diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 469aa506fc..6e52975040 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -25,6 +25,11 @@
 "version": "v5.0.2",
 "sha": "8b402f58fbc84540c8b491a91e594a4576fec3d7"
 },
+ "actions/checkout@v5": {
+ "repo": "actions/checkout",
+ "version": "v5",
+ "sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd"
+ },
 "actions/checkout@v6.0.2": {
 "repo": "actions/checkout",
 "version": "v6.0.2",
@@ -35,11 +40,21 @@
 "version": "v3.0.0-beta.2",
 "sha": "bf559f85448f9380bcfa2899dbdc01eb5b37be3a"
 },
+ "actions/download-artifact@v6": {
+ "repo": "actions/download-artifact",
+ "version": "v6",
+ "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"
+ },
 "actions/download-artifact@v7": {
 "repo": "actions/download-artifact",
 "version": "v7",
 "sha": "37930b1c2abaa49bbe596cd826c3c89aef350131"
 },
+ "actions/github-script@v7": {
+ "repo": "actions/github-script",
+ "version": "v7",
+ "sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
+ },
 "actions/github-script@v8": {
 "repo": "actions/github-script",
 "version": "v8",
@@ -125,6 +140,11 @@
 "version": "v4.32.0",
 "sha": "e6985fd516cce3b1a0e8db34a4013d2e50a1e252"
 },
+ "github/stale-repos@v3": {
+ "repo": "github/stale-repos",
+ "version": "v3",
+ "sha": "3477b6488008d9411aaf22a0924ec7c1f6a69980"
+ },
 "github/stale-repos@v8.0.4": {
 "repo": "github/stale-repos",
 "version": "v8.0.4",
@@ -145,6 +165,11 @@
 "version": "v1.286.0",
 "sha": "90be1154f987f4dc0fe0dd0feedac9e473aa4ba8"
 },
+ "super-linter/super-linter@v8.2.1": {
+ "repo": "super-linter/super-linter",
+ "version": "v8.2.1",
+ "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2"
+ },
 "super-linter/super-linter@v8.3.2": {
 "repo": "super-linter/super-linter",
 "version": "v8.3.2",
diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml
index bfe9117751..24810aef07 100644
--- a/.github/workflows/agentics-maintenance.yml
+++ b/.github/workflows/agentics-maintenance.yml
@@ -46,7 +46,7 @@ jobs:
 issues: write
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -144,7 +144,7 @@ jobs:
 contents: read
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 19b7c58913..4dde87127d 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -951,7 +951,7 @@ jobs:
 found_patterns: ${{ steps.detect.outputs.found_patterns }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 persist-credentials: false
 - name: Install ast-grep
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index dce72cabf7..da14721e85 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -999,7 +999,7 @@ jobs:
 persist-credentials: false
 - name: Compute release configuration
 id: compute_config
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const releaseType = context.payload.inputs.release_type;
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
index 54bfce4260..af842d83fa 100644
--- a/.github/workflows/stale-repo-identifier.lock.yml
+++ b/.github/workflows/stale-repo-identifier.lock.yml
@@ -174,7 +174,7 @@ jobs:
 ORGANIZATION: ${{ env.ORGANIZATION }}
 id: stale-repos
 name: Run stale_repos tool
- uses: github/stale-repos@6084a41431c4ce8842a7e879b1a15082b88742ae # v3
+ uses: github/stale-repos@3477b6488008d9411aaf22a0924ec7c1f6a69980 # v3
 - env:
 INACTIVE_REPOS: ${{ steps.stale-repos.outputs.inactiveRepos }}
 name: Save stale repos output
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
index 1c9612fdf0..e10b65aca1 100644
--- a/.github/workflows/super-linter.lock.yml
+++ b/.github/workflows/super-linter.lock.yml
@@ -113,7 +113,7 @@ jobs:
 - name: Create gh-aw temp directory
 run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
 - name: Download super-linter log
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v6
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
 with:
 name: super-linter-log
 path: /tmp/gh-aw/
@@ -1291,13 +1291,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: Super-linter
 id: super-linter
- uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.2.1
+ uses: super-linter/super-linter@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1
 env:
 CREATE_LOG_FILE: "true"
 DEFAULT_BRANCH: main
diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml
index 4cb15b7953..566330f7c2 100644
--- a/.github/workflows/ubuntu-image-analyzer.lock.yml
+++ b/.github/workflows/ubuntu-image-analyzer.lock.yml
@@ -48,7 +48,7 @@ jobs:
 comment_repo: ""
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -95,7 +95,7 @@ jobs:
 secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -105,7 +105,7 @@ jobs:
 with:
 destination: /opt/gh-aw/actions
 - name: Checkout repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 - name: Create gh-aw temp directory
@@ -1224,7 +1224,7 @@ jobs:
 total_count: ${{ steps.missing_tool.outputs.total_count }}
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -1349,7 +1349,7 @@ jobs:
 success: ${{ steps.parse_results.outputs.success }}
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -1494,7 +1494,7 @@ jobs:
 activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }}
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -1551,7 +1551,7 @@ jobs:
 process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }}
 steps:
 - name: Checkout actions folder
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 actions
@@ -1579,7 +1579,7 @@ jobs:
 path: /tmp/gh-aw/
 - name: Checkout repository
 if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_pull_request'))
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 token: ${{ github.token }}
 persist-credentials: false
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 9eb49b567c..8802587d2c 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -132,7 +132,7 @@ jobs:
 - name: Create gh-aw temp directory
 run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
 persist-credentials: false
 - name: Setup Node.js
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index 469aa506fc..6e52975040 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -25,6 +25,11 @@
 "version": "v5.0.2",
 "sha": "8b402f58fbc84540c8b491a91e594a4576fec3d7"
 },
+ "actions/checkout@v5": {
+ "repo": "actions/checkout",
+ "version": "v5",
+ "sha": "93cb6efe18208431cddfb8368fd83d5badbf9bfd"
+ },
 "actions/checkout@v6.0.2": {
 "repo": "actions/checkout",
 "version": "v6.0.2",
@@ -35,11 +40,21 @@
 "version": "v3.0.0-beta.2",
 "sha": "bf559f85448f9380bcfa2899dbdc01eb5b37be3a"
 },
+ "actions/download-artifact@v6": {
+ "repo": "actions/download-artifact",
+ "version": "v6",
+ "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"
+ },
 "actions/download-artifact@v7": {
 "repo": "actions/download-artifact",
 "version": "v7",
 "sha": "37930b1c2abaa49bbe596cd826c3c89aef350131"
 },
+ "actions/github-script@v7": {
+ "repo": "actions/github-script",
+ "version": "v7",
+ "sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
+ },
 "actions/github-script@v8": {
 "repo": "actions/github-script",
 "version": "v8",
@@ -125,6 +140,11 @@
 "version": "v4.32.0",
 "sha": "e6985fd516cce3b1a0e8db34a4013d2e50a1e252"
 },
+ "github/stale-repos@v3": {
+ "repo": "github/stale-repos",
+ "version": "v3",
+ "sha": "3477b6488008d9411aaf22a0924ec7c1f6a69980"
+ },
 "github/stale-repos@v8.0.4": {
 "repo": "github/stale-repos",
 "version": "v8.0.4",
@@ -145,6 +165,11 @@
 "version": "v1.286.0",
 "sha": "90be1154f987f4dc0fe0dd0feedac9e473aa4ba8"
 },
+ "super-linter/super-linter@v8.2.1": {
+ "repo": "super-linter/super-linter",
+ "version": "v8.2.1",
+ "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2"
+ },
 "super-linter/super-linter@v8.3.2": {
 "repo": "super-linter/super-linter",
 "version": "v8.3.2",
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index 8bf6fc61be..c7f919de5a 100644
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -889,24 +889,42 @@ func prepareConfigForValidation(config string) string {
 cleaned := strings.Join(cleanedLines, "\n")
 // Substitute shell variables with sample values for validation
- // $MCP_GATEWAY_PORT -> 8080 (example port)
- // ${MCP_GATEWAY_DOMAIN} -> "localhost" (example domain)
- // ${MCP_GATEWAY_API_KEY} -> "sample-api-key" (example key)
- // $GITHUB_MCP_SERVER_TOKEN -> "sample-token" (example token)
- // $GITHUB_MCP_LOCKDOWN -> "1" (example lockdown value)
- // \${...} (escaped for Copilot) -> ${...} (unescaped for validation)
-
+ // This makes the config valid JSON that can be validated against the schema
+ // These variables are normally interpolated by the shell or GitHub Actions at runtime
+
+ // 1. Handle backslash-escaped shell variables (used in Copilot engine for JSON strings)
+ // Pattern: "\${VARIABLE_NAME}" -> "sample-value"
+ // These are escaped with backslash to prevent shell expansion in the heredoc
+ cleaned = strings.ReplaceAll(cleaned, "\"\\${GITHUB_TOKEN}\"", "\"sample-token\"")
+ cleaned = strings.ReplaceAll(cleaned, "\"\\${GITHUB_PERSONAL_ACCESS_TOKEN}\"", "\"sample-token\"")
+ cleaned = strings.ReplaceAll(cleaned, "\"\\${GITHUB_MCP_SERVER_TOKEN}\"", "\"sample-token\"")
+ cleaned = strings.ReplaceAll(cleaned, "\"\\${GH_AW_SAFE_INPUTS_API_KEY}\"", "\"sample-api-key\"")
+ cleaned = strings.ReplaceAll(cleaned, "\"\\${GH_AW_SAFE_OUTPUTS_API_KEY}\"", "\"sample-api-key\"")
+
+ // 2. Handle GitHub Actions expressions
+ // Pattern: ${{ github.workspace }} -> /workspace
+ // These are interpolated by GitHub Actions before the workflow runs
+ cleaned = strings.ReplaceAll(cleaned, "${{ github.workspace }}", "/workspace")
+
+ // 3. 
Handle unescaped shell variables in gateway section
+ // Pattern: $VARIABLE_NAME -> value (unquoted, for numeric values)
+ // Pattern: "${VARIABLE_NAME}" -> "value" (quoted strings)
 cleaned = strings.ReplaceAll(cleaned, "$MCP_GATEWAY_PORT", "8080")
 cleaned = strings.ReplaceAll(cleaned, "\"${MCP_GATEWAY_DOMAIN}\"", "\"localhost\"")
 cleaned = strings.ReplaceAll(cleaned, "\"${MCP_GATEWAY_API_KEY}\"", "\"sample-api-key\"")
+
+ // 4. Handle unescaped shell variables in URLs (for safe-inputs/safe-outputs)
+ // Pattern: $VARIABLE_NAME in URL -> value
+ cleaned = strings.ReplaceAll(cleaned, "$GH_AW_SAFE_INPUTS_PORT", "8081")
+ cleaned = strings.ReplaceAll(cleaned, "$GH_AW_SAFE_OUTPUTS_PORT", "8082")
+
+ // 5. Handle other unescaped shell variables
+ // Pattern: "$VARIABLE_NAME" -> "value" (quoted strings)
 cleaned = strings.ReplaceAll(cleaned, "\"$GITHUB_MCP_SERVER_TOKEN\"", "\"sample-token\"")
 cleaned = strings.ReplaceAll(cleaned, "\"$GITHUB_MCP_LOCKDOWN\"", "\"1\"")
- // Handle Copilot-style escaped variables: \${VARIABLE} -> sample-value
- cleaned = strings.ReplaceAll(cleaned, "\\${GITHUB_PERSONAL_ACCESS_TOKEN}", "sample-token")
- cleaned = strings.ReplaceAll(cleaned, "\\${GITHUB_MCP_SERVER_TOKEN}", "sample-token")
-
- // Handle shell command substitutions: $([ "$VAR" = "1" ] && echo true || echo false) -> true
+ // 6. Handle shell command substitutions
+ // Pattern: "$(command)" -> "result"
 cleaned = strings.ReplaceAll(cleaned, "\"$([ \\\"$GITHUB_MCP_LOCKDOWN\\\" = \\\"1\\\" ] && echo true || echo false)\"", "\"true\"")
 return cleaned
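Review bot: The step-1 replacements now match only a whole quoted value (`"\${GITHUB_PERSONAL_ACCESS_TOKEN}"`, `"\${GITHUB_MCP_SERVER_TOKEN}"`), whereas the two removed lines matched the bare `\${...}` form anywhere in the text, so an escaped variable embedded inside a longer string value (a header or URL, if any engine renders one that way) is no longer substituted. Because `\$` is not a legal JSON escape, such a config would now fail the schema validation this function exists to enable, where it passed before. Keeping the whole-value substitutions and adding a catch-all after them closes the gap without a per-variable list: a package-level `escapedVarRe = regexp.MustCompile(` + "`" + `\\\$\{[A-Za-z_][A-Za-z0-9_]*\}` + "`" + `)` and, after step 1, `cleaned = escapedVarRe.ReplaceAllString(cleaned, "sample-value")` (adding `regexp` to the imports if the file does not already use it). The opening of prepareConfigForValidation lies before this hunk.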