diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 767dcd6e27..13156845b2 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -23,7 +23,7 @@ "actions/create-github-app-token@v2": { "repo": "actions/create-github-app-token", "version": "v2", - "sha": "7e473efe3cb98aa54f8d4bac15400b15fad77d94" + "sha": "29824e69f54612133e76f7eaac726eef6c875baf" }, "actions/download-artifact@v6": { "repo": "actions/download-artifact", diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 840d19fe6d..0f3523450a 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -218,8 +218,8 @@ # Pinned GitHub Actions: # - actions/checkout@v5 (93cb6efe18208431cddfb8368fd83d5badbf9bfd) # https://github.com/actions/checkout/commit/93cb6efe18208431cddfb8368fd83d5badbf9bfd -# - actions/create-github-app-token@v2 (7e473efe3cb98aa54f8d4bac15400b15fad77d94) -# https://github.com/actions/create-github-app-token/commit/7e473efe3cb98aa54f8d4bac15400b15fad77d94 +# - actions/create-github-app-token@v2 (29824e69f54612133e76f7eaac726eef6c875baf) +# https://github.com/actions/create-github-app-token/commit/29824e69f54612133e76f7eaac726eef6c875baf # - actions/download-artifact@v6 (018cc2cf5baa6db3ef3c5f8a56943fffe632ef53) # https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # - actions/github-script@v8 (ed597411d8f924073f98dfc5c65a23a2325f34cd) @@ -5103,7 +5103,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} 
@@ -5604,7 +5604,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index a5f7ae9e01..7c51cd7a4b 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -316,8 +316,8 @@ # Pinned GitHub Actions: # - actions/checkout@v5 (93cb6efe18208431cddfb8368fd83d5badbf9bfd) # https://github.com/actions/checkout/commit/93cb6efe18208431cddfb8368fd83d5badbf9bfd -# - actions/create-github-app-token@v2 (7e473efe3cb98aa54f8d4bac15400b15fad77d94) -# https://github.com/actions/create-github-app-token/commit/7e473efe3cb98aa54f8d4bac15400b15fad77d94 +# - actions/create-github-app-token@v2 (29824e69f54612133e76f7eaac726eef6c875baf) +# https://github.com/actions/create-github-app-token/commit/29824e69f54612133e76f7eaac726eef6c875baf # - actions/download-artifact@v6 (018cc2cf5baa6db3ef3c5f8a56943fffe632ef53) # https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # - actions/github-script@v8 (ed597411d8f924073f98dfc5c65a23a2325f34cd) @@ -5586,7 +5586,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} 
@@ -6379,7 +6379,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} @@ -6893,7 +6893,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index b7344707cf..b6d2f077f6 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -380,8 +380,8 @@ # Pinned GitHub Actions: # - actions/checkout@v5 (93cb6efe18208431cddfb8368fd83d5badbf9bfd) # https://github.com/actions/checkout/commit/93cb6efe18208431cddfb8368fd83d5badbf9bfd -# - actions/create-github-app-token@v2 (7e473efe3cb98aa54f8d4bac15400b15fad77d94) -# https://github.com/actions/create-github-app-token/commit/7e473efe3cb98aa54f8d4bac15400b15fad77d94 +# - actions/create-github-app-token@v2 (29824e69f54612133e76f7eaac726eef6c875baf) +# https://github.com/actions/create-github-app-token/commit/29824e69f54612133e76f7eaac726eef6c875baf # - actions/download-artifact@v6 (018cc2cf5baa6db3ef3c5f8a56943fffe632ef53) # https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # - actions/github-script@v8 (ed597411d8f924073f98dfc5c65a23a2325f34cd) 
@@ -4934,7 +4934,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} @@ -5439,7 +5439,7 @@ jobs: steps: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index a922e420be..4629b3af72 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -804,10 +804,11 @@ jobs: server.debugError(` [${toolName}] Warning: Could not make shell script executable: `, chmodError); } } - function createShellHandler(server, toolName, scriptPath) { + function createShellHandler(server, toolName, scriptPath, timeoutSeconds = 60) { return async args => { server.debug(` [${toolName}] Invoking shell handler: ${scriptPath}`); server.debug(` [${toolName}] Shell handler args: ${JSON.stringify(args)}`); + server.debug(` [${toolName}] Timeout: ${timeoutSeconds}s`); const env = { ...process.env }; for (const [key, value] of Object.entries(args || {})) { const envKey = `INPUT_${key.toUpperCase().replace(/-/g, "_")}`; @@ -825,7 +826,7 @@ jobs: [], { env, - timeout: 300000, + timeout: timeoutSeconds * 1000, maxBuffer: 10 * 1024 * 1024, }, (error, stdout, stderr) => { 
@@ -893,9 +894,10 @@ jobs: }); }; } - tool.handler = createShellHandler(server, toolName, resolvedPath); + const timeout = tool.timeout || 60; + tool.handler = createShellHandler(server, toolName, resolvedPath, timeout); loadedCount++; - server.debug(` [${toolName}] Shell handler created successfully`); + server.debug(` [${toolName}] Shell handler created successfully with timeout: ${timeout}s`); } else if (ext === ".py") { server.debug(` [${toolName}] Detected Python script handler`); try { @@ -909,10 +911,11 @@ jobs: server.debugError(` [${toolName}] Warning: Could not make Python script executable: `, chmodError); } } - function createPythonHandler(server, toolName, scriptPath) { + function createPythonHandler(server, toolName, scriptPath, timeoutSeconds = 60) { return async args => { server.debug(` [${toolName}] Invoking Python handler: ${scriptPath}`); server.debug(` [${toolName}] Python handler args: ${JSON.stringify(args)}`); + server.debug(` [${toolName}] Timeout: ${timeoutSeconds}s`); const inputJson = JSON.stringify(args || {}); server.debug( ` [${toolName}] Input JSON (${inputJson.length} bytes): ${inputJson.substring(0, 200)}${inputJson.length > 200 ? "..." : ""}` @@ -924,7 +927,7 @@ jobs: [scriptPath], { env: process.env, - timeout: 300000, + timeout: timeoutSeconds * 1000, maxBuffer: 10 * 1024 * 1024, }, (error, stdout, stderr) => { @@ -968,9 +971,10 @@ jobs: }); }; } - tool.handler = createPythonHandler(server, toolName, resolvedPath); + const timeout = tool.timeout || 60; + tool.handler = createPythonHandler(server, toolName, resolvedPath, timeout); loadedCount++; - server.debug(` [${toolName}] Python handler created successfully`); + server.debug(` [${toolName}] Python handler created successfully with timeout: ${timeout}s`); } else { server.debug(` [${toolName}] Loading JavaScript handler module`); const handlerModule = require(resolvedPath); 
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index bfddcfddf9..0ba6e35b97 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -5973,19 +5973,19 @@ jobs: - name: Download Go modules run: go mod download - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0 + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 with: artifact-name: sbom.spdx.json format: spdx-json output-file: sbom.spdx.json - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0 + uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 with: artifact-name: sbom.cdx.json format: cyclonedx-json output-file: sbom.cdx.json - name: Upload SBOM artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: sbom-artifacts path: | diff --git a/pkg/cli/mcp_inspect_playwright_live_integration_test.go b/pkg/cli/mcp_inspect_playwright_live_integration_test.go index f0430f9f2e..4b18529d64 100644 --- a/pkg/cli/mcp_inspect_playwright_live_integration_test.go +++ b/pkg/cli/mcp_inspect_playwright_live_integration_test.go @@ -38,7 +38,7 @@ func TestMCPInspectPlaywrightLiveIntegration(t *testing.T) { defer setup.cleanup() // Find an available port for our test web server - port, err := findAvailablePort() + port, err := findAvailableTestPort() if err != nil { t.Fatalf("Failed to find available port: %v", err) } 
@@ -319,8 +319,8 @@ URL: ` + docsURL + `/gh-aw/
 // This allows the test to work in environments where docker is slow or restricted
 }
 
-// findAvailablePort finds an available TCP port on localhost
-func findAvailablePort() (int, error) {
+// findAvailableTestPort finds an available TCP port on localhost
+func findAvailableTestPort() (int, error) {
 listener, err := net.Listen("tcp", "127.0.0.1:0")
 if err != nil {
 return 0, err
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index 767dcd6e27..13156845b2 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -23,7 +23,7 @@
 "actions/create-github-app-token@v2": {
 "repo": "actions/create-github-app-token",
 "version": "v2",
- "sha": "7e473efe3cb98aa54f8d4bac15400b15fad77d94"
+ "sha": "29824e69f54612133e76f7eaac726eef6c875baf"
 },
 "actions/download-artifact@v6": {
 "repo": "actions/download-artifact",
diff --git a/pkg/workflow/safe_inputs.go b/pkg/workflow/safe_inputs.go
index 57a822a4a9..aea82810c0 100644
--- a/pkg/workflow/safe_inputs.go
+++ b/pkg/workflow/safe_inputs.go
@@ -179,9 +179,7 @@ func parseSafeInputsMap(safeInputsMap map[string]any) (*SafeInputsConfig, bool)
 toolConfig.Timeout = int(t)
 case string:
 // Try to parse string as integer
- if timeoutInt, err := fmt.Sscanf(t, "%d", &toolConfig.Timeout); err == nil && timeoutInt == 1 {
- // Successfully parsed
- }
+ _, _ = fmt.Sscanf(t, "%d", &toolConfig.Timeout)
 }
 }
@@ -744,9 +744,7 @@ func (c *Compiler) mergeSafeInputs(main *SafeInputsConfig, importedConfigs []str
 toolConfig.Timeout = int(t)
 case string:
 // Try to parse string as integer
- if timeoutInt, err := fmt.Sscanf(t, "%d", &toolConfig.Timeout); err == nil && timeoutInt == 1 {
- // Successfully parsed
- }
+ _, _ = fmt.Sscanf(t, "%d", &toolConfig.Timeout)
 }
 }
diff --git a/pkg/workflow/step_summary_test.go b/pkg/workflow/step_summary_test.go
index 35c7f818e2..5cd28cfcd7 100644
--- a/pkg/workflow/step_summary_test.go
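Review bot: `_, _ = fmt.Sscanf(t, "%d", &toolConfig.Timeout)` still discards the parse result, so a timeout such as `"abc"` leaves `Timeout` at 0 with no diagnostic, and `Sscanf` with `%d` also accepts a negative value and stops at the first non-digit, so `"30s"` quietly parses as 30; the identical line appears in the `mergeSafeInputs` hunk below. Since this value becomes the wall-clock bound on a spawned handler process (the generated handler in daily-team-status.lock.yml appears to fall back to 60 s when it reads 0), I'd make the parse strict and visible: `if n, err := strconv.Atoi(t); err == nil && n > 0 { toolConfig.Timeout = n }` and log or reject anything else, adding the `strconv` import if the file lacks it. Both parseSafeInputsMap and mergeSafeInputs start and end outside their hunks.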
+++ b/pkg/workflow/step_summary_test.go
@@ -258,8 +258,17 @@ This workflow tests the workflow overview for Claude engine.
 }
 
 // Verify model is present in aw_info.json
- if !strings.Contains(lockContent, "model: \""+tt.expectModel+"\"") {
- t.Errorf("Expected model: %q in aw_info.json", tt.expectModel)
+ if tt.expectModel == "" {
+ // For empty model, check for the environment variable expression
+ if !strings.Contains(lockContent, "model: process.env.GH_AW_MODEL_AGENT_COPILOT || \"\"") &&
+ !strings.Contains(lockContent, "model: process.env.GH_AW_MODEL_DETECTION_COPILOT || \"\"") {
+ t.Errorf("Expected model to use environment variable with empty string fallback in aw_info.json")
+ }
+ } else {
+ // For non-empty model, check for the literal value
+ if !strings.Contains(lockContent, "model: \""+tt.expectModel+"\"") {
+ t.Errorf("Expected model: %q in aw_info.json", tt.expectModel)
+ }
 }
 
 // Verify firewall status in aw_info.json
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index 6c32d11d8e..448c7bce08 100644
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
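Review bot: The empty-model branch accepts either the `GH_AW_MODEL_AGENT_COPILOT` or the `GH_AW_MODEL_DETECTION_COPILOT` expression for every empty-model case, so a case meant to exercise the agent job still passes when only the detection job's line is emitted (and vice versa), and the assertion no longer says which job's model line was verified. I'd carry the expected expression in the table case instead (e.g. an `expectModelExpr` field holding the exact `model: process.env.… || ""` string) and assert on that single value, which also lets the nested `if` inside the `else` flatten into one check. The enclosing test function and its case table start outside the hunk.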
@@ -1000,14 +1000,20 @@ func TestCopilotDetectionDefaultModel(t *testing.T)
 allSteps := strings.Join(steps, "")
 if tt.shouldContainModel {
- // Check if the expected model is present in the steps
- if !strings.Contains(allSteps, tt.expectedModel) {
- t.Errorf("Expected steps to contain model %q, but it was not found.\nGenerated steps:\n%s", tt.expectedModel, allSteps)
- }
- // Also check for --model flag
+ // Check for --model flag
 if !strings.Contains(allSteps, "--model") {
 t.Errorf("Expected steps to contain --model flag, but it was not found.\nGenerated steps:\n%s", allSteps)
 }
+
+ // For detection jobs, check if either:
+ // 1. The model is explicitly specified in the command (for custom models)
+ // 2. The environment variable GH_AW_MODEL_DETECTION_COPILOT is used (for default model)
+ hasExplicitModel := strings.Contains(allSteps, "--model "+tt.expectedModel)
+ hasEnvVar := strings.Contains(allSteps, "GH_AW_MODEL_DETECTION_COPILOT")
+
+ if !hasExplicitModel && !hasEnvVar {
+ t.Errorf("Expected steps to contain either explicit model %q or GH_AW_MODEL_DETECTION_COPILOT environment variable, but neither was found.\nGenerated steps:\n%s", tt.expectedModel, allSteps)
+ }
 }
 })
 }
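Review bot: `hasEnvVar` only checks that the name `GH_AW_MODEL_DETECTION_COPILOT` occurs somewhere in the joined steps, not that it is the value handed to `--model`, so a step that references the variable elsewhere (an `env:` block, for instance) while passing a hard-coded model would still satisfy the assertion. If any table case leaves `expectedModel` empty, `"--model "+tt.expectedModel` collapses to `"--model "` and `hasExplicitModel` becomes trivially true, hiding the same regression. I'd anchor the check on the flag itself, e.g. `idx := strings.Index(allSteps, "--model ")` and then assert that the text following it starts with either `tt.expectedModel` or the expression that expands `GH_AW_MODEL_DETECTION_COPILOT`. TestCopilotDetectionDefaultModel and its case table start outside the hunk.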