diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 745bc142f1..18dafaff04 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -129,6 +129,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -184,7 +187,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -619,7 +622,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Agent Performance Analyzer - Meta-Orchestrator", experimental: false, supports_tools_allowlist: true, @@ -1201,7 +1204,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index ec9c5b8c14..0728c32fb3 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -129,6 +129,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -186,7 +189,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -513,7 +516,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Agent Persona Explorer", experimental: false, supports_tools_allowlist: true, @@ -1072,7 +1075,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index e75da84a1c..37a5c788cb 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -164,7 +164,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -468,7 +468,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "AI Moderator", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 6aa65e8afb..0777742707 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -183,7 +183,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -466,7 +466,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Archie", experimental: false, supports_tools_allowlist: true, @@ -960,7 +960,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 2fc3c55f77..699cb0e467 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -436,7 +436,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Artifacts Summary", experimental: false, supports_tools_allowlist: true, @@ -1000,7 +1000,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 525e93ef34..d1b569c307 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -128,6 +128,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -228,7 +231,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -579,7 +582,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Agentic Workflow Audit Agent", experimental: false, supports_tools_allowlist: true, @@ -1374,7 +1377,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index b6fe6efaa0..249a6c1d31 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -147,7 +147,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -475,7 +475,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Auto-Triage Issues", experimental: false, supports_tools_allowlist: true, @@ -1036,7 +1036,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 69504520b9..2a262c8317 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -152,7 +152,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -457,7 +457,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Blog Auditor", experimental: false, supports_tools_allowlist: true, @@ -1100,7 +1100,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 1755ac23f0..8d1c688125 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -174,7 +174,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -460,7 +460,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Brave Web Search Agent", experimental: false, supports_tools_allowlist: true, @@ -945,7 +945,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 3fd2eeceb1..1a5e854ab0 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -145,7 +145,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -458,7 +458,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Breaking Change Checker", experimental: false, supports_tools_allowlist: true, @@ -1029,7 +1029,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 32fa8342eb..8c4fd776fe 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -189,7 +189,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -561,7 +561,7 @@ jobs: engine_name: "Codex", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Changeset Generator", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index bc5f41211e..09e732f041 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -142,7 +142,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -240,7 +240,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Chroma Issue Indexer", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 2b52970b5d..1564355626 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -197,7 +197,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -499,7 +499,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "CI Optimization Coach", experimental: false, supports_tools_allowlist: true, @@ -1436,7 +1436,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 2db91d26f2..80c80124c5 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -166,7 +166,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -514,7 +514,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "CI Failure Doctor", experimental: false, supports_tools_allowlist: true, @@ -1005,7 +1005,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 9f9f6367d5..831c14860e 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -160,7 +160,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -448,7 +448,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Claude Code User Documentation Review", experimental: false, supports_tools_allowlist: true, @@ -993,7 +993,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 5a5b7fe923..77251606cc 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -140,7 +140,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -453,7 +453,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "CLI Consistency Checker", experimental: false, supports_tools_allowlist: true, @@ -925,7 +925,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index e77e2bed0c..af65b10edc 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -167,7 +167,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -476,7 +476,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "CLI Version Checker", experimental: false, supports_tools_allowlist: true, @@ -1175,7 +1175,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index f4a0228575..f7ccfffa90 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -190,6 +190,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -259,7 +262,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -659,7 +662,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "/cloclo", experimental: false, supports_tools_allowlist: true, @@ -1353,7 +1356,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 8bba1d58de..eeff5f5008 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -160,7 +160,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -498,7 +498,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Code Scanning Fixer", experimental: false, supports_tools_allowlist: true, @@ -1033,7 +1033,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 8a071c8973..8ea2e7a3c2 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -147,7 +147,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -449,7 +449,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Code Simplifier", experimental: false, supports_tools_allowlist: true, @@ -1014,7 +1014,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 7af1073415..9fd3fe2e8f 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -130,7 +130,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -220,7 +220,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Codex GitHub Remote MCP Test", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 09c40266c6..59b90fcdb5 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -154,7 +154,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -442,7 +442,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Commit Changes Analyzer", experimental: false, supports_tools_allowlist: true, @@ -1041,7 +1041,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index c81a828d2d..256b5d1d2c 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -184,7 +184,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -472,7 +472,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Copilot Agent PR Analysis", experimental: false, supports_tools_allowlist: true, @@ -1234,7 +1234,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 114b0ab8d0..33ae2a99da 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -155,7 +155,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -447,7 +447,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Copilot CLI Deep Research Agent", experimental: false, supports_tools_allowlist: true, @@ -1051,7 +1051,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index f2f0b83e55..69a0626489 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -145,7 +145,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Download container images @@ -528,7 +528,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Copilot PR Merged Report", experimental: false, supports_tools_allowlist: true, @@ -1027,7 +1027,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 76460dd28d..b8dcbef268 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -28,7 +28,7 @@ # - shared/python-dataviz.md # - shared/reporting.md # -# frontmatter-hash: bec978437452c1fb240df07354f2b40ee77acce619bca67902ff5cb79f2a1240 +# frontmatter-hash: f4a489b173291cb259fee27500d061b423b9a987c5238f9267455896c29a4fb3 name: "Copilot PR Conversation NLP Analysis" "on": @@ -151,7 +151,7 @@ jobs: name: Fetch PR comments for detailed analysis run: "# Create comments directory\nmkdir -p /tmp/gh-aw/pr-comments\n\n# Fetch detailed comments for each PR from the pre-fetched data\nPR_COUNT=$(jq 'length' /tmp/gh-aw/pr-data/copilot-prs.json)\necho \"Fetching comments for $PR_COUNT PRs...\"\n\njq -r '.[].number' /tmp/gh-aw/pr-data/copilot-prs.json | while read -r PR_NUM; do\n echo \"Fetching comments for PR #${PR_NUM}\"\n gh pr view \"${PR_NUM}\" \\\n --json comments,reviews,reviewComments \\\n > \"/tmp/gh-aw/pr-comments/pr-${PR_NUM}.json\" 2>/dev/null || echo \"{}\" > \"/tmp/gh-aw/pr-comments/pr-${PR_NUM}.json\"\n sleep 0.5 # Rate limiting\ndone\n\necho \"Comment data saved to /tmp/gh-aw/pr-comments/\"\n" - name: Install NLP libraries - run: "pip install --user --quiet nltk scikit-learn textblob wordcloud\n\n# Download required NLTK data (using punkt_tab for NLTK 3.9+)\npython3 -c \"import nltk; nltk.download('punkt_tab', quiet=True); nltk.download('stopwords', quiet=True); nltk.download('vader_lexicon', quiet=True); nltk.download('averaged_perceptron_tagger_eng', quiet=True)\"\n\n# Verify installations\npython3 -c \"import nltk; print(f'NLTK {nltk.__version__} installed')\"\npython3 -c \"import sklearn; print(f'scikit-learn {sklearn.__version__} installed')\"\npython3 -c \"import textblob; print(f'TextBlob {textblob.__version__} installed')\"\npython3 -c \"import wordcloud; print(f'WordCloud {wordcloud.__version__} installed')\"\n\necho \"All NLP libraries installed successfully\"\n" + run: "pip install --user --quiet nltk scikit-learn textblob wordcloud\n\n# Download required NLTK data (using punkt_tab for NLTK 3.9+)\npython3 -c \"import nltk; nltk.download('punkt_tab', quiet=True); nltk.download('stopwords', quiet=True); nltk.download('vader_lexicon', quiet=True); nltk.download('averaged_perceptron_tagger_eng', quiet=True)\"\n\n# Verify installations\npython3 -c \"import nltk; print(f'NLTK {nltk.__version__} installed')\"\npython3 -c \"import sklearn; print(f'scikit-learn {sklearn.__version__} installed')\"\npython3 -c \"from importlib.metadata import version; print(f'TextBlob {version(\\\"textblob\\\")} installed')\"\npython3 -c \"import wordcloud; print(f'WordCloud {wordcloud.__version__} installed')\"\n\necho \"All NLP libraries installed successfully\"\n" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory @@ -205,7 +205,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -526,7 +526,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Copilot PR Conversation NLP Analysis", experimental: false, supports_tools_allowlist: true, @@ -1469,7 +1469,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/copilot-pr-nlp-analysis.md b/.github/workflows/copilot-pr-nlp-analysis.md index 8e9636d31c..85706d7e6b 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.md +++ b/.github/workflows/copilot-pr-nlp-analysis.md @@ -80,7 +80,7 @@ steps: # Verify installations python3 -c "import nltk; print(f'NLTK {nltk.__version__} installed')" python3 -c "import sklearn; print(f'scikit-learn {sklearn.__version__} installed')" - python3 -c "import textblob; print(f'TextBlob {textblob.__version__} installed')" + python3 -c "from importlib.metadata import version; print(f'TextBlob {version(\"textblob\")} installed')" python3 -c "import wordcloud; print(f'WordCloud {wordcloud.__version__} installed')" echo "All NLP libraries installed successfully" diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 5ff886f25c..02b7fd10f4 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -176,7 +176,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -468,7 +468,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Copilot PR Prompt Pattern Analysis", experimental: false, supports_tools_allowlist: true, @@ -1150,7 +1150,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index cb653b735d..572eff8129 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -208,7 +208,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -525,7 +525,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Copilot Session Insights", experimental: false, supports_tools_allowlist: true, @@ -1856,7 +1856,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 53d9bd98c7..c123af4cde 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -175,7 +175,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -498,7 +498,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Workflow Craft Agent", experimental: false, supports_tools_allowlist: true, @@ -978,7 +978,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 9dc0e3ae85..b3e929a49d 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -139,7 +139,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -463,7 +463,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Auto-Assign Issue", experimental: false, supports_tools_allowlist: true, @@ -935,7 +935,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 1047f2b87c..d5406fe004 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -147,7 +147,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -414,7 +414,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Daily Choice Type Test", experimental: false, supports_tools_allowlist: true, @@ -943,7 +943,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index ba0664e931..eef3e5f977 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -154,7 +154,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -637,7 +637,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily CLI Performance Agent", experimental: false, supports_tools_allowlist: true, @@ -1266,7 +1266,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index cea3492f34..6194f17810 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -197,7 +197,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -514,7 +514,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Daily Code Metrics and Trend Tracking Agent", experimental: false, supports_tools_allowlist: true, @@ -1600,7 +1600,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 591a182dcb..87f432f623 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -155,7 +155,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -455,7 +455,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Compiler Quality Check", experimental: false, supports_tools_allowlist: true, @@ -1038,7 +1038,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 4295002d88..de4ac05e9c 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -222,7 +222,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -543,7 +543,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Copilot Token Consumption Report", experimental: false, supports_tools_allowlist: true, @@ -1402,7 +1402,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 90f32a87c1..5e51bd88dc 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -159,7 +159,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -457,7 +457,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Daily Documentation Updater", experimental: false, supports_tools_allowlist: true, @@ -1039,7 +1039,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 1340d5f6b4..05e30a33d3 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -21,7 +21,7 @@ # # Posts a daily poetic verse about the gh-aw project to a discussion thread # -# frontmatter-hash: 05ceb55b271159d43142652da63b7deb9d047d76ce3f46d38db0857adf32506b +# frontmatter-hash: 1c7734c2a56766a64613f4db8d53ca84127705f40ca1574a8edef469cd0e5ccd name: "Daily Fact About gh-aw" "on": @@ -46,7 +46,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c + uses: github/gh-aw/actions/setup@c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 # c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -89,7 +89,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c + uses: github/gh-aw/actions/setup@c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 # c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -135,7 +135,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -433,7 +433,7 @@ jobs: engine_name: "Codex", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Daily Fact About gh-aw", experimental: false, supports_tools_allowlist: true, @@ -730,7 +730,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c + uses: github/gh-aw/actions/setup@c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 # c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -836,7 +836,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c + uses: github/gh-aw/actions/setup@c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 # c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -884,7 +884,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail @@ -942,7 +942,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c + uses: github/gh-aw/actions/setup@c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 # c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/daily-fact.md b/.github/workflows/daily-fact.md index dac05e17c2..8be5672ce8 100644 --- a/.github/workflows/daily-fact.md +++ b/.github/workflows/daily-fact.md @@ -17,7 +17,7 @@ engine: strict: true timeout-minutes: 15 features: - action-tag: "623e612ff6a684e9a8634449508bdda21e2c178c" + action-tag: "c4e091835c7a94dc7d3acb8ed3ae145afb4995f3" network: allowed: diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 90991dc634..2f88940e59 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -147,7 +147,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -468,7 +468,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily File Diet", experimental: false, supports_tools_allowlist: true, @@ -1040,7 +1040,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 0ea281a301..f1d178672a 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -129,6 +129,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -210,7 +213,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -566,7 +569,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Firewall Logs Collector and Reporter", experimental: false, supports_tools_allowlist: true, @@ -1184,7 +1187,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 3b0de39838..2c9d5028ef 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -199,7 +199,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -600,7 +600,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Daily Issues Report Generator", experimental: false, supports_tools_allowlist: true, @@ -1755,7 +1755,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index b968139294..e8741ea075 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -477,7 +477,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Malicious Code Scan Agent", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml new file mode 100644 index 0000000000..853a61046e --- /dev/null +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -0,0 +1,1238 @@ +# +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw. DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# +# Performs deep-dive concurrency analysis on each safe-outputs MCP server tool to ensure thread-safety and detect race conditions +# +# Resolved workflow manifest: +# Imports: +# - shared/reporting.md +# - shared/safe-output-app.md +# +# frontmatter-hash: 5765ae9ba5004b023e4faac7e9dd99034645dc3267d9ed0962cb3ba9b41e519a + +name: "Daily MCP Tool Concurrency Analysis" +"on": + schedule: + - cron: "0 9 * * 1-5" + workflow_dispatch: + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "Daily MCP Tool Concurrency Analysis" + +jobs: + activation: + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Check workflow file timestamps + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_WORKFLOW_FILE: "daily-mcp-concurrency-analysis.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: + contents: read + issues: read + pull-requests: read + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + model: ${{ steps.generate_aw_info.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + persist-credentials: false + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + # Cache memory file share configuration from frontmatter processed below + - name: Create cache-memory directory + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + - name: Restore cache-memory file share data + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ github.workflow }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + restore-keys: | + memory-${{ github.workflow }}- + memory- + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + github.event.pull_request + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 + - name: Install awf binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + - name: Determine automatic lockdown mode for GitHub MCP server + id: determine-automatic-lockdown + env: + TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + if: env.TOKEN_CHECK != '' + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' + {"create_agent_session":{"max":3},"create_issue":{"expires":168,"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + EOF + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' + [ + { + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[concurrency] \". Labels [bug concurrency thread-safety automated-analysis cookie] will be automatically added.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "body": { + "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.", + "type": "string" + }, + "labels": { + "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.", + "items": { + "type": "string" + }, + "type": "array" + }, + "parent": { + "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run.", + "type": [ + "number", + "string" + ] + }, + "temporary_id": { + "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.", + "type": "string" + }, + "title": { + "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.", + "type": "string" + } + }, + "required": [ + "title", + "body" + ], + "type": "object" + }, + "name": "create_issue" + }, + { + "description": "Create a GitHub Copilot agent session to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead. CONSTRAINTS: Maximum 3 agent task(s) can be created.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "body": { + "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.", + "type": "string" + } + }, + "required": [ + "body" + ], + "type": "object" + }, + "name": "create_agent_session" + }, + { + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "reason": { + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", + "type": "string" + }, + "tool": { + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "type": "string" + } + }, + "required": [ + "reason" + ], + "type": "object" + }, + "name": "missing_tool" + }, + { + "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "message": { + "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" + } + ] + EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' + { + "create_agent_session": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + }, + "create_issue": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "labels": { + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "parent": { + "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "temporary_id": { + "type": "string" + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export DEBUG="*" + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.103' + + mkdir -p /home/runner/.copilot + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.3", + "env": { + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + } + }, + "serena": { + "type": "stdio", + "container": "ghcr.io/github/serena-mcp-server:latest", + "args": ["--network", "host"], + "entrypoint": "serena", + "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "${{ github.workspace }}"], + "mounts": ["${{ github.workspace }}:${{ github.workspace }}:rw"] + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + MCPCONFIG_EOF + - name: Generate agentic run info + id: generate_aw_info + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const fs = require('fs'); + + const awInfo = { + engine_id: "copilot", + engine_name: "GitHub Copilot CLI", + model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", + version: "", + agent_version: "0.0.405", + workflow_name: "Daily MCP Tool Concurrency Analysis", + experimental: false, + supports_tools_allowlist: true, + supports_http_transport: true, + run_id: context.runId, + run_number: context.runNumber, + run_attempt: process.env.GITHUB_RUN_ATTEMPT, + repository: context.repo.owner + '/' + context.repo.repo, + ref: context.ref, + sha: context.sha, + actor: context.actor, + event_name: context.eventName, + staged: false, + allowed_domains: ["defaults"], + firewall_enabled: true, + awf_version: "v0.13.7", + awmg_version: "v0.0.103", + steps: { + firewall: "squid" + }, + created_at: new Date().toISOString() + }; + + // Write to /tmp/gh-aw directory to avoid inclusion in PR + const tmpPath = '/tmp/gh-aw/aw_info.json'; + fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); + console.log('Generated aw_info.json at:', tmpPath); + console.log(JSON.stringify(awInfo, null, 2)); + + // Set model as output for reuse in other steps/jobs + core.setOutput('model', awInfo.model); + - name: Generate workflow overview + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); + await generateWorkflowOverview(core); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" + + PROMPT_EOF + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + GitHub API Access Instructions + + The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. + + + To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. + + Discover available tools from the safeoutputs MCP server. + + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. + + **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. + + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + ## Report Structure Guidelines + + ### 1. Header Levels + **Use h3 (###) or lower for all headers in your issue report to maintain proper document hierarchy.** + + When creating GitHub issues or discussions: + - Use `###` (h3) for main sections (e.g., "### Test Summary") + - Use `####` (h4) for subsections (e.g., "#### Device-Specific Results") + - Never use `##` (h2) or `#` (h1) in reports - these are reserved for titles + + ### 2. Progressive Disclosure + **Wrap detailed test results in `
Section Name` tags to improve readability and reduce scrolling.** + + Use collapsible sections for: + - Verbose details (full test logs, raw data) + - Secondary information (minor warnings, extra context) + - Per-item breakdowns when there are many items + + Always keep critical information visible (summary, critical issues, key metrics). + + ### 3. Report Structure Pattern + + 1. **Overview**: 1-2 paragraphs summarizing key findings + 2. **Critical Information**: Show immediately (summary stats, critical issues) + 3. **Details**: Use `
Section Name` for expanded content + 4. **Context**: Add helpful metadata (workflow run, date, trigger) + + ### Design Principles (Airbnb-Inspired) + + Reports should: + - **Build trust through clarity**: Most important info immediately visible + - **Exceed expectations**: Add helpful context like trends, comparisons + - **Create delight**: Use progressive disclosure to reduce overwhelm + - **Maintain consistency**: Follow patterns across all reports + + ### Example Report Structure + + ```markdown + ### Summary + - Key metric 1: value + - Key metric 2: value + - Status: ✅/⚠️/❌ + + ### Critical Issues + [Always visible - these are important] + +
+ View Detailed Results + + [Comprehensive details, logs, traces] + +
+ +
+ View All Warnings + + [Minor issues and potential problems] + +
+ + ### Recommendations + [Actionable next steps - keep visible] + ``` + + ## Workflow Run References + + - Format run IDs as links: `[§12345](https://github.com/owner/repo/actions/runs/12345)` + - Include up to 3 most relevant run URLs at end under `**References:**` + - Do NOT add footer attribution (system adds automatically) + + + + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import .github/workflows/daily-mcp-concurrency-analysis.md}} + PROMPT_EOF + - name: Substitute placeholders + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + with: + script: | + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE + } + }); + - name: Interpolate variables and render templates + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool github + # --allow-tool safeoutputs + # --allow-tool shell(cat actions/setup/js/*.cjs) + # --allow-tool shell(cat pkg/workflow/js/safe_outputs_tools.json) + # --allow-tool shell(cat) + # --allow-tool shell(date) + # --allow-tool shell(echo) + # --allow-tool shell(find actions/setup/js -name '*.cjs' ! -name '*.test.cjs' -type f) + # --allow-tool shell(grep -r 'let \|var \|const ' actions/setup/js --include='*.cjs') + # --allow-tool shell(grep -r 'module.exports' actions/setup/js --include='*.cjs') + # --allow-tool shell(grep) + # --allow-tool shell(head -n * actions/setup/js/*.cjs) + # --allow-tool shell(head) + # --allow-tool shell(ls) + # --allow-tool shell(pwd) + # --allow-tool shell(sort) + # --allow-tool shell(tail) + # --allow-tool shell(uniq) + # --allow-tool shell(wc) + # --allow-tool shell(yq) + # --allow-tool write + timeout-minutes: 45 + run: | + set -o pipefail + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat actions/setup/js/*.cjs)'\'' --allow-tool '\''shell(cat pkg/workflow/js/safe_outputs_tools.json)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find actions/setup/js -name '\''\'\'''\''*.cjs'\''\'\'''\'' ! -name '\''\'\'''\''*.test.cjs'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''let \|var \|const '\''\'\'''\'' actions/setup/js --include='\''\'\'''\''*.cjs'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''module.exports'\''\'\'''\'' actions/setup/js --include='\''\'\'''\''*.cjs'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * actions/setup/js/*.cjs)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + 2>&1 | tee /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload Safe Outputs + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: safe-output + path: ${{ env.GH_AW_SAFE_OUTPUTS }} + if-no-files-found: warn + - name: Ingest agent output + id: collect_output + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Upload sanitized agent output + if: always() && env.GH_AW_AGENT_OUTPUT + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent-output + path: ${{ env.GH_AW_AGENT_OUTPUT }} + if-no-files-found: warn + - name: Upload engine output files + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent_outputs + path: | + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + if-no-files-found: ignore + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + - name: Upload cache-memory data as artifact + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + if: always() + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent-artifacts + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + if-no-files-found: ignore + + conclusion: + needs: + - activation + - agent + - detection + - safe_outputs + - update_cache_memory + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + pull-requests: write + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Debug job inputs + env: + COMMENT_ID: ${{ needs.activation.outputs.comment_id }} + COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + AGENT_CONCLUSION: ${{ needs.agent.result }} + run: | + echo "Comment ID: $COMMENT_ID" + echo "Comment Repo: $COMMENT_REPO" + echo "Agent Output Types: $AGENT_OUTPUT_TYPES" + echo "Agent Conclusion: $AGENT_CONCLUSION" + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: 1 + GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + GH_AW_TRACKER_ID: "mcp-concurrency-analysis" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + GH_AW_TRACKER_ID: "mcp-concurrency-analysis" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + GH_AW_TRACKER_ID: "mcp-concurrency-analysis" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Update reaction comment with completion status + id: conclusion + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }} + GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + GH_AW_TRACKER_ID: "mcp-concurrency-analysis" + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + await main(); + + detection: + needs: agent + if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' + runs-on: ubuntu-latest + permissions: {} + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + timeout-minutes: 10 + outputs: + success: ${{ steps.parse_results.outputs.success }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download agent artifacts + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-artifacts + path: /tmp/gh-aw/threat-detection/ + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/threat-detection/ + - name: Echo agent output types + env: + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + run: | + echo "Agent output-types: $AGENT_OUTPUT_TYPES" + - name: Setup threat detection + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + WORKFLOW_DESCRIPTION: "Performs deep-dive concurrency analysis on each safe-outputs MCP server tool to ensure thread-safety and detect race conditions" + HAS_PATCH: ${{ needs.agent.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/sandbox/agent/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_results + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: threat-detection.log + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + + safe_outputs: + needs: + - agent + - detection + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') + runs-on: ubuntu-slim + permissions: + contents: read + issues: write + timeout-minutes: 15 + env: + GH_AW_ENGINE_ID: "copilot" + GH_AW_TRACKER_ID: "mcp-concurrency-analysis" + GH_AW_WORKFLOW_ID: "daily-mcp-concurrency-analysis" + GH_AW_WORKFLOW_NAME: "Daily MCP Tool Concurrency Analysis" + outputs: + create_agent_session_session_number: ${{ steps.create_agent_session.outputs.session_number }} + create_agent_session_session_url: ${{ steps.create_agent_session.outputs.session_url }} + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"expires\":168,\"labels\":[\"bug\",\"concurrency\",\"thread-safety\",\"automated-analysis\",\"cookie\"],\"max\":5,\"title_prefix\":\"[concurrency] \"},\"missing_data\":{},\"missing_tool\":{}}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + - name: Create Agent Session + id: create_agent_session + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (contains(needs.agent.outputs.output_types, 'create_agent_session')) + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + with: + github-token: ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); + + update_cache_memory: + needs: + - agent + - detection + if: always() && needs.detection.outputs.success == 'true' + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download cache-memory artifact (default) + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + continue-on-error: true + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Save cache-memory to cache (default) + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ github.workflow }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + diff --git a/.github/workflows/daily-mcp-concurrency-analysis.md b/.github/workflows/daily-mcp-concurrency-analysis.md new file mode 100644 index 0000000000..f6a8befaca --- /dev/null +++ b/.github/workflows/daily-mcp-concurrency-analysis.md @@ -0,0 +1,539 @@ +--- +name: Daily MCP Tool Concurrency Analysis +description: Performs deep-dive concurrency analysis on each safe-outputs MCP server tool to ensure thread-safety and detect race conditions +on: + schedule: + - cron: "0 9 * * 1-5" # Weekdays at 9 AM UTC + workflow_dispatch: + +permissions: + contents: read + issues: read + pull-requests: read + +tracker-id: mcp-concurrency-analysis +engine: copilot + +imports: + - shared/reporting.md + - shared/safe-output-app.md + +safe-outputs: + create-issue: + expires: 7d + title-prefix: "[concurrency] " + labels: [bug, concurrency, thread-safety, automated-analysis, cookie] + max: 5 + create-agent-session: + max: 3 + +tools: + serena: ["go", "typescript"] + cache-memory: true + github: + toolsets: [default] + edit: + bash: + - "cat pkg/workflow/js/safe_outputs_tools.json" + - "find actions/setup/js -name '*.cjs' ! -name '*.test.cjs' -type f" + - "cat actions/setup/js/*.cjs" + - "grep -r 'let \\|var \\|const ' actions/setup/js --include='*.cjs'" + - "grep -r 'module.exports' actions/setup/js --include='*.cjs'" + - "head -n * actions/setup/js/*.cjs" + +timeout-minutes: 45 +strict: true +--- + +{{#runtime-import? .github/shared-instructions.md}} + +# Daily MCP Tool Concurrency Analysis Agent 🔒 + +You are the **MCP Concurrency Analyzer** - a specialized concurrency expert that performs deep security and thread-safety analysis on MCP server tools. Your mission is to ensure all tools exposed in the safe-outputs MCP server component are safe to run concurrently without data races, race conditions, or data corruption. + +## Mission + +Analyze each tool in the safe-outputs MCP server for concurrency safety using best-in-class software engineering techniques. Identify potential issues with: +- **Global state**: Module-level or shared mutable state +- **Mutable data structures**: Especially those accessed concurrently +- **Missing synchronization**: Mutations not protected by locks or proper coordination +- **Race conditions**: Time-of-check vs time-of-use bugs +- **Shared resources**: File system, network, database access without coordination + +When issues are identified, create detailed issues with specific recommendations and optionally create agent sessions for fixes. When no problems are found for a tool, record the result and continue to the next tool. + +## Current Context + +- **Repository**: ${{ github.repository }} +- **Analysis Date**: $(date +%Y-%m-%d) +- **Workspace**: ${{ github.workspace }} +- **Tools Location**: `actions/setup/js/*.cjs` +- **Tool Definitions**: `pkg/workflow/js/safe_outputs_tools.json` + +## Analysis Process + +### Step 1: Load Round-Robin State from Cache + +Use the cache-memory tool to track which tools you've recently analyzed. + +Check your cache for: +- `last_analyzed_tool`: The most recently analyzed tool +- `analyzed_tools`: Map of tools with their analysis timestamps (format: `[{"tool": "", "analyzed_at": "", "status": "clean|issues_found"}, ...]`) +- `known_issues`: List of tools with known concurrency issues + +If this is the first run or cache is empty, start fresh with the complete tool list. + +### Step 2: Get List of All MCP Server Tools + +Extract the complete list of tools from the safe-outputs MCP server configuration: + +```bash +# Get all tool names from the JSON schema +cat pkg/workflow/js/safe_outputs_tools.json | jq -r '.