diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index d5a05f6b98..80130e4a1a 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -65,7 +65,7 @@
 "version": "v8.0.0",
 "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
 },
- "actions/setup-dotnet@v4": {
+ "actions/setup-dotnet@v4.3.1": {
 "repo": "actions/setup-dotnet",
 "version": "v4.3.1",
 "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
@@ -80,7 +80,7 @@
 "version": "v6.1.0",
 "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
 },
- "actions/setup-java@v4": {
+ "actions/setup-java@v4.8.0": {
 "repo": "actions/setup-java",
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index 08acefb511..b877ea5c4b 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -193,7 +193,7 @@ jobs:
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397
 - name: Install awf binary
 run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2
 - name: Determine automatic lockdown mode for GitHub MCP server
@@ -489,7 +489,7 @@ jobs:
 engine_name: "GitHub Copilot CLI",
 model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
 version: "",
- agent_version: "0.0.395",
+ agent_version: "0.0.397",
 workflow_name: "CI Optimization Coach",
 experimental: false,
 supports_tools_allowlist: true,
@@ -1776,7 +1776,7 @@ jobs:
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397
 - name: Execute GitHub Copilot CLI
 id: agentic_execution
 # Copilot CLI tool arguments (sorted):
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index b6cd1b3bc9..4b8c1bfba2 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -976,6 +976,56 @@ jobs: - **Visual trends**: Charts showing token usage and cost trends - **Actionable insights**: Identify high-cost workflows and optimization opportunities + **CRITICAL**: Follow these formatting guidelines to create well-structured, readable reports: + + ### 1. Header Levels + **Use h3 (###) or lower for all headers in your report to maintain proper document hierarchy.** + + The discussion title serves as h1, so all content headers should start at h3: + - Use `###` for main sections (e.g., "### Token Consumption Overview", "### Per-Workflow Statistics") + - Use `####` for subsections (e.g., "#### Top 10 Most Expensive Workflows", "#### Cost Trends") + - Never use `##` (h2) or `#` (h1) in the report body + + ### 2. Progressive Disclosure + **Wrap detailed sections in `
Section Name` tags to improve readability and reduce scrolling.** + + Use collapsible sections for: + - Per-workflow detailed statistics tables + - Full workflow run lists + - Historical comparison data + - Verbose metrics breakdowns + + Example: + ```markdown +
+ Per-Workflow Detailed Statistics + + | Workflow | Runs | Total Tokens | Avg Tokens | Total Cost | Avg Cost | + |----------|------|--------------|------------|------------|----------| + | workflow-1 | 25 | 1,234,567 | 49,382 | $1.23 | $0.05 | + | ... | ... | ... | ... | ... | ... | + +
+ ``` + + ### 3. Report Structure Pattern + + Your report should follow this structure for optimal readability: + + 1. **Executive Summary** (always visible): Brief overview of total token usage, costs, and key findings + 2. **Key Highlights** (always visible): Top 5 most expensive workflows, notable cost increases/decreases + 3. **Visual Trends** (always visible): Embedded charts showing token usage and cost trends + 4. **Detailed Per-Workflow Statistics** (in `
` tags): Complete breakdown for all workflows + 5. **Recommendations** (always visible): Actionable suggestions for optimization + + ### Design Principles + + Create reports that: + - **Build trust through clarity**: Most important info (summary, top consumers, trends) immediately visible + - **Exceed expectations**: Add helpful context like week-over-week comparisons, cost projections + - **Create delight**: Use progressive disclosure to reduce overwhelm while keeping details accessible + - **Maintain consistency**: Follow the same patterns as other reporting workflows like `daily-issues-report` and `daily-team-status` + ## Current Context - **Repository**: __GH_AW_GITHUB_REPOSITORY__ @@ -1095,6 +1145,8 @@ jobs: **IMPORTANT**: Copy the complete Python script from above (lines starting with `#!/usr/bin/env python3`) and save it to `/tmp/gh-aw/python/process_logs.py`, then run it: ```bash + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" python3 /tmp/gh-aw/python/process_logs.py ``` @@ -1168,8 +1220,6 @@ jobs: ## Phase 3: Generate Trend Charts - PROMPT_EOF - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" ### Step 3.1: Prepare Data for Visualization Create CSV files for chart generation: @@ -1408,36 +1458,33 @@ jobs: ```markdown # πŸ“Š Daily Copilot Token Consumption Report - [DATE] - ## Executive Summary + ### Executive Summary Over the last 30 days, Copilot-powered agentic workflows consumed **[TOTAL_TOKENS]** tokens at an estimated cost of **$[TOTAL_COST]**, across **[TOTAL_RUNS]** workflow runs covering **[NUM_WORKFLOWS]** unique workflows. - **Key Highlights:** + #### Key Highlights: - **Highest consuming workflow**: [WORKFLOW_NAME] ([TOKENS] tokens, $[COST]) - **Most active workflow**: [WORKFLOW_NAME] ([RUN_COUNT] runs) - **Average cost per run**: $[AVG_COST] - **Trend**: Token usage is [increasing/decreasing/stable] by [PERCENT]% over the last 7 days -
- Full Report Details - - ## πŸ“ˆ Token Usage Trends + ### πŸ“ˆ Token Usage Trends - ### Overall Trends + #### Overall Trends ![Token Usage Trends](URL_FROM_UPLOAD_ASSET_CHART_1) The chart above shows daily token consumption over the last 30 days. [Brief analysis of the trend: are we increasing, decreasing, or stable? Any spikes or anomalies?] - ### Cost Trends + #### Cost Trends ![Cost Trends](URL_FROM_UPLOAD_ASSET_CHART_2) Daily cost trends show [analysis of cost patterns, efficiency, and notable changes]. - ## πŸ† Top Workflows by Token Consumption + ### πŸ† Top Workflows by Token Consumption ![Top Workflows](URL_FROM_UPLOAD_ASSET_CHART_3) - ### Detailed Breakdown + #### Top 10 Most Expensive Workflows | Rank | Workflow | Total Tokens | Total Cost | Runs | Avg Tokens/Run | Avg Cost/Run | |------|----------|--------------|------------|------|----------------|--------------| @@ -1445,10 +1492,8 @@ jobs: | 2 | [name] | [tokens] | $[cost] | [n] | [avg] | $[avg] | | ... | ... | ... | ... | ... | ... | ... | - ## πŸ“Š Per-Workflow Statistics (All Workflows) -
- View All Workflows + Per-Workflow Detailed Statistics (All Workflows) | Workflow | Total Tokens | Total Cost | Runs | Avg Tokens | Avg Cost | Avg Turns | Avg Duration | |----------|--------------|------------|------|------------|----------|-----------|--------------| @@ -1457,9 +1502,9 @@ jobs:
- ## πŸ’‘ Insights & Recommendations + ### πŸ’‘ Insights & Recommendations - ### High-Cost Workflows + #### High-Cost Workflows The following workflows account for the majority of token consumption: @@ -1471,7 +1516,8 @@ jobs: - **Observation**: [Analysis] - **Recommendation**: [Suggestion] - ### Optimization Opportunities +
+ Optimization Opportunities 1. **[Opportunity 1]**: [Description] - **Affected Workflows**: [list] @@ -1483,13 +1529,19 @@ jobs: - **Potential Savings**: ~$[amount] per month - **Action**: [Specific steps to implement] - ### Efficiency Trends +
+ +
+ Efficiency Trends - **Token efficiency**: [Analysis of avg tokens per turn or per workflow] - **Cost efficiency**: [Analysis of cost trends and efficiency improvements] - **Run patterns**: [Any patterns in when workflows run or how often they succeed] - ## πŸ“… Historical Comparison +
+ +
+ Historical Comparison | Metric | Last 7 Days | Previous 7 Days | Change | Last 30 Days | |--------|-------------|-----------------|--------|--------------| @@ -1498,8 +1550,12 @@ jobs: | Total Runs | [n] | [n] | [+/-]% | [n] | | Avg Cost/Run | $[n] | $[n] | [+/-]% | $[n] | - ## πŸ”§ Methodology +
+ +
+ Methodology & Data Quality Notes + #### Methodology - **Data Source**: GitHub Actions workflow run artifacts from last 30 days - **Engine Filter**: Copilot engine only - **Memory Storage**: `/tmp/gh-aw/repo-memory/default/` @@ -1507,8 +1563,7 @@ jobs: - **Historical Data**: [N] days of trend data - **Cost Model**: Based on Copilot token pricing - ## πŸ“Š Data Quality Notes - + #### Data Quality Notes - [Any caveats about data completeness] - [Note about workflows without cost data] - [Any filtering or exclusions applied] @@ -1551,6 +1606,8 @@ jobs: ### Resource Efficiency - **Batch operations**: Process all data in single passes + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - **Cache results**: Store processed data to avoid recomputation - **Timeout awareness**: Complete within 20-minute limit - **Error handling**: Continue even if some workflows have incomplete data diff --git a/.github/workflows/daily-copilot-token-report.md b/.github/workflows/daily-copilot-token-report.md index b21907918c..51627ea78a 100644 --- a/.github/workflows/daily-copilot-token-report.md +++ b/.github/workflows/daily-copilot-token-report.md 
@@ -75,6 +75,56 @@ Generate a comprehensive daily report of Copilot token consumption with: - **Visual trends**: Charts showing token usage and cost trends - **Actionable insights**: Identify high-cost workflows and optimization opportunities +**CRITICAL**: Follow these formatting guidelines to create well-structured, readable reports: + +### 1. Header Levels +**Use h3 (###) or lower for all headers in your report to maintain proper document hierarchy.** + +The discussion title serves as h1, so all content headers should start at h3: +- Use `###` for main sections (e.g., "### Token Consumption Overview", "### Per-Workflow Statistics") +- Use `####` for subsections (e.g., "#### Top 10 Most Expensive Workflows", "#### Cost Trends") +- Never use `##` (h2) or `#` (h1) in the report body + +### 2. Progressive Disclosure +**Wrap detailed sections in `
Section Name` tags to improve readability and reduce scrolling.** + +Use collapsible sections for: +- Per-workflow detailed statistics tables +- Full workflow run lists +- Historical comparison data +- Verbose metrics breakdowns + +Example: +```markdown +
+Per-Workflow Detailed Statistics + +| Workflow | Runs | Total Tokens | Avg Tokens | Total Cost | Avg Cost | +|----------|------|--------------|------------|------------|----------| +| workflow-1 | 25 | 1,234,567 | 49,382 | $1.23 | $0.05 | +| ... | ... | ... | ... | ... | ... | + +
+``` + +### 3. Report Structure Pattern + +Your report should follow this structure for optimal readability: + +1. **Executive Summary** (always visible): Brief overview of total token usage, costs, and key findings +2. **Key Highlights** (always visible): Top 5 most expensive workflows, notable cost increases/decreases +3. **Visual Trends** (always visible): Embedded charts showing token usage and cost trends +4. **Detailed Per-Workflow Statistics** (in `
` tags): Complete breakdown for all workflows +5. **Recommendations** (always visible): Actionable suggestions for optimization + +### Design Principles + +Create reports that: +- **Build trust through clarity**: Most important info (summary, top consumers, trends) immediately visible +- **Exceed expectations**: Add helpful context like week-over-week comparisons, cost projections +- **Create delight**: Use progressive disclosure to reduce overwhelm while keeping details accessible +- **Maintain consistency**: Follow the same patterns as other reporting workflows like `daily-issues-report` and `daily-team-status` + ## Current Context - **Repository**: ${{ github.repository }} @@ -505,36 +555,33 @@ Create a comprehensive discussion report with all findings. ```markdown # πŸ“Š Daily Copilot Token Consumption Report - [DATE] -## Executive Summary +### Executive Summary Over the last 30 days, Copilot-powered agentic workflows consumed **[TOTAL_TOKENS]** tokens at an estimated cost of **$[TOTAL_COST]**, across **[TOTAL_RUNS]** workflow runs covering **[NUM_WORKFLOWS]** unique workflows. -**Key Highlights:** +#### Key Highlights: - **Highest consuming workflow**: [WORKFLOW_NAME] ([TOKENS] tokens, $[COST]) - **Most active workflow**: [WORKFLOW_NAME] ([RUN_COUNT] runs) - **Average cost per run**: $[AVG_COST] - **Trend**: Token usage is [increasing/decreasing/stable] by [PERCENT]% over the last 7 days -
-Full Report Details - -## πŸ“ˆ Token Usage Trends +### πŸ“ˆ Token Usage Trends -### Overall Trends +#### Overall Trends ![Token Usage Trends](URL_FROM_UPLOAD_ASSET_CHART_1) The chart above shows daily token consumption over the last 30 days. [Brief analysis of the trend: are we increasing, decreasing, or stable? Any spikes or anomalies?] -### Cost Trends +#### Cost Trends ![Cost Trends](URL_FROM_UPLOAD_ASSET_CHART_2) Daily cost trends show [analysis of cost patterns, efficiency, and notable changes]. -## πŸ† Top Workflows by Token Consumption +### πŸ† Top Workflows by Token Consumption ![Top Workflows](URL_FROM_UPLOAD_ASSET_CHART_3) -### Detailed Breakdown +#### Top 10 Most Expensive Workflows | Rank | Workflow | Total Tokens | Total Cost | Runs | Avg Tokens/Run | Avg Cost/Run | |------|----------|--------------|------------|------|----------------|--------------| @@ -542,10 +589,8 @@ Daily cost trends show [analysis of cost patterns, efficiency, and notable chang | 2 | [name] | [tokens] | $[cost] | [n] | [avg] | $[avg] | | ... | ... | ... | ... | ... | ... | ... | -## πŸ“Š Per-Workflow Statistics (All Workflows) -
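Review bot: The report template in this hunk still opens with an h1 heading (`# … Daily Copilot Token Consumption Report - [DATE]`, kept as context just above the changed `### Executive Summary` line), which contradicts the "Header Levels" rule this commit adds earlier in the same file ("Never use `##` (h2) or `#` (h1) in the report body" — the discussion title serves as h1). Drop that line from the template, or demote it to `### Daily Copilot Token Consumption Report - [DATE]`, so the rule and the example the agent is told to copy agree; the compiled `daily-copilot-token-report.lock.yml` (hunk `@@ -1408,36 +1458,33 @@`) carries the same line and needs recompiling once the source is fixed. Minor: `#### Key Highlights:` keeps the trailing colon from the old bold label, which headings conventionally omit.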
-View All Workflows +Per-Workflow Detailed Statistics (All Workflows) | Workflow | Total Tokens | Total Cost | Runs | Avg Tokens | Avg Cost | Avg Turns | Avg Duration | |----------|--------------|------------|------|------------|----------|-----------|--------------| @@ -554,9 +599,9 @@ Daily cost trends show [analysis of cost patterns, efficiency, and notable chang
-## πŸ’‘ Insights & Recommendations +### πŸ’‘ Insights & Recommendations -### High-Cost Workflows +#### High-Cost Workflows The following workflows account for the majority of token consumption: @@ -568,7 +613,8 @@ The following workflows account for the majority of token consumption: - **Observation**: [Analysis] - **Recommendation**: [Suggestion] -### Optimization Opportunities +
+Optimization Opportunities 1. **[Opportunity 1]**: [Description] - **Affected Workflows**: [list] @@ -580,13 +626,19 @@ The following workflows account for the majority of token consumption: - **Potential Savings**: ~$[amount] per month - **Action**: [Specific steps to implement] -### Efficiency Trends +
+ +
+Efficiency Trends - **Token efficiency**: [Analysis of avg tokens per turn or per workflow] - **Cost efficiency**: [Analysis of cost trends and efficiency improvements] - **Run patterns**: [Any patterns in when workflows run or how often they succeed] -## πŸ“… Historical Comparison +
+ +
+Historical Comparison | Metric | Last 7 Days | Previous 7 Days | Change | Last 30 Days | |--------|-------------|-----------------|--------|--------------| @@ -595,8 +647,12 @@ The following workflows account for the majority of token consumption: | Total Runs | [n] | [n] | [+/-]% | [n] | | Avg Cost/Run | $[n] | $[n] | [+/-]% | $[n] | -## πŸ”§ Methodology +
+
+Methodology & Data Quality Notes + +#### Methodology - **Data Source**: GitHub Actions workflow run artifacts from last 30 days - **Engine Filter**: Copilot engine only - **Memory Storage**: `/tmp/gh-aw/repo-memory/default/` @@ -604,8 +660,7 @@ The following workflows account for the majority of token consumption: - **Historical Data**: [N] days of trend data - **Cost Model**: Based on Copilot token pricing -## πŸ“Š Data Quality Notes - +#### Data Quality Notes - [Any caveats about data completeness] - [Note about workflows without cost data] - [Any filtering or exclusions applied] diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 411f3c71a1..b018103525 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -155,7 +155,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.20 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -174,7 +174,7 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"create_pull_request":{"auto_merge":true},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"create_pull_request":{"auto_merge":true,"expires":168},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ @@ -447,7 +447,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.20", + agent_version: "2.1.22", workflow_name: "Daily Documentation Updater", experimental: true, supports_tools_allowlist: true, 
@@ -1237,7 +1237,7 @@ jobs:
 node-version: '24'
 package-manager-cache: false
 - name: Install Claude Code CLI
- run: npm install -g --silent @anthropic-ai/claude-code@2.1.20
+ run: npm install -g --silent @anthropic-ai/claude-code@2.1.22
 - name: Execute Claude Code CLI
 id: agentic_execution
 # Allowed tools (sorted):
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index 600a5750fb..20d6fac720 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -136,7 +136,7 @@ jobs:
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397
 - name: Install awf binary
 run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2
 - name: Determine automatic lockdown mode for GitHub MCP server
@@ -157,7 +157,7 @@ jobs:
 mkdir -p /tmp/gh-aw/safeoutputs
 mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
 cat > /opt/gh-aw/safeoutputs/config.json << 'EOF'
- {"create_pull_request":{},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
+ {"create_pull_request":{"expires":168},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
 EOF
 cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF'
 [
@@ -432,7 +432,7 @@ jobs:
 engine_name: "GitHub Copilot CLI",
 model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
 version: "",
- agent_version: "0.0.395",
+ agent_version: "0.0.397",
 workflow_name: "Daily Workflow Updater",
 experimental: false,
 supports_tools_allowlist: true,
@@ -1150,7 +1150,7 @@ jobs:
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397
 - name: Execute GitHub Copilot CLI
 id: agentic_execution
 # Copilot CLI tool arguments (sorted):
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index eef4f34119..ad2b931a6d 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -133,7 +133,7 @@ jobs:
 env:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
 - name: Install GitHub Copilot CLI
- run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395
+ run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397
 - name: Install awf binary
 run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2
 - name: Determine automatic lockdown mode for GitHub MCP server
@@ -154,7 +154,7 @@ jobs:
 mkdir -p /tmp/gh-aw/safeoutputs
 mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
 cat > /opt/gh-aw/safeoutputs/config.json << 'EOF'
- {"create_pull_request":{},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
+ {"create_pull_request":{"expires":2},"missing_data":{},"missing_tool":{},"noop":{"max":1}}
 EOF
 cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF'
 [
@@ -429,7 +429,7 @@ jobs:
 engine_name: "GitHub Copilot CLI",
 model: process.env.GH_AW_MODEL_AGENT_COPILOT || "",
 version: "",
- agent_version: "0.0.395",
+ agent_version: "0.0.397",
 workflow_name: "Dev",
 experimental: false,
 supports_tools_allowlist: true,
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 923c9030bd..cb56201092 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -1359,13 +1359,13 @@ jobs:
 - name: Download Go modules
 run: go mod download
 - name: Generate SBOM (SPDX format)
- uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0
+ uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0
 with:
 artifact-name: sbom.spdx.json
 format: spdx-json
 output-file: sbom.spdx.json
 - name: Generate SBOM (CycloneDX format)
- uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0
+ uses: anchore/sbom-action@62ad5284b8ced813296287a0b63906cb364b73ee # v0
 with:
 artifact-name: sbom.cdx.json
 format: cyclonedx-json
@@ -1399,7 +1399,7 @@ jobs:
 - name: Setup Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 - name: Log in to GitHub Container Registry
- uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml
index 8e3a06c3a2..33e56c6520 100644
--- a/.github/workflows/security-alert-burndown.lock.yml
+++ b/.github/workflows/security-alert-burndown.lock.yml
@@ -1009,6 +1009,726 @@ jobs: - PRs: open only - Limit updates to 100 items per run to respect rate limits (prioritize highest severity/most recent first) + + + --- + # WORKFLOW EXECUTION (PHASE 0) + --- + # Workflow Execution + + This campaign references the following campaign workers. These workers follow the first-class worker pattern: they are dispatch-only workflows with standardized input contracts. + + **IMPORTANT: Workers are orchestrated, not autonomous. They accept `campaign_id` and `payload` inputs via workflow_dispatch.** + + --- + + ## Campaign Workers + + + + **Worker Pattern**: All workers MUST: + - Use `workflow_dispatch` as the ONLY trigger (no schedule/push/pull_request) + - Accept `campaign_id` (string) and `payload` (string; JSON) inputs + - Implement idempotency via deterministic work item keys + - Label all created items with `z_campaign_security-alert-burndown` + + --- + + ## Workflow Creation Guardrails + + ### Before Creating Any Worker Workflow, Ask: + + 1. **Does this workflow already exist?** - Check `.github/workflows/` thoroughly + 2. **Can an existing workflow be adapted?** - Even if not perfect, existing is safer + 3. **Is the requirement clear?** - Can you articulate exactly what it should do? + 4. **Is it testable?** - Can you verify it works with test inputs? + 5. **Is it reusable?** - Could other campaigns benefit from this worker? 
+ + ### Only Create New Workers When: + + βœ… **All these conditions are met:** + - No existing workflow does the required task + - The campaign objective explicitly requires this capability + - You have a clear, specific design for the worker + - The worker has a focused, single-purpose scope + - You can test it independently before campaign use + + ❌ **Never create workers when:** + - You're unsure about requirements + - An existing workflow "mostly" works + - The worker would be complex or multi-purpose + - You haven't verified it doesn't already exist + - You can't clearly explain what it does in one sentence + + --- + + ## Worker Creation Template + + If you must create a new worker (only after checking ALL guardrails above), use this template: + + **Create the workflow file at `.github/workflows/.md`:** + + ```yaml + --- + name: + description: + + on: + workflow_dispatch: + inputs: + campaign_id: + description: 'Campaign identifier' + required: true + type: string + payload: + description: 'JSON payload with work item details' + required: true + type: string + + tracker-id: + + tools: + github: + toolsets: [default] + # Add minimal additional tools as needed + + safe-outputs: + create-pull-request: + max: 1 # Start conservative + add-comment: + max: 2 + --- + + # + + You are a campaign worker that processes work items. + + ## Input Contract + + Parse inputs: + ```javascript + const campaignId = context.payload.inputs.campaign_id; + const payload = JSON.parse(context.payload.inputs.payload); + ``` + + Expected payload structure: + ```json + { + "repository": "owner/repo", + "work_item_id": "unique-id", + "target_ref": "main", + // Additional context... + } + ``` + + ## Idempotency Requirements + + 1. **Generate deterministic key**: + ``` + const workKey = `campaign-${campaignId}-${payload.repository}-${payload.work_item_id}`; + ``` + + 2. 
**Check for existing work**: + - Search for PRs/issues with `workKey` in title + - Filter by label: `z_campaign_${campaignId}` + - If found: Skip or update + - If not: Create new + + 3. **Label all created items**: + - Apply `z_campaign_${campaignId}` label + - This enables discovery by orchestrator + + ## Task + + + + ## Output + + Report: + - Link to created/updated PR or issue + - Whether work was skipped (exists) or completed + - Any errors or blockers + ``` + + **After creating:** + - Compile: `gh aw compile .md` + - **CRITICAL: Test with sample inputs** (see testing requirements below) + + --- + + ## Worker Testing (MANDATORY) + + **Why test?** - Untested workers may fail during campaign execution. Test with sample inputs first to catch issues early. + + **Testing steps:** + + 1. **Prepare test payload**: + ```json + { + "repository": "test-org/test-repo", + "work_item_id": "test-1", + "target_ref": "main" + } + ``` + + 2. **Trigger test run**: + ```bash + gh workflow run .yml \ + -f campaign_id=security-alert-burndown \ + -f payload='{"repository":"test-org/test-repo","work_item_id":"test-1"}' + ``` + + Or via GitHub MCP: + ```javascript + mcp__github__run_workflow( + workflow_id: "", + ref: "main", + inputs: { + campaign_id: "security-alert-burndown", + payload: JSON.stringify({repository: "test-org/test-repo", work_item_id: "test-1"}) + } + ) + ``` + + 3. **Wait for completion**: Poll until status is "completed" + + 4. **Verify success**: + - Check that workflow succeeded + - Verify idempotency: Run again with same inputs, should skip/update + - Review created items have correct labels + - Confirm deterministic keys are used + + 5. **Test failure actions**: + - DO NOT use the worker if testing fails + - Analyze failure logs + - Make corrections + - Recompile and retest + - If unfixable after 2 attempts, report in status and skip + + **Note**: Workflows that accept `workflow_dispatch` inputs can receive parameters from the orchestrator. 
This enables the orchestrator to provide context, priorities, or targets based on its decisions. See [DispatchOps documentation](https://githubnext.github.io/gh-aw/guides/dispatchops/#with-input-parameters) for input parameter examples. + + --- + + ## Orchestration Guidelines + + **Execution pattern:** + - Workers are **orchestrated, not autonomous** + - Orchestrator discovers work items via discovery manifest + - Orchestrator decides which workers to run and with what inputs + - Workers receive `campaign_id` and `payload` via workflow_dispatch + - Sequential vs parallel execution is orchestrator's decision + + **Worker dispatch:** + - Parse discovery manifest (`./.gh-aw/campaign.discovery.json`) + - For each work item needing processing: + 1. Determine appropriate worker for this item type + 2. Construct payload with work item details + 3. Dispatch worker via workflow_dispatch with campaign_id and payload + 4. Track dispatch status + + **Input construction:** + ```javascript + // Example: Dispatching security-fix worker + const workItem = discoveryManifest.items[0]; + const payload = { + repository: workItem.repo, + work_item_id: `alert-${workItem.number}`, + target_ref: "main", + alert_type: "sql-injection", + file_path: "src/db.go", + line_number: 42 + }; + + await github.actions.createWorkflowDispatch({ + owner: context.repo.owner, + repo: context.repo.repo, + workflow_id: "security-fix-worker.yml", + ref: "main", + inputs: { + campaign_id: "security-alert-burndown", + payload: JSON.stringify(payload) + } + }); + ``` + + **Idempotency by design:** + - Workers implement their own idempotency checks + - Orchestrator doesn't need to track what's been processed + - Can safely re-dispatch work items across runs + - Workers will skip or update existing items + + **Failure handling:** + - If a worker dispatch fails, note it but continue + - Worker failures don't block entire campaign + - Report all failures in status update with context + - Humans can intervene if 
needed + + --- + + ## After Worker Orchestration + + Once workers have been dispatched (or new workers created and tested), proceed with normal orchestrator steps: + + 1. **Discovery** - Read state from discovery manifest and project board + 2. **Planning** - Determine what needs updating on project board + 3. **Project Updates** - Write state changes to project board + 4. **Status Reporting** - Report progress, worker dispatches, failures, next steps + + --- + + ## Key Differences from Fusion Approach + + **Old fusion approach (REMOVED)**: + - Workers had mixed triggers (schedule + workflow_dispatch) + - Fusion dynamically added workflow_dispatch to existing workflows + - Workers stored in campaign-specific folders + - Ambiguous ownership and trigger precedence + + **New first-class worker approach**: + - Workers are dispatch-only (on: workflow_dispatch) + - Standardized input contract (campaign_id, payload) + - Explicit idempotency via deterministic keys + - Clear ownership: workers are orchestrated, not autonomous + - Workers stored with regular workflows (not campaign-specific folders) + - Orchestration policy kept explicit in orchestrator + + This eliminates duplicate execution problems and makes orchestration concerns explicit. + --- + # ORCHESTRATOR INSTRUCTIONS + --- + # Orchestrator Instructions + + This orchestrator coordinates a single campaign by discovering worker outputs and making deterministic decisions. + + **Scope:** orchestration + project sync + reporting (discovery, planning, pacing, writing, reporting). + **Actuation model:** **hybrid** β€” the orchestrator may update campaign state directly (Projects and status updates) and may also dispatch allowlisted worker workflows. + **Write authority:** the orchestrator may write GitHub state when explicitly allowlisted via safe outputs; delegate repo/code changes (e.g., PRs) to workers unless this campaign explicitly defines otherwise. 
+ + --- + + ## Traffic and Rate Limits (Required) + + - Minimize API calls; avoid full rescans when possible. + - Prefer incremental discovery with deterministic ordering (e.g., by `updatedAt`, tie-break by ID). + - Enforce strict pagination budgets; if a query requires many pages, stop early and continue next run. + - Use a durable cursor/checkpoint so the next run continues without rescanning. + - On throttling (HTTP 429 / rate-limit 403), do not retry aggressively; back off and end the run after reporting what remains. + + + **Cursor file (repo-memory)**: `memory/campaigns/security-alert-burndown/cursor.json` + **File system path**: `/tmp/gh-aw/repo-memory/campaigns/security-alert-burndown/cursor.json` + - If it exists: read first and continue from its boundary. + - If it does not exist: create it by end of run. + - Always write the updated cursor back to the same path. + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + + + **Metrics snapshots (repo-memory)**: `memory/campaigns/security-alert-burndown/metrics/*.json` + **File system path**: `/tmp/gh-aw/repo-memory/campaigns/security-alert-burndown/metrics/*.json` + - Persist one append-only JSON metrics snapshot per run (new file per run; do not rewrite history). + - Use UTC date (`YYYY-MM-DD`) in the filename (example: `metrics/2025-12-22.json`). + + + + + + --- + + ## Core Principles + + 1. Workers are immutable and campaign-agnostic + 2. The GitHub Project board is the authoritative campaign state + 3. Correlation is explicit (tracker-id AND labels) + 4. Reads and writes are separate steps (never interleave) + 5. Idempotent operation is mandatory (safe to re-run) + 6. Orchestrator writes must be deterministic and minimal + + --- + + ## Execution Steps (Required Order) + + ### Step 1 β€” Read State (Discovery) [NO WRITES] + + **IMPORTANT**: Discovery has been precomputed. Read the discovery manifest instead of performing GitHub-wide searches. 
+ + 1) Read the precomputed discovery manifest: `./.gh-aw/campaign.discovery.json` + + 2) Parse discovered items from the manifest: + - Each item has: url, content_type (issue/pull_request/discussion), number, repo, created_at, updated_at, state + - Closed items have: closed_at (for issues) or merged_at (for PRs) + - Items are pre-sorted by updated_at for deterministic processing + + 3) Check the manifest summary for work counts. + + 4) Discovery cursor is maintained automatically in repo-memory; do not modify it manually. + + ### Step 2 β€” Make Decisions (Planning) [NO WRITES] + + 5) Determine desired `status` strictly from explicit GitHub state: + - Open β†’ `Todo` (or `In Progress` only if explicitly indicated elsewhere) + - Closed (issue/discussion) β†’ `Done` + - Merged (PR) β†’ `Done` + + 6) Calculate required date fields (for workers that sync Projects): + - `start_date`: format `created_at` as `YYYY-MM-DD` + - `end_date`: + - if closed/merged β†’ format `closed_at`/`merged_at` as `YYYY-MM-DD` + - if open β†’ **today's date** formatted `YYYY-MM-DD` + + 7) Reads and writes are separate steps (never interleave). + + ### Step 3 β€” Apply Updates (Execution) [WRITES] + + 8) Apply required GitHub state updates in a single write phase. + + Allowed writes (when allowlisted via safe outputs): + - Update the campaign Project board (add/update items and fields) + - Post status updates (e.g., update an issue or add a comment) + - Create Copilot agent sessions for repo-side work (use when you need code changes) + + Constraints: + - Use only allowlisted safe outputs. + - Keep within configured max counts and API budgets. + - Do not interleave reads and writes. + + ### Step 4 β€” Dispatch Workers (Optional) [DISPATCH] + + 9) For repo-side actions (e.g., code changes), dispatch allowlisted worker workflows using `dispatch-workflow`. + + Constraints: + - Only dispatch allowlisted workflows. + - Keep within the dispatch-workflow max for this run. 
+ + ### Step 5 β€” Report + + 10) Summarize what you updated and/or dispatched, what remains, and what should run next. + + **Discovered:** 25 items (15 issues, 10 PRs) + **Processed:** 10 items added to project, 5 updated + **Completion:** 60% (30/50 total tasks) + + ## Most Important Findings + + 1. **Critical accessibility gaps identified**: 3 high-severity accessibility issues discovered in mobile navigation, requiring immediate attention + 2. **Documentation coverage acceleration**: Achieved 5% improvement in one week (best velocity so far) + 3. **Worker efficiency improving**: daily-doc-updater now processing 40% more items per run + + ## What Was Learned + + - Multi-device testing reveals issues that desktop-only testing misses - should be prioritized + - Documentation updates tied to code changes have higher accuracy and completeness + - Users report fewer issues when examples include error handling patterns + + ## Campaign Progress + + **Documentation Coverage** (Primary Metric): + - Baseline: 85% β†’ Current: 88% β†’ Target: 95% + - Direction: ↑ Increasing (+3% this week, +1% velocity/week) + - Status: ON TRACK - At current velocity, will reach 95% in 7 weeks + + **Accessibility Score** (Supporting Metric): + - Baseline: 90% β†’ Current: 91% β†’ Target: 98% + - Direction: ↑ Increasing (+1% this month) + - Status: AT RISK - Slower progress than expected, may need dedicated focus + + **User-Reported Issues** (Supporting Metric): + - Baseline: 15/month β†’ Current: 12/month β†’ Target: 5/month + - Direction: ↓ Decreasing (-3 this month, -20% velocity) + - Status: ON TRACK - Trending toward target + + ## Next Steps + + 1. Address 3 critical accessibility issues identified this run (high priority) + 2. Continue processing remaining 15 discovered items + 3. Focus on accessibility improvements to accelerate supporting KPI + 4. 
Maintain current documentation coverage velocity + ``` + + 12) Report: + - counts discovered (by type) + - counts processed this run (by action: add/status_update/backfill/noop/failed) + - counts deferred due to budgets + - failures (with reasons) + - completion state (work items only) + - cursor advanced / remaining backlog estimate + + --- + + ## Authority + + If any instruction in this file conflicts with **Project Update Instructions**, the Project Update Instructions win for all project writes. + --- + # PROJECT UPDATE INSTRUCTIONS (AUTHORITATIVE FOR WRITES) + --- + # Project Update Instructions (Authoritative Write Contract) + + ## Project Board Integration + + This file defines the ONLY allowed rules for writing to the GitHub Project board. + If any other instructions conflict with this file, THIS FILE TAKES PRECEDENCE for all project writes. + + --- + + ## 0) Hard Requirements (Do Not Deviate) + + - Any workflow performing project writes (orchestrators or workers) MUST use only the `update-project` safe-output. + - All writes MUST target exactly: + - **Project URL**: `https://github.com/orgs/githubnext/projects/144` + - Every item MUST include: + - `campaign_id: "security-alert-burndown"` + + ## Campaign ID + + All campaign tracking MUST key off `campaign_id: "security-alert-burndown"`. + + --- + + ## 1) Required Project Fields (Must Already Exist) + + | Field | Type | Allowed / Notes | + |---|---|---| + | `status` | single-select | `Todo` / `In Progress` / `Review required` / `Blocked` / `Done` | + | `campaign_id` | text | Must equal `security-alert-burndown` | + | `worker_workflow` | text | workflow ID or `"unknown"` | + | `target_repo` | text | `owner/repo` | + | `priority` | single-select | `High` / `Medium` / `Low` | + | `size` | single-select | `Small` / `Medium` / `Large` | + | `start_date` | date | `YYYY-MM-DD` | + | `end_date` | date | `YYYY-MM-DD` | + + Field names are case-sensitive. 
+ + --- + + ## 2) Content Identification (Mandatory) + + Use **content number** (integer), never the URL as an identifier. + + - Issue URL: `.../issues/123` β†’ `content_type: "issue"`, `content_number: 123` + - PR URL: `.../pull/456` β†’ `content_type: "pull_request"`, `content_number: 456` + + --- + + ## 3) Deterministic Field Rules (No Inference) + + These rules apply to any time you write fields: + + - `campaign_id`: always `security-alert-burndown` + - `worker_workflow`: workflow ID if known, else `"unknown"` + - `target_repo`: extract `owner/repo` from the issue/PR URL + - `priority`: default `Medium` unless explicitly known + - `size`: default `Medium` unless explicitly known + - `start_date`: issue/PR `created_at` formatted `YYYY-MM-DD` + - `end_date`: + - if closed/merged β†’ `closed_at` / `merged_at` formatted `YYYY-MM-DD` + - if open β†’ **today’s date** formatted `YYYY-MM-DD` (**required for roadmap view; do not leave blank**) + + For open items, `end_date` is a UI-required placeholder and does NOT represent actual completion. + + --- + + ## 4) Read-Write Separation (Prevents Read/Write Mixing) + + 1. **READ STEP (no writes)** β€” validate existence and gather metadata + 2. **WRITE STEP (writes only)** β€” execute `update-project` + + Never interleave reads and writes. + + --- + + ## 5) Adding an Issue or PR (First Write) + + ### Adding New Issues + + When first adding an item to the project, you MUST write ALL required fields. 
+ + ```yaml + update-project: + project: "https://github.com/orgs/githubnext/projects/144" + campaign_id: "security-alert-burndown" + content_type: "issue" # or "pull_request" + content_number: 123 + fields: + status: "Todo" # "Done" if already closed/merged + campaign_id: "security-alert-burndown" + worker_workflow: "unknown" + target_repo: "owner/repo" + priority: "Medium" + size: "Medium" + start_date: "2025-12-15" + end_date: "2026-01-03" + ``` + + --- + + ## 6) Updating an Existing Item (Minimal Writes) + + ### Updating Existing Items + + Preferred behavior is minimal, idempotent writes: + + - If item exists and `status` is unchanged β†’ **No-op** + - If item exists and `status` differs β†’ **Update `status` only** + - If any required field is missing/empty/invalid β†’ **One-time full backfill** (repair only) + + ### Status-only Update (Default) + + ```yaml + update-project: + project: "https://github.com/orgs/githubnext/projects/144" + campaign_id: "security-alert-burndown" + content_type: "issue" # or "pull_request" + content_number: 123 + fields: + status: "Done" + ``` + + ### Full Backfill (Repair Only) + + ```yaml + update-project: + project: "https://github.com/orgs/githubnext/projects/144" + campaign_id: "security-alert-burndown" + content_type: "issue" # or "pull_request" + content_number: 123 + fields: + status: "Done" + campaign_id: "security-alert-burndown" + worker_workflow: "WORKFLOW_ID" + target_repo: "owner/repo" + priority: "Medium" + size: "Medium" + start_date: "2025-12-15" + end_date: "2026-01-02" + ``` + + --- + + ## 7) Idempotency Rules + + - Matching status already set β†’ **No-op** + - Different status β†’ **Status-only update** + - Invalid/deleted/inaccessible URL β†’ **Record failure and continue** + + ## Write Operation Rules + + All writes MUST conform to this file and use `update-project` only. 
+ + --- + + ## 8) Logging + Failure Handling (Mandatory) + + For every attempted item, record: + + - `content_type`, `content_number`, `target_repo` + - action taken: `noop | add | status_update | backfill | failed` + - error details if failed + + Failures must not stop processing remaining items. + + --- + + ## 9) Worker Workflow Policy + + - Workers are campaign-agnostic. + - Orchestrator populates `worker_workflow`. + - If `worker_workflow` cannot be determined, it MUST remain `"unknown"` unless explicitly reclassified by the orchestrator. + + --- + + ## 10) Parent / Sub-Issue Rules (Campaign Hierarchy) + + - Each project board MUST have exactly **one Epic issue** representing the campaign. + - The Epic issue MUST: + - Be added to the project board + - Use the same `campaign_id` + - Use `worker_workflow: "unknown"` + + - All campaign work issues (non-epic) MUST be created as **sub-issues of the Epic**. + - Issues MUST NOT be re-parented based on worker assignment. + + - Pull requests cannot be sub-issues: + - PRs MUST reference their related issue via standard GitHub linking (e.g. β€œCloses #123”). + + - Worker grouping MUST be done via the `worker_workflow` project field, not via parent issues. + + - The Epic issue is narrative only. + - The project board is the sole authoritative source of campaign state. + + --- + + ## Appendix β€” Machine Check Checklist (Optional) + + This checklist is designed to validate outputs before executing project writes. + + ### A) Output Structure Checks + + - [ ] All writes use `update-project:` blocks (no other write mechanism). 
+ - [ ] Each `update-project` block includes: + - [ ] `project: "https://github.com/orgs/githubnext/projects/144"` + - [ ] `campaign_id: "security-alert-burndown"` (top-level) + - [ ] `content_type` ∈ {`issue`, `pull_request`} + - [ ] `content_number` is an integer + - [ ] `fields` object is present + + ### B) Field Validity Checks + + - [ ] `fields.status` ∈ {`Todo`, `In Progress`, `Review required`, `Blocked`, `Done`} + - [ ] `fields.campaign_id` is present on first-add/backfill and equals `security-alert-burndown` + - [ ] `fields.worker_workflow` is present on first-add/backfill and is either a known workflow ID or `"unknown"` + - [ ] `fields.target_repo` matches `owner/repo` + - [ ] `fields.priority` ∈ {`High`, `Medium`, `Low`} + - [ ] `fields.size` ∈ {`Small`, `Medium`, `Large`} + - [ ] `fields.start_date` matches `YYYY-MM-DD` + - [ ] `fields.end_date` matches `YYYY-MM-DD` + + ### C) Update Semantics Checks + + - [ ] For existing items, payload is **status-only** unless explicitly doing a backfill repair. + - [ ] Backfill is used only when required fields are missing/empty/invalid. + - [ ] No payload overwrites `priority`/`size`/`worker_workflow` with defaults during a normal status update. + + ### D) Read-Write Separation Checks + + - [ ] All reads occur before any writes (no read/write interleaving). + - [ ] Writes are batched separately from discovery. + + ### E) Epic/Hierarchy Checks (Policy-Level) + + - [ ] Exactly one Epic exists for the campaign board. + - [ ] Epic is on the board and uses `worker_workflow: "unknown"`. + - [ ] All campaign work issues are sub-issues of the Epic (if supported by environment/tooling). + - [ ] PRs are linked to issues via GitHub linking (e.g. β€œCloses #123”). + + ### F) Failure Handling Checks + + - [ ] Invalid/deleted/inaccessible items are logged as failures and processing continues. + - [ ] Idempotency is delegated to the `update-project` tool; no pre-filtering by board presence. 
+ --- + # CLOSING INSTRUCTIONS (HIGHEST PRIORITY) + --- + # Closing Instructions (Highest Priority) + + Execute all four steps in strict order: + + 1. Read State (no writes) + 2. Make Decisions (no writes) + 3. Apply Updates (writes) + 4. Report + + The following rules are mandatory and override inferred behavior: + + - The GitHub Project board is the single source of truth. + - All project writes MUST comply with the Project Update Instructions. + - State reads and state writes MUST NOT be interleaved. + - Do NOT infer missing data or invent values. + - Do NOT reorganize hierarchy. + - Do NOT overwrite fields except as explicitly allowed. + - Workers are immutable and campaign-agnostic. + + If any instruction conflicts, the Project Update Instructions take precedence for all writes. PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 18f0cea25c..4a469c1e32 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -166,7 +166,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Determine automatic lockdown mode for GitHub MCP server @@ -435,7 +435,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.395", + agent_version: "0.0.397", workflow_name: "Agent Container Smoke Test", experimental: false, supports_tools_allowlist: true, 
@@ -665,9 +665,10 @@ jobs: timeout-minutes: 5 run: | set -o pipefail - GH_AW_TOOL_BINS=""; [ -n "$GOROOT" ] && GH_AW_TOOL_BINS="$GOROOT/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - sudo -E awf --env-all --env 'ANDROID_HOME=${ANDROID_HOME}' --env 'ANDROID_NDK=${ANDROID_NDK}' --env 'ANDROID_NDK_HOME=${ANDROID_NDK_HOME}' --env 'ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}' --env 'ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}' --env 'ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}' --env 'AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}' --env 'CARGO_HOME=${CARGO_HOME}' --env 'CHROMEWEBDRIVER=${CHROMEWEBDRIVER}' --env 'CONDA=${CONDA}' --env 'DOTNET_ROOT=${DOTNET_ROOT}' --env 'EDGEWEBDRIVER=${EDGEWEBDRIVER}' --env 'GECKOWEBDRIVER=${GECKOWEBDRIVER}' --env 'GEM_HOME=${GEM_HOME}' --env 'GEM_PATH=${GEM_PATH}' --env 'GOPATH=${GOPATH}' --env 'GOROOT=${GOROOT}' --env 'HOMEBREW_CELLAR=${HOMEBREW_CELLAR}' --env 'HOMEBREW_PREFIX=${HOMEBREW_PREFIX}' --env 'HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}' --env 'JAVA_HOME=${JAVA_HOME}' --env 'JAVA_HOME_11_X64=${JAVA_HOME_11_X64}' --env 'JAVA_HOME_17_X64=${JAVA_HOME_17_X64}' --env 'JAVA_HOME_21_X64=${JAVA_HOME_21_X64}' --env 'JAVA_HOME_25_X64=${JAVA_HOME_25_X64}' --env 'JAVA_HOME_8_X64=${JAVA_HOME_8_X64}' --env 'NVM_DIR=${NVM_DIR}' --env 'PIPX_BIN_DIR=${PIPX_BIN_DIR}' --env 'PIPX_HOME=${PIPX_HOME}' --env 'RUSTUP_HOME=${RUSTUP_HOME}' --env 'SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}' --env 'SWIFT_PATH=${SWIFT_PATH}' --env 
'VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}' --env 'GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS' --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains 
'*.githubusercontent.com,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.oracle.com,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.symcd.com,securit
y.ubuntu.com,services.gradle.org,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ - -- 'export PATH="$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS + mkdir -p "$HOME/.cache" + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env 
"EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro 
--allow-domains '*.githubusercontent.com,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.oracle.com,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.s
ymcd.com,security.ubuntu.com,services.gradle.org,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -1016,7 +1017,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.395 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json index 11344e2bc6..80130e4a1a 100644 --- a/pkg/workflow/data/action_pins.json +++ b/pkg/workflow/data/action_pins.json @@ -65,7 +65,7 @@ "version": "v8.0.0", "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd" }, - "actions/setup-dotnet@v4": { + "actions/setup-dotnet@v4.3.1": { "repo": "actions/setup-dotnet", "version": "v4.3.1", "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9" 
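Review bot: The new `mkdir -p "$HOME/.cache"` followed by `--mount "${HOME}/.cache:${HOME}/.cache:rw"` in the awf invocation hands the sandboxed agent read-write access to the runner user's whole cache directory, which later host-side steps may read back, and nothing in the hunk says which tool needs it. If a single consumer is the reason, scope the mount to a dedicated subdirectory, e.g. `mkdir -p "$HOME/.cache/gh-aw"` and `--mount "${HOME}/.cache/gh-aw:${HOME}/.cache/gh-aw:rw"`, and put a comment above the `run:` naming that consumer so the widened boundary is deliberate and reviewable. The file appears to be a compiled `.lock.yml`, so the fix presumably belongs in the generator under `pkg/workflow` rather than in this output. The step's `env:` block continues past the end of the hunk.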
@@ -80,7 +80,7 @@
 "version": "v6.1.0",
 "sha": "4dc6199c7b1a012772edbd06daecab0f50c9053c"
 },
- "actions/setup-java@v4": {
+ "actions/setup-java@v4.8.0": {
 "repo": "actions/setup-java",
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
@@ -118,7 +118,7 @@
 "anchore/sbom-action@v0": {
 "repo": "anchore/sbom-action",
 "version": "v0",
- "sha": "deef08a0db64bfad603422135db61477b16cef56"
+ "sha": "62ad5284b8ced813296287a0b63906cb364b73ee"
 },
 "anchore/sbom-action@v0.20.10": {
 "repo": "anchore/sbom-action",
@@ -153,7 +153,7 @@
 "docker/login-action@v3": {
 "repo": "docker/login-action",
 "version": "v3",
- "sha": "c94ce9fb468520275223c153574b00df6fe4bcc9"
+ "sha": "5e57cd118135c172c3672efd75eb46360885c0ef"
 },
 "docker/metadata-action@v5": {
 "repo": "docker/metadata-action",