diff --git a/docs/public/editor/autocomplete-data.json b/docs/public/editor/autocomplete-data.json index 2253e56031..ec51e64877 100644 --- a/docs/public/editor/autocomplete-data.json +++ b/docs/public/editor/autocomplete-data.json @@ -1490,6 +1490,12 @@ "enum": [true, false], "leaf": true }, + "private": { + "type": "boolean", + "desc": "Mark the workflow as private, preventing it from being added to other repositories via 'gh aw add'.", + "enum": [true, false], + "leaf": true + }, "safe-inputs": { "type": "object", "desc": "Safe inputs configuration for defining custom lightweight MCP tools as JavaScript, shell scripts, or Python scripts." @@ -1537,6 +1543,7 @@ "bots", "rate-limit", "strict", + "private", "safe-inputs", "runtimes", "jobs" diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md index 30f5d1e860..e33690735b 100644 --- a/docs/src/content/docs/reference/frontmatter-full.md +++ b/docs/src/content/docs/reference/frontmatter-full.md @@ -565,10 +565,17 @@ on: query: "example-value" # Maximum number of items that must be matched for the workflow to be skipped. - # Defaults to 1 if not specified. + # Defaults to 1 if not specified. Supports integer or GitHub Actions expression + # (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Conditionally skip workflow execution when a GitHub search query has no matches # (or fewer than minimum). Can be a string (query only, implies min=1) or an # object with 'query' and optional 'min' fields. 
@@ -1526,31 +1533,16 @@ tools: # (optional) # This field supports multiple formats (oneOf): - # Option 1: Enable Playwright tool with default settings (localhost access only - # for security) + # Option 1: Enable Playwright tool with default settings playwright: null - # Option 2: Playwright tool configuration with custom version and domain - # restrictions + # Option 2: Playwright tool configuration with custom version and arguments playwright: # Optional Playwright container version (e.g., 'v1.41.0', 1.41, 20). Numeric # values are automatically converted to strings at runtime. # (optional) version: null - # Domains allowed for Playwright browser network access. Defaults to localhost - # only for security. - # (optional) - # This field supports multiple formats (oneOf): - - # Option 1: List of allowed domains or patterns (e.g., ['github.com', - # '*.example.com']) - allowed_domains: [] - # Array items: string - - # Option 2: Single allowed domain (e.g., 'github.com') - allowed_domains: "example-value" - # Optional additional arguments to append to the generated MCP server command # (optional) args: [] @@ -1937,10 +1929,17 @@ safe-outputs: assignees: [] # Array items: string - # Maximum number of issues to create (default: 1) + # Maximum number of issues to create (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository issue creation. # Takes precedence over trial target repo settings. # (optional) 
@@ -2006,10 +2005,17 @@ safe-outputs: # (optional) base: "example-value" - # Maximum number of agent sessions to create (default: 1) + # Maximum number of agent sessions to create (default: 1) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository agent session # creation. Takes precedence over trial target repo settings. # (optional) @@ -2045,10 +2051,17 @@ safe-outputs: # (optional) base: "example-value" - # Maximum number of agent sessions to create (default: 1) + # Maximum number of agent sessions to create (default: 1) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository agent session # creation. Takes precedence over trial target repo settings. # (optional) @@ -2091,10 +2104,17 @@ safe-outputs: # operation=create_fields), view (view config object when operation=create_view). update-project: # Maximum number of project operations to perform (default: 10). Each operation - # may add a project item, or update its fields. + # may add a project item, or update its fields. Supports integer or GitHub Actions + # expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. # (optional) 
@@ -2163,10 +2183,17 @@ safe-outputs: # and optional field_definitions. Returns a temporary project ID for use in # subsequent update_project operations. create-project: - # Maximum number of create operations to perform (default: 1). + # Maximum number of create operations to perform (default: 1). Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Must have Projects write # permission. Overrides global github-token if specified. # (optional) @@ -2248,10 +2275,17 @@ safe-outputs: # inactive), dates, and progress details. create-project-status-update: # Maximum number of status updates to create (default: 1). Typically 1 per - # orchestrator run. + # orchestrator run. Supports integer or GitHub Actions expression (e.g. '${{ + # inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. Must have Projects: Read+Write permission. # (optional) 
@@ -2301,10 +2335,17 @@ safe-outputs: allowed-labels: [] # Array of strings - # Maximum number of discussions to create (default: 1) + # Maximum number of discussions to create (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository discussion # creation. Takes precedence over trial target repo settings. # (optional) @@ -2386,10 +2427,17 @@ safe-outputs: # (optional) target: "example-value" - # Maximum number of discussions to close (default: 1) + # Maximum number of discussions to close (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository operations. Takes # precedence over trial target repo settings. # (optional) @@ -2430,10 +2478,17 @@ safe-outputs: allowed-labels: [] # Array of strings - # Maximum number of discussions to update (default: 1) + # Maximum number of discussions to update (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository discussion # updates. Takes precedence over trial target repo settings. # (optional) 
@@ -2470,10 +2525,17 @@ safe-outputs: # (optional) target: "example-value" - # Maximum number of issues to close (default: 1) + # Maximum number of issues to close (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository operations. Takes # precedence over trial target repo settings. # (optional) @@ -2512,10 +2574,17 @@ safe-outputs: # (optional) target: "example-value" - # Maximum number of pull requests to close (default: 1) + # Maximum number of pull requests to close (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository operations. Takes # precedence over trial target repo settings. # (optional) @@ -2556,10 +2625,17 @@ safe-outputs: # (optional) target: "example-value" - # Maximum number of pull requests to mark as ready (default: 1) + # Maximum number of pull requests to mark as ready (default: 1) Supports integer + # or GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository operations. Takes # precedence over trial target repo settings. # (optional) 
@@ -2583,10 +2659,17 @@ safe-outputs: # Option 1: Configuration for automatically creating GitHub issue or pull request # comments from AI workflow output. The main job does not need write permissions. add-comment: - # Maximum number of comments to create (default: 1) + # Maximum number of comments to create (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target for comments: 'triggering' (default), '*' (any issue), or explicit issue # number # (optional) @@ -2636,10 +2719,17 @@ safe-outputs: # output. Supports creating multiple PRs in a single run when max > 1. create-pull-request: # Maximum number of pull requests to create (default: 1). Each PR requires - # distinct changes on a separate branch. + # distinct changes on a separate branch. Supports integer or GitHub Actions + # expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Optional prefix for the pull request title # (optional) title-prefix: "example-value" @@ -2673,9 +2763,10 @@ safe-outputs: reviewers: [] # Array items: string - # Whether to create pull request as draft (defaults to true) + # Whether to create pull request as draft (defaults to true). Accepts a boolean or + # a GitHub Actions expression. # (optional) - draft: true + draft: null # Behavior when no changes to push: 'warn' (default - log warning but succeed), # 'error' (fail the action), or 'ignore' (silent success) 
@@ -2756,10 +2847,17 @@ safe-outputs: # Option 1: Configuration for creating GitHub pull request review comments from # agentic workflow output create-pull-request-review-comment: - # Maximum number of review comments to create (default: 10) + # Maximum number of review comments to create (default: 10) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Side of the diff for comments: 'LEFT' or 'RIGHT' (default: 'RIGHT') # (optional) side: "LEFT" @@ -2801,10 +2899,17 @@ safe-outputs: # create-pull-request-review-comment outputs are collected and submitted as part # of this review. submit-pull-request-review: - # Maximum number of reviews to submit (default: 1) + # Maximum number of reviews to submit (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Controls when AI-generated footer is added to the review body. Accepts boolean # (true/false) or string ('always', 'none', 'if-body'). The 'if-body' mode is # useful for clean approval reviews without body text. Defaults to 'always'. 
@@ -2841,10 +2946,17 @@ safe-outputs: # Option 1: Configuration for replying to existing pull request review comments reply-to-pull-request-review-comment: - # Maximum number of replies to create (default: 10) + # Maximum number of replies to create (default: 10) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target for replies: 'triggering' (default), '*' (any PR), or explicit PR number # (optional) target: "example-value" @@ -2880,10 +2992,17 @@ safe-outputs: # Resolution is scoped to the triggering PR only — threads on other PRs cannot be # resolved. resolve-pull-request-review-thread: - # Maximum number of review threads to resolve (default: 10) + # Maximum number of review threads to resolve (default: 10) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. # (optional) 
@@ -2900,10 +3019,17 @@ safe-outputs: # Option 1: Configuration for creating repository security advisories (SARIF # format) from agentic workflow output create-code-scanning-alert: - # Maximum number of security findings to include (default: unlimited) + # Maximum number of security findings to include (default: unlimited) Supports + # integer or GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Driver name for SARIF tool.driver.name field (default: 'GitHub Agentic Workflows # Security Scanner') # (optional) @@ -2925,10 +3051,17 @@ safe-outputs: # Option 1: Configuration for creating autofixes for code scanning alerts autofix-code-scanning-alert: - # Maximum number of autofixes to create (default: 10) + # Maximum number of autofixes to create (default: 10) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. # (optional) @@ -2964,10 +3097,17 @@ safe-outputs: blocked: [] # Array of strings - # Optional maximum number of labels to add (default: 3) + # Optional maximum number of labels to add (default: 3) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target for labels: 'triggering' (default), '*' (any issue/PR), or explicit # issue/PR number # (optional) 
@@ -3014,10 +3154,17 @@ safe-outputs: blocked: [] # Array of strings - # Optional maximum number of labels to remove (default: 3) + # Optional maximum number of labels to remove (default: 3) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target for labels: 'triggering' (default), '*' (any issue/PR), or explicit # issue/PR number # (optional) @@ -3049,10 +3196,17 @@ safe-outputs: reviewers: [] # Array of strings - # Optional maximum number of reviewers to add (default: 3) + # Optional maximum number of reviewers to add (default: 3) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target for reviewers: 'triggering' (default), '*' (any PR), or explicit PR # number # (optional) @@ -3085,10 +3239,17 @@ safe-outputs: allowed: [] # Array of strings - # Optional maximum number of milestone assignments (default: 1) + # Optional maximum number of milestone assignments (default: 1) Supports integer + # or GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository milestone # assignment. Takes precedence over trial target repo settings. # (optional) 
@@ -3137,10 +3298,17 @@ safe-outputs: allowed: [] # Array of strings - # Optional maximum number of agent assignments (default: 1) + # Optional maximum number of agent assignments (default: 1) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target issue/PR to assign agents to. Use 'triggering' (default) for the # triggering issue/PR, '*' to require explicit issue_number/pull_number, or a # specific issue/PR number. With 'triggering', auto-resolves from @@ -3210,10 +3378,17 @@ safe-outputs: blocked: [] # Array of strings - # Optional maximum number of user assignments (default: 1) + # Optional maximum number of user assignments (default: 1) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target issue to assign users to. Use 'triggering' (default) for the triggering # issue, '*' to allow any issue, or a specific issue number. # (optional) @@ -3258,10 +3433,17 @@ safe-outputs: blocked: [] # Array of strings - # Optional maximum number of unassignment operations (default: 1) + # Optional maximum number of unassignment operations (default: 1) Supports integer + # or GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target issue to unassign users from. Use 'triggering' (default) for the # triggering issue, '*' to allow any issue, or a specific issue number. # (optional) 
@@ -3294,10 +3476,17 @@ safe-outputs: # Option 2: Configuration for linking issues as sub-issues from agentic workflow # output link-sub-issue: - # Maximum number of sub-issue links to create (default: 5) + # Maximum number of sub-issue links to create (default: 5) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Optional list of labels that parent issues must have to be eligible for linking # (optional) parent-required-labels: [] @@ -3358,10 +3547,17 @@ safe-outputs: # (optional) footer: true - # Maximum number of issues to update (default: 1) + # Maximum number of issues to update (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository issue updates. # Takes precedence over trial target repo settings. # (optional) 
@@ -3401,10 +3597,23 @@ safe-outputs: # (optional) operation: "append" - # Maximum number of pull requests to update (default: 1) + # Controls whether AI-generated footer is added when updating the pull request + # body. When false, the visible footer content is omitted but XML markers are + # still included. Defaults to true. Only applies when 'body' is enabled. # (optional) + footer: true + + # Maximum number of pull requests to update (default: 1) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository pull request # updates. Takes precedence over trial target repo settings. # (optional) @@ -3432,10 +3641,17 @@ safe-outputs: # workflow output. Supports pushing to multiple PRs in a single run when max > 1. push-to-pull-request-branch: # Maximum number of push operations to perform (default: 1). Each push targets a - # different pull request branch. + # different pull request branch. Supports integer or GitHub Actions expression + # (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # The branch to push changes to (defaults to 'triggering') # (optional) branch: "example-value" 
@@ -3487,10 +3703,17 @@ safe-outputs: # Option 2: Configuration for hiding comments on GitHub issues, pull requests, or # discussions from agentic workflow output hide-comment: - # Maximum number of comments to hide (default: 5) + # Maximum number of comments to hide (default: 5) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository in format 'owner/repo' for cross-repository comment hiding. # Takes precedence over trial target repo settings. # (optional) @@ -3523,9 +3746,16 @@ safe-outputs: # Array of strings # Maximum number of workflow dispatch operations per run (default: 1, max: 50) + # Supports integer or GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for dispatching workflows. Overrides global github-token if # specified. # (optional) @@ -3543,10 +3773,17 @@ safe-outputs: # Option 1: Configuration for reporting missing tools from agentic workflow output missing-tool: - # Maximum number of missing tool reports (default: unlimited) + # Maximum number of missing tool reports (default: unlimited) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Whether to create or update GitHub issues when tools are missing (default: true) # (optional) create-issue: true 
@@ -3582,10 +3819,17 @@ safe-outputs: # goals. Encourages AI agents to be truthful about data gaps instead of # hallucinating information. missing-data: - # Maximum number of missing data reports (default: unlimited) + # Maximum number of missing data reports (default: unlimited) Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Whether to create or update GitHub issues when data is missing (default: true) # (optional) create-issue: true @@ -3620,10 +3864,17 @@ safe-outputs: # Option 1: Configuration for no-op safe output (logging only, no GitHub API # calls). Always available as a fallback to ensure human-visible artifacts. noop: - # Maximum number of noop messages (default: 1) + # Maximum number of noop messages (default: 1) Supports integer or GitHub Actions + # expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. # (optional) @@ -3661,10 +3912,17 @@ safe-outputs: allowed-exts: [] # Array of strings - # Maximum number of assets to upload (default: 10) + # Maximum number of assets to upload (default: 10) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # GitHub token to use for this specific output type. Overrides global github-token # if specified. # (optional) 
@@ -3680,10 +3938,17 @@ safe-outputs: # Option 1: Configuration for updating GitHub release descriptions update-release: - # Maximum number of releases to update (default: 1) + # Maximum number of releases to update (default: 1) Supports integer or GitHub + # Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Target repository for cross-repo release updates (format: owner/repo). If not # specified, updates releases in the workflow's repository. # (optional) @@ -3895,10 +4160,17 @@ safe-outputs: allowed: [] # Array of strings - # Maximum number of mentions allowed per message. Default: 50 + # Maximum number of mentions allowed per message. Default: 50 Supports integer or + # GitHub Actions expression (e.g. '${{ inputs.max }}'). # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Global footer control for all safe outputs. When false, omits visible # AI-generated footer content from all created/updated entities (issues, PRs, # discussions, releases) while still including XML markers for searchability. 
@@ -3913,6 +4185,18 @@ safe-outputs: # (optional) group-reports: true + # Maximum number of bot trigger references (e.g. 'fixes #123', 'closes #456') + # allowed in output before all of them are neutralized. Default: 10. Supports + # integer or GitHub Actions expression (e.g. '${{ inputs.max-bot-mentions }}'). + # (optional) + # This field supports multiple formats (oneOf): + + # Option 1: integer + max-bot-mentions: 1 + + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max-bot-mentions: "example-value" + # Runner specification for all safe-outputs jobs (activation, create-issue, # add-comment, etc.). Single runner label (e.g., 'ubuntu-slim', 'ubuntu-latest', # 'windows-latest', 'self-hosted'). Defaults to 'ubuntu-slim'. See @@ -3942,9 +4226,16 @@ bots: [] # (optional) rate-limit: # Maximum number of workflow runs allowed per user within the time window. - # Required field. + # Required field. Supports integer or GitHub Actions expression (e.g. '${{ + # inputs.max }}'). + # This field supports multiple formats (oneOf): + + # Option 1: integer max: 1 + # Option 2: GitHub Actions expression that resolves to an integer at runtime + max: "example-value" + # Time window in minutes for rate limiting. Defaults to 60 (1 hour). Maximum: 180 # (3 hours). # (optional) @@ -3980,6 +4271,12 @@ rate-limit: # (optional) strict: true +# Mark the workflow as private, preventing it from being added to other +# repositories via 'gh aw add'. A workflow with private: true is not meant to be +# shared outside its repository. +# (optional) +private: true + # Safe inputs configuration for defining custom lightweight MCP tools as # JavaScript, shell scripts, or Python scripts. Tools are mounted in an MCP server # and have access to secrets specified by the user. Only one of 'script' diff --git a/pkg/cli/add_private_test.go b/pkg/cli/add_private_test.go new file mode 100644 index 0000000000..b6b17bb93f --- /dev/null +++ b/pkg/cli/add_private_test.go 
@@ -0,0 +1,63 @@ +//go:build !integration + +package cli + +import ( + "testing" +) + +// TestExtractWorkflowPrivate tests the ExtractWorkflowPrivate function +func TestExtractWorkflowPrivate(t *testing.T) { + tests := []struct { + name string + content string + expected bool + }{ + { + name: "workflow with private: true", + content: `--- +name: Test Workflow +private: true +on: push +--- + +# Test Workflow`, + expected: true, + }, + { + name: "workflow with private: false", + content: `--- +name: Test Workflow +private: false +on: push +--- + +# Test Workflow`, + expected: false, + }, + { + name: "workflow without private field", + content: `--- +name: Test Workflow +on: push +--- + +# Test Workflow`, + expected: false, + }, + { + name: "workflow without frontmatter", + content: "# Test Workflow\n\nThis is the workflow content.", + expected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := ExtractWorkflowPrivate(tt.content) + if result != tt.expected { + t.Errorf("ExtractWorkflowPrivate() = %v, want %v", result, tt.expected) + } + }) + } +} diff --git a/pkg/cli/add_workflow_resolution.go b/pkg/cli/add_workflow_resolution.go index e552fc5f31..f5b45ad0ef 100644 --- a/pkg/cli/add_workflow_resolution.go +++ b/pkg/cli/add_workflow_resolution.go @@ -28,6 +28,8 @@ type ResolvedWorkflow struct { Engine string // HasWorkflowDispatch indicates if the workflow has workflow_dispatch trigger HasWorkflowDispatch bool + // IsPrivate indicates if the workflow has private: true in its frontmatter + IsPrivate bool } // ResolvedWorkflows contains all resolved workflows ready to be added 
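Review bot: The table in TestExtractWorkflowPrivate covers only well-formed input (true, false, absent, no frontmatter) and leaves out the two paths where ExtractWorkflowPrivate silently returns false: a frontmatter parse error and a `private` value that is not a YAML boolean. Since the flag gates whether `gh aw add` refuses a workflow, add one case with a quoted value such as `private: "true"` and one with malformed frontmatter, so the result for those inputs is pinned deliberately. The expected value in those cases should follow whichever behaviour is intended (reject or allow), not whatever the current implementation returns.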
@@ -126,6 +128,12 @@ func ResolveWorkflows(workflows []string, verbose bool) (*ResolvedWorkflows, err // Extract engine from content (if specified in frontmatter) engine := ExtractWorkflowEngine(string(fetched.Content)) + // Check if workflow is private - private workflows cannot be added to other repositories + isPrivate := ExtractWorkflowPrivate(string(fetched.Content)) + if isPrivate { + return nil, fmt.Errorf("workflow '%s' is private and cannot be added to other repositories", spec.String()) + } + // Check for workflow_dispatch trigger in content workflowHasDispatch := checkWorkflowHasDispatchFromContent(string(fetched.Content)) if workflowHasDispatch { @@ -139,6 +147,7 @@ func ResolveWorkflows(workflows []string, verbose bool) (*ResolvedWorkflows, err Description: description, Engine: engine, HasWorkflowDispatch: workflowHasDispatch, + IsPrivate: isPrivate, }) } diff --git a/pkg/cli/packages.go b/pkg/cli/packages.go index c4ffc4e436..c825fea32b 100644 --- a/pkg/cli/packages.go +++ b/pkg/cli/packages.go @@ -267,6 +267,23 @@ func ExtractWorkflowEngine(content string) string { return "" } +// ExtractWorkflowPrivate extracts the private field from workflow content string. +// Returns true if the workflow has private: true in its frontmatter. +func ExtractWorkflowPrivate(content string) bool { + result, err := parser.ExtractFrontmatterFromContent(content) + if err != nil { + return false + } + + if private, ok := result.Frontmatter["private"]; ok { + if privateBool, ok := private.(bool); ok { + return privateBool + } + } + + return false +} + // ExtractWorkflowDescriptionFromFile extracts the description field from a workflow file func ExtractWorkflowDescriptionFromFile(filePath string) string { content, err := os.ReadFile(filePath) diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index cecb12b4ce..43518b3c30 100644 --- a/pkg/parser/schemas/main_workflow_schema.json 
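Review bot: Because this guard returns before the `ResolvedWorkflow` literal is built, the `IsPrivate: isPrivate` assignment in the next hunk (`@@ -139,6 +147,7 @@`) can only ever store false, and the new `IsPrivate` struct field is never true for any caller. Either drop the field or document it as always false for resolved workflows. The check also runs after `fetched.Content` has already been retrieved, so it is a convention honoured by this CLI rather than an access control, and the comment should say so: `// Advisory: 'private' is honoured only by this CLI check; it does not restrict who can read or copy the workflow file.` Minor: `%q` is the usual Go form for the quoted spec in the error string instead of `'%s'`. The body of `ResolveWorkflows` starts and ends outside the hunk.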
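Review bot: `ExtractWorkflowPrivate` fails open: a frontmatter parse error and a `private` value that is not a Go `bool` both return false, which `ResolveWorkflows` reads as "may be added". For a flag whose only job is to block the add, a value that is present but unreadable is safer treated as private, e.g. `b, isBool := private.(bool); return !isBool || b` inside the outer `ok` branch. The parse-error branch is harder to fix behind a bare `bool` result. Consider returning `(bool, error)` so the caller can refuse instead of guessing, unless the fetched content is already validated against the schema before this point (not visible in this diff).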
+++ b/pkg/parser/schemas/main_workflow_schema.json @@ -6953,6 +6953,12 @@ "description": "Enable strict mode validation for enhanced security and compliance. Strict mode enforces: (1) Write Permissions - refuses contents:write, issues:write, pull-requests:write; requires safe-outputs instead, (2) Network Configuration - requires explicit network configuration with no standalone wildcard '*' in allowed domains (patterns like '*.example.com' are allowed), (3) Action Pinning - enforces actions pinned to commit SHAs instead of tags/branches, (4) MCP Network - requires network configuration for custom MCP servers with containers, (5) Deprecated Fields - refuses deprecated frontmatter fields. Can be enabled per-workflow via 'strict: true' in frontmatter, or disabled via 'strict: false'. CLI flag takes precedence over frontmatter (gh aw compile --strict enforces strict mode). Defaults to true. See: https://github.github.com/gh-aw/reference/frontmatter/#strict-mode-strict", "examples": [true, false] }, + "private": { + "type": "boolean", + "default": false, + "description": "Mark the workflow as private, preventing it from being added to other repositories via 'gh aw add'. A workflow with private: true is not meant to be shared outside its repository.", + "examples": [true, false] + }, "safe-inputs": { "type": "object", "description": "Safe inputs configuration for defining custom lightweight MCP tools as JavaScript, shell scripts, or Python scripts. Tools are mounted in an MCP server and have access to secrets specified by the user. Only one of 'script' (JavaScript), 'run' (shell), or 'py' (Python) must be specified per tool.", diff --git a/pkg/workflow/frontmatter_types.go b/pkg/workflow/frontmatter_types.go index 08373ac742..f95ca746f3 100644 --- a/pkg/workflow/frontmatter_types.go +++ b/pkg/workflow/frontmatter_types.go 
@@ -99,7 +99,8 @@ type FrontmatterConfig struct { TrackerID string `json:"tracker-id,omitempty"` Version string `json:"version,omitempty"` TimeoutMinutes int `json:"timeout-minutes,omitempty"` - Strict *bool `json:"strict,omitempty"` // Pointer to distinguish unset from false + Strict *bool `json:"strict,omitempty"` // Pointer to distinguish unset from false + Private *bool `json:"private,omitempty"` // If true, workflow cannot be added to other repositories Labels []string `json:"labels,omitempty"` // Configuration sections - using strongly-typed structs
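Review bot: The new `Private *bool` field has no reader in this diff. The enforcement in `ExtractWorkflowPrivate` looks up the untyped `Frontmatter["private"]` map entry instead, so the same key is interpreted in two independent places that can drift apart. It would help to note on the field which path is authoritative for `gh aw add`, or to have the check consume this typed value. The comment also drops the nil semantics that the `Strict` line spells out; suggest `// Pointer to distinguish unset from false; nil or false means the workflow may be added to other repositories`. The `FrontmatterConfig` struct starts and ends outside the hunk.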