[].name' | sort +``` + +This will give you the complete list of ~32 tools to analyze. + +### Step 3: Select Today's Tool for Analysis + +Using a **round-robin scheme with priority for recently modified tools**: + +1. Get the list of all tools from Step 2 +2. For each tool, find its corresponding implementation file: + - Most tools map to `actions/setup/js/.cjs` + - Some tools may be handled in `safe_outputs_handlers.cjs` or other files +3. Check git history to see when each tool was last modified: + ```bash + git log -1 --format="%ai" -- actions/setup/js/.cjs + ``` +4. Sort tools by: + - Tools never analyzed (highest priority) + - Tools modified since last analysis + - Tools not analyzed in last 30 days + - Oldest analysis date first +5. Select the highest priority tool from the sorted list + +If all tools have been analyzed recently (within 30 days) and no modifications detected, reset the cache and start over. + +### Step 4: Analyze the Selected Tool with Serena + +For the selected tool, perform comprehensive concurrency analysis: + +#### 4.1 Locate Implementation File(s) + +```bash +# Find the main implementation file +TOOL_FILE="actions/setup/js/${TOOL_NAME}.cjs" + +# Check if it exists +if [ -f "$TOOL_FILE" ]; then + echo "Found: $TOOL_FILE" +else + # Look in handlers or other locations + grep -r "HANDLER_TYPE = \"${TOOL_NAME}\"" actions/setup/js/*.cjs +fi +``` + +#### 4.2 Read and Understand the Tool + +Use Serena to: +- Read the tool implementation file completely +- Identify all functions exported or used +- Map out data flow and state management +- Find all dependencies and imports + +#### 4.3 Concurrency Safety Analysis + +Analyze the tool for these specific concurrency issues: + +**A. Global/Module-Level State** +```bash +# Search for module-level mutable state +grep -E "^(let|var) " "$TOOL_FILE" +``` + +Look for: +- Module-level `let` or `var` declarations (mutable) +- Exported mutable objects or arrays +- Shared caches or registries +- State that persists between tool invocations + +**Example issue pattern:** +```javascript +// ❌ UNSAFE: Module-level mutable state +let issuesToAssignCopilotGlobal = []; + +function getIssuesToAssignCopilot() { + return issuesToAssignCopilotGlobal; // Multiple concurrent calls share state! +} +``` + +**B. Mutable Data Structures** + +Identify: +- Arrays or objects modified after creation +- Shared data structures passed between functions +- In-place mutations (`.push()`, `.splice()`, property assignments) +- Accumulator patterns without proper isolation + +**Example issue pattern:** +```javascript +// ❌ UNSAFE: Shared mutable array +const results = []; +function processItem(item) { + results.push(item); // Race condition if concurrent calls + return results; +} +``` + +**C. Missing Synchronization** + +Check for: +- File system operations without locks +- Read-modify-write patterns +- Async operations with shared state +- Critical sections without protection + +**Example issue pattern:** +```javascript +// ❌ UNSAFE: Read-modify-write race condition +async function updateConfig() { + const config = JSON.parse(fs.readFileSync('config.json')); // Read + config.count += 1; // Modify + fs.writeFileSync('config.json', JSON.stringify(config)); // Write + // Another concurrent call could read old value before write completes! +} +``` + +**D. Time-of-Check vs Time-of-Use (TOCTOU)** + +Look for: +- File existence checks followed by operations +- Validation separated from usage +- Async gaps between check and use + +**Example issue pattern:** +```javascript +// ❌ UNSAFE: TOCTOU race condition +if (fs.existsSync(file)) { // Check + await someAsyncOperation(); + const content = fs.readFileSync(file); // Use - file might be deleted! +} +``` + +**E. Shared Resource Access** + +Analyze: +- File system access patterns +- Network requests to same endpoints +- Database or external service calls +- Temporary file creation with predictable names + +#### 4.4 Use Serena for Deeper Analysis + +Leverage Serena's semantic understanding: + +```typescript +// Ask Serena to find all mutations +serena-find_referencing_code_snippets: Look for all places where this variable is modified + +// Ask Serena to trace data flow +serena-find_symbol: Search for all usages of this shared state variable + +// Ask Serena for complexity analysis +serena-get_symbols_overview: Get function structure and identify critical sections +``` + +### Step 5: Categorize Findings + +For each identified issue, classify by severity: + +**CRITICAL** - High probability of data corruption or race condition: +- Module-level mutable state accessed by multiple tool invocations +- Unprotected read-modify-write sequences +- File operations without coordination + +**HIGH** - Potential race condition depending on usage: +- Shared mutable data structures +- Async operations with shared state +- TOCTOU patterns + +**MEDIUM** - Theoretical risk, unlikely in practice: +- Idempotent operations on shared resources +- Read-only shared state +- Coordinator patterns with single writer + +**LOW** - Minor code quality issue: +- Unnecessary mutable state +- Could be const but declared as let + +### Step 6: Generate Issue or Agent Session + +If issues were found (CRITICAL, HIGH, or MEDIUM severity): + +#### Create Detailed Issue + +Use the following template: + +```markdown +### Concurrency Safety Issue in \`${TOOL_NAME}\` + +**Severity**: [CRITICAL/HIGH/MEDIUM] +**Tool**: \`${TOOL_NAME}\` +**File**: \`${TOOL_FILE}\` +**Analysis Date**: $(date +%Y-%m-%d) + +#### Summary + +[Brief 2-3 sentence summary of the concurrency issue] + +#### Issue Details + +**Type**: [Global State / Mutable Data Structure / Missing Synchronization / TOCTOU / Shared Resource] + +**Location**: \`${TOOL_FILE}:${LINE_NUMBER}\` + +**Code Pattern**: +\`\`\`javascript +[Show the problematic code] +\`\`\` + +**Race Condition Scenario**: +1. Thread A calls tool at time T +2. Thread B calls tool at time T+1ms +3. [Describe the race condition that can occur] +4. Result: [Data corruption / lost updates / incorrect behavior] + +
+Detailed Analysis + +#### Root Cause + +[Explain why this is a concurrency issue using concurrency theory] + +#### Concurrent Execution Example + +\`\`\`javascript +// Timeline of concurrent calls: +// T=0ms: Call 1 reads shared state (value=0) +// T=1ms: Call 2 reads shared state (value=0) +// T=2ms: Call 1 increments and writes (value=1) +// T=3ms: Call 2 increments and writes (value=1) ❌ Lost update! Should be 2 +\`\`\` + +#### Impact Assessment + +- **Data Integrity**: [Description of potential data corruption] +- **Reliability**: [Description of reliability impact] +- **Security**: [Any security implications] + +
+ +#### Recommended Fix + +**Approach**: [State isolation / Synchronization / Redesign] + +\`\`\`javascript +// ✅ SAFE: Proper fix +[Show corrected code] +\`\`\` + +**Explanation**: [Explain why this fix resolves the race condition] + +**Implementation Steps**: +1. [Step 1] +2. [Step 2] +3. [Step 3] + +
+Alternative Solutions + +**Option 1: [Alternative approach 1]** +- Pros: [Benefits] +- Cons: [Drawbacks] + +**Option 2: [Alternative approach 2]** +- Pros: [Benefits] +- Cons: [Drawbacks] + +
+ +#### Testing Strategy + +To verify the fix: + +\`\`\`javascript +// Test concurrent execution +describe('${TOOL_NAME} concurrency safety', () => { + test('handles concurrent calls without race conditions', async () => { + // Launch 10 concurrent calls + const promises = Array(10).fill(0).map(() => handleTool(args)); + const results = await Promise.all(promises); + + // Verify no data corruption + expect(results).toBeDefined(); + // Add specific assertions based on tool behavior + }); +}); +\`\`\` + +#### References + +- **JavaScript Concurrency Model**: [Event loop, non-blocking I/O] +- **Node.js Best Practices**: [Link to relevant docs] +- **Related Issues**: [Link to similar issues if any] + +--- + +**Priority**: [P0-Critical / P1-High / P2-Medium] +**Effort**: [Small / Medium / Large] +**Expected Impact**: Prevents data races and ensures safe concurrent execution +``` + +#### Optionally Create Agent Session + +For CRITICAL or HIGH severity issues, consider creating a Copilot agent session: + +```markdown +Fix the concurrency safety issue in \`${TOOL_NAME}\` tool. + +**File**: \`actions/setup/js/${TOOL_NAME}.cjs\` + +**Issue**: [Brief description from issue] + +**Required Changes**: +1. [Specific change 1] +2. [Specific change 2] + +**Testing**: Add concurrency tests to verify the fix handles concurrent invocations safely. + +**Constraints**: +- Maintain backward compatibility +- Ensure all existing tests pass +- Follow existing code patterns in the repository +``` + +### Step 7: Handle Clean Tools (No Issues Found) + +If no concurrency issues were found: + +```markdown +✅ Tool \`${TOOL_NAME}\` passed concurrency analysis + +**Analysis Date**: $(date +%Y-%m-%d) +**File**: \`${TOOL_FILE}\` +**Status**: CLEAN - No concurrency issues detected + +The tool follows safe patterns: +- ✅ No module-level mutable state +- ✅ No shared mutable data structures +- ✅ Proper state isolation +- ✅ No race conditions identified +- ✅ Safe resource access patterns + +Continue to next tool. +``` + +### Step 8: Update Cache Memory + +Save your progress to cache-memory: + +- Update `last_analyzed_tool` to today's tool name +- Add/update entry in `analyzed_tools` with: + - `tool`: Tool name + - `analyzed_at`: ISO 8601 timestamp + - `status`: "clean" or "issues_found" + - `severity`: If issues found, highest severity level + - `file`: Implementation file path +- If issues found, add to `known_issues` list +- Remove entries older than 90 days from cache + +Example cache structure: +```json +{ + "last_analyzed_tool": "create_issue", + "analyzed_tools": [ + { + "tool": "create_issue", + "analyzed_at": "2026-02-06T09:00:00Z", + "status": "issues_found", + "severity": "CRITICAL", + "file": "actions/setup/js/create_issue.cjs" + }, + { + "tool": "noop", + "analyzed_at": "2026-02-05T09:00:00Z", + "status": "clean", + "file": "actions/setup/js/noop.cjs" + } + ], + "known_issues": ["create_issue"] +} +``` + +## Output Requirements + +Your output MUST include: + +1. **Tool Selection Rationale**: Explain which tool was selected and why +2. **Analysis Results**: Either: + - Detailed issue report if problems found (create issue + optional agent session) + - Clean tool confirmation if no problems found +3. **Cache Update Confirmation**: Confirm cache was updated with results + +## Concurrency Analysis Best Practices + +**State Isolation**: +- ✅ Each tool invocation should have isolated state +- ✅ Use function parameters and return values +- ✅ Avoid module-level mutable variables +- ✅ Prefer `const` over `let` when possible + +**Safe Patterns**: +- ✅ Pure functions without side effects +- ✅ Immutable data structures +- ✅ Copy-on-write for shared data +- ✅ Async/await without shared mutable state + +**Unsafe Patterns**: +- ❌ Module-level `let` or `var` declarations +- ❌ Exported mutable objects +- ❌ In-place array/object mutations on shared data +- ❌ File operations without coordination +- ❌ Read-modify-write without atomicity + +## Important Guidelines + +- **Be Thorough**: Don't just scan for obvious issues - use Serena's semantic analysis +- **Be Specific**: Reference exact line numbers and code snippets +- **Be Practical**: Focus on real concurrency issues, not theoretical ones +- **Be Helpful**: Provide clear, actionable fixes with examples +- **Track Progress**: Always update cache to maintain round-robin state +- **One Tool Per Run**: Analyze exactly ONE tool per workflow run for deep analysis + +## Serena Configuration + +The Serena MCP server is configured for this workspace with: +- **Languages**: Go, TypeScript/JavaScript +- **Project Root**: ${{ github.workspace }} +- **Memory**: `/tmp/gh-aw/cache-memory/serena/` + +Use Serena to: +- Perform semantic code analysis +- Find all references to variables +- Trace data flow through functions +- Identify mutation points +- Understand complex control flow + +## Begin Analysis + +Start your analysis now: + +1. Load cache to check analysis state +2. Get complete tool list from `safe_outputs_tools.json` +3. Select the next tool to analyze based on priority +4. Perform deep concurrency analysis with Serena +5. Create issue if problems found, or record clean result +6. Update cache with analysis results + +Focus on finding **real concurrency bugs** that could cause data races or corruption in production. diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index d5ea7568de..70db9b4239 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -158,7 +158,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -513,7 +513,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Multi-Device Docs Tester", experimental: false, supports_tools_allowlist: true, @@ -1232,7 +1232,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 1df06b75e3..7f1d8333ff 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -260,7 +260,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -595,7 +595,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily News", experimental: false, supports_tools_allowlist: true, @@ -1718,7 +1718,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index b930d10f5c..36516357b6 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -129,6 +129,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -181,7 +184,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -592,7 +595,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Daily Observability Report for AWF Firewall and MCP Gateway", experimental: false, supports_tools_allowlist: true, @@ -1129,7 +1132,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index d40be3243d..c70d254ebd 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -189,7 +189,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1062,7 +1062,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Daily Project Performance Summary Generator (Using Safe Inputs)", experimental: false, supports_tools_allowlist: true, @@ -1678,7 +1678,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 68ee904c35..9a6962da04 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -147,7 +147,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -963,7 +963,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Regulatory Report Generator", experimental: false, supports_tools_allowlist: true, @@ -1526,7 +1526,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index b1c4ad2b13..f7fd3abc28 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -180,7 +180,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -501,7 +501,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "The Daily Repository Chronicle", experimental: false, supports_tools_allowlist: true, @@ -1497,7 +1497,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index f2d6b5b93a..1985386255 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -130,6 +130,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -202,7 +205,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -545,7 +548,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Daily Safe Output Tool Optimizer", experimental: false, supports_tools_allowlist: true, @@ -1257,7 +1260,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index a383a664c8..5f41c99d33 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -145,7 +145,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -494,7 +494,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Secrets Analysis Agent", experimental: false, supports_tools_allowlist: true, @@ -1060,7 +1060,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 9ac19241d2..9b50d0d7eb 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -145,7 +145,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -491,7 +491,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Semgrep Scan", experimental: false, supports_tools_allowlist: true, @@ -968,7 +968,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index b8f0a4b434..678f1e8d3f 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -457,7 +457,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Syntax Error Quality Check", experimental: false, supports_tools_allowlist: true, @@ -1027,7 +1027,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 1b1e03e627..4465b453f7 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -154,7 +154,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -442,7 +442,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Daily Team Evolution Insights", experimental: false, supports_tools_allowlist: true, @@ -1044,7 +1044,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 9c829181a2..21306f40fd 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -153,7 +153,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -466,7 +466,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Team Status", experimental: false, supports_tools_allowlist: true, @@ -1028,7 +1028,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 197c70757c..e45bba8c47 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -157,7 +157,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -478,7 +478,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Testify Uber Super Expert", experimental: false, supports_tools_allowlist: true, @@ -1084,7 +1084,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 142b9e99ed..41630568b7 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -140,7 +140,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -442,7 +442,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Daily Workflow Updater", experimental: false, supports_tools_allowlist: true, @@ -962,7 +962,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 6a5f20e43a..2dac5d3240 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -129,6 +129,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -210,7 +213,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -666,7 +669,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "DeepReport - Intelligence Gathering Agent", experimental: false, supports_tools_allowlist: true, @@ -1448,7 +1451,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 1f0d9a8f65..ad880d8528 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -158,7 +158,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -523,7 +523,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Delight", experimental: false, supports_tools_allowlist: true, @@ -1219,7 +1219,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 66579faa37..915b7f54b4 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -141,7 +141,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -492,7 +492,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Dependabot Dependency Checker", experimental: false, supports_tools_allowlist: true, @@ -964,7 +964,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index fb87f1dfe9..e847c4c14c 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -131,6 +131,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -177,7 +180,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -487,7 +490,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Dev Hawk", experimental: false, supports_tools_allowlist: true, @@ -977,7 +980,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index e1a9cecc43..ed75308c8f 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -137,7 +137,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -439,7 +439,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Dev", experimental: false, supports_tools_allowlist: true, @@ -926,7 +926,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index b4efd92910..216e7fb709 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -165,7 +165,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -531,7 +531,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Developer Documentation Consolidator", experimental: false, supports_tools_allowlist: true, @@ -1184,7 +1184,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index b489cc4fcf..df03ba1e71 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -143,7 +143,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -445,7 +445,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Dictation Prompt Generator", experimental: false, supports_tools_allowlist: true, @@ -1005,7 +1005,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 8899e723c6..3a0bd9fde2 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -158,7 +158,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -506,7 +506,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Discussion Task Miner - Code Quality Improvement Agent", experimental: false, supports_tools_allowlist: true, @@ -1198,7 +1198,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 6e97efd0df..9b1da1c385 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -472,7 +472,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Documentation Noob Tester", experimental: false, supports_tools_allowlist: true, @@ -1025,7 +1025,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index f2d1fae5f6..6c9d453edf 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -139,7 +139,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -474,7 +474,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Draft PR Cleanup", experimental: false, supports_tools_allowlist: true, @@ -964,7 +964,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 15ed1e4331..6a27576d05 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -146,7 +146,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -514,7 +514,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Duplicate Code Detector", experimental: false, supports_tools_allowlist: true, @@ -972,7 +972,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml index b657cb8dca..352ee196d8 100644 --- a/.github/workflows/example-custom-error-patterns.lock.yml +++ b/.github/workflows/example-custom-error-patterns.lock.yml @@ -126,7 +126,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -200,7 +200,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Example: Custom Error Patterns", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index fa0090caf2..b3ac6b1fa8 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -125,7 +125,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -198,7 +198,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Example: Properly Provisioned Permissions", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 74b0163581..9c267e093d 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -126,6 +126,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -180,7 +183,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -502,7 +505,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Weekly Workflow Analysis", experimental: false, supports_tools_allowlist: true, @@ -1100,7 +1103,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 209d438291..51a5d9b089 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -170,7 +170,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -462,7 +462,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "The Great Escapi", experimental: false, supports_tools_allowlist: true, @@ -984,7 +984,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 14256bad04..1db676abb3 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -125,7 +125,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -199,7 +199,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Firewall Test Agent", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 64de126c25..2b0de6071f 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -143,7 +143,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -445,7 +445,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Functional Pragmatist", experimental: false, supports_tools_allowlist: true, @@ -1010,7 +1010,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 4a6effd660..2875302963 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -189,7 +189,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -506,7 +506,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "GitHub MCP Structural Analysis", experimental: false, supports_tools_allowlist: true, @@ -1381,7 +1381,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index d8ecb6ac0b..7ce18b1f46 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -166,7 +166,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -517,7 +517,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "GitHub MCP Remote Server Tools Report Generator", experimental: false, supports_tools_allowlist: true, @@ -1146,7 +1146,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index f82ded9530..9dc187c263 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -140,7 +140,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -441,7 +441,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "GitHub Remote MCP Authentication Test", experimental: false, supports_tools_allowlist: true, @@ -914,7 +914,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index ad760ed0c8..7d3dbf4c44 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -167,7 +167,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -477,7 +477,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Glossary Maintainer", experimental: false, supports_tools_allowlist: true, @@ -1503,7 +1503,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index be51a88c80..1066e7818a 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -163,7 +163,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -467,7 +467,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Go Fan", experimental: false, supports_tools_allowlist: true, @@ -1103,7 +1103,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 5405e5aca4..2ae7bc6f0a 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -179,7 +179,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -612,7 +612,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Go Logger Enhancement", experimental: false, supports_tools_allowlist: true, @@ -1225,7 +1225,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 9fe53784c8..1c6a7890bf 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -154,7 +154,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -467,7 +467,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Go Pattern Detector", experimental: false, supports_tools_allowlist: true, @@ -1062,7 +1062,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 44ce90163f..831bfb2cef 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -185,7 +185,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -535,7 +535,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Grumpy Code Reviewer 🔥", experimental: false, supports_tools_allowlist: true, @@ -1026,7 +1026,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index e69ed7342b..c6432ddec1 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -180,7 +180,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -482,7 +482,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "CI Cleaner", experimental: false, supports_tools_allowlist: true, @@ -1310,7 +1310,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index f3987a5e70..d32c7cf145 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -159,7 +159,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -457,7 +457,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Instructions Janitor", experimental: false, supports_tools_allowlist: true, @@ -1034,7 +1034,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 01b09a1ef6..99cea089eb 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -157,7 +157,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -587,7 +587,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Issue Arborist", experimental: false, supports_tools_allowlist: true, @@ -1136,7 +1136,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index c029f2e083..c8b2c91ef4 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -150,7 +150,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -470,7 +470,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Issue Monster", experimental: false, supports_tools_allowlist: true, @@ -945,7 +945,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 9efdbdee86..7fe2dbd845 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -127,7 +127,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -438,7 +438,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Issue Triage Agent", experimental: false, supports_tools_allowlist: true, @@ -983,7 +983,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 63e5026074..346347bcc3 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -161,7 +161,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -471,7 +471,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "jsweep - JavaScript Unbloater", experimental: false, supports_tools_allowlist: true, @@ -975,7 +975,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 81a0d25d93..d8e1e659cb 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -148,7 +148,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -450,7 +450,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Layout Specification Maintainer", experimental: false, supports_tools_allowlist: true, @@ -971,7 +971,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 76ab71760e..2409a1ddb2 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -163,7 +163,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -451,7 +451,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Lockfile Statistics Analysis Agent", experimental: false, supports_tools_allowlist: true, @@ -1076,7 +1076,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index f14723ecaf..cac09b7fe5 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -140,6 +140,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -208,7 +211,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -768,7 +771,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "MCP Inspector Agent", experimental: false, supports_tools_allowlist: true, @@ -1563,7 +1566,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index afb8fbcb07..b1ab183142 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -162,7 +162,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -450,7 +450,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Mergefest", experimental: false, supports_tools_allowlist: true, @@ -967,7 +967,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index c1f5924c2d..edd31d8e7e 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -113,6 +113,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -168,7 +171,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -277,7 +280,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Metrics Collector - Infrastructure Agent", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index a000d4319d..836ad9b316 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -146,7 +146,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -417,7 +417,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Issue Summary to Notion", experimental: false, supports_tools_allowlist: true, @@ -896,7 +896,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index c62dce416f..24460a7e78 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -184,7 +184,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Download container images @@ -494,7 +494,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Organization Health Report", experimental: false, supports_tools_allowlist: true, @@ -1400,7 +1400,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index bcf60e7fab..faefe7a11c 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -204,7 +204,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -538,7 +538,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Resource Summarizer Agent", experimental: false, supports_tools_allowlist: true, @@ -1036,7 +1036,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index c0d98444c3..b67af34414 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -174,7 +174,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -544,7 +544,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Plan Command", experimental: false, supports_tools_allowlist: true, @@ -1021,7 +1021,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 9bb8cb09bf..5c3f81f975 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -193,7 +193,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1027,7 +1027,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Poem Bot - A Creative Agentic Workflow", experimental: false, supports_tools_allowlist: true, @@ -1647,7 +1647,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 1ec3b3fb6b..7a52526dd1 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -128,6 +128,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -217,7 +220,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -573,7 +576,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Automated Portfolio Analyst", experimental: false, supports_tools_allowlist: true, @@ -1277,7 +1280,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 4320f24560..37a8e3bd8f 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -203,7 +203,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -605,7 +605,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "PR Nitpick Reviewer 🔍", experimental: false, supports_tools_allowlist: true, @@ -1171,7 +1171,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 448e46aae4..9f2306bf60 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -148,7 +148,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -532,7 +532,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "PR Triage Agent", experimental: false, supports_tools_allowlist: true, @@ -1041,7 +1041,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 8c8ac024dc..6e55702fb0 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -131,6 +131,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -247,7 +250,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -569,7 +572,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Copilot Agent Prompt Clustering Analysis", experimental: false, supports_tools_allowlist: true, @@ -1313,7 +1316,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 53c0a1aab0..5fb9006e50 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -125,6 +125,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -205,7 +208,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -561,7 +564,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Python Data Visualization Generator", experimental: false, supports_tools_allowlist: true, @@ -1887,7 +1890,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 7bd55b7c50..1ad33fa022 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -181,6 +181,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -238,7 +241,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -618,7 +621,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Q", experimental: false, supports_tools_allowlist: true, @@ -1128,7 +1131,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index f8837b661c..e9600620d3 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -159,7 +159,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -456,7 +456,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Release", experimental: false, supports_tools_allowlist: true, @@ -1034,7 +1034,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 944547d4cf..6c73c738ad 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -161,7 +161,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -453,7 +453,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Repository Audit & Agentic Workflow Opportunity Analyzer", experimental: false, supports_tools_allowlist: true, @@ -1031,7 +1031,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 0b3cb80003..f0f211e812 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -436,7 +436,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Repository Tree Map Generator", experimental: false, supports_tools_allowlist: true, @@ -983,7 +983,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 3bbd759745..5417c821f5 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -157,7 +157,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -457,7 +457,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Repository Quality Improvement Agent", experimental: false, supports_tools_allowlist: true, @@ -1032,7 +1032,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 4b1ee7db0f..91b1609c2c 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -147,7 +147,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -453,7 +453,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Basic Research Agent", experimental: false, supports_tools_allowlist: true, @@ -1004,7 +1004,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 74264f8436..e7ccba655d 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -127,6 +127,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -199,7 +202,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -521,7 +524,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Safe Output Health Monitor", experimental: false, supports_tools_allowlist: true, @@ -1235,7 +1238,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index f4e13875ce..2c75d4c5de 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -166,7 +166,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -455,7 +455,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Schema Consistency Checker", experimental: false, supports_tools_allowlist: true, @@ -1069,7 +1069,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index aaceffe752..529b0fc035 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -239,7 +239,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -534,7 +534,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Scout", experimental: false, supports_tools_allowlist: true, @@ -1272,7 +1272,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index ad179920d6..1d1523f2de 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -155,7 +155,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -468,7 +468,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Security Compliance Campaign", experimental: false, supports_tools_allowlist: true, @@ -973,7 +973,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml new file mode 100644 index 0000000000..68ea4073a9 --- /dev/null +++ b/.github/workflows/security-fix-pr.lock.yml @@ -0,0 +1,1227 @@ +# +# ___ _ _ +# / _ \ | | (_) +# | |_| | __ _ ___ _ __ | |_ _ ___ +# | _ |/ _` |/ _ \ '_ \| __| |/ __| +# | | | | (_| | __/ | | | |_| | (__ +# \_| |_/\__, |\___|_| |_|\__|_|\___| +# __/ | +# _ _ |___/ +# | | | | / _| | +# | | | | ___ _ __ _ __| |_| | _____ ____ +# | |/\| |/ _ \ '__| |/ /| _| |/ _ \ \ /\ / / ___| +# \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ +# \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ +# +# This file was automatically generated by gh-aw. DO NOT EDIT. +# +# To update this file, edit the corresponding .md file and run: +# gh aw compile +# For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md +# +# Identifies and automatically fixes code security issues by creating autofixes via GitHub Code Scanning +# +# frontmatter-hash: 2c0874c7d5caae7ad004f661800b012b5e12571c5c4ba5f776cd3e7eb8c0d484 + +name: "Security Fix PR" +"on": + # skip-if-match: is:pr is:open in:title "[security-fix]" # Skip-if-match processed as search check in pre-activation job + workflow_dispatch: + inputs: + security_url: + default: "" + description: Security alert URL (e.g., https://github.com/owner/repo/security/code-scanning/123) + required: false + +permissions: {} + +concurrency: + group: "gh-aw-${{ github.workflow }}" + +run-name: "Security Fix PR" + +jobs: + activation: + needs: pre_activation + if: needs.pre_activation.outputs.activated == 'true' + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + comment_id: "" + comment_repo: "" + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Check workflow file timestamps + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_WORKFLOW_FILE: "security-fix-pr.lock.yml" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); + await main(); + + agent: + needs: activation + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + security-events: read + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + env: + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + GH_AW_ASSETS_ALLOWED_EXTS: "" + GH_AW_ASSETS_BRANCH: "" + GH_AW_ASSETS_MAX_SIZE_KB: 0 + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + GH_AW_SAFE_OUTPUTS: /opt/gh-aw/safeoutputs/outputs.jsonl + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + outputs: + checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }} + has_patch: ${{ steps.collect_output.outputs.has_patch }} + model: ${{ steps.generate_aw_info.outputs.model }} + output: ${{ steps.collect_output.outputs.output }} + output_types: ${{ steps.collect_output.outputs.output_types }} + secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + persist-credentials: false + - name: Create gh-aw temp directory + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + # Cache memory file share configuration from frontmatter processed below + - name: Create cache-memory directory + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh + - name: Restore cache-memory file share data + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ github.workflow }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + restore-keys: | + memory-${{ github.workflow }}- + memory- + # Repo memory git-based storage configuration from frontmatter processed below + - name: Clone repo-memory branch (campaigns) + env: + GH_TOKEN: ${{ github.token }} + BRANCH_NAME: memory/campaigns + TARGET_REPO: ${{ github.repository }} + MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns + CREATE_ORPHAN: true + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Checkout PR branch + id: checkout-pr + if: | + github.event.pull_request + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); + await main(); + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 + - name: Install awf binary + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + - name: Determine automatic lockdown mode for GitHub MCP server + id: determine-automatic-lockdown + env: + TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + if: env.TOKEN_CHECK != '' + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + script: | + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); + - name: Download container images + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + - name: Write Safe Outputs Config + run: | + mkdir -p /opt/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/safeoutputs + mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' + {"add_labels":{"allowed":["agentic-campaign","z_campaign_security-alert-burndown"],"max":3},"autofix_code_scanning_alert":{"max":5},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + EOF + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' + [ + { + "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. CONSTRAINTS: Only these labels are allowed: [agentic-campaign z_campaign_security-alert-burndown].", + "inputSchema": { + "additionalProperties": false, + "properties": { + "item_number": { + "description": "Issue or PR number to add labels to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). If omitted, adds labels to the item that triggered this workflow.", + "type": "number" + }, + "labels": { + "description": "Label names to add (e.g., ['bug', 'priority-high']). Labels must exist in the repository.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "name": "add_labels" + }, + { + "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "reason": { + "description": "Explanation of why this tool is needed or what information you want to share about the limitation (max 256 characters).", + "type": "string" + }, + "tool": { + "description": "Optional: Name or description of the missing tool or capability (max 128 characters). Be specific about what functionality is needed.", + "type": "string" + } + }, + "required": [ + "reason" + ], + "type": "object" + }, + "name": "missing_tool" + }, + { + "description": "Log a transparency message when no significant actions are needed. Use this to confirm workflow completion and provide visibility when analysis is complete but no changes or outputs are required (e.g., 'No issues found', 'All checks passed'). This ensures the workflow produces human-visible output even when no other actions are taken.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "message": { + "description": "Status or completion message to log. Should explain what was analyzed and the outcome (e.g., 'Code review complete - no issues found', 'Analysis complete - all tests passing').", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "name": "noop" + }, + { + "description": "Report that data or information needed to complete the task is not available. Use this when you cannot accomplish what was requested because required data, context, or information is missing.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alternatives": { + "description": "Any workarounds, manual steps, or alternative approaches the user could take (max 256 characters).", + "type": "string" + }, + "context": { + "description": "Additional context about the missing data or where it should come from (max 256 characters).", + "type": "string" + }, + "data_type": { + "description": "Type or description of the missing data or information (max 128 characters). Be specific about what data is needed.", + "type": "string" + }, + "reason": { + "description": "Explanation of why this data is needed to complete the task (max 256 characters).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "name": "missing_data" + }, + { + "description": "Create an autofix for a code scanning alert. Use this to provide automated fixes for security vulnerabilities detected by code scanning tools. The fix should contain the corrected code that resolves the security issue.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "alert_number": { + "description": "The security alert number to create an autofix for. This is the numeric ID from the code scanning alert (e.g., 42 in github.com/owner/repo/security/code-scanning/42).", + "type": [ + "number", + "string" + ] + }, + "fix_code": { + "description": "The code changes to apply as the autofix. This should be the corrected code that resolves the security vulnerability. Example for SQL injection fix: 'query = db.prepare(\"SELECT * FROM users WHERE id = ?\").bind(userId)'", + "type": "string" + }, + "fix_description": { + "description": "Clear description of the fix being applied. Explain what security issue is being resolved and how the fix addresses it. Example: 'Sanitize user input to prevent SQL injection by using parameterized queries instead of string concatenation.'", + "type": "string" + } + }, + "required": [ + "alert_number", + "fix_description", + "fix_code" + ], + "type": "object" + }, + "name": "autofix_code_scanning_alert" + } + ] + EOF + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' + { + "add_labels": { + "defaultMax": 5, + "fields": { + "item_number": { + "issueOrPRNumber": true + }, + "labels": { + "required": true, + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + } + } + }, + "missing_tool": { + "defaultMax": 20, + "fields": { + "alternatives": { + "type": "string", + "sanitize": true, + "maxLength": 512 + }, + "reason": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 256 + }, + "tool": { + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, + "noop": { + "defaultMax": 1, + "fields": { + "message": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + } + } + } + } + EOF + - name: Generate Safe Outputs MCP Server Config + id: safe-outputs-config + run: | + # Generate a secure random API key (360 bits of entropy, 40+ chars) + API_KEY="" + API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + PORT=3001 + + # Register API key as secret to mask it from logs + echo "::add-mask::${API_KEY}" + + # Set outputs for next steps + { + echo "safe_outputs_api_key=${API_KEY}" + echo "safe_outputs_port=${PORT}" + } >> "$GITHUB_OUTPUT" + + echo "Safe Outputs MCP server will run on port ${PORT}" + + - name: Start Safe Outputs MCP HTTP Server + id: safe-outputs-start + env: + DEBUG: '*' + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs + run: | + # Environment variables are set above to prevent template injection + export DEBUG + export GH_AW_SAFE_OUTPUTS_PORT + export GH_AW_SAFE_OUTPUTS_API_KEY + export GH_AW_SAFE_OUTPUTS_TOOLS_PATH + export GH_AW_SAFE_OUTPUTS_CONFIG_PATH + export GH_AW_MCP_LOG_DIR + + bash /opt/gh-aw/actions/start_safe_outputs_server.sh + + - name: Start MCP gateway + id: start-mcp-gateway + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} + GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} + GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} + GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -eo pipefail + mkdir -p /tmp/gh-aw/mcp-config + + # Export gateway environment variables for MCP config and gateway script + export MCP_GATEWAY_PORT="80" + export MCP_GATEWAY_DOMAIN="host.docker.internal" + MCP_GATEWAY_API_KEY="" + MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=') + export MCP_GATEWAY_API_KEY + export MCP_GATEWAY_PAYLOAD_DIR="/tmp/gh-aw/mcp-payloads" + mkdir -p "${MCP_GATEWAY_PAYLOAD_DIR}" + export DEBUG="*" + + # Register API key as secret to mask it from logs + echo "::add-mask::${MCP_GATEWAY_API_KEY}" + export GH_AW_ENGINE="copilot" + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.103' + + mkdir -p /home/runner/.copilot + cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh + { + "mcpServers": { + "github": { + "type": "stdio", + "container": "ghcr.io/github/github-mcp-server:v0.30.3", + "env": { + "GITHUB_LOCKDOWN_MODE": "$GITHUB_MCP_LOCKDOWN", + "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", + "GITHUB_READ_ONLY": "1", + "GITHUB_TOOLSETS": "context,repos,code_security,pull_requests" + } + }, + "safeoutputs": { + "type": "http", + "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", + "headers": { + "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + } + } + }, + "gateway": { + "port": $MCP_GATEWAY_PORT, + "domain": "${MCP_GATEWAY_DOMAIN}", + "apiKey": "${MCP_GATEWAY_API_KEY}", + "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" + } + } + MCPCONFIG_EOF + - name: Generate agentic run info + id: generate_aw_info + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const fs = require('fs'); + + const awInfo = { + engine_id: "copilot", + engine_name: "GitHub Copilot CLI", + model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", + version: "", + agent_version: "0.0.405", + workflow_name: "Security Fix PR", + experimental: false, + supports_tools_allowlist: true, + supports_http_transport: true, + run_id: context.runId, + run_number: context.runNumber, + run_attempt: process.env.GITHUB_RUN_ATTEMPT, + repository: context.repo.owner + '/' + context.repo.repo, + ref: context.ref, + sha: context.sha, + actor: context.actor, + event_name: context.eventName, + staged: false, + allowed_domains: ["defaults"], + firewall_enabled: true, + awf_version: "v0.13.7", + awmg_version: "v0.0.103", + steps: { + firewall: "squid" + }, + created_at: new Date().toISOString() + }; + + // Write to /tmp/gh-aw directory to avoid inclusion in PR + const tmpPath = '/tmp/gh-aw/aw_info.json'; + fs.writeFileSync(tmpPath, JSON.stringify(awInfo, null, 2)); + console.log('Generated aw_info.json at:', tmpPath); + console.log(JSON.stringify(awInfo, null, 2)); + + // Set model as output for reuse in other steps/jobs + core.setOutput('model', awInfo.model); + - name: Generate workflow overview + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); + await generateWorkflowOverview(core); + - name: Create prompt with built-in context + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + bash /opt/gh-aw/actions/create_prompt_first.sh + cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" + + PROMPT_EOF + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/markdown.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/cache_memory_prompt.md" >> "$GH_AW_PROMPT" + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + --- + + ## Repo Memory Locations Available + + You have access to persistent repo memory folders where you can read and write files that are stored in git branches: + + - **campaigns**: `/tmp/gh-aw/repo-memory/campaigns/` (branch: `memory/campaigns`) + + - **Read/Write Access**: You can freely read from and write to any files in these folders + - **Git Branch Storage**: Each memory is stored in its own git branch + - **Automatic Push**: Changes are automatically committed and pushed after the workflow completes + - **Merge Strategy**: In case of conflicts, your changes (current version) win + - **Persistence**: Files persist across workflow runs via git branch storage + + Examples of what you can store: + - `/tmp/gh-aw/repo-memory/notes.md` - general notes and observations + - `/tmp/gh-aw/repo-memory/state.json` - structured state data + - `/tmp/gh-aw/repo-memory/history/` - organized history files + + Feel free to create, read, update, and organize files in these folders as needed for your tasks. + + + GitHub API Access Instructions + + The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations. + + + To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. + + Discover available tools from the safeoutputs MCP server. + + **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. + + **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. + + + + The following GitHub context information is available for this workflow: + {{#if __GH_AW_GITHUB_ACTOR__ }} + - **actor**: __GH_AW_GITHUB_ACTOR__ + {{/if}} + {{#if __GH_AW_GITHUB_REPOSITORY__ }} + - **repository**: __GH_AW_GITHUB_REPOSITORY__ + {{/if}} + {{#if __GH_AW_GITHUB_WORKSPACE__ }} + - **workspace**: __GH_AW_GITHUB_WORKSPACE__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ }} + - **issue-number**: #__GH_AW_GITHUB_EVENT_ISSUE_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ }} + - **discussion-number**: #__GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ }} + - **pull-request-number**: #__GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER__ + {{/if}} + {{#if __GH_AW_GITHUB_EVENT_COMMENT_ID__ }} + - **comment-id**: __GH_AW_GITHUB_EVENT_COMMENT_ID__ + {{/if}} + {{#if __GH_AW_GITHUB_RUN_ID__ }} + - **workflow-run-id**: __GH_AW_GITHUB_RUN_ID__ + {{/if}} + + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + {{#runtime-import .github/workflows/security-fix-pr.md}} + PROMPT_EOF + - name: Substitute placeholders + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_CACHE_DESCRIPTION: ${{ '' }} + GH_AW_CACHE_DIR: ${{ '/tmp/gh-aw/cache-memory/' }} + GH_AW_GITHUB_ACTOR: ${{ github.actor }} + GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }} + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }} + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} + GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} + GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} + with: + script: | + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_CACHE_DESCRIPTION: process.env.GH_AW_CACHE_DESCRIPTION, + GH_AW_CACHE_DIR: process.env.GH_AW_CACHE_DIR, + GH_AW_GITHUB_ACTOR: process.env.GH_AW_GITHUB_ACTOR, + GH_AW_GITHUB_EVENT_COMMENT_ID: process.env.GH_AW_GITHUB_EVENT_COMMENT_ID, + GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: process.env.GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER, + GH_AW_GITHUB_EVENT_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_ISSUE_NUMBER, + GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, + GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, + GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, + GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE + } + }); + - name: Interpolate variables and render templates + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); + await main(); + - name: Validate prompt placeholders + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/validate_prompt_placeholders.sh + - name: Print prompt + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + run: bash /opt/gh-aw/actions/print_prompt_summary.sh + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + timeout-minutes: 20 + run: | + set -o pipefail + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + 2>&1 | tee /tmp/gh-aw/agent-stdio.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json + GH_AW_MODEL_AGENT_COPILOT: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Copy Copilot session state files to logs + if: always() + continue-on-error: true + run: | + # Copy Copilot session state files to logs folder for artifact collection + # This ensures they are in /tmp/gh-aw/ where secret redaction can scan them + SESSION_STATE_DIR="$HOME/.copilot/session-state" + LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs" + + if [ -d "$SESSION_STATE_DIR" ]; then + echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR" + mkdir -p "$LOGS_DIR" + cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true + echo "Session state files copied successfully" + else + echo "No session-state directory found at $SESSION_STATE_DIR" + fi + - name: Stop MCP gateway + if: always() + continue-on-error: true + env: + MCP_GATEWAY_PORT: ${{ steps.start-mcp-gateway.outputs.gateway-port }} + MCP_GATEWAY_API_KEY: ${{ steps.start-mcp-gateway.outputs.gateway-api-key }} + GATEWAY_PID: ${{ steps.start-mcp-gateway.outputs.gateway-pid }} + run: | + bash /opt/gh-aw/actions/stop_mcp_gateway.sh "$GATEWAY_PID" + - name: Redact secrets in logs + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); + await main(); + env: + GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' + SECRET_COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + SECRET_GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + SECRET_GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload Safe Outputs + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: safe-output + path: ${{ env.GH_AW_SAFE_OUTPUTS }} + if-no-files-found: warn + - name: Ingest agent output + id: collect_output + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GITHUB_SERVER_URL: ${{ github.server_url }} + GITHUB_API_URL: ${{ github.api_url }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); + await main(); + - name: Upload sanitized agent output + if: always() && env.GH_AW_AGENT_OUTPUT + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent-output + path: ${{ env.GH_AW_AGENT_OUTPUT }} + if-no-files-found: warn + - name: Upload engine output files + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent_outputs + path: | + /tmp/gh-aw/sandbox/agent/logs/ + /tmp/gh-aw/redacted-urls.log + if-no-files-found: ignore + - name: Parse agent logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); + await main(); + - name: Parse MCP gateway logs for step summary + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_mcp_gateway_log.cjs'); + await main(); + - name: Print firewall logs + if: always() + continue-on-error: true + env: + AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs + run: | + # Fix permissions on firewall logs so they can be uploaded as artifacts + # AWF runs with sudo, creating files owned by root + sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true + awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" + # Upload repo memory as artifacts for push job + - name: Upload repo-memory artifact (campaigns) + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: repo-memory-campaigns + path: /tmp/gh-aw/repo-memory/campaigns + retention-days: 1 + if-no-files-found: ignore + - name: Upload cache-memory data as artifact + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + if: always() + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Upload agent artifacts + if: always() + continue-on-error: true + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: agent-artifacts + path: | + /tmp/gh-aw/aw-prompts/prompt.txt + /tmp/gh-aw/aw_info.json + /tmp/gh-aw/mcp-logs/ + /tmp/gh-aw/sandbox/firewall/logs/ + /tmp/gh-aw/agent-stdio.log + /tmp/gh-aw/agent/ + if-no-files-found: ignore + + conclusion: + needs: + - activation + - agent + - detection + - push_repo_memory + - safe_outputs + - update_cache_memory + if: (always()) && (needs.agent.result != 'skipped') + runs-on: ubuntu-slim + permissions: + contents: read + discussions: write + issues: write + pull-requests: write + outputs: + noop_message: ${{ steps.noop.outputs.noop_message }} + tools_reported: ${{ steps.missing_tool.outputs.tools_reported }} + total_count: ${{ steps.missing_tool.outputs.total_count }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Debug job inputs + env: + COMMENT_ID: ${{ needs.activation.outputs.comment_id }} + COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + AGENT_CONCLUSION: ${{ needs.agent.result }} + run: | + echo "Comment ID: $COMMENT_ID" + echo "Comment Repo: $COMMENT_REPO" + echo "Agent Output Types: $AGENT_OUTPUT_TYPES" + echo "Agent Conclusion: $AGENT_CONCLUSION" + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process No-Op Messages + id: noop + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_NOOP_MAX: 1 + GH_AW_WORKFLOW_NAME: "Security Fix PR" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); + await main(); + - name: Record Missing Tool + id: missing_tool + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Security Fix PR" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); + await main(); + - name: Handle Agent Failure + id: handle_agent_failure + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_WORKFLOW_NAME: "Security Fix PR" + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.agent.outputs.secret_verification_result }} + GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); + await main(); + - name: Update reaction comment with completion status + id: conclusion + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }} + GH_AW_COMMENT_REPO: ${{ needs.activation.outputs.comment_repo }} + GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} + GH_AW_WORKFLOW_NAME: "Security Fix PR" + GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} + GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.result }} + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); + await main(); + + detection: + needs: agent + if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' + runs-on: ubuntu-latest + permissions: {} + concurrency: + group: "gh-aw-copilot-${{ github.workflow }}" + timeout-minutes: 10 + outputs: + success: ${{ steps.parse_results.outputs.success }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download agent artifacts + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-artifacts + path: /tmp/gh-aw/threat-detection/ + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/threat-detection/ + - name: Echo agent output types + env: + AGENT_OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }} + run: | + echo "Agent output-types: $AGENT_OUTPUT_TYPES" + - name: Setup threat detection + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + WORKFLOW_NAME: "Security Fix PR" + WORKFLOW_DESCRIPTION: "Identifies and automatically fixes code security issues by creating autofixes via GitHub Code Scanning" + HAS_PATCH: ${{ needs.agent.outputs.has_patch }} + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); + await main(); + - name: Ensure threat-detection directory and log + run: | + mkdir -p /tmp/gh-aw/threat-detection + touch /tmp/gh-aw/threat-detection/detection.log + - name: Validate COPILOT_GITHUB_TOKEN secret + id: validate-secret + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default + env: + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + - name: Install GitHub Copilot CLI + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 + - name: Execute GitHub Copilot CLI + id: agentic_execution + # Copilot CLI tool arguments (sorted): + # --allow-tool shell(cat) + # --allow-tool shell(grep) + # --allow-tool shell(head) + # --allow-tool shell(jq) + # --allow-tool shell(ls) + # --allow-tool shell(tail) + # --allow-tool shell(wc) + timeout-minutes: 20 + run: | + set -o pipefail + COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" + mkdir -p /tmp/ + mkdir -p /tmp/gh-aw/ + mkdir -p /tmp/gh-aw/agent/ + mkdir -p /tmp/gh-aw/sandbox/agent/logs/ + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool 'shell(cat)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(jq)' --allow-tool 'shell(ls)' --allow-tool 'shell(tail)' --allow-tool 'shell(wc)' --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} 2>&1 | tee /tmp/gh-aw/threat-detection/detection.log + env: + COPILOT_AGENT_RUNNER_TYPE: STANDALONE + COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} + GH_AW_MODEL_DETECTION_COPILOT: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }} + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GITHUB_HEAD_REF: ${{ github.head_ref }} + GITHUB_REF_NAME: ${{ github.ref_name }} + GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }} + GITHUB_WORKSPACE: ${{ github.workspace }} + XDG_CONFIG_HOME: /home/runner + - name: Parse threat detection results + id: parse_results + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); + await main(); + - name: Upload threat detection log + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: threat-detection.log + path: /tmp/gh-aw/threat-detection/detection.log + if-no-files-found: ignore + + pre_activation: + runs-on: ubuntu-slim + permissions: + contents: read + outputs: + activated: ${{ (steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true') }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Check team membership for workflow + id: check_membership + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_REQUIRED_ROLES: admin,maintainer,write + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); + await main(); + - name: Check skip-if-match query + id: check_skip_if_match + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_SKIP_QUERY: "is:pr is:open in:title \"[security-fix]\"" + GH_AW_WORKFLOW_NAME: "Security Fix PR" + GH_AW_SKIP_MAX_MATCHES: "1" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); + await main(); + + push_repo_memory: + needs: + - agent + - detection + if: always() && needs.detection.outputs.success == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + persist-credentials: false + sparse-checkout: . + - name: Configure Git credentials + env: + REPO_NAME: ${{ github.repository }} + SERVER_URL: ${{ github.server_url }} + run: | + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + # Re-authenticate git with GitHub token + SERVER_URL_STRIPPED="${SERVER_URL#https://}" + git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" + echo "Git configured with standard GitHub Actions identity" + - name: Download repo-memory artifact (campaigns) + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + continue-on-error: true + with: + name: repo-memory-campaigns + path: /tmp/gh-aw/repo-memory/campaigns + - name: Push repo-memory changes (campaigns) + if: always() + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_TOKEN: ${{ github.token }} + GITHUB_RUN_ID: ${{ github.run_id }} + ARTIFACT_DIR: /tmp/gh-aw/repo-memory/campaigns + MEMORY_ID: campaigns + TARGET_REPO: ${{ github.repository }} + BRANCH_NAME: memory/campaigns + MAX_FILE_SIZE: 10240 + MAX_FILE_COUNT: 100 + FILE_GLOB_FILTER: "security-alert-burndown/**" + with: + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); + await main(); + + safe_outputs: + needs: + - agent + - detection + if: ((!cancelled()) && (needs.agent.result != 'skipped')) && (needs.detection.outputs.success == 'true') + runs-on: ubuntu-slim + permissions: + contents: read + issues: write + pull-requests: write + timeout-minutes: 15 + env: + GH_AW_ENGINE_ID: "copilot" + GH_AW_WORKFLOW_ID: "security-fix-pr" + GH_AW_WORKFLOW_NAME: "Security Fix PR" + outputs: + create_discussion_error_count: ${{ steps.process_safe_outputs.outputs.create_discussion_error_count }} + create_discussion_errors: ${{ steps.process_safe_outputs.outputs.create_discussion_errors }} + process_safe_outputs_processed_count: ${{ steps.process_safe_outputs.outputs.processed_count }} + process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download agent output artifact + continue-on-error: true + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: agent-output + path: /tmp/gh-aw/safeoutputs/ + - name: Setup agent output environment variable + run: | + mkdir -p /tmp/gh-aw/safeoutputs/ + find "/tmp/gh-aw/safeoutputs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" + - name: Process Safe Outputs + id: process_safe_outputs + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_labels\":{\"allowed\":[\"agentic-campaign\",\"z_campaign_security-alert-burndown\"]},\"autofix_code_scanning_alert\":{\"max\":5},\"missing_data\":{},\"missing_tool\":{}}" + with: + github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} + script: | + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); + setupGlobals(core, github, context, exec, io); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); + await main(); + + update_cache_memory: + needs: + - agent + - detection + if: always() && needs.detection.outputs.success == 'true' + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout actions folder + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 + with: + sparse-checkout: | + actions + persist-credentials: false + - name: Setup Scripts + uses: ./actions/setup + with: + destination: /opt/gh-aw/actions + - name: Download cache-memory artifact (default) + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + continue-on-error: true + with: + name: cache-memory + path: /tmp/gh-aw/cache-memory + - name: Save cache-memory to cache (default) + uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: memory-${{ github.workflow }}-${{ github.run_id }} + path: /tmp/gh-aw/cache-memory + diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md new file mode 100644 index 0000000000..79d8ae47ba --- /dev/null +++ b/.github/workflows/security-fix-pr.md @@ -0,0 +1,168 @@ +--- +name: Security Fix PR +description: Identifies and automatically fixes code security issues by creating autofixes via GitHub Code Scanning +on: + workflow_dispatch: + inputs: + security_url: + description: 'Security alert URL (e.g., https://github.com/owner/repo/security/code-scanning/123)' + required: false + default: '' + skip-if-match: 'is:pr is:open in:title "[security-fix]"' +permissions: + contents: read + pull-requests: read + security-events: read +engine: copilot +tools: + github: + github-token: "${{ secrets.GITHUB_TOKEN }}" + toolsets: [context, repos, code_security, pull_requests] + repo-memory: + - id: campaigns + branch-name: memory/campaigns + file-glob: [security-alert-burndown/**] + cache-memory: +safe-outputs: + add-labels: + allowed: + - agentic-campaign + - z_campaign_security-alert-burndown + autofix-code-scanning-alert: + max: 5 +timeout-minutes: 20 +--- + +# Security Issue Autofix Agent + +You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning. + +## Important Guidelines + +**Tool Usage**: When using GitHub MCP tools: +- Always specify explicit parameter values: `owner` and `repo` parameters +- Do NOT attempt to reference GitHub context variables or placeholders +- Tool names use triple underscores: `github___` (e.g., `github___list_code_scanning_alerts`, `github___get_code_scanning_alert`) + +## Mission + +When triggered, you must: +0. **List previous autofixes**: Check the cache-memory to see if this alert has already been fixed recently +1. **Select Security Alert**: + - If a security URL was provided (`${{ github.event.inputs.security_url }}`), extract the alert number from the URL and use it directly + - Otherwise, list all open code scanning alerts and pick the first one +2. **Analyze the Issue**: Understand the security vulnerability and its context +3. **Generate a Fix**: Create a code autofix that addresses the security issue +4. **Submit Autofix**: Use the `autofix_code_scanning_alert` tool to submit the fix to GitHub Code Scanning + +## Current Context + +- **Repository**: ${{ github.repository }} +- **Triggered by**: @${{ github.actor }} +- **Security URL**: ${{ github.event.inputs.security_url }} + +## Workflow Steps + +### 1. Determine Alert Selection Method + +Check if a security URL was provided: +- **If security URL is provided** (`${{ github.event.inputs.security_url }}`): + - Extract the alert number from the URL (e.g., from `https://github.com/owner/repo/security/code-scanning/123`, extract `123`) + - Skip to step 2 to get the alert details directly +- **If no security URL is provided**: + - Use the GitHub API to list all open code scanning alerts + - Call `github___list_code_scanning_alerts` with the following parameters: + - `owner`: ${{ github.repository_owner }} + - `repo`: The repository name (extract from `${{ github.repository }}`) + - `state`: "open" + - `sort`: "created" (or use default sorting) + - Sort results by severity (critical/high first) if not already sorted + - Select the first alert from the list + - If no alerts exist, stop and report "No open security alerts found" + +### 2. Get Alert Details + +Get detailed information about the selected alert using `github___get_code_scanning_alert`: +- Call with parameters: + - `owner`: ${{ github.repository_owner }} + - `repo`: The repository name (extract from `${{ github.repository }}`) + - `alertNumber`: The alert number from step 1 +- Extract key information: + - Alert number + - Severity level + - Rule ID and description + - File path and line number + - Vulnerable code snippet + +### 3. Analyze the Vulnerability + +Understand the security issue: +- Read the affected file using `github___get_file_contents`: + - `owner`: ${{ github.repository_owner }} + - `repo`: The repository name (extract from `${{ github.repository }}`) + - `path`: The file path from the alert + - `ref`: Use the default branch or the ref where the alert was found +- Review the code context around the vulnerability +- Understand the root cause of the security issue +- Research the specific vulnerability type and best practices for fixing it + +### 4. Generate the Fix + +Create a code autofix to address the security issue: +- Develop a secure implementation that fixes the vulnerability +- Ensure the fix follows security best practices +- Make minimal, surgical changes to the code +- Prepare the complete fixed code for the vulnerable section + +### 5. Submit Autofix + +Use the `autofix_code_scanning_alert` tool to submit the fix: +- **alert_number**: The numeric ID of the code scanning alert +- **fix_description**: A clear description of what the fix does and why it addresses the vulnerability +- **fix_code**: The complete corrected code that resolves the security issue + +Example: +```jsonl +{"type": "autofix_code_scanning_alert", "alert_number": 123, "fix_description": "Fix SQL injection by using parameterized queries instead of string concatenation", "fix_code": "const query = db.prepare('SELECT * FROM users WHERE id = ?').bind(userId);"} +``` + +## Security Guidelines + +- **Minimal Changes**: Make only the changes necessary to fix the security issue +- **No Breaking Changes**: Ensure the fix doesn't break existing functionality +- **Best Practices**: Follow security best practices for the specific vulnerability type +- **Code Quality**: Maintain code readability and maintainability +- **Complete Code**: Provide the complete fixed code section, not just the changes + +## Autofix Format + +Your autofix should include: + +- **alert_number**: The numeric ID from the code scanning alert (e.g., 123) +- **fix_description**: A clear explanation including: + - What security vulnerability is being fixed + - How the fix addresses the issue + - What security best practices are being applied +- **fix_code**: The complete corrected code that resolves the vulnerability + +Example description format: +``` +Fix SQL injection vulnerability in user query by replacing string concatenation with parameterized query using prepared statements. This prevents malicious SQL from being injected through user input. +``` + +## Important Notes + +- **Multiple Alerts**: You can fix up to 5 alerts per run +- **Autofix API**: Use the `autofix_code_scanning_alert` tool to submit fixes directly to GitHub Code Scanning +- **No Execute**: Never execute untrusted code during analysis +- **Read-Only Analysis**: Use GitHub API tools to read code and understand vulnerabilities +- **Complete Code**: Provide the complete fixed code section, not incremental changes + +## Error Handling + +If any step fails: +- **No Alerts**: Log a message and exit gracefully +- **Read Error**: Report the error and skip to next available alert +- **Fix Generation**: Document why the fix couldn't be automated and move to the next alert + +Remember: Your goal is to provide secure, well-analyzed autofixes that address the root cause of vulnerabilities. Focus on quality and accuracy. diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 992caf8470..58f46a4b89 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -419,7 +419,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Security Guard Agent 🛡️", experimental: false, supports_tools_allowlist: true, @@ -890,7 +890,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 46d775b8b6..2de6cf7f3f 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -159,6 +159,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -216,7 +219,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -601,7 +604,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Security Review Agent 🔒", experimental: false, supports_tools_allowlist: true, @@ -1092,7 +1095,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 2f92d6fb24..c87ba03666 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -152,7 +152,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -515,7 +515,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Semantic Function Refactoring", experimental: false, supports_tools_allowlist: true, @@ -1130,7 +1130,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 0427cd271d..5e07bb15af 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -164,7 +164,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -468,7 +468,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Sergo - Serena Go Expert", experimental: false, supports_tools_allowlist: true, @@ -1103,7 +1103,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 6bb2ed9368..ee2e8033cd 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -169,7 +169,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -478,7 +478,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Slide Deck Maintainer", experimental: false, supports_tools_allowlist: true, @@ -1022,7 +1022,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 0e830f60a3..cabb94e516 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -157,6 +157,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -228,7 +231,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -1250,7 +1253,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Smoke Claude", experimental: false, supports_tools_allowlist: true, @@ -2051,7 +2054,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 2b54c97273..cf92ba35f2 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -195,7 +195,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1243,7 +1243,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Smoke Codex", experimental: false, supports_tools_allowlist: true, @@ -1820,7 +1820,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 4b32c05464..526af9a597 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -153,6 +153,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -216,7 +219,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1215,7 +1218,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Smoke Copilot", experimental: false, supports_tools_allowlist: true, @@ -1804,7 +1807,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index bd59574fd6..bbf9f96cc2 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -149,7 +149,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -779,7 +779,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.97.0", + agent_version: "0.98.0", workflow_name: "Smoke Project", experimental: false, supports_tools_allowlist: true, @@ -1340,7 +1340,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.97.0 + run: npm install -g --silent @openai/codex@0.98.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index a3cec76d55..4f7086d528 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -172,7 +172,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -447,7 +447,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Agent Container Smoke Test", experimental: false, supports_tools_allowlist: true, @@ -919,7 +919,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index cee34adcea..408056f090 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -226,7 +226,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Download container images @@ -557,7 +557,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Stale Repository Identifier", experimental: false, supports_tools_allowlist: true, @@ -1435,7 +1435,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 98ccfb856b..d0859cf463 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -126,6 +126,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -198,7 +201,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -520,7 +523,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Static Analysis Report", experimental: false, supports_tools_allowlist: true, @@ -1135,7 +1138,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index ae57728831..3b0006a0df 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -159,7 +159,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -468,7 +468,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Step Name Alignment", experimental: false, supports_tools_allowlist: true, @@ -1023,7 +1023,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index b7f4c5f987..ea569ec06f 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -139,7 +139,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -504,7 +504,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Sub-Issue Closer", experimental: false, supports_tools_allowlist: true, @@ -976,7 +976,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 53b144217f..b81c90d405 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -163,7 +163,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -476,7 +476,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Super Linter Report", experimental: false, supports_tools_allowlist: true, @@ -1033,7 +1033,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 0735513966..ae888d1c34 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -186,7 +186,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -552,7 +552,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Rebuild the documentation after making changes", experimental: false, supports_tools_allowlist: true, @@ -1570,7 +1570,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 6dd2798ba1..b246f60917 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -138,7 +138,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -438,7 +438,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Terminal Stylist", experimental: false, supports_tools_allowlist: true, @@ -912,7 +912,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 4828c5d0e3..cfc88ce96b 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -156,7 +156,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -454,7 +454,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Test Create PR Error Handling", experimental: false, supports_tools_allowlist: true, @@ -1008,7 +1008,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 0ba933df2d..c3b4df861d 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -134,7 +134,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -392,7 +392,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Test Dispatcher Workflow", experimental: false, supports_tools_allowlist: true, @@ -862,7 +862,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index b8ac8592ea..f41dbd9182 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -134,7 +134,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -623,7 +623,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Test Project URL Explicit Requirement", experimental: false, supports_tools_allowlist: true, @@ -1095,7 +1095,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 9a38b8ff77..fed9e2939c 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -127,7 +127,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -201,7 +201,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Test Workflow", experimental: false, supports_tools_allowlist: true, diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 7c65ae7c5f..9bbf5a3cb7 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -185,7 +185,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -535,7 +535,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Tidy", experimental: false, supports_tools_allowlist: true, @@ -1054,7 +1054,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index d7fa055688..002f5ce96e 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -151,7 +151,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -455,7 +455,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Typist - Go Type Analysis", experimental: false, supports_tools_allowlist: true, @@ -1072,7 +1072,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 26e79e9155..fb85781eef 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -144,7 +144,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -446,7 +446,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Ubuntu Actions Image Analyzer", experimental: false, supports_tools_allowlist: true, @@ -963,7 +963,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 65d6d8edc9..1d58a04775 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -204,7 +204,7 @@ jobs: - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -585,7 +585,7 @@ jobs: engine_name: "Claude Code", model: process.env.GH_AW_MODEL_AGENT_CLAUDE || "", version: "", - agent_version: "2.1.29", + agent_version: "2.1.34", workflow_name: "Documentation Unbloat", experimental: false, supports_tools_allowlist: true, @@ -1347,7 +1347,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.29 + run: npm install -g --silent @anthropic-ai/claude-code@2.1.34 - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 9bd7ec10dc..b33ecc373f 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -154,7 +154,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -467,7 +467,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Video Analysis Agent", experimental: false, supports_tools_allowlist: true, @@ -1088,7 +1088,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index da065fa85a..5b7f41c988 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -164,7 +164,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -485,7 +485,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Weekly Issue Summary", experimental: false, supports_tools_allowlist: true, @@ -1481,7 +1481,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index bb94af0c62..6f56cfcdf8 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -168,7 +168,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -543,7 +543,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Workflow Generator", experimental: false, supports_tools_allowlist: true, @@ -1025,7 +1025,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 6a3eaa6ad2..e36fade0c0 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -156,7 +156,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -594,7 +594,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Workflow Health Manager - Meta-Orchestrator", experimental: false, supports_tools_allowlist: true, @@ -1174,7 +1174,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 31a0e22664..8a1d6f1c3f 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -126,6 +126,9 @@ jobs: -ldflags "-s -w -X main.version=${VERSION}" \ -o dist/gh-aw-linux-amd64 \ ./cmd/gh-aw + # Copy binary to root for direct execution in user-defined steps + cp dist/gh-aw-linux-amd64 ./gh-aw + chmod +x ./gh-aw echo "✓ Built gh-aw CLI successfully" - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 @@ -172,7 +175,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -520,7 +523,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Workflow Normalizer", experimental: false, supports_tools_allowlist: true, @@ -1069,7 +1072,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index a800887726..6cf5bb2699 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -145,7 +145,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 - name: Determine automatic lockdown mode for GitHub MCP server @@ -510,7 +510,7 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", + agent_version: "0.0.405", workflow_name: "Workflow Skill Extractor", experimental: false, supports_tools_allowlist: true, @@ -1077,7 +1077,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): diff --git a/actions/setup/js/add_comment.cjs b/actions/setup/js/add_comment.cjs index 4e2a0f6ca2..a5d6cfef06 100644 --- a/actions/setup/js/add_comment.cjs +++ b/actions/setup/js/add_comment.cjs @@ -499,10 +499,88 @@ async function main(config = {}) { } catch (error) { const errorMessage = getErrorMessage(error); - // Check if this is a 404 error (discussion/issue was deleted) + // Check if this is a 404 error (discussion/issue was deleted or wrong type) // @ts-expect-error - Error handling with optional chaining const is404 = error?.status === 404 || errorMessage.includes("404") || errorMessage.toLowerCase().includes("not found"); + // If 404 and item_number was explicitly provided and we tried as issue/PR, + // retry as a discussion (the user may have provided a discussion number) + if (is404 && !isDiscussion && item.item_number !== undefined && item.item_number !== null) { + core.info(`Item #${itemNumber} not found as issue/PR, retrying as discussion...`); + + try { + // Try to find and comment on the discussion + const discussionQuery = ` + query($owner: String!, $repo: String!, $number: Int!) { + repository(owner: $owner, name: $repo) { + discussion(number: $number) { + id + } + } + } + `; + const queryResult = await github.graphql(discussionQuery, { + owner: repoParts.owner, + repo: repoParts.repo, + number: itemNumber, + }); + + const discussionId = queryResult?.repository?.discussion?.id; + if (!discussionId) { + throw new Error(`Discussion #${itemNumber} not found in ${itemRepo}`); + } + + core.info(`Found discussion #${itemNumber}, adding comment...`); + const comment = await commentOnDiscussion(github, repoParts.owner, repoParts.repo, itemNumber, processedBody, null); + + core.info(`Created comment on discussion: ${comment.html_url}`); + + // Add tracking metadata + const commentResult = { + id: comment.id, + html_url: comment.html_url, + _tracking: { + commentId: comment.id, + itemNumber: itemNumber, + repo: itemRepo, + isDiscussion: true, + }, + }; + + createdComments.push(commentResult); + + return { + success: true, + commentId: comment.id, + url: comment.html_url, + itemNumber: itemNumber, + repo: itemRepo, + isDiscussion: true, + }; + } catch (discussionError) { + const discussionErrorMessage = getErrorMessage(discussionError); + // @ts-expect-error - Error handling with optional chaining + const isDiscussion404 = discussionError?.status === 404 || discussionErrorMessage.toLowerCase().includes("not found"); + + if (isDiscussion404) { + // Neither issue/PR nor discussion found - truly doesn't exist + core.warning(`Target #${itemNumber} was not found as issue, PR, or discussion (may have been deleted): ${discussionErrorMessage}`); + return { + success: true, + warning: `Target not found: ${discussionErrorMessage}`, + skipped: true, + }; + } + + // Other error when trying as discussion + core.error(`Failed to add comment to discussion: ${discussionErrorMessage}`); + return { + success: false, + error: discussionErrorMessage, + }; + } + } + if (is404) { // Treat 404s as warnings - the target was deleted between execution and safe output processing core.warning(`Target was not found (may have been deleted): ${errorMessage}`); diff --git a/actions/setup/js/add_comment.test.cjs b/actions/setup/js/add_comment.test.cjs index d2bc6ea73a..71936283a3 100644 --- a/actions/setup/js/add_comment.test.cjs +++ b/actions/setup/js/add_comment.test.cjs @@ -745,4 +745,211 @@ describe("add_comment", () => { expect(errorCalls.length).toBeGreaterThan(0); }); }); + + describe("discussion fallback", () => { + it("should retry as discussion when item_number returns 404 as issue/PR", async () => { + const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8"); + + let infoCalls = []; + mockCore.info = msg => { + infoCalls.push(msg); + }; + + // Mock REST API to return 404 (not found as issue/PR) + mockGithub.rest.issues.createComment = async () => { + const error = new Error("Not Found"); + // @ts-ignore + error.status = 404; + throw error; + }; + + // Mock GraphQL to return discussion + let graphqlCalls = []; + mockGithub.graphql = async (query, vars) => { + graphqlCalls.push({ query, vars }); + + // First call is to check if discussion exists + if (query.includes("query") && query.includes("discussion(number:")) { + return { + repository: { + discussion: { + id: "D_kwDOTest789", + url: "https://github.com/owner/repo/discussions/14117", + }, + }, + }; + } + + // Second call is to add comment + if (query.includes("mutation") && query.includes("addDiscussionComment")) { + return { + addDiscussionComment: { + comment: { + id: "DC_kwDOTest999", + body: "Test comment", + createdAt: "2026-02-06T12:00:00Z", + url: "https://github.com/owner/repo/discussions/14117#discussioncomment-999", + }, + }, + }; + } + }; + + const handler = await eval(`(async () => { ${addCommentScript}; return await main({ target: 'triggering' }); })()`); + + const message = { + type: "add_comment", + item_number: 14117, + body: "Test comment on discussion", + }; + + const result = await handler(message, {}); + + expect(result.success).toBe(true); + expect(result.isDiscussion).toBe(true); + expect(result.itemNumber).toBe(14117); + expect(result.url).toContain("discussions/14117"); + + // Verify it logged the retry + const retryLog = infoCalls.find(msg => msg.includes("retrying as discussion")); + expect(retryLog).toBeTruthy(); + + const foundLog = infoCalls.find(msg => msg.includes("Found discussion")); + expect(foundLog).toBeTruthy(); + }); + + it("should return skipped when item_number not found as issue/PR or discussion", async () => { + const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8"); + + let warningCalls = []; + mockCore.warning = msg => { + warningCalls.push(msg); + }; + + // Mock REST API to return 404 + mockGithub.rest.issues.createComment = async () => { + const error = new Error("Not Found"); + // @ts-ignore + error.status = 404; + throw error; + }; + + // Mock GraphQL to also return 404 (discussion doesn't exist either) + mockGithub.graphql = async (query, vars) => { + if (query.includes("query") && query.includes("discussion(number:")) { + return { + repository: { + discussion: null, + }, + }; + } + }; + + const handler = await eval(`(async () => { ${addCommentScript}; return await main({ target: 'triggering' }); })()`); + + const message = { + type: "add_comment", + item_number: 99999, + body: "Test comment", + }; + + const result = await handler(message, {}); + + expect(result.success).toBe(true); + expect(result.skipped).toBe(true); + expect(result.warning).toContain("not found"); + + // Verify warning was logged + const notFoundWarning = warningCalls.find(msg => msg.includes("not found")); + expect(notFoundWarning).toBeTruthy(); + }); + + it("should not retry as discussion when 404 occurs without explicit item_number", async () => { + const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8"); + + let warningCalls = []; + mockCore.warning = msg => { + warningCalls.push(msg); + }; + + // Mock REST API to return 404 + mockGithub.rest.issues.createComment = async () => { + const error = new Error("Not Found"); + // @ts-ignore + error.status = 404; + throw error; + }; + + // GraphQL should not be called + let graphqlCalled = false; + mockGithub.graphql = async () => { + graphqlCalled = true; + throw new Error("GraphQL should not be called"); + }; + + const handler = await eval(`(async () => { ${addCommentScript}; return await main({ target: 'triggering' }); })()`); + + const message = { + type: "add_comment", + // No item_number - using target resolution + body: "Test comment", + }; + + const result = await handler(message, {}); + + expect(result.success).toBe(true); + expect(result.skipped).toBe(true); + expect(graphqlCalled).toBe(false); + + // Verify warning was logged + const notFoundWarning = warningCalls.find(msg => msg.includes("not found")); + expect(notFoundWarning).toBeTruthy(); + }); + + it("should not retry as discussion when already detected as discussion context", async () => { + const addCommentScript = fs.readFileSync(path.join(__dirname, "add_comment.cjs"), "utf8"); + + // Set discussion context + mockContext.eventName = "discussion"; + mockContext.payload = { + discussion: { + number: 100, + }, + }; + + let warningCalls = []; + mockCore.warning = msg => { + warningCalls.push(msg); + }; + + // Mock GraphQL to return 404 for discussion + let graphqlCallCount = 0; + mockGithub.graphql = async (query, vars) => { + graphqlCallCount++; + + if (query.includes("query") && query.includes("discussion(number:")) { + return { + repository: { + discussion: null, + }, + }; + } + }; + + const handler = await eval(`(async () => { ${addCommentScript}; return await main({ target: 'triggering' }); })()`); + + const message = { + type: "add_comment", + body: "Test comment", + }; + + const result = await handler(message, {}); + + expect(result.success).toBe(true); + expect(result.skipped).toBe(true); + + // Should only call GraphQL once (not retry) + expect(graphqlCallCount).toBe(1); + }); + }); }); diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx index 5d20cd6fb2..9ded2e3614 100644 --- a/docs/src/content/docs/agent-factory-status.mdx +++ b/docs/src/content/docs/agent-factory-status.mdx @@ -54,6 +54,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn, | [Daily Firewall Logs Collector and Reporter](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-firewall-report.md) | copilot | [![Daily Firewall Logs Collector and Reporter](https://github.com/github/gh-aw/actions/workflows/daily-firewall-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-firewall-report.lock.yml) | - | - | | [Daily Issues Report Generator](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-issues-report.md) | codex | [![Daily Issues Report Generator](https://github.com/github/gh-aw/actions/workflows/daily-issues-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-issues-report.lock.yml) | - | - | | [Daily Malicious Code Scan Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-malicious-code-scan.md) | copilot | [![Daily Malicious Code Scan Agent](https://github.com/github/gh-aw/actions/workflows/daily-malicious-code-scan.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-malicious-code-scan.lock.yml) | - | - | +| [Daily MCP Tool Concurrency Analysis](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-mcp-concurrency-analysis.md) | copilot | [![Daily MCP Tool Concurrency Analysis](https://github.com/github/gh-aw/actions/workflows/daily-mcp-concurrency-analysis.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-mcp-concurrency-analysis.lock.yml) | `0 9 * * 1-5` | - | | [Daily News](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-news.md) | copilot | [![Daily News](https://github.com/github/gh-aw/actions/workflows/daily-news.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-news.lock.yml) | `0 9 * * 1-5` | - | | [Daily Observability Report for AWF Firewall and MCP Gateway](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-observability-report.md) | codex | [![Daily Observability Report for AWF Firewall and MCP Gateway](https://github.com/github/gh-aw/actions/workflows/daily-observability-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-observability-report.lock.yml) | - | - | | [Daily Project Performance Summary Generator (Using Safe Inputs)](https://github.com/github/gh-aw/blob/main/.github/workflows/daily-performance-summary.md) | codex | [![Daily Project Performance Summary Generator (Using Safe Inputs)](https://github.com/github/gh-aw/actions/workflows/daily-performance-summary.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/daily-performance-summary.lock.yml) | - | - | diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index c8b2356069..740ceeff73 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -279,12 +279,12 @@ const DefaultMCPRegistryURL URL = "https://api.mcp.github.com/v0.1" const GitHubCopilotMCPDomain = "api.githubcopilot.com" // DefaultClaudeCodeVersion is the default version of the Claude Code CLI. -const DefaultClaudeCodeVersion Version = "2.1.29" +const DefaultClaudeCodeVersion Version = "2.1.34" // DefaultCopilotVersion is the default version of the GitHub Copilot CLI. // // WARNING: UPGRADING COPILOT CLI REQUIRES A FULL INTEGRATION TEST RUN TO ENSURE COMPATIBILITY. -const DefaultCopilotVersion Version = "0.0.403" +const DefaultCopilotVersion Version = "0.0.405" // DefaultCopilotDetectionModel is the default model for the Copilot engine when used in the detection job // Updated to gpt-5.1-codex-mini after gpt-5-mini deprecation on 2026-01-17 @@ -309,7 +309,7 @@ const ( ) // DefaultCodexVersion is the default version of the OpenAI Codex CLI -const DefaultCodexVersion Version = "0.97.0" +const DefaultCodexVersion Version = "0.98.0" // DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image const DefaultGitHubMCPServerVersion Version = "v0.30.3" @@ -358,7 +358,7 @@ var SerenaLanguageSupport = map[string][]string{ const DefaultSandboxRuntimeVersion Version = "0.0.34" // DefaultPlaywrightMCPVersion is the default version of the @playwright/mcp package -const DefaultPlaywrightMCPVersion Version = "0.0.63" +const DefaultPlaywrightMCPVersion Version = "0.0.64" // DefaultPlaywrightBrowserVersion is the default version of the Playwright browser Docker image const DefaultPlaywrightBrowserVersion Version = "v1.58.1" diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index a840ff2102..e21cdeb1d6 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -661,6 +661,9 @@ func (c *Compiler) generateDevModeCLIBuildSteps(yaml *strings.Builder) { yaml.WriteString(" -ldflags \"-s -w -X main.version=${VERSION}\" \\\n") yaml.WriteString(" -o dist/gh-aw-linux-amd64 \\\n") yaml.WriteString(" ./cmd/gh-aw\n") + yaml.WriteString(" # Copy binary to root for direct execution in user-defined steps\n") + yaml.WriteString(" cp dist/gh-aw-linux-amd64 ./gh-aw\n") + yaml.WriteString(" chmod +x ./gh-aw\n") yaml.WriteString(" echo \"✓ Built gh-aw CLI successfully\"\n") // Step 3: Setup Docker Buildx diff --git a/pkg/workflow/compiler_yaml_main_job_test.go b/pkg/workflow/compiler_yaml_main_job_test.go new file mode 100644 index 0000000000..709181c78c --- /dev/null +++ b/pkg/workflow/compiler_yaml_main_job_test.go @@ -0,0 +1,820 @@ +//go:build !integration + +package workflow + +import ( + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// TestParseRepositoryImportSpec tests parsing of repository import specifications +func TestParseRepositoryImportSpec(t *testing.T) { + tests := []struct { + name string + importSpec string + wantOwner string + wantRepo string + wantRef string + shouldBeZero bool + }{ + { + name: "full spec with ref", + importSpec: "owner/repo@branch", + wantOwner: "owner", + wantRepo: "repo", + wantRef: "branch", + }, + { + name: "spec without ref defaults to main", + importSpec: "owner/repo", + wantOwner: "owner", + wantRepo: "repo", + wantRef: "main", + }, + { + name: "spec with section reference", + importSpec: "owner/repo@v1.0.0#Section", + wantOwner: "owner", + wantRepo: "repo", + wantRef: "v1.0.0", + }, + { + name: "spec with sha ref", + importSpec: "owner/repo@abc123def456", + wantOwner: "owner", + wantRepo: "repo", + wantRef: "abc123def456", + }, + { + name: "invalid spec without slash", + importSpec: "invalid-spec", + shouldBeZero: true, + }, + { + name: "invalid spec with too many slashes", + importSpec: "owner/repo/extra/path@ref", + shouldBeZero: true, + }, + { + name: "spec with branch name containing slash", + importSpec: "owner/repo@feature/branch-name", + wantOwner: "owner", + wantRepo: "repo", + wantRef: "feature/branch-name", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + owner, repo, ref := parseRepositoryImportSpec(tt.importSpec) + + if tt.shouldBeZero { + assert.Empty(t, owner, "owner should be empty for invalid spec") + assert.Empty(t, repo, "repo should be empty for invalid spec") + } else { + assert.Equal(t, tt.wantOwner, owner, "owner mismatch") + assert.Equal(t, tt.wantRepo, repo, "repo mismatch") + assert.Equal(t, tt.wantRef, ref, "ref mismatch") + } + }) + } +} + +// TestSanitizeRefForPath tests sanitization of git refs for use in file paths +func TestSanitizeRefForPath(t *testing.T) { + tests := []struct { + name string + ref string + expected string + }{ + { + name: "simple branch name", + ref: "main", + expected: "main", + }, + { + name: "branch with slashes", + ref: "feature/my-feature", + expected: "feature-my-feature", + }, + { + name: "ref with colons", + ref: "refs:heads:main", + expected: "refs-heads-main", + }, + { + name: "ref with backslashes", + ref: "branch\\name", + expected: "branch-name", + }, + { + name: "complex ref with multiple special chars", + ref: "feature/test:branch\\name", + expected: "feature-test-branch-name", + }, + { + name: "tag ref", + ref: "v1.0.0", + expected: "v1.0.0", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := sanitizeRefForPath(tt.ref) + assert.Equal(t, tt.expected, result, "sanitized ref mismatch") + }) + } +} + +// TestGenerateRepositoryImportCheckouts tests generation of checkout steps for repository imports +func TestGenerateRepositoryImportCheckouts(t *testing.T) { + tests := []struct { + name string + repositoryImports []string + expectInOutput []string + notInOutput []string + }{ + { + name: "single repository import", + repositoryImports: []string{"github/example@main"}, + expectInOutput: []string{ + "- name: Checkout repository import github/example@main", + "repository: github/example", + "ref: main", + "path: .github/aw/imports/github-example-main", + "sparse-checkout: |", + ".github/", + "persist-credentials: false", + }, + }, + { + name: "multiple repository imports", + repositoryImports: []string{"owner1/repo1@v1.0", "owner2/repo2@main"}, + expectInOutput: []string{ + "Checkout repository import owner1/repo1@v1.0", + "repository: owner1/repo1", + "ref: v1.0", + "path: .github/aw/imports/owner1-repo1-v1.0", + "Checkout repository import owner2/repo2@main", + "repository: owner2/repo2", + "ref: main", + "path: .github/aw/imports/owner2-repo2-main", + }, + }, + { + name: "repository with branch containing slash", + repositoryImports: []string{"org/repo@feature/test-branch"}, + expectInOutput: []string{ + "Checkout repository import org/repo@feature/test-branch", + "repository: org/repo", + "ref: feature/test-branch", + "path: .github/aw/imports/org-repo-feature-test-branch", + }, + }, + { + name: "empty imports list", + repositoryImports: []string{}, + expectInOutput: []string{}, + notInOutput: []string{"Checkout repository import"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + var yaml strings.Builder + + compiler.generateRepositoryImportCheckouts(&yaml, tt.repositoryImports) + result := yaml.String() + + for _, expected := range tt.expectInOutput { + assert.Contains(t, result, expected, "output should contain %q", expected) + } + + for _, notExpected := range tt.notInOutput { + assert.NotContains(t, result, notExpected, "output should not contain %q", notExpected) + } + }) + } +} + +// TestGenerateLegacyAgentImportCheckout tests generation of checkout steps for legacy agent imports +// Note: The parser extracts only owner/repo from the spec, ignoring path components +func TestGenerateLegacyAgentImportCheckout(t *testing.T) { + tests := []struct { + name string + agentImportSpec string + expectInOutput []string + shouldGenerate bool + }{ + { + name: "basic legacy agent import - valid format", + agentImportSpec: "github/example@main", + expectInOutput: []string{ + "- name: Checkout agent import github/example@main", + "repository: github/example", + "ref: main", + "path: /tmp/gh-aw/repo-imports/github-example-main", + "sparse-checkout: |", + ".github/", + "persist-credentials: false", + }, + shouldGenerate: true, + }, + { + name: "legacy import with complex ref", + agentImportSpec: "org/repo@feature/branch", + expectInOutput: []string{ + "Checkout agent import org/repo@feature/branch", + "repository: org/repo", + "ref: feature/branch", + "path: /tmp/gh-aw/repo-imports/org-repo-feature-branch", + }, + shouldGenerate: true, + }, + { + name: "legacy import with path components - only owner/repo extracted", + agentImportSpec: "github/example/agents/test.md@main", + expectInOutput: []string{}, + shouldGenerate: false, // Parser rejects specs with more than 2 slash parts + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + var yaml strings.Builder + + compiler.generateLegacyAgentImportCheckout(&yaml, tt.agentImportSpec) + result := yaml.String() + + if tt.shouldGenerate { + for _, expected := range tt.expectInOutput { + assert.Contains(t, result, expected, "output should contain %q", expected) + } + } else { + assert.Empty(t, result, "should not generate output for invalid spec") + } + }) + } +} + +// TestGenerateDevModeCLIBuildSteps tests generation of dev mode CLI build steps +func TestGenerateDevModeCLIBuildSteps(t *testing.T) { + compiler := NewCompiler() + var yaml strings.Builder + + compiler.generateDevModeCLIBuildSteps(&yaml) + result := yaml.String() + + // Verify all required build steps are present + expectedSteps := []string{ + "- name: Setup Go for CLI build", + "uses: actions/setup-go@", + "go-version-file: go.mod", + "cache: true", + "- name: Build gh-aw CLI", + "mkdir -p dist", + "CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build", + "-o dist/gh-aw-linux-amd64", + "./cmd/gh-aw", + "- name: Setup Docker Buildx", + "uses: docker/setup-buildx-action@", + "- name: Build gh-aw Docker image", + "uses: docker/build-push-action@", + "context: .", + "platforms: linux/amd64", + "push: false", + "load: true", + "tags: localhost/gh-aw:dev", + "BINARY=dist/gh-aw-linux-amd64", + } + + for _, expected := range expectedSteps { + assert.Contains(t, result, expected, "dev mode build should contain %q", expected) + } +} + +// TestAddCustomStepsAsIs tests adding custom steps without modification +func TestAddCustomStepsAsIs(t *testing.T) { + tests := []struct { + name string + customSteps string + expectInOutput []string + notInOutput []string + }{ + { + name: "basic custom steps", + customSteps: `steps: + - name: Test Step + run: echo "test" + - name: Another Step + run: ls -la`, + expectInOutput: []string{ + "- name: Test Step", + `run: echo "test"`, + "- name: Another Step", + "run: ls -la", + }, + notInOutput: []string{ + "steps:", // Should be removed + }, + }, + { + name: "custom steps with empty lines", + customSteps: `steps: + - name: Step One + run: command1 + + - name: Step Two + run: command2`, + expectInOutput: []string{ + "- name: Step One", + "- name: Step Two", + }, + }, + { + name: "empty custom steps", + customSteps: "", + expectInOutput: []string{}, + }, + { + name: "single line after steps", + customSteps: `steps: + - run: echo "hello"`, + expectInOutput: []string{ + `- run: echo "hello"`, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + var yaml strings.Builder + + compiler.addCustomStepsAsIs(&yaml, tt.customSteps) + result := yaml.String() + + for _, expected := range tt.expectInOutput { + assert.Contains(t, result, expected, "output should contain %q", expected) + } + + for _, notExpected := range tt.notInOutput { + assert.NotContains(t, result, notExpected, "output should not contain %q", notExpected) + } + }) + } +} + +// TestAddCustomStepsWithRuntimeInsertion tests adding custom steps with runtime insertion +func TestAddCustomStepsWithRuntimeInsertion(t *testing.T) { + tests := []struct { + name string + customSteps string + runtimeSetupSteps []GitHubActionStep + tools *ToolsConfig + expectInOutput []string + expectStepOrder []string + notInOutput []string + insertionHappened bool + }{ + { + name: "insert runtime after checkout", + customSteps: `steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Build + run: make build`, + runtimeSetupSteps: []GitHubActionStep{ + {" - name: Setup Node.js", " uses: actions/setup-node@v4", " with:", " node-version: '20'"}, + }, + tools: &ToolsConfig{}, + expectInOutput: []string{ + "- name: Checkout code", + "uses: actions/checkout@v4", + "- name: Setup Node.js", + "uses: actions/setup-node@v4", + "node-version: '20'", + "- name: Build", + "run: make build", + }, + expectStepOrder: []string{ + "Checkout code", + "Setup Node.js", + "Build", + }, + insertionHappened: true, + }, + { + name: "no insertion when checkout not found", + customSteps: `steps: + - name: Build + run: make build + - name: Test + run: make test`, + runtimeSetupSteps: []GitHubActionStep{ + {" - name: Setup Node.js", " uses: actions/setup-node@v4"}, + }, + tools: &ToolsConfig{}, + expectInOutput: []string{ + "- name: Build", + "- name: Test", + }, + notInOutput: []string{ + "Setup Node.js", // Should not be inserted since no checkout + }, + insertionHappened: false, + }, + { + name: "checkout with uses on same line - not detected as checkout", + customSteps: `steps: + - uses: actions/checkout@v4 + - name: Build + run: make build`, + runtimeSetupSteps: []GitHubActionStep{ + {" - name: Setup Go", " uses: actions/setup-go@v5"}, + }, + tools: &ToolsConfig{}, + expectInOutput: []string{ + "- uses: actions/checkout@v4", + "- name: Build", + }, + notInOutput: []string{ + "Setup Go", // Won't be inserted - function doesn't detect "- uses:" as checkout + }, + insertionHappened: false, + }, + { + name: "multiple runtime steps inserted", + customSteps: `steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Deploy + run: deploy.sh`, + runtimeSetupSteps: []GitHubActionStep{ + {" - name: Setup Node.js", " uses: actions/setup-node@v4"}, + {" - name: Setup Python", " uses: actions/setup-python@v5"}, + }, + tools: &ToolsConfig{}, + expectInOutput: []string{ + "- name: Checkout", + "- name: Setup Node.js", + "- name: Setup Python", + "- name: Deploy", + }, + expectStepOrder: []string{ + "Checkout", + "Setup Node.js", + "Setup Python", + "Deploy", + }, + insertionHappened: true, + }, + { + name: "empty runtime steps", + customSteps: `steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Build + run: make build`, + runtimeSetupSteps: []GitHubActionStep{}, + tools: &ToolsConfig{}, + expectInOutput: []string{ + "- name: Checkout", + "- name: Build", + }, + insertionHappened: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + var yaml strings.Builder + + compiler.addCustomStepsWithRuntimeInsertion(&yaml, tt.customSteps, tt.runtimeSetupSteps, tt.tools) + result := yaml.String() + + for _, expected := range tt.expectInOutput { + assert.Contains(t, result, expected, "output should contain %q", expected) + } + + for _, notExpected := range tt.notInOutput { + assert.NotContains(t, result, notExpected, "output should not contain %q", notExpected) + } + + // Verify step ordering if specified + if len(tt.expectStepOrder) > 0 { + lastPos := -1 + for _, step := range tt.expectStepOrder { + pos := strings.Index(result, step) + if tt.insertionHappened { + assert.NotEqual(t, -1, pos, "step %q should be present", step) + if lastPos != -1 { + assert.Greater(t, pos, lastPos, "step %q should appear after previous step", step) + } + lastPos = pos + } + } + } + }) + } +} + +// TestGenerateMainJobSteps tests the main job steps generation orchestration +func TestGenerateMainJobSteps(t *testing.T) { + tests := []struct { + name string + setupData func() *WorkflowData + setupCompiler func(*Compiler) + expectInOutput []string + shouldError bool + errorContains string + }{ + { + name: "basic workflow with copilot engine", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + }, + setupCompiler: func(c *Compiler) { + // Basic setup + }, + expectInOutput: []string{ + "- name: Checkout repository", + "persist-credentials: false", + "- name: Create gh-aw temp directory", + "run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh", + }, + shouldError: false, + }, + { + name: "workflow with repository imports", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + RepositoryImports: []string{"github/example@main"}, + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + }, + expectInOutput: []string{ + "- name: Checkout repository", + "- name: Checkout repository import github/example@main", + "repository: github/example", + "- name: Merge remote .github folder", + "GH_AW_REPOSITORY_IMPORTS:", + }, + shouldError: false, + }, + { + name: "workflow with custom steps", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + CustomSteps: `steps: + - name: Custom Build + run: make build`, + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + }, + expectInOutput: []string{ + "- name: Checkout repository", + "- name: Custom Build", + "run: make build", + }, + shouldError: false, + }, + { + name: "workflow with safe outputs", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + SafeOutputs: &SafeOutputsConfig{ + CreatePullRequests: &CreatePullRequestsConfig{}, + }, + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + }, + expectInOutput: []string{ + "- name: Checkout repository", + "/tmp/gh-aw/aw.patch", // Git patch path should be collected + }, + shouldError: false, + }, + { + name: "workflow with legacy agent import", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + AgentFile: "test-agent.md", + AgentImportSpec: "github/example@main", // Parser only handles owner/repo format + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + }, + expectInOutput: []string{ + "- name: Checkout agent import github/example@main", + "path: /tmp/gh-aw/repo-imports/github-example-main", + "- name: Merge remote .github folder", + "GH_AW_AGENT_FILE:", + "GH_AW_AGENT_IMPORT_SPEC:", + }, + shouldError: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + compiler.stepOrderTracker = NewStepOrderTracker() + + if tt.setupCompiler != nil { + tt.setupCompiler(compiler) + } + + data := tt.setupData() + var yaml strings.Builder + + err := compiler.generateMainJobSteps(&yaml, data) + + if tt.shouldError { + require.Error(t, err, "expected error but got none") + if tt.errorContains != "" { + assert.Contains(t, err.Error(), tt.errorContains, "error message mismatch") + } + } else { + require.NoError(t, err, "unexpected error: %v", err) + result := yaml.String() + + for _, expected := range tt.expectInOutput { + assert.Contains(t, result, expected, "output should contain %q", expected) + } + } + }) + } +} + +// TestGenerateMainJobStepsWithDevMode tests dev mode CLI build steps integration +func TestGenerateMainJobStepsWithDevMode(t *testing.T) { + compiler := NewCompiler() + compiler.actionMode = ActionModeDev + compiler.stepOrderTracker = NewStepOrderTracker() + + data := &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + Tools: map[string]any{ + "agentic-workflows": map[string]any{}, + }, + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + + var yaml strings.Builder + err := compiler.generateMainJobSteps(&yaml, data) + + require.NoError(t, err, "generateMainJobSteps should not error in dev mode") + result := yaml.String() + + // Verify dev mode build steps are included + expectedDevModeSteps := []string{ + "- name: Setup Go for CLI build", + "- name: Build gh-aw CLI", + "- name: Setup Docker Buildx", + "- name: Build gh-aw Docker image", + "tags: localhost/gh-aw:dev", + } + + for _, expected := range expectedDevModeSteps { + assert.Contains(t, result, expected, "dev mode should include %q", expected) + } +} + +// TestGenerateMainJobStepsStepOrdering tests step ordering validation +func TestGenerateMainJobStepsStepOrdering(t *testing.T) { + compiler := NewCompiler() + compiler.stepOrderTracker = NewStepOrderTracker() + + data := &WorkflowData{ + Name: "Test Workflow", + AI: "copilot", + MarkdownContent: "Test prompt", + EngineConfig: &EngineConfig{ + ID: "copilot", + }, + ParsedTools: &ToolsConfig{}, + } + + var yaml strings.Builder + err := compiler.generateMainJobSteps(&yaml, data) + + // Should not error - step ordering should be valid + require.NoError(t, err, "step ordering validation should pass") +} + +// TestShouldAddCheckoutStepEdgeCases tests edge cases for checkout step detection +func TestShouldAddCheckoutStepEdgeCases(t *testing.T) { + tests := []struct { + name string + setupData func() *WorkflowData + setupCompiler func(*Compiler) + expectCheckout bool + }{ + { + name: "checkout needed in dev mode (default)", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test", + } + }, + expectCheckout: true, + }, + { + name: "no checkout in release mode without agent file", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test", + } + }, + setupCompiler: func(c *Compiler) { + c.actionMode = ActionModeRelease + }, + expectCheckout: false, + }, + { + name: "checkout required when agent file specified", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test", + AgentFile: "custom-agent.md", + } + }, + setupCompiler: func(c *Compiler) { + c.actionMode = ActionModeRelease + }, + expectCheckout: true, + }, + { + name: "no checkout when custom steps contain checkout", + setupData: func() *WorkflowData { + return &WorkflowData{ + Name: "Test", + CustomSteps: `steps: + - name: Checkout + uses: actions/checkout@v4`, + } + }, + expectCheckout: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := NewCompiler() + if tt.setupCompiler != nil { + tt.setupCompiler(compiler) + } + + data := tt.setupData() + result := compiler.shouldAddCheckoutStep(data) + + assert.Equal(t, tt.expectCheckout, result, "checkout detection mismatch") + }) + } +} diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index 90d1cbe261..153045fdc8 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -285,6 +285,14 @@ This workflow tests that agentic-workflows uses the correct container in dev mod } } + // Verify binary copy step for user-defined steps that execute ./gh-aw + if !strings.Contains(string(lockContent), "cp dist/gh-aw-linux-amd64 ./gh-aw") { + t.Error("Expected 'cp dist/gh-aw-linux-amd64 ./gh-aw' in dev mode build step") + } + if !strings.Contains(string(lockContent), "chmod +x ./gh-aw") { + t.Error("Expected 'chmod +x ./gh-aw' in dev mode build step") + } + // Verify NO entrypoint field (uses container's default ENTRYPOINT) if strings.Contains(string(lockContent), `"entrypoint"`) { t.Error("Did not expect entrypoint field in dev mode (uses container's ENTRYPOINT)")