From d98d005660f55d9d15804ee5a0e0b764ea5a71a3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:35:15 +0000 Subject: [PATCH 1/7] Initial plan From b80d30ce7a2e9fef04744678bcaac458221c6b73 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:41:14 +0000 Subject: [PATCH 2/7] Initial plan: Remove anonymous bash tool syntax support Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/daily-cli-tools-tester.lock.yml | 8 ++++---- .github/workflows/dependabot-project-manager.lock.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index b8b3d5a1b0..f87c36718a 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -173,7 +173,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -185,7 +185,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -535,7 +535,7 @@ jobs: staged: false, allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" @@ -681,7 +681,7 @@ jobs: timeout-minutes: 60 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 327bed5682..6115e810a1 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml @@ -140,7 +140,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -152,7 +152,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -751,7 +751,7 @@ jobs: staged: false, allowed_domains: ["defaults","github"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" @@ -913,7 +913,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq *)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: From dad871f20ef52a78acda0bac07ba9f7955507c49 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:44:55 +0000 Subject: [PATCH 3/7] Add validation and codemod for anonymous bash tool syntax Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/codemod_bash_anonymous.go | 121 +++++++++++++ pkg/cli/codemod_bash_anonymous_test.go | 238 +++++++++++++++++++++++++ pkg/cli/fix_codemods.go | 1 + pkg/workflow/compiler.go | 6 + pkg/workflow/tools_parser.go | 24 ++- pkg/workflow/tools_validation.go | 29 +++ pkg/workflow/tools_validation_test.go | 155 ++++++++++++++++ 7 files changed, 571 insertions(+), 3 deletions(-) create mode 100644 pkg/cli/codemod_bash_anonymous.go create mode 100644 pkg/cli/codemod_bash_anonymous_test.go create mode 100644 pkg/workflow/tools_validation.go create mode 100644 pkg/workflow/tools_validation_test.go diff --git a/pkg/cli/codemod_bash_anonymous.go b/pkg/cli/codemod_bash_anonymous.go new file mode 100644 index 0000000000..0dbaeae31e --- /dev/null +++ b/pkg/cli/codemod_bash_anonymous.go @@ -0,0 +1,121 @@ +//go:build !integration + +package cli + +import "github.com/github/gh-aw/pkg/logger" + +var bashAnonymousCodemodLog = logger.New("cli:codemod_bash_anonymous") + +// getBashAnonymousRemovalCodemod creates a codemod for removing anonymous bash tool syntax +func getBashAnonymousRemovalCodemod() Codemod { + return Codemod{ + ID: "bash-anonymous-removal", + Name: "Replace anonymous bash tool syntax with explicit false", + Description: "Replaces 'bash:' (anonymous/nil syntax) with 'bash: false' to make configuration explicit", + IntroducedIn: "0.9.0", + Apply: func(content string, frontmatter map[string]any) (string, bool, error) { + // Check if tools.bash exists + toolsValue, hasTools := frontmatter["tools"] + if !hasTools { + return content, false, nil + } + + toolsMap, ok := toolsValue.(map[string]any) + if !ok { + return content, false, nil + } + + // Check if bash field exists and is nil + bashValue, hasBash := toolsMap["bash"] + if !hasBash { + return content, false, nil + } + + // Only modify if bash is nil (anonymous syntax) + if bashValue != nil { + return content, false, nil + } + + // Parse frontmatter to get raw lines + frontmatterLines, markdown, err := parseFrontmatterLines(content) + if err != nil { + return content, false, err + } + + // Replace the bash field from anonymous to explicit false + modifiedLines, modified := replaceBashAnonymousWithFalse(frontmatterLines) + if !modified { + return content, false, nil + } + + // Reconstruct the content + newContent := reconstructContent(modifiedLines, markdown) + bashAnonymousCodemodLog.Print("Applied bash anonymous removal, replaced with 'bash: false'") + return newContent, true, nil + }, + } +} + +// replaceBashAnonymousWithFalse replaces 'bash:' with 'bash: false' in the tools block +func replaceBashAnonymousWithFalse(lines []string) ([]string, bool) { + var result []string + var modified bool + var inToolsBlock bool + var toolsIndent string + + for _, line := range lines { + trimmedLine := line + + // Trim to check content but preserve original spacing + trimmed := trimLine(trimmedLine) + + // Track if we're in the tools block + if trimmed == "tools:" { + inToolsBlock = true + toolsIndent = getIndentation(line) + result = append(result, line) + continue + } + + // Check if we've left the tools block + if inToolsBlock && len(trimmed) > 0 && !startsWith(trimmed, "#") { + if hasExitedBlock(line, toolsIndent) { + inToolsBlock = false + } + } + + // Replace bash: with bash: false if in tools block + if inToolsBlock && (trimmed == "bash:" || startsWith(trimmed, "bash: ")) { + // Check if it's just 'bash:' with nothing after the colon + if trimmed == "bash:" { + indent := getIndentation(line) + result = append(result, indent+"bash: false") + modified = true + bashAnonymousCodemodLog.Printf("Replaced 'bash:' with 'bash: false'") + continue + } + } + + result = append(result, line) + } + + return result, modified +} + +// Helper function to trim whitespace +func trimLine(s string) string { + start := 0 + for start < len(s) && (s[start] == ' ' || s[start] == '\t') { + start++ + } + end := len(s) + for end > start && (s[end-1] == ' ' || s[end-1] == '\t' || s[end-1] == '\n' || s[end-1] == '\r') { + end-- + } + return s[start:end] +} + +// Helper function to check if string starts with prefix +func startsWith(s, prefix string) bool { + return len(s) >= len(prefix) && s[:len(prefix)] == prefix +} diff --git a/pkg/cli/codemod_bash_anonymous_test.go b/pkg/cli/codemod_bash_anonymous_test.go new file mode 100644 index 0000000000..d49f0022da --- /dev/null +++ b/pkg/cli/codemod_bash_anonymous_test.go @@ -0,0 +1,238 @@ +//go:build !integration + +package cli + +import ( + "strings" + "testing" + + "github.com/github/gh-aw/pkg/parser" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestBashAnonymousRemovalCodemod(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + tests := []struct { + name string + input string + expectApply bool + expectError bool + }{ + { + name: "replaces anonymous bash with bash: false", + input: `--- +name: Test Workflow +tools: + bash: + github: +--- +# Test workflow`, + expectApply: true, + }, + { + name: "does not modify bash: true", + input: `--- +name: Test Workflow +tools: + bash: true + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify bash: false", + input: `--- +name: Test Workflow +tools: + bash: false + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify bash with array", + input: `--- +name: Test Workflow +tools: + bash: ["echo", "ls"] + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify when bash is not present", + input: `--- +name: Test Workflow +tools: + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify when tools is not present", + input: `--- +name: Test Workflow +--- +# Test workflow`, + expectApply: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Parse frontmatter to get the map + result, err := parser.ExtractFrontmatterFromContent(tt.input) + require.NoError(t, err, "Failed to parse test input frontmatter") + + // Apply the codemod + output, applied, err := codemod.Apply(tt.input, result.Frontmatter) + + if tt.expectError { + assert.Error(t, err) + return + } + + require.NoError(t, err) + assert.Equal(t, tt.expectApply, applied, "Applied status mismatch") + + if tt.expectApply { + // Verify the output contains the replacement + assert.Contains(t, output, "bash: false", "Output should contain 'bash: false'") + assert.NotContains(t, output, "bash:\n", "Output should not contain anonymous bash:") + assert.NotContains(t, output, "bash: \n", "Output should not contain bash with space") + + // Verify the markdown body is preserved + assert.Contains(t, output, "# Test workflow", "Markdown body should be preserved") + } else { + // If not applied, output should be unchanged + assert.Equal(t, tt.input, output, "Output should be unchanged when not applied") + } + }) + } +} + +func TestBashAnonymousCodemodWithComments(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + input := `--- +name: Test Workflow +tools: + # Enable bash + bash: + github: +--- +# Test workflow` + + result, err := parser.ExtractFrontmatterFromContent(input) + require.NoError(t, err) + + output, applied, err := codemod.Apply(input, result.Frontmatter) + require.NoError(t, err) + assert.True(t, applied, "Should apply when bash: is present") + assert.Contains(t, output, "bash: false", "Should replace with bash: false") + assert.Contains(t, output, "# Enable bash", "Should preserve comments") +} + +func TestBashAnonymousCodemodPreservesIndentation(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + input := `--- +name: Test Workflow +tools: + bash: + github: + mode: remote +--- +# Test workflow` + + result, err := parser.ExtractFrontmatterFromContent(input) + require.NoError(t, err) + + output, applied, err := codemod.Apply(input, result.Frontmatter) + require.NoError(t, err) + assert.True(t, applied, "Should apply") + + // Check indentation is preserved + lines := strings.Split(output, "\n") + var foundBash bool + for _, line := range lines { + if strings.Contains(line, "bash: false") { + foundBash = true + // Should have 2-space indentation + assert.True(t, strings.HasPrefix(line, " bash: false"), "Should have proper indentation") + } + } + assert.True(t, foundBash, "Should find bash: false in output") +} + +func TestReplaceBashAnonymousWithFalse(t *testing.T) { + tests := []struct { + name string + lines []string + expectLines []string + modified bool + }{ + { + name: "replaces bash: in tools block", + lines: []string{ + "name: Test", + "tools:", + " bash:", + " github:", + }, + expectLines: []string{ + "name: Test", + "tools:", + " bash: false", + " github:", + }, + modified: true, + }, + { + name: "does not modify outside tools block", + lines: []string{ + "name: Test", + "bash:", + "tools:", + " github:", + }, + expectLines: []string{ + "name: Test", + "bash:", + "tools:", + " github:", + }, + modified: false, + }, + { + name: "does not modify bash with value", + lines: []string{ + "name: Test", + "tools:", + " bash: true", + " github:", + }, + expectLines: []string{ + "name: Test", + "tools:", + " bash: true", + " github:", + }, + modified: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, modified := replaceBashAnonymousWithFalse(tt.lines) + assert.Equal(t, tt.modified, modified, "Modified status mismatch") + assert.Equal(t, tt.expectLines, result, "Output lines mismatch") + }) + } +} diff --git a/pkg/cli/fix_codemods.go b/pkg/cli/fix_codemods.go index 9b49ea2158..c323d241b1 100644 --- a/pkg/cli/fix_codemods.go +++ b/pkg/cli/fix_codemods.go @@ -34,5 +34,6 @@ func GetAllCodemods() []Codemod { getDiscussionFlagRemovalCodemod(), getMCPModeToTypeCodemod(), getInstallScriptURLCodemod(), + getBashAnonymousRemovalCodemod(), // Replace bash: with bash: false } } diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index ea2d80e046..8cfa340efe 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go @@ -180,6 +180,12 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath return formatCompilerError(markdownPath, "error", err.Error()) } + // Validate bash tool configuration + log.Printf("Validating bash tool configuration") + if err := validateBashToolConfig(workflowData.ParsedTools, workflowData.Name); err != nil { + return formatCompilerError(markdownPath, "error", err.Error()) + } + // Validate safe-outputs target configuration log.Printf("Validating safe-outputs target fields") if err := validateSafeOutputsTarget(workflowData.SafeOutputs); err != nil { diff --git a/pkg/workflow/tools_parser.go b/pkg/workflow/tools_parser.go index 26758d4419..f5fea96142 100644 --- a/pkg/workflow/tools_parser.go +++ b/pkg/workflow/tools_parser.go @@ -84,6 +84,10 @@ func NewTools(toolsMap map[string]any) *Tools { } if val, exists := toolsMap["bash"]; exists { tools.Bash = parseBashTool(val) + // Check if parsing returned nil - this indicates invalid configuration + if tools.Bash == nil { + toolsParserLog.Print("Warning: bash tool configuration is invalid (nil/anonymous syntax not supported)") + } } if val, exists := toolsMap["web-fetch"]; exists { tools.WebFetch = parseWebFetchTool(val) @@ -241,8 +245,21 @@ func parseGitHubTool(val any) *GitHubToolConfig { // parseBashTool converts raw bash tool configuration to BashToolConfig func parseBashTool(val any) *BashToolConfig { if val == nil { - // nil means all commands allowed - return &BashToolConfig{} + // nil is no longer supported - return nil to indicate invalid configuration + // The compiler will handle this as a validation error + return nil + } + + // Handle boolean values + if boolVal, ok := val.(bool); ok { + if boolVal { + // bash: true means all commands allowed + return &BashToolConfig{} + } + // bash: false means explicitly disabled + return &BashToolConfig{ + AllowedCommands: []string{}, // Empty slice indicates explicitly disabled + } } // Handle array of allowed commands @@ -258,7 +275,8 @@ func parseBashTool(val any) *BashToolConfig { return config } - return &BashToolConfig{} + // Invalid configuration + return nil } // parsePlaywrightTool converts raw playwright tool configuration to PlaywrightToolConfig diff --git a/pkg/workflow/tools_validation.go b/pkg/workflow/tools_validation.go new file mode 100644 index 0000000000..c2cc237fdc --- /dev/null +++ b/pkg/workflow/tools_validation.go @@ -0,0 +1,29 @@ +//go:build !integration + +package workflow + +import ( + "fmt" + + "github.com/github/gh-aw/pkg/logger" +) + +var toolsValidationLog = logger.New("workflow:tools_validation") + +// validateBashToolConfig validates that bash tool configuration is explicit (not nil/anonymous) +func validateBashToolConfig(tools *Tools, workflowName string) error { + if tools == nil { + return nil + } + + // Check if bash is present in the raw map but Bash field is nil + // This indicates the anonymous syntax (bash:) was used + if rawMap := tools.ToMap(); rawMap != nil { + if _, hasBash := rawMap["bash"]; hasBash && tools.Bash == nil { + toolsValidationLog.Printf("Invalid bash tool configuration in workflow: %s", workflowName) + return fmt.Errorf("invalid bash tool configuration: anonymous syntax 'bash:' is not supported. Use 'bash: true' (enable all commands), 'bash: false' (disable), or 'bash: [\"cmd1\", \"cmd2\"]' (specific commands). Run 'gh aw fix' to automatically migrate") + } + } + + return nil +} diff --git a/pkg/workflow/tools_validation_test.go b/pkg/workflow/tools_validation_test.go new file mode 100644 index 0000000000..1cfff8da1b --- /dev/null +++ b/pkg/workflow/tools_validation_test.go @@ -0,0 +1,155 @@ +//go:build !integration + +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestValidateBashToolConfig(t *testing.T) { + tests := []struct { + name string + toolsMap map[string]any + shouldError bool + errorMsg string + }{ + { + name: "nil tools config is valid", + toolsMap: nil, + shouldError: false, + }, + { + name: "no bash tool is valid", + toolsMap: map[string]any{"github": nil}, + shouldError: false, + }, + { + name: "bash: true is valid", + toolsMap: map[string]any{"bash": true}, + shouldError: false, + }, + { + name: "bash: false is valid", + toolsMap: map[string]any{"bash": false}, + shouldError: false, + }, + { + name: "bash with array is valid", + toolsMap: map[string]any{"bash": []any{"echo", "ls"}}, + shouldError: false, + }, + { + name: "bash with wildcard is valid", + toolsMap: map[string]any{"bash": []any{"*"}}, + shouldError: false, + }, + { + name: "anonymous bash (nil) is invalid", + toolsMap: map[string]any{"bash": nil}, + shouldError: true, + errorMsg: "anonymous syntax 'bash:' is not supported", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tools := NewTools(tt.toolsMap) + err := validateBashToolConfig(tools, "test-workflow") + + if tt.shouldError { + assert.Error(t, err, "Expected error for %s", tt.name) + if tt.errorMsg != "" { + assert.Contains(t, err.Error(), tt.errorMsg, "Error message should contain expected text") + } + } else { + assert.NoError(t, err, "Expected no error for %s", tt.name) + } + }) + } +} + +func TestParseBashToolWithBoolean(t *testing.T) { + tests := []struct { + name string + input any + expected *BashToolConfig + }{ + { + name: "bash: true enables all commands", + input: true, + expected: &BashToolConfig{AllowedCommands: nil}, + }, + { + name: "bash: false explicitly disables", + input: false, + expected: &BashToolConfig{AllowedCommands: []string{}}, + }, + { + name: "bash: nil is invalid", + input: nil, + expected: nil, + }, + { + name: "bash with array", + input: []any{"echo", "ls"}, + expected: &BashToolConfig{ + AllowedCommands: []string{"echo", "ls"}, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := parseBashTool(tt.input) + + if tt.expected == nil { + assert.Nil(t, result, "Expected nil result") + } else { + require.NotNil(t, result, "Expected non-nil result") + if tt.expected.AllowedCommands == nil { + assert.Nil(t, result.AllowedCommands, "Expected nil AllowedCommands (all allowed)") + } else { + assert.Equal(t, tt.expected.AllowedCommands, result.AllowedCommands, "AllowedCommands should match") + } + } + }) + } +} + +func TestNewToolsWithInvalidBash(t *testing.T) { + t.Run("detects invalid bash configuration", func(t *testing.T) { + toolsMap := map[string]any{ + "bash": nil, // Anonymous syntax + } + + tools := NewTools(toolsMap) + + // The parser should set Bash to nil for invalid config + assert.Nil(t, tools.Bash, "Bash should be nil for invalid config") + + // Validation should catch this + err := validateBashToolConfig(tools, "test-workflow") + assert.Error(t, err, "Expected validation error") + assert.Contains(t, err.Error(), "anonymous syntax", "Error should mention anonymous syntax") + }) + + t.Run("accepts valid bash configurations", func(t *testing.T) { + validConfigs := []map[string]any{ + {"bash": true}, + {"bash": false}, + {"bash": []any{"echo"}}, + {"bash": []any{"*"}}, + } + + for _, toolsMap := range validConfigs { + tools := NewTools(toolsMap) + assert.NotNil(t, tools.Bash, "Bash should not be nil for valid config") + + err := validateBashToolConfig(tools, "test-workflow") + assert.NoError(t, err, "Expected no validation error for valid config") + } + }) +} From ddc66cf252d840d1f8aab897759a28570add8a97 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:55:20 +0000 Subject: [PATCH 4/7] Update tests and migrate workflows to explicit bash syntax Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/archie.lock.yml | 16 ++-------------- .github/workflows/archie.md | 4 ++-- .github/workflows/artifacts-summary.lock.yml | 16 ++-------------- .github/workflows/artifacts-summary.md | 2 +- .github/workflows/code-scanning-fixer.lock.yml | 5 ++--- .github/workflows/code-scanning-fixer.md | 4 ++-- .../workflows/daily-cli-performance.lock.yml | 16 ++-------------- .github/workflows/daily-cli-performance.md | 4 ++-- .github/workflows/daily-code-metrics.lock.yml | 2 +- .github/workflows/daily-code-metrics.md | 5 ++--- .../daily-malicious-code-scan.lock.yml | 16 ++-------------- .github/workflows/daily-malicious-code-scan.md | 4 ++-- .../workflows/daily-secrets-analysis.lock.yml | 16 ++-------------- .github/workflows/daily-secrets-analysis.md | 4 ++-- .github/workflows/lockfile-stats.lock.yml | 18 ++---------------- .github/workflows/lockfile-stats.md | 4 ++-- .github/workflows/mcp-inspector.lock.yml | 16 ++-------------- .github/workflows/mcp-inspector.md | 4 ++-- .github/workflows/q.lock.yml | 5 ++--- .github/workflows/q.md | 4 ++-- .../workflows/technical-doc-writer.lock.yml | 5 ++--- .github/workflows/technical-doc-writer.md | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .github/workflows/video-analyzer.md | 5 ++--- docs/src/content/docs/agent-factory-status.mdx | 1 + pkg/cli/fix_codemods_test.go | 3 ++- pkg/workflow/tools_validation_test.go | 4 ++-- 27 files changed, 49 insertions(+), 138 deletions(-) diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 696f1dd4b0..9036c541d4 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -21,7 +21,7 @@ # # Generates Mermaid diagrams to visualize issue and pull request relationships when invoked with the /archie command # -# frontmatter-hash: baba8456db1f8b524a33a8bff0b322343f1cb00e4a54e7cbf1d70a3ae4fd9107 +# frontmatter-hash: 05a6f57cbfbd12bd18738e642998930d658b80a8165a47c8353dd887bdf2303f name: "Archie" "on": @@ -633,24 +633,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/archie.md b/.github/workflows/archie.md index 69e40328f2..610ed72416 100644 --- a/.github/workflows/archie.md +++ b/.github/workflows/archie.md @@ -19,7 +19,7 @@ tools: toolsets: - default edit: - bash: + bash: false safe-outputs: add-comment: max: 1 @@ -213,4 +213,4 @@ A successful Archie run: ## Begin Your Analysis -Examine the current context, analyze any linked references, generate your Mermaid diagrams using Serena, validate them, and post your visualization comment! +Examine the current context, analyze any linked references, generate your Mermaid diagrams using Serena, validate them, and post your visualization comment! \ No newline at end of file diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 2fb245683a..279e7a0042 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -26,7 +26,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# frontmatter-hash: 0b0e8ff9ce885125b359364aa3d61b6cb25e5b7a0337dee5f1d16e501b8c72d1 +# frontmatter-hash: a63ecf0f6cd87d09b9de63bf1f2d0bd70e3436da217a2df090f00368d92dd4e1 name: "Artifacts Summary" "on": @@ -672,24 +672,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/artifacts-summary.md b/.github/workflows/artifacts-summary.md index c16522f637..6ffe8149e6 100644 --- a/.github/workflows/artifacts-summary.md +++ b/.github/workflows/artifacts-summary.md @@ -15,7 +15,7 @@ sandbox: agent: awf # Firewall enabled (migrated from network.firewall) tools: edit: - bash: + bash: false github: toolsets: [actions, repos] safe-outputs: diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 013fb0b5a1..c86f7e3559 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -21,7 +21,7 @@ # # Automatically fixes code scanning alerts by creating pull requests with remediation # -# frontmatter-hash: db23396c88368a8a4ae67a081c2670a29099890ce486d349da5fa1e69d5c244c +# frontmatter-hash: a28a220012ddf2530deaba2a06b97ea4536184c331dda1f653c77f2b57d1005e name: "Code Scanning Fixer" "on": @@ -686,13 +686,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index c5982d9a5f..90e97427d5 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -18,7 +18,7 @@ tools: branch-name: memory/campaigns file-glob: [security-alert-burndown/**] edit: - bash: + bash: false cache-memory: safe-outputs: add-labels: @@ -217,4 +217,4 @@ If any step fails: - **Never Execute Untrusted Code**: Use read-only analysis tools - **Track Progress**: Cache ensures no duplicate work -Remember: Your goal is to provide a secure, well-tested fix that can be reviewed and merged safely. Focus on quality and correctness over speed. +Remember: Your goal is to provide a secure, well-tested fix that can be reviewed and merged safely. Focus on quality and correctness over speed. \ No newline at end of file diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 832051336d..5d3b9d4344 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -26,7 +26,7 @@ # - shared/go-make.md # - shared/reporting.md # -# frontmatter-hash: 18a4a615748963ed8fdadc07d89f4437bbfc0ca57c8c92e9c16a71e18994e829 +# frontmatter-hash: 9c428932688d10c346023206a0f7dba6531b5c809f0b60dc550cf80b439871f8 name: "Daily CLI Performance Agent" "on": @@ -916,24 +916,12 @@ jobs: # --allow-tool github # --allow-tool safeinputs # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeinputs --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeinputs --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-cli-performance.md b/.github/workflows/daily-cli-performance.md index 703935840c..fdeb85edbb 100644 --- a/.github/workflows/daily-cli-performance.md +++ b/.github/workflows/daily-cli-performance.md @@ -15,7 +15,7 @@ tools: description: "Historical CLI compilation performance benchmark results" file-glob: ["memory/cli-performance/*.json", "memory/cli-performance/*.jsonl", "memory/cli-performance/*.txt"] max-file-size: 512000 # 500KB - bash: + bash: false edit: github: toolsets: [default, issues] @@ -679,4 +679,4 @@ Each entry contains: } ``` -Begin your daily performance analysis now! +Begin your daily performance analysis now! \ No newline at end of file diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index dfd836e2ab..3286935646 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -27,7 +27,7 @@ # - shared/reporting.md # - shared/trends.md # -# frontmatter-hash: 624fd4665a245a054f9c6ebf7ad42316a4f71a101b783eb2df6c7e21614794af +# frontmatter-hash: c3b7addca65dc3f4ac8e0ccb35b3ecb3c1d6c4ab815d1bb3d1fd66557f144114 name: "Daily Code Metrics and Trend Tracking Agent" "on": diff --git a/.github/workflows/daily-code-metrics.md b/.github/workflows/daily-code-metrics.md index 2383822558..906659a3ff 100644 --- a/.github/workflows/daily-code-metrics.md +++ b/.github/workflows/daily-code-metrics.md @@ -15,7 +15,7 @@ tools: description: "Historical code quality and health metrics" file-glob: ["*.json", "*.jsonl", "*.csv", "*.md"] max-file-size: 102400 # 100KB - bash: + bash: false safe-outputs: upload-asset: create-discussion: @@ -455,5 +455,4 @@ This ensures the quality score reflects actionable source code volatility, not n - Generate all 6 required visualization charts - Upload charts as assets for permanent URLs - Embed charts in discussion report with analysis -- Store metrics to repo memory, create discussion report with visualizations - +- Store metrics to repo memory, create discussion report with visualizations \ No newline at end of file diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index fa90c9c23f..dda5717d39 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: a2d2939025b8cd01ec317ff980fc6209e433e71c69e2e3a10a8a84f06f364c79 +# frontmatter-hash: 7105ade391f2837e4a7974b02b9b40e1648b47b10c963f05c30bfb69db0d9802 name: "Daily Malicious Code Scan Agent" "on": @@ -711,24 +711,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md index 3290d4c5b4..1969d374d1 100644 --- a/.github/workflows/daily-malicious-code-scan.md +++ b/.github/workflows/daily-malicious-code-scan.md @@ -12,7 +12,7 @@ engine: copilot tools: github: toolsets: [repos, code_security] - bash: + bash: false safe-outputs: create-code-scanning-alert: driver: "Malicious Code Scanner" @@ -322,4 +322,4 @@ Your output MUST: **The workflow WILL FAIL if you don't call one of these tools.** Writing a message in your output text is NOT sufficient - you must actually invoke the tool. -Begin your daily malicious code scan now. Analyze all code changes from the last 3 days, identify suspicious patterns, and generate appropriate code-scanning alerts for any threats detected. +Begin your daily malicious code scan now. Analyze all code changes from the last 3 days, identify suspicious patterns, and generate appropriate code-scanning alerts for any threats detected. \ No newline at end of file diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 55ba0acf83..f6991b7f78 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 39da83d7edb2fb90a6f8b3bf93d0a925fd70eae853c8ecdec648e2bcd49e319b +# frontmatter-hash: 253b2d05bc3507d543dd79d58d454dfaf28d9da8ae75dba222088cee87e1bf8e name: "Daily Secrets Analysis Agent" "on": @@ -728,24 +728,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-secrets-analysis.md b/.github/workflows/daily-secrets-analysis.md index 37d338f481..ac14416c85 100644 --- a/.github/workflows/daily-secrets-analysis.md +++ b/.github/workflows/daily-secrets-analysis.md @@ -14,7 +14,7 @@ tracker-id: daily-secrets-analysis tools: github: toolsets: [default, discussions] - bash: + bash: false safe-outputs: create-discussion: expires: 3d @@ -295,4 +295,4 @@ For detailed information about secret usage patterns, see: - Highlight **security concerns** prominently - Keep the report **concise but comprehensive** - Use **tables and formatting** for readability -- Include **actionable recommendations** +- Include **actionable recommendations** \ No newline at end of file diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index d7a35c1d6f..94d50bb5a2 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 4200b413651f1eb03f0cc150b48b84b5bc9ac70c59249372beb5658e0b3d1e52 +# frontmatter-hash: 835c012288b401ac2255733e2c34649d8d1b8d5c8b49a9e4c870b2904afbe4d2 name: "Lockfile Statistics Analysis Agent" "on": @@ -688,25 +688,11 @@ jobs: - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): - # - Bash(cat) - # - Bash(date) - # - Bash(echo) - # - Bash(grep) - # - Bash(head) - # - Bash(ls) - # - Bash(pwd) - # - Bash(sort) - # - Bash(tail) - # - Bash(uniq) - # - Bash(wc) - # - Bash(yq) - # - BashOutput # - Edit # - Edit(/tmp/gh-aw/cache-memory/*) # - ExitPlanMode # - Glob # - Grep - # - KillBash # - LS # - MultiEdit # - MultiEdit(/tmp/gh-aw/cache-memory/*) @@ -774,7 +760,7 @@ jobs: run: | set -o pipefail sudo -E awf --enable-chroot --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} BASH_DEFAULT_TIMEOUT_MS: 60000 diff --git a/.github/workflows/lockfile-stats.md b/.github/workflows/lockfile-stats.md index 6b70776a90..270ce1bbe2 100644 --- a/.github/workflows/lockfile-stats.md +++ b/.github/workflows/lockfile-stats.md @@ -10,7 +10,7 @@ permissions: engine: claude tools: cache-memory: true - bash: + bash: false safe-outputs: create-discussion: category: "audits" @@ -354,4 +354,4 @@ Your output MUST: 5. Highlight interesting patterns and anomalies 6. Store successful scripts and patterns in cache memory -Begin your analysis now. Collect the data systematically, perform thorough statistical analysis, and generate an insightful report that helps understand the structure and patterns of agentic workflows in this repository. +Begin your analysis now. Collect the data systematically, perform thorough statistical analysis, and generate an insightful report that helps understand the structure and patterns of agentic workflows in this repository. \ No newline at end of file diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 9758704f4b..40bb6dbe74 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -39,7 +39,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# frontmatter-hash: b4a7ec5fd0e804617e948319ce798ddc7e6c1c042426e4ee41e2494f22ae946c +# frontmatter-hash: d4e128ece9d98fd00a7488837d01625ceb2cba6bdee7d193007ba2f2bf02450d name: "MCP Inspector Agent" "on": @@ -1211,18 +1211,6 @@ jobs: # --allow-tool sentry(search_events) # --allow-tool sentry(search_issues) # --allow-tool sentry(whoami) - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) # --allow-tool tavily # --allow-tool tavily(*) # --allow-tool write @@ -1230,7 +1218,7 @@ jobs: run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,mcp.datadoghq.com,mcp.deepwiki.com,mcp.tavily.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool '\''arxiv(get_paper_details)'\'' --allow-tool '\''arxiv(get_paper_pdf)'\'' --allow-tool '\''arxiv(search_arxiv)'\'' --allow-tool ast-grep --allow-tool '\''ast-grep(*)'\'' --allow-tool brave-search --allow-tool '\''brave-search(*)'\'' --allow-tool context7 --allow-tool '\''context7(query-docs)'\'' --allow-tool '\''context7(resolve-library-id)'\'' --allow-tool datadog --allow-tool '\''datadog(get_datadog_metric)'\'' --allow-tool '\''datadog(search_datadog_dashboards)'\'' --allow-tool '\''datadog(search_datadog_metrics)'\'' --allow-tool '\''datadog(search_datadog_slos)'\'' --allow-tool deepwiki --allow-tool '\''deepwiki(ask_question)'\'' --allow-tool '\''deepwiki(read_wiki_contents)'\'' --allow-tool '\''deepwiki(read_wiki_structure)'\'' --allow-tool fabric-rti --allow-tool '\''fabric-rti(get_eventstream)'\'' --allow-tool '\''fabric-rti(get_eventstream_definition)'\'' --allow-tool '\''fabric-rti(kusto_get_entities_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_function_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_shots)'\'' --allow-tool '\''fabric-rti(kusto_get_table_schema)'\'' --allow-tool '\''fabric-rti(kusto_known_services)'\'' --allow-tool '\''fabric-rti(kusto_list_databases)'\'' --allow-tool '\''fabric-rti(kusto_list_tables)'\'' --allow-tool '\''fabric-rti(kusto_query)'\'' --allow-tool '\''fabric-rti(kusto_sample_function_data)'\'' --allow-tool '\''fabric-rti(kusto_sample_table_data)'\'' --allow-tool '\''fabric-rti(list_eventstreams)'\'' --allow-tool github --allow-tool markitdown --allow-tool '\''markitdown(*)'\'' --allow-tool memory --allow-tool '\''memory(delete_memory)'\'' --allow-tool '\''memory(list_memories)'\'' --allow-tool '\''memory(retrieve_memory)'\'' --allow-tool '\''memory(store_memory)'\'' --allow-tool microsoftdocs --allow-tool '\''microsoftdocs(*)'\'' --allow-tool notion --allow-tool '\''notion(get_database)'\'' --allow-tool '\''notion(get_page)'\'' --allow-tool '\''notion(query_database)'\'' --allow-tool '\''notion(search_pages)'\'' --allow-tool safeoutputs --allow-tool sentry --allow-tool '\''sentry(analyze_issue_with_seer)'\'' --allow-tool '\''sentry(find_dsns)'\'' --allow-tool '\''sentry(find_organizations)'\'' --allow-tool '\''sentry(find_projects)'\'' --allow-tool '\''sentry(find_releases)'\'' --allow-tool '\''sentry(find_teams)'\'' --allow-tool '\''sentry(get_doc)'\'' --allow-tool '\''sentry(get_event_attachment)'\'' --allow-tool '\''sentry(get_issue_details)'\'' --allow-tool '\''sentry(get_trace_details)'\'' --allow-tool '\''sentry(search_docs requires SENTRY_OPENAI_API_KEY)'\'' --allow-tool '\''sentry(search_events)'\'' --allow-tool '\''sentry(search_issues)'\'' --allow-tool '\''sentry(whoami)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool tavily --allow-tool '\''tavily(*)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool '\''arxiv(get_paper_details)'\'' --allow-tool '\''arxiv(get_paper_pdf)'\'' --allow-tool '\''arxiv(search_arxiv)'\'' --allow-tool ast-grep --allow-tool '\''ast-grep(*)'\'' --allow-tool brave-search --allow-tool '\''brave-search(*)'\'' --allow-tool context7 --allow-tool '\''context7(query-docs)'\'' --allow-tool '\''context7(resolve-library-id)'\'' --allow-tool datadog --allow-tool '\''datadog(get_datadog_metric)'\'' --allow-tool '\''datadog(search_datadog_dashboards)'\'' --allow-tool '\''datadog(search_datadog_metrics)'\'' --allow-tool '\''datadog(search_datadog_slos)'\'' --allow-tool deepwiki --allow-tool '\''deepwiki(ask_question)'\'' --allow-tool '\''deepwiki(read_wiki_contents)'\'' --allow-tool '\''deepwiki(read_wiki_structure)'\'' --allow-tool fabric-rti --allow-tool '\''fabric-rti(get_eventstream)'\'' --allow-tool '\''fabric-rti(get_eventstream_definition)'\'' --allow-tool '\''fabric-rti(kusto_get_entities_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_function_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_shots)'\'' --allow-tool '\''fabric-rti(kusto_get_table_schema)'\'' --allow-tool '\''fabric-rti(kusto_known_services)'\'' --allow-tool '\''fabric-rti(kusto_list_databases)'\'' --allow-tool '\''fabric-rti(kusto_list_tables)'\'' --allow-tool '\''fabric-rti(kusto_query)'\'' --allow-tool '\''fabric-rti(kusto_sample_function_data)'\'' --allow-tool '\''fabric-rti(kusto_sample_table_data)'\'' --allow-tool '\''fabric-rti(list_eventstreams)'\'' --allow-tool github --allow-tool markitdown --allow-tool '\''markitdown(*)'\'' --allow-tool memory --allow-tool '\''memory(delete_memory)'\'' --allow-tool '\''memory(list_memories)'\'' --allow-tool '\''memory(retrieve_memory)'\'' --allow-tool '\''memory(store_memory)'\'' --allow-tool microsoftdocs --allow-tool '\''microsoftdocs(*)'\'' --allow-tool notion --allow-tool '\''notion(get_database)'\'' --allow-tool '\''notion(get_page)'\'' --allow-tool '\''notion(query_database)'\'' --allow-tool '\''notion(search_pages)'\'' --allow-tool safeoutputs --allow-tool sentry --allow-tool '\''sentry(analyze_issue_with_seer)'\'' --allow-tool '\''sentry(find_dsns)'\'' --allow-tool '\''sentry(find_organizations)'\'' --allow-tool '\''sentry(find_projects)'\'' --allow-tool '\''sentry(find_releases)'\'' --allow-tool '\''sentry(find_teams)'\'' --allow-tool '\''sentry(get_doc)'\'' --allow-tool '\''sentry(get_event_attachment)'\'' --allow-tool '\''sentry(get_issue_details)'\'' --allow-tool '\''sentry(get_trace_details)'\'' --allow-tool '\''sentry(search_docs requires SENTRY_OPENAI_API_KEY)'\'' --allow-tool '\''sentry(search_events)'\'' --allow-tool '\''sentry(search_issues)'\'' --allow-tool '\''sentry(whoami)'\'' --allow-tool tavily --allow-tool '\''tavily(*)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/mcp-inspector.md b/.github/workflows/mcp-inspector.md index 442be4d7e0..7550c0e49a 100644 --- a/.github/workflows/mcp-inspector.md +++ b/.github/workflows/mcp-inspector.md @@ -47,7 +47,7 @@ tools: agentic-workflows: serena: ["go"] edit: - bash: + bash: false cache-memory: true --- @@ -92,4 +92,4 @@ Generate: 1. [Issue or improvement] ``` -Save to `/tmp/gh-aw/cache-memory/mcp-inspections/[DATE].json` and create discussion in "audits" category. +Save to `/tmp/gh-aw/cache-memory/mcp-inspections/[DATE].json` and create discussion in "audits" category. \ No newline at end of file diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 5e741c64cb..e35f367b34 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -21,7 +21,7 @@ # # Intelligent assistant that answers questions, analyzes repositories, and can create PRs for workflow optimizations # -# frontmatter-hash: 3cc89a80359117eb057e150dae41c45f5bd96f157452131579cc117aa46d1605 +# frontmatter-hash: de35b9e28a79e36a5507ca37018df9bb0cd47c5e540a6dfced2e28cf5a9d366e name: "Q" "on": @@ -793,13 +793,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/q.md b/.github/workflows/q.md index 3b970c9567..270fe08285 100644 --- a/.github/workflows/q.md +++ b/.github/workflows/q.md @@ -22,7 +22,7 @@ tools: - actions - discussions edit: - bash: + bash: false cache-memory: true safe-outputs: add-comment: @@ -404,4 +404,4 @@ A successful Q mission: You are Q - the expert who provides agents with the best tools for their missions. Make workflows more effective, efficient, and reliable based on real data. Keep changes minimal and well-validated. Let the automation handle lock file compilation. -Begin your investigation now. Gather live data, analyze it thoroughly, make targeted improvements, validate your changes, and create a pull request with your optimizations. +Begin your investigation now. Gather live data, analyze it thoroughly, make targeted improvements, validate your changes, and create a pull request with your optimizations. \ No newline at end of file diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index ee7c546b33..cd5cd12d47 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -26,7 +26,7 @@ # - ../../skills/documentation/SKILL.md # - ../agents/technical-doc-writer.agent.md # -# frontmatter-hash: 221b633fcec6437dab0b5e158d24913f3fce98b408512a2ac21f2375b6c0d5bd +# frontmatter-hash: 63d36a0def545b25d802e807f3981ec33758e7eed97f94342eca687ec29e502f name: "Rebuild the documentation after making changes" "on": @@ -1218,13 +1218,12 @@ jobs: # Copilot CLI tool arguments (sorted): # --allow-tool github # --allow-tool safeoutputs - # --allow-tool shell # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md index f1acae9f6d..07e695546f 100644 --- a/.github/workflows/technical-doc-writer.md +++ b/.github/workflows/technical-doc-writer.md @@ -66,7 +66,7 @@ tools: github: toolsets: [default] edit: - bash: + bash: false timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 636215358c..1db30937a9 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/ffmpeg.md # -# frontmatter-hash: f44f3b560ee1193c36ae5b31a8c41f6e296d95416daade0733e5a5359dc111ab +# frontmatter-hash: 31026a1d520b47526ca2d0f8986895ecad623e0d48d864ddaff4759cb834ccc3 name: "Video Analysis Agent" "on": diff --git a/.github/workflows/video-analyzer.md b/.github/workflows/video-analyzer.md index c716a4da04..8d02bbc068 100644 --- a/.github/workflows/video-analyzer.md +++ b/.github/workflows/video-analyzer.md @@ -19,7 +19,7 @@ imports: - shared/ffmpeg.md tools: - bash: + bash: false safe-outputs: create-issue: @@ -166,5 +166,4 @@ Create your issue with the following markdown structure: --- *Generated using ffmpeg via GitHub Agentic Workflows* -``` - +``` \ No newline at end of file diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx index 2d66565b11..950a8d5f72 100644 --- a/docs/src/content/docs/agent-factory-status.mdx +++ b/docs/src/content/docs/agent-factory-status.mdx @@ -71,6 +71,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn, | [DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/deep-report.md) | codex | [![DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml) | `0 15 * * 1-5` | - | | [Delight](https://github.com/github/gh-aw/blob/main/.github/workflows/delight.md) | copilot | [![Delight](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml) | - | - | | [Dependabot Dependency Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-go-checker.md) | copilot | [![Dependabot Dependency Checker](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml) | `0 9 * * 1,3,5` | - | +| [Dependabot Project Manager](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-project-manager.md) | copilot | [![Dependabot Project Manager](https://github.com/github/gh-aw/actions/workflows/dependabot-project-manager.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-project-manager.lock.yml) | - | - | | [Dev](https://github.com/github/gh-aw/blob/main/.github/workflows/dev.md) | copilot | [![Dev](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml) | - | - | | [Dev Hawk](https://github.com/github/gh-aw/blob/main/.github/workflows/dev-hawk.md) | copilot | [![Dev Hawk](https://github.com/github/gh-aw/actions/workflows/dev-hawk.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dev-hawk.lock.yml) | - | - | | [Developer Documentation Consolidator](https://github.com/github/gh-aw/blob/main/.github/workflows/developer-docs-consolidator.md) | claude | [![Developer Documentation Consolidator](https://github.com/github/gh-aw/actions/workflows/developer-docs-consolidator.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/developer-docs-consolidator.lock.yml) | - | - | diff --git a/pkg/cli/fix_codemods_test.go b/pkg/cli/fix_codemods_test.go index e1c357da91..8182258c11 100644 --- a/pkg/cli/fix_codemods_test.go +++ b/pkg/cli/fix_codemods_test.go @@ -43,7 +43,7 @@ func TestGetAllCodemods_ReturnsAllCodemods(t *testing.T) { codemods := GetAllCodemods() // Verify we have the expected number of codemods - expectedCount := 16 + expectedCount := 17 assert.Len(t, codemods, expectedCount, "Should return all %d codemods", expectedCount) // Verify all codemods have required fields @@ -120,6 +120,7 @@ func TestGetAllCodemods_InExpectedOrder(t *testing.T) { "add-comment-discussion-removal", "mcp-mode-to-type-migration", "install-script-url-migration", + "bash-anonymous-removal", } require.Len(t, codemods, len(expectedOrder), "Should have expected number of codemods") diff --git a/pkg/workflow/tools_validation_test.go b/pkg/workflow/tools_validation_test.go index 1cfff8da1b..a9a4559a1c 100644 --- a/pkg/workflow/tools_validation_test.go +++ b/pkg/workflow/tools_validation_test.go @@ -60,7 +60,7 @@ func TestValidateBashToolConfig(t *testing.T) { err := validateBashToolConfig(tools, "test-workflow") if tt.shouldError { - assert.Error(t, err, "Expected error for %s", tt.name) + require.Error(t, err, "Expected error for %s", tt.name) if tt.errorMsg != "" { assert.Contains(t, err.Error(), tt.errorMsg, "Error message should contain expected text") } @@ -132,7 +132,7 @@ func TestNewToolsWithInvalidBash(t *testing.T) { // Validation should catch this err := validateBashToolConfig(tools, "test-workflow") - assert.Error(t, err, "Expected validation error") + require.Error(t, err, "Expected validation error") assert.Contains(t, err.Error(), "anonymous syntax", "Error should mention anonymous syntax") }) From f4593cc765fd71f85084711e80d617d23b022bba Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 21:00:12 +0000 Subject: [PATCH 5/7] Fix validation timing and add compiler integration tests Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../bash_anonymous_validation_test.go | 100 ++++++++++++++++++ pkg/workflow/compiler.go | 6 -- .../compiler_orchestrator_workflow.go | 6 ++ 3 files changed, 106 insertions(+), 6 deletions(-) create mode 100644 pkg/workflow/bash_anonymous_validation_test.go diff --git a/pkg/workflow/bash_anonymous_validation_test.go b/pkg/workflow/bash_anonymous_validation_test.go new file mode 100644 index 0000000000..4b40e3ec7a --- /dev/null +++ b/pkg/workflow/bash_anonymous_validation_test.go @@ -0,0 +1,100 @@ +//go:build !integration + +package workflow + +import ( + "os" + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestCompilerRejectsAnonymousBashSyntax(t *testing.T) { + // Create a temporary directory for test workflows + tmpDir := t.TempDir() + + // Create a test workflow with anonymous bash syntax + workflowContent := `--- +name: Test Workflow +engine: copilot +on: + workflow_dispatch: +tools: + bash: + github: +--- +# Test workflow +This is a test workflow with anonymous bash syntax. +` + + workflowPath := filepath.Join(tmpDir, "test-workflow.md") + err := os.WriteFile(workflowPath, []byte(workflowContent), 0644) + require.NoError(t, err, "Failed to create test workflow file") + + // Create compiler + compiler := NewCompiler() + compiler.SetSkipValidation(false) // Enable validation + + // Try to compile - should fail + err = compiler.CompileWorkflow(workflowPath) + + // Verify that compilation fails with the expected error + require.Error(t, err, "Compilation should fail for anonymous bash syntax") + assert.Contains(t, err.Error(), "anonymous syntax 'bash:' is not supported", "Error should mention anonymous syntax") + assert.Contains(t, err.Error(), "bash: true", "Error should suggest bash: true") + assert.Contains(t, err.Error(), "bash: false", "Error should suggest bash: false") + assert.Contains(t, err.Error(), "gh aw fix", "Error should suggest using gh aw fix") +} + +func TestCompilerAcceptsExplicitBashSyntax(t *testing.T) { + tmpDir := t.TempDir() + + tests := []struct { + name string + bashConfig string + }{ + { + name: "bash: true", + bashConfig: "bash: true", + }, + { + name: "bash: false", + bashConfig: "bash: false", + }, + { + name: "bash with array", + bashConfig: "bash: [\"echo\", \"ls\"]", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + workflowContent := `--- +name: Test Workflow +engine: copilot +on: + workflow_dispatch: +tools: + ` + tt.bashConfig + ` + github: +--- +# Test workflow +This is a test workflow. +` + + workflowPath := filepath.Join(tmpDir, strings.ReplaceAll(tt.name, " ", "-")+".md") + err := os.WriteFile(workflowPath, []byte(workflowContent), 0644) + require.NoError(t, err, "Failed to create test workflow file") + + compiler := NewCompiler() + compiler.SetSkipValidation(false) + + // Should compile successfully + err = compiler.CompileWorkflow(workflowPath) + assert.NoError(t, err, "Compilation should succeed for explicit bash syntax: %s", tt.bashConfig) + }) + } +} diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go index 8cfa340efe..ea2d80e046 100644 --- a/pkg/workflow/compiler.go +++ b/pkg/workflow/compiler.go @@ -180,12 +180,6 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath return formatCompilerError(markdownPath, "error", err.Error()) } - // Validate bash tool configuration - log.Printf("Validating bash tool configuration") - if err := validateBashToolConfig(workflowData.ParsedTools, workflowData.Name); err != nil { - return formatCompilerError(markdownPath, "error", err.Error()) - } - // Validate safe-outputs target configuration log.Printf("Validating safe-outputs target fields") if err := validateSafeOutputsTarget(workflowData.SafeOutputs); err != nil { diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go index bf97ff4b0a..ab6c9c7044 100644 --- a/pkg/workflow/compiler_orchestrator_workflow.go +++ b/pkg/workflow/compiler_orchestrator_workflow.go @@ -51,6 +51,12 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error) // Store a stable workflow identifier derived from the file name. workflowData.WorkflowID = GetWorkflowIDFromPath(cleanPath) + // Validate bash tool configuration BEFORE applying defaults + // This must happen before applyDefaults() which converts nil bash to default commands + if err := validateBashToolConfig(workflowData.ParsedTools, workflowData.Name); err != nil { + return nil, fmt.Errorf("%s: %w", cleanPath, err) + } + // Use shared action cache and resolver from the compiler actionCache, actionResolver := c.getSharedActionResolver() workflowData.ActionCache = actionCache From dbc7d0c56cb2e361c5a4d8cb7e4e51d16f347069 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 21:01:57 +0000 Subject: [PATCH 6/7] Remove incorrect build constraints from production code Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/codemod_bash_anonymous.go | 2 -- pkg/workflow/tools_validation.go | 2 -- 2 files changed, 4 deletions(-) diff --git a/pkg/cli/codemod_bash_anonymous.go b/pkg/cli/codemod_bash_anonymous.go index 0dbaeae31e..5d3b3ced42 100644 --- a/pkg/cli/codemod_bash_anonymous.go +++ b/pkg/cli/codemod_bash_anonymous.go @@ -1,5 +1,3 @@ -//go:build !integration - package cli import "github.com/github/gh-aw/pkg/logger" diff --git a/pkg/workflow/tools_validation.go b/pkg/workflow/tools_validation.go index c2cc237fdc..61421a86eb 100644 --- a/pkg/workflow/tools_validation.go +++ b/pkg/workflow/tools_validation.go @@ -1,5 +1,3 @@ -//go:build !integration - package workflow import ( From 84c208ab65621e817367c737871cd257a53ea05b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 21:14:56 +0000 Subject: [PATCH 7/7] Change codemod to use bash: true instead of bash: false Updated codemod to convert anonymous bash: syntax to bash: true (enable all commands) instead of bash: false. This is more semantically equivalent to the original behavior where anonymous bash: was converted to default commands. - Updated getBashAnonymousRemovalCodemod to use bash: true - Renamed replaceBashAnonymousWithFalse to replaceBashAnonymousWithTrue - Updated all tests to expect bash: true - Re-migrated 12 workflows from bash: false to bash: true - Recompiled all workflow lock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/archie.lock.yml | 7 +- .github/workflows/archie.md | 2 +- .github/workflows/artifacts-summary.lock.yml | 7 +- .github/workflows/artifacts-summary.md | 2 +- .../workflows/code-scanning-fixer.lock.yml | 7 +- .github/workflows/code-scanning-fixer.md | 2 +- .../workflows/daily-cli-performance.lock.yml | 8 +-- .github/workflows/daily-cli-performance.md | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .github/workflows/daily-code-metrics.md | 2 +- .../daily-malicious-code-scan.lock.yml | 7 +- .../workflows/daily-malicious-code-scan.md | 2 +- .../workflows/daily-secrets-analysis.lock.yml | 7 +- .github/workflows/daily-secrets-analysis.md | 2 +- .github/workflows/lockfile-stats.lock.yml | 7 +- .github/workflows/lockfile-stats.md | 2 +- .github/workflows/mcp-inspector.lock.yml | 72 +------------------ .github/workflows/mcp-inspector.md | 2 +- .github/workflows/q.lock.yml | 7 +- .github/workflows/q.md | 2 +- .../workflows/technical-doc-writer.lock.yml | 7 +- .github/workflows/technical-doc-writer.md | 2 +- .github/workflows/video-analyzer.lock.yml | 2 +- .github/workflows/video-analyzer.md | 2 +- pkg/cli/codemod_bash_anonymous.go | 20 +++--- pkg/cli/codemod_bash_anonymous_test.go | 18 ++--- 26 files changed, 56 insertions(+), 146 deletions(-) diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 9036c541d4..2fb4310522 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -21,7 +21,7 @@ # # Generates Mermaid diagrams to visualize issue and pull request relationships when invoked with the /archie command # -# frontmatter-hash: 05a6f57cbfbd12bd18738e642998930d658b80a8165a47c8353dd887bdf2303f +# frontmatter-hash: 64ffad2e62d589ff586ce1a944a8fd0e9e5a71edd9eea661b55657df350b6930 name: "Archie" "on": @@ -631,14 +631,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/archie.md b/.github/workflows/archie.md index 610ed72416..7a1c9ab4c1 100644 --- a/.github/workflows/archie.md +++ b/.github/workflows/archie.md @@ -19,7 +19,7 @@ tools: toolsets: - default edit: - bash: false + bash: true safe-outputs: add-comment: max: 1 diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 279e7a0042..d21607524b 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -26,7 +26,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# frontmatter-hash: a63ecf0f6cd87d09b9de63bf1f2d0bd70e3436da217a2df090f00368d92dd4e1 +# frontmatter-hash: f32074b45081af12d316ed299d774cd3b3864da6bdcd3bf3927880fbfef19501 name: "Artifacts Summary" "on": @@ -670,14 +670,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/artifacts-summary.md b/.github/workflows/artifacts-summary.md index 6ffe8149e6..68169376a3 100644 --- a/.github/workflows/artifacts-summary.md +++ b/.github/workflows/artifacts-summary.md @@ -15,7 +15,7 @@ sandbox: agent: awf # Firewall enabled (migrated from network.firewall) tools: edit: - bash: false + bash: true github: toolsets: [actions, repos] safe-outputs: diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index c86f7e3559..a3f7f7e25a 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -21,7 +21,7 @@ # # Automatically fixes code scanning alerts by creating pull requests with remediation # -# frontmatter-hash: a28a220012ddf2530deaba2a06b97ea4536184c331dda1f653c77f2b57d1005e +# frontmatter-hash: 0597ad0df613bbb3cb159272bda8297794f7ae994dbcaa20b7ae721c8b6b8158 name: "Code Scanning Fixer" "on": @@ -684,14 +684,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index 90e97427d5..660925eaf7 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -18,7 +18,7 @@ tools: branch-name: memory/campaigns file-glob: [security-alert-burndown/**] edit: - bash: false + bash: true cache-memory: safe-outputs: add-labels: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 5d3b9d4344..7e679f427b 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -26,7 +26,7 @@ # - shared/go-make.md # - shared/reporting.md # -# frontmatter-hash: 9c428932688d10c346023206a0f7dba6531b5c809f0b60dc550cf80b439871f8 +# frontmatter-hash: 6a7627dbf91cb157295287e0e2083f26fdda22959240f171b8a7e7cdfe0e390b name: "Daily CLI Performance Agent" "on": @@ -913,15 +913,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeinputs - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeinputs --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-cli-performance.md b/.github/workflows/daily-cli-performance.md index fdeb85edbb..407a17958c 100644 --- a/.github/workflows/daily-cli-performance.md +++ b/.github/workflows/daily-cli-performance.md @@ -15,7 +15,7 @@ tools: description: "Historical CLI compilation performance benchmark results" file-glob: ["memory/cli-performance/*.json", "memory/cli-performance/*.jsonl", "memory/cli-performance/*.txt"] max-file-size: 512000 # 500KB - bash: false + bash: true edit: github: toolsets: [default, issues] diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 3286935646..e8cf30d3f1 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -27,7 +27,7 @@ # - shared/reporting.md # - shared/trends.md # -# frontmatter-hash: c3b7addca65dc3f4ac8e0ccb35b3ecb3c1d6c4ab815d1bb3d1fd66557f144114 +# frontmatter-hash: 2093093330961528c7a428449d17d960ede3238c3029308021c5b6d9fe04047c name: "Daily Code Metrics and Trend Tracking Agent" "on": diff --git a/.github/workflows/daily-code-metrics.md b/.github/workflows/daily-code-metrics.md index 906659a3ff..2a893722d3 100644 --- a/.github/workflows/daily-code-metrics.md +++ b/.github/workflows/daily-code-metrics.md @@ -15,7 +15,7 @@ tools: description: "Historical code quality and health metrics" file-glob: ["*.json", "*.jsonl", "*.csv", "*.md"] max-file-size: 102400 # 100KB - bash: false + bash: true safe-outputs: upload-asset: create-discussion: diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index dda5717d39..6c14198a36 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 7105ade391f2837e4a7974b02b9b40e1648b47b10c963f05c30bfb69db0d9802 +# frontmatter-hash: b3d69c6ffb6e3176c8c580511717f3a0074e13af17b473dd497edaf732186ed6 name: "Daily Malicious Code Scan Agent" "on": @@ -709,14 +709,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md index 1969d374d1..bbf16203db 100644 --- a/.github/workflows/daily-malicious-code-scan.md +++ b/.github/workflows/daily-malicious-code-scan.md @@ -12,7 +12,7 @@ engine: copilot tools: github: toolsets: [repos, code_security] - bash: false + bash: true safe-outputs: create-code-scanning-alert: driver: "Malicious Code Scanner" diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index f6991b7f78..bf63bdf731 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 253b2d05bc3507d543dd79d58d454dfaf28d9da8ae75dba222088cee87e1bf8e +# frontmatter-hash: 5ad9f9b0378a3ab6e36feb0b59074643280051e45e8a0cd088773c307b5c5b47 name: "Daily Secrets Analysis Agent" "on": @@ -726,14 +726,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-secrets-analysis.md b/.github/workflows/daily-secrets-analysis.md index ac14416c85..68de5eead3 100644 --- a/.github/workflows/daily-secrets-analysis.md +++ b/.github/workflows/daily-secrets-analysis.md @@ -14,7 +14,7 @@ tracker-id: daily-secrets-analysis tools: github: toolsets: [default, discussions] - bash: false + bash: true safe-outputs: create-discussion: expires: 3d diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 94d50bb5a2..87cc8fa678 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 835c012288b401ac2255733e2c34649d8d1b8d5c8b49a9e4c870b2904afbe4d2 +# frontmatter-hash: df088f95c7fb764646a25cba7c15b97c423d4387c022b6369221d4b9ebead6f0 name: "Lockfile Statistics Analysis Agent" "on": @@ -688,11 +688,14 @@ jobs: - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): + # - Bash + # - BashOutput # - Edit # - Edit(/tmp/gh-aw/cache-memory/*) # - ExitPlanMode # - Glob # - Grep + # - KillBash # - LS # - MultiEdit # - MultiEdit(/tmp/gh-aw/cache-memory/*) @@ -760,7 +763,7 @@ jobs: run: | set -o pipefail sudo -E awf --enable-chroot --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} BASH_DEFAULT_TIMEOUT_MS: 60000 diff --git a/.github/workflows/lockfile-stats.md b/.github/workflows/lockfile-stats.md index 270ce1bbe2..8cc6d52984 100644 --- a/.github/workflows/lockfile-stats.md +++ b/.github/workflows/lockfile-stats.md @@ -10,7 +10,7 @@ permissions: engine: claude tools: cache-memory: true - bash: false + bash: true safe-outputs: create-discussion: category: "audits" diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 40bb6dbe74..b0871f8280 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -39,7 +39,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# frontmatter-hash: d4e128ece9d98fd00a7488837d01625ceb2cba6bdee7d193007ba2f2bf02450d +# frontmatter-hash: 628be2a853f60f9d5c04d7eddde96de120b6c816b60c720fc1d199155a2d6310 name: "MCP Inspector Agent" "on": @@ -1146,79 +1146,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool arxiv - # --allow-tool arxiv(get_paper_details) - # --allow-tool arxiv(get_paper_pdf) - # --allow-tool arxiv(search_arxiv) - # --allow-tool ast-grep - # --allow-tool ast-grep(*) - # --allow-tool brave-search - # --allow-tool brave-search(*) - # --allow-tool context7 - # --allow-tool context7(query-docs) - # --allow-tool context7(resolve-library-id) - # --allow-tool datadog - # --allow-tool datadog(get_datadog_metric) - # --allow-tool datadog(search_datadog_dashboards) - # --allow-tool datadog(search_datadog_metrics) - # --allow-tool datadog(search_datadog_slos) - # --allow-tool deepwiki - # --allow-tool deepwiki(ask_question) - # --allow-tool deepwiki(read_wiki_contents) - # --allow-tool deepwiki(read_wiki_structure) - # --allow-tool fabric-rti - # --allow-tool fabric-rti(get_eventstream) - # --allow-tool fabric-rti(get_eventstream_definition) - # --allow-tool fabric-rti(kusto_get_entities_schema) - # --allow-tool fabric-rti(kusto_get_function_schema) - # --allow-tool fabric-rti(kusto_get_shots) - # --allow-tool fabric-rti(kusto_get_table_schema) - # --allow-tool fabric-rti(kusto_known_services) - # --allow-tool fabric-rti(kusto_list_databases) - # --allow-tool fabric-rti(kusto_list_tables) - # --allow-tool fabric-rti(kusto_query) - # --allow-tool fabric-rti(kusto_sample_function_data) - # --allow-tool fabric-rti(kusto_sample_table_data) - # --allow-tool fabric-rti(list_eventstreams) - # --allow-tool github - # --allow-tool markitdown - # --allow-tool markitdown(*) - # --allow-tool memory - # --allow-tool memory(delete_memory) - # --allow-tool memory(list_memories) - # --allow-tool memory(retrieve_memory) - # --allow-tool memory(store_memory) - # --allow-tool microsoftdocs - # --allow-tool microsoftdocs(*) - # --allow-tool notion - # --allow-tool notion(get_database) - # --allow-tool notion(get_page) - # --allow-tool notion(query_database) - # --allow-tool notion(search_pages) - # --allow-tool safeoutputs - # --allow-tool sentry - # --allow-tool sentry(analyze_issue_with_seer) - # --allow-tool sentry(find_dsns) - # --allow-tool sentry(find_organizations) - # --allow-tool sentry(find_projects) - # --allow-tool sentry(find_releases) - # --allow-tool sentry(find_teams) - # --allow-tool sentry(get_doc) - # --allow-tool sentry(get_event_attachment) - # --allow-tool sentry(get_issue_details) - # --allow-tool sentry(get_trace_details) - # --allow-tool sentry(search_docs requires SENTRY_OPENAI_API_KEY) - # --allow-tool sentry(search_events) - # --allow-tool sentry(search_issues) - # --allow-tool sentry(whoami) - # --allow-tool tavily - # --allow-tool tavily(*) - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,mcp.datadoghq.com,mcp.deepwiki.com,mcp.tavily.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool '\''arxiv(get_paper_details)'\'' --allow-tool '\''arxiv(get_paper_pdf)'\'' --allow-tool '\''arxiv(search_arxiv)'\'' --allow-tool ast-grep --allow-tool '\''ast-grep(*)'\'' --allow-tool brave-search --allow-tool '\''brave-search(*)'\'' --allow-tool context7 --allow-tool '\''context7(query-docs)'\'' --allow-tool '\''context7(resolve-library-id)'\'' --allow-tool datadog --allow-tool '\''datadog(get_datadog_metric)'\'' --allow-tool '\''datadog(search_datadog_dashboards)'\'' --allow-tool '\''datadog(search_datadog_metrics)'\'' --allow-tool '\''datadog(search_datadog_slos)'\'' --allow-tool deepwiki --allow-tool '\''deepwiki(ask_question)'\'' --allow-tool '\''deepwiki(read_wiki_contents)'\'' --allow-tool '\''deepwiki(read_wiki_structure)'\'' --allow-tool fabric-rti --allow-tool '\''fabric-rti(get_eventstream)'\'' --allow-tool '\''fabric-rti(get_eventstream_definition)'\'' --allow-tool '\''fabric-rti(kusto_get_entities_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_function_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_shots)'\'' --allow-tool '\''fabric-rti(kusto_get_table_schema)'\'' --allow-tool '\''fabric-rti(kusto_known_services)'\'' --allow-tool '\''fabric-rti(kusto_list_databases)'\'' --allow-tool '\''fabric-rti(kusto_list_tables)'\'' --allow-tool '\''fabric-rti(kusto_query)'\'' --allow-tool '\''fabric-rti(kusto_sample_function_data)'\'' --allow-tool '\''fabric-rti(kusto_sample_table_data)'\'' --allow-tool '\''fabric-rti(list_eventstreams)'\'' --allow-tool github --allow-tool markitdown --allow-tool '\''markitdown(*)'\'' --allow-tool memory --allow-tool '\''memory(delete_memory)'\'' --allow-tool '\''memory(list_memories)'\'' --allow-tool '\''memory(retrieve_memory)'\'' --allow-tool '\''memory(store_memory)'\'' --allow-tool microsoftdocs --allow-tool '\''microsoftdocs(*)'\'' --allow-tool notion --allow-tool '\''notion(get_database)'\'' --allow-tool '\''notion(get_page)'\'' --allow-tool '\''notion(query_database)'\'' --allow-tool '\''notion(search_pages)'\'' --allow-tool safeoutputs --allow-tool sentry --allow-tool '\''sentry(analyze_issue_with_seer)'\'' --allow-tool '\''sentry(find_dsns)'\'' --allow-tool '\''sentry(find_organizations)'\'' --allow-tool '\''sentry(find_projects)'\'' --allow-tool '\''sentry(find_releases)'\'' --allow-tool '\''sentry(find_teams)'\'' --allow-tool '\''sentry(get_doc)'\'' --allow-tool '\''sentry(get_event_attachment)'\'' --allow-tool '\''sentry(get_issue_details)'\'' --allow-tool '\''sentry(get_trace_details)'\'' --allow-tool '\''sentry(search_docs requires SENTRY_OPENAI_API_KEY)'\'' --allow-tool '\''sentry(search_events)'\'' --allow-tool '\''sentry(search_issues)'\'' --allow-tool '\''sentry(whoami)'\'' --allow-tool tavily --allow-tool '\''tavily(*)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/mcp-inspector.md b/.github/workflows/mcp-inspector.md index 7550c0e49a..69d7d351c9 100644 --- a/.github/workflows/mcp-inspector.md +++ b/.github/workflows/mcp-inspector.md @@ -47,7 +47,7 @@ tools: agentic-workflows: serena: ["go"] edit: - bash: false + bash: true cache-memory: true --- diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index e35f367b34..ee2def2289 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -21,7 +21,7 @@ # # Intelligent assistant that answers questions, analyzes repositories, and can create PRs for workflow optimizations # -# frontmatter-hash: de35b9e28a79e36a5507ca37018df9bb0cd47c5e540a6dfced2e28cf5a9d366e +# frontmatter-hash: dd49646805be784cc280539e9bcaee4913e56b2b65cb9a5e08db25929fce4d59 name: "Q" "on": @@ -791,14 +791,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/q.md b/.github/workflows/q.md index 270fe08285..62de27092f 100644 --- a/.github/workflows/q.md +++ b/.github/workflows/q.md @@ -22,7 +22,7 @@ tools: - actions - discussions edit: - bash: false + bash: true cache-memory: true safe-outputs: add-comment: diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index cd5cd12d47..75d6a6d82e 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -26,7 +26,7 @@ # - ../../skills/documentation/SKILL.md # - ../agents/technical-doc-writer.agent.md # -# frontmatter-hash: 63d36a0def545b25d802e807f3981ec33758e7eed97f94342eca687ec29e502f +# frontmatter-hash: 42d7e348a6da94a574d4e0108c40481a23dabab96476f5ecedc52a91420594cf name: "Rebuild the documentation after making changes" "on": @@ -1216,14 +1216,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md index 07e695546f..6a8dc914f7 100644 --- a/.github/workflows/technical-doc-writer.md +++ b/.github/workflows/technical-doc-writer.md @@ -66,7 +66,7 @@ tools: github: toolsets: [default] edit: - bash: false + bash: true timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 1db30937a9..1f21ac3285 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/ffmpeg.md # -# frontmatter-hash: 31026a1d520b47526ca2d0f8986895ecad623e0d48d864ddaff4759cb834ccc3 +# frontmatter-hash: 94cc0589aede07110b1d6cf1389de05ec934688bb94f1c2d067d22c1b6b31915 name: "Video Analysis Agent" "on": diff --git a/.github/workflows/video-analyzer.md b/.github/workflows/video-analyzer.md index 8d02bbc068..7983dd783e 100644 --- a/.github/workflows/video-analyzer.md +++ b/.github/workflows/video-analyzer.md @@ -19,7 +19,7 @@ imports: - shared/ffmpeg.md tools: - bash: false + bash: true safe-outputs: create-issue: diff --git a/pkg/cli/codemod_bash_anonymous.go b/pkg/cli/codemod_bash_anonymous.go index 5d3b3ced42..a7a8deb835 100644 --- a/pkg/cli/codemod_bash_anonymous.go +++ b/pkg/cli/codemod_bash_anonymous.go @@ -8,8 +8,8 @@ var bashAnonymousCodemodLog = logger.New("cli:codemod_bash_anonymous") func getBashAnonymousRemovalCodemod() Codemod { return Codemod{ ID: "bash-anonymous-removal", - Name: "Replace anonymous bash tool syntax with explicit false", - Description: "Replaces 'bash:' (anonymous/nil syntax) with 'bash: false' to make configuration explicit", + Name: "Replace anonymous bash tool syntax with explicit true", + Description: "Replaces 'bash:' (anonymous/nil syntax) with 'bash: true' to make configuration explicit", IntroducedIn: "0.9.0", Apply: func(content string, frontmatter map[string]any) (string, bool, error) { // Check if tools.bash exists @@ -40,22 +40,22 @@ func getBashAnonymousRemovalCodemod() Codemod { return content, false, err } - // Replace the bash field from anonymous to explicit false - modifiedLines, modified := replaceBashAnonymousWithFalse(frontmatterLines) + // Replace the bash field from anonymous to explicit true + modifiedLines, modified := replaceBashAnonymousWithTrue(frontmatterLines) if !modified { return content, false, nil } // Reconstruct the content newContent := reconstructContent(modifiedLines, markdown) - bashAnonymousCodemodLog.Print("Applied bash anonymous removal, replaced with 'bash: false'") + bashAnonymousCodemodLog.Print("Applied bash anonymous removal, replaced with 'bash: true'") return newContent, true, nil }, } } -// replaceBashAnonymousWithFalse replaces 'bash:' with 'bash: false' in the tools block -func replaceBashAnonymousWithFalse(lines []string) ([]string, bool) { +// replaceBashAnonymousWithTrue replaces 'bash:' with 'bash: true' in the tools block +func replaceBashAnonymousWithTrue(lines []string) ([]string, bool) { var result []string var modified bool var inToolsBlock bool @@ -82,14 +82,14 @@ func replaceBashAnonymousWithFalse(lines []string) ([]string, bool) { } } - // Replace bash: with bash: false if in tools block + // Replace bash: with bash: true if in tools block if inToolsBlock && (trimmed == "bash:" || startsWith(trimmed, "bash: ")) { // Check if it's just 'bash:' with nothing after the colon if trimmed == "bash:" { indent := getIndentation(line) - result = append(result, indent+"bash: false") + result = append(result, indent+"bash: true") modified = true - bashAnonymousCodemodLog.Printf("Replaced 'bash:' with 'bash: false'") + bashAnonymousCodemodLog.Printf("Replaced 'bash:' with 'bash: true'") continue } } diff --git a/pkg/cli/codemod_bash_anonymous_test.go b/pkg/cli/codemod_bash_anonymous_test.go index d49f0022da..bc80df91f1 100644 --- a/pkg/cli/codemod_bash_anonymous_test.go +++ b/pkg/cli/codemod_bash_anonymous_test.go @@ -21,7 +21,7 @@ func TestBashAnonymousRemovalCodemod(t *testing.T) { expectError bool }{ { - name: "replaces anonymous bash with bash: false", + name: "replaces anonymous bash with bash: true", input: `--- name: Test Workflow tools: @@ -103,7 +103,7 @@ name: Test Workflow if tt.expectApply { // Verify the output contains the replacement - assert.Contains(t, output, "bash: false", "Output should contain 'bash: false'") + assert.Contains(t, output, "bash: true", "Output should contain 'bash: true'") assert.NotContains(t, output, "bash:\n", "Output should not contain anonymous bash:") assert.NotContains(t, output, "bash: \n", "Output should not contain bash with space") @@ -135,7 +135,7 @@ tools: output, applied, err := codemod.Apply(input, result.Frontmatter) require.NoError(t, err) assert.True(t, applied, "Should apply when bash: is present") - assert.Contains(t, output, "bash: false", "Should replace with bash: false") + assert.Contains(t, output, "bash: true", "Should replace with bash: true") assert.Contains(t, output, "# Enable bash", "Should preserve comments") } @@ -162,16 +162,16 @@ tools: lines := strings.Split(output, "\n") var foundBash bool for _, line := range lines { - if strings.Contains(line, "bash: false") { + if strings.Contains(line, "bash: true") { foundBash = true // Should have 2-space indentation - assert.True(t, strings.HasPrefix(line, " bash: false"), "Should have proper indentation") + assert.True(t, strings.HasPrefix(line, " bash: true"), "Should have proper indentation") } } - assert.True(t, foundBash, "Should find bash: false in output") + assert.True(t, foundBash, "Should find bash: true in output") } -func TestReplaceBashAnonymousWithFalse(t *testing.T) { +func TestReplaceBashAnonymousWithTrue(t *testing.T) { tests := []struct { name string lines []string @@ -189,7 +189,7 @@ func TestReplaceBashAnonymousWithFalse(t *testing.T) { expectLines: []string{ "name: Test", "tools:", - " bash: false", + " bash: true", " github:", }, modified: true, @@ -230,7 +230,7 @@ func TestReplaceBashAnonymousWithFalse(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result, modified := replaceBashAnonymousWithFalse(tt.lines) + result, modified := replaceBashAnonymousWithTrue(tt.lines) assert.Equal(t, tt.modified, modified, "Modified status mismatch") assert.Equal(t, tt.expectLines, result, "Output lines mismatch") })