diff --git a/.github/workflows/dev.firewall.lock.yml b/.github/workflows/dev.firewall.lock.yml index 64c1bd31b7..7232998a2e 100644 --- a/.github/workflows/dev.firewall.lock.yml +++ b/.github/workflows/dev.firewall.lock.yml @@ -118,6 +118,19 @@ jobs: uses: actions/setup-node@v4 with: node-version: '24' + - name: Install awf binary + run: | + LATEST_TAG=$(gh release view --repo githubnext/gh-aw-firewall --json tagName --jq .tagName) + echo "Installing awf from release: $LATEST_TAG" + curl -L https://github.com/githubnext/gh-aw-firewall/releases/download/${LATEST_TAG}/awf-linux-x64 -o awf + chmod +x awf + sudo mv awf /usr/local/bin/ + which awf + awf --version + env: + GH_TOKEN: ${{ github.token }} + - name: Cleanup any existing awf resources + run: ./scripts/ci/cleanup.sh || true - name: Install GitHub Copilot CLI run: npm install -g @github/copilot@0.0.347 - name: Downloading container images @@ -343,7 +356,7 @@ jobs: if-no-files-found: warn - name: Capture agent version run: | - VERSION_OUTPUT=$(copilot --version 2>&1 || echo "unknown") + VERSION_OUTPUT=$(npx -y @github/copilot@0.0.347 --version 2>&1 || echo "unknown") # Extract semantic version pattern (e.g., 1.2.3, v1.2.3-beta) CLEAN_VERSION=$(echo "$VERSION_OUTPUT" | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?' | head -n1 || echo "unknown") echo "AGENT_VERSION=$CLEAN_VERSION" >> $GITHUB_ENV @@ -395,12 +408,20 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - COPILOT_CLI_INSTRUCTION=$(cat /tmp/gh-aw/aw-prompts/prompt.txt) - mkdir -p /tmp/ - mkdir -p /tmp/gh-aw/ - mkdir -p /tmp/gh-aw/agent/ - mkdir -p /tmp/gh-aw/.copilot/logs/ - copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/.copilot/logs/ --disable-builtin-mcps --allow-tool github --prompt "$COPILOT_CLI_INSTRUCTION" 2>&1 | tee /tmp/gh-aw/agent-stdio.log + sudo -E awf --env-all \ + --allow-domains api.enterprise.githubcopilot.com,api.github.com,github.com,raw.githubusercontent.com,registry.npmjs.org \ + --log-level debug \ + 'npx -y @github/copilot@0.0.347 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --allow-tool github --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' \ + 2>&1 | tee /tmp/gh-aw/agent-stdio.log + + # Move preserved Copilot logs to expected location + COPILOT_LOGS_DIR=$(ls -td /tmp/copilot-logs-* 2>/dev/null | head -1) + if [ -n "$COPILOT_LOGS_DIR" ] && [ -d "$COPILOT_LOGS_DIR" ]; then + echo "Moving Copilot logs from $COPILOT_LOGS_DIR to /tmp/gh-aw/.copilot/logs/" + mkdir -p /tmp/gh-aw/.copilot/logs/ + mv "$COPILOT_LOGS_DIR"/* /tmp/gh-aw/.copilot/logs/ || true + rmdir "$COPILOT_LOGS_DIR" || true + fi env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json @@ -538,6 +559,24 @@ jobs: name: mcp-logs path: /tmp/gh-aw/mcp-logs/ if-no-files-found: ignore + - name: Agent Firewall logs + if: always() + run: | + # Squid logs are preserved in timestamped directories + SQUID_LOGS_DIR=$(ls -td /tmp/squid-logs-* 2>/dev/null | head -1) + if [ -n "$SQUID_LOGS_DIR" ] && [ -d "$SQUID_LOGS_DIR" ]; then + echo "Found Squid logs at: $SQUID_LOGS_DIR" + mkdir -p /tmp/gh-aw/squid-logs-dev-firewall/ + sudo cp -r "$SQUID_LOGS_DIR"/* /tmp/gh-aw/squid-logs-dev-firewall/ || true + sudo chmod -R a+r /tmp/gh-aw/squid-logs-dev-firewall/ || true + fi + - name: Upload Squid logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: squid-logs-dev-firewall + path: /tmp/gh-aw/squid-logs-dev-firewall/ + if-no-files-found: ignore - name: Parse agent logs for step summary if: always() uses: actions/github-script@v8 @@ -1367,6 +1406,9 @@ jobs: name: agent-stdio.log path: /tmp/gh-aw/agent-stdio.log if-no-files-found: warn + - name: Cleanup awf resources + if: always() + run: ./scripts/ci/cleanup.sh || true - name: Validate agent logs for errors if: always() uses: actions/github-script@v8 diff --git a/.github/workflows/shared/genaiscript.md b/.github/workflows/shared/genaiscript.md index 014b7a58c8..539dcde23f 100644 --- a/.github/workflows/shared/genaiscript.md +++ b/.github/workflows/shared/genaiscript.md @@ -3,13 +3,13 @@ engine: id: custom env: GH_AW_AGENT_VERSION: "2.5.1" - GH_AW_AGENT_MODEL_VERSION: "openai:gpt-4.1" + GH_AW_AGENT_MODEL_VERSION: "openai:gpt-4o" steps: - name: Validate OPENAI_API_KEY secret run: | if [ -z "$OPENAI_API_KEY" ]; then echo "Error: OPENAI_API_KEY secret is not set" - echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured." + echo "The GenAIScript engine with openai:gpt-4o model requires OPENAI_API_KEY secret to be configured." echo "Please configure this secret in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/" exit 1 @@ -72,7 +72,7 @@ imports: **Note**: - This workflow requires internet access to install npm packages - The genaiscript version can be customized by setting the `GH_AW_AGENT_VERSION` environment variable (default: `2.5.1`) -- The AI model can be customized by setting the `GH_AW_AGENT_MODEL_VERSION` environment variable (default: `openai:gpt-4.1`) +- The AI model can be customized by setting the `GH_AW_AGENT_MODEL_VERSION` environment variable (default: `openai:gpt-4o`) - MCP server configuration is automatically passed if configured in the workflow - When using `openai:` models, ensure the `OPENAI_API_KEY` secret is configured in your repository settings --> diff --git a/.github/workflows/smoke-genaiscript.lock.yml b/.github/workflows/smoke-genaiscript.lock.yml index 254b4cc1fc..a9dc4917e0 100644 --- a/.github/workflows/smoke-genaiscript.lock.yml +++ b/.github/workflows/smoke-genaiscript.lock.yml @@ -1110,14 +1110,14 @@ jobs: run: | if [ -z "$OPENAI_API_KEY" ]; then echo "Error: OPENAI_API_KEY secret is not set" - echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured." + echo "The GenAIScript engine with openai:gpt-4o model requires OPENAI_API_KEY secret to be configured." echo "Please configure this secret in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/" exit 1 fi echo "OPENAI_API_KEY secret is configured" env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1128,7 +1128,7 @@ jobs: - name: Install GenAIScript run: npm install -g genaiscript@${GH_AW_AGENT_VERSION} && genaiscript --version env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1147,7 +1147,7 @@ jobs: echo "Generated GenAI prompt file:" cat /tmp/gh-aw/aw-prompts/prompt.genai.md env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1159,7 +1159,7 @@ jobs: run: genaiscript run /tmp/gh-aw/aw-prompts/prompt.genai.md --mcp-config $GH_AW_MCP_CONFIG --out /tmp/gh-aw/genaiscript-output.md env: DEBUG: genaiscript:* - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -2521,14 +2521,14 @@ jobs: run: | if [ -z "$OPENAI_API_KEY" ]; then echo "Error: OPENAI_API_KEY secret is not set" - echo "The GenAIScript engine with openai:gpt-4.1 model requires OPENAI_API_KEY secret to be configured." + echo "The GenAIScript engine with openai:gpt-4o model requires OPENAI_API_KEY secret to be configured." echo "Please configure this secret in your repository settings." echo "Documentation: https://githubnext.github.io/gh-aw/reference/engines/" exit 1 fi echo "OPENAI_API_KEY secret is configured" env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -2539,7 +2539,7 @@ jobs: - name: Install GenAIScript run: npm install -g genaiscript@${GH_AW_AGENT_VERSION} && genaiscript --version env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -2558,7 +2558,7 @@ jobs: echo "Generated GenAI prompt file:" cat /tmp/gh-aw/aw-prompts/prompt.genai.md env: - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -2570,7 +2570,7 @@ jobs: run: genaiscript run /tmp/gh-aw/aw-prompts/prompt.genai.md --mcp-config $GH_AW_MCP_CONFIG --out /tmp/gh-aw/genaiscript-output.md env: DEBUG: genaiscript:* - GH_AW_AGENT_MODEL_VERSION: openai:gpt-4.1 + GH_AW_AGENT_MODEL_VERSION: openai:gpt-4o GH_AW_AGENT_VERSION: 2.5.1 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/mcp-servers.json GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt