw directories for secret redaction. This ensures the safe-output file in /opt/gh-aw/safeoutputs/outputs.jsonl is also processed for secret removal before artifacts are uploaded.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

Smoke Test Results - Copilot
Status: PASS

Smoke Test Results
Last 2 Merged PRs:
Tests:
Overall: PASS

GitHub MCP: ✅ Add temporary project ID support for safe outputs; Fix add_comment to respect append-only-comments from messages config
@copilot, merge main, format, lint, fix text, then recompile.

Updated all JavaScript test files to use /opt/gh-aw/safeoutputs paths:
- collect_ndjson_output.test.cjs: Updated config and validation paths
- safe_outputs_config.test.cjs: Updated expected default path
- safe_outputs_mcp_server_defaults.test.cjs: Updated config paths and expectations
- safe_outputs_tools_loader.test.cjs: Updated default tools path
- redact_secrets.test.cjs: Updated log message expectations

All 3000 JS tests now pass ✅

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Completed in 5b478eb (merge) and 3043e0c (test fixes). Merged main branch and fixed all JavaScript test failures:
✅ All 3000 JavaScript tests now passing
Smoke Test Results
Recent PRs:
Tests:
Overall: PASS

GitHub MCP ✅: Add version check to upgrade command to enforce latest extension | Pass HTTP MCP server secrets to gateway container

Smoke Test: Copilot Engine ✅
Last 2 Merged PRs:
Results:
Overall: PASS cc: @pelikhan
@copilot grep for any references to the old file location as a sanity check
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Change safe-output file location from /tmp to /opt
Security Improvement: The safe-output MCP server now stores outputs in /opt/gh-aw/safeoutputs/outputs.jsonl (read-only mount for agent container) instead of /tmp/gh-aw/safeoutputs/outputs.jsonl (read-write mount). This prevents the agent container from having write access to the output file.

Changes Made
- /tmp/gh-aw/safeoutputs/outputs.jsonl to /opt/gh-aw/safeoutputs/outputs.jsonl

Files Changed

Go Code:
- pkg/workflow/compiler_activation_jobs.go - Updated GH_AW_SAFE_OUTPUTS environment variable
- pkg/workflow/agentic_output_test.go - Updated test assertions

JavaScript:
- actions/setup/js/safe_outputs_config.cjs - Updated default output file path
- actions/setup/js/safe_outputs_bootstrap.cjs - Updated config path default
- actions/setup/js/safe_outputs_tools_loader.cjs - Updated default tools path
- actions/setup/js/collect_ndjson_output.cjs - Updated validation config and output file paths
- actions/setup/js/redact_secrets.cjs - Extended to scan both /tmp/gh-aw and /opt/gh-aw directories

JavaScript Tests:
- actions/setup/js/collect_ndjson_output.test.cjs - Updated all config paths to /opt
- actions/setup/js/safe_outputs_config.test.cjs - Updated expected default path
- actions/setup/js/safe_outputs_mcp_server_defaults.test.cjs - Updated config paths and directory setup
- actions/setup/js/safe_outputs_tools_loader.test.cjs - Updated default tools path
- actions/setup/js/redact_secrets.test.cjs - Updated log message expectations

Documentation:
- specs/layout.md - Updated file location documentation
- specs/security_review.md - Updated security review diagrams and examples
- specs/safe-output-environment-variables.md - Updated environment variable examples
- docs/src/content/docs/reference/environment-variables.md - Updated documentation

Compiled Workflows:
- .lock.yml files recompiled with new path

Test Results
✅ All tests passing:
- TestAgenticOutputCollection - PASS

Security Enhancement
The secret redaction script now processes both directories:
- /tmp/gh-aw - Temporary files and logs
- /opt/gh-aw - Configuration and safe-output files (including outputs.jsonl)

This ensures secrets are redacted from the safe-output file before artifacts are uploaded.
Changeset
/tmp to /opt and update the agent intake and secret-redaction scripts to read from the new path (/opt/gh-aw/safeoutputs/outputs.jsonl). This keeps the file writable by the MCP server while making it read-only inside the agent container.

Changeset
/tmp to /opt and update the agent intake and secret-redaction scripts to read from /opt/gh-aw/safeoutputs/outputs.jsonl. This keeps the file writable by the MCP server while making it read-only inside the agent container.
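
An added sketch of the redaction behaviour this PR describes, scanning both /tmp/gh-aw and /opt/gh-aw before artifacts are uploaded. It is not the project's redact_secrets.cjs: the function names, extension list, mask string, minimum secret length and exact-value matching are assumptions, and the sample file is constructed.

```javascript
// Added example; not the project's redact_secrets.cjs. Names are hypothetical.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Roots come from the PR description; the extension list is an assumption.
const DEFAULT_ROOTS = ["/tmp/gh-aw", "/opt/gh-aw"];
const TEXT_EXTENSIONS = new Set([".txt", ".json", ".jsonl", ".log"]);

// Recursively list regular files; a missing root yields an empty list.
function listFiles(root) {
  if (!fs.existsSync(root)) return [];
  return fs.readdirSync(root, { withFileTypes: true }).flatMap(e => {
    const full = path.join(root, e.name);
    if (e.isDirectory()) return listFiles(full);
    return e.isFile() ? [full] : []; // symlinks and devices are skipped
  });
}

// Mask every occurrence of each secret value; returns {file: hitCount}.
function redactRoots(secrets, roots = DEFAULT_ROOTS) {
  // Skip very short values; longest first so a secret containing another is masked whole.
  const values = secrets.filter(s => s && s.length >= 8).sort((a, b) => b.length - a.length);
  const report = {};
  for (const file of roots.flatMap(r => listFiles(r))) {
    if (!TEXT_EXTENSIONS.has(path.extname(file))) continue;
    let text = fs.readFileSync(file, "utf8");
    let hits = 0;
    for (const value of values) {
      const parts = text.split(value);
      hits += parts.length - 1;
      text = parts.join("***REDACTED***");
    }
    if (hits > 0) {
      fs.writeFileSync(file, text);
      report[file] = hits;
    }
  }
  return report;
}

// Constructed sample: temp directories stand in for the two real roots.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "redact-demo-"));
  const out = path.join(base, "opt-gh-aw", "safeoutputs", "outputs.jsonl");
  fs.mkdirSync(path.dirname(out), { recursive: true }); // "tmp-gh-aw" left absent
  fs.writeFileSync(out, '{"body":"token constructed-secret-123"}\n');
  const roots = [path.join(base, "tmp-gh-aw"), path.join(base, "opt-gh-aw")];
  return { out, report: redactRoots(["constructed-secret-123"], roots), text: fs.readFileSync(out, "utf8") };
}
```

A root list that omits the directory holding outputs.jsonl leaves that file unredacted, which is the gap the review comment in this thread asked to close.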