diff --git a/.changeset/patch-move-actions-to-opt-gh-aw.md b/.changeset/patch-move-actions-to-opt-gh-aw.md new file mode 100644 index 0000000000..2591e6d433 --- /dev/null +++ b/.changeset/patch-move-actions-to-opt-gh-aw.md @@ -0,0 +1,6 @@ +--- +"gh-aw": patch +--- + +Move action setup and compiler paths from `/tmp/gh-aw` to `/opt/gh-aw` so agent access is read-only; updates setup action, compiler constants, tests, and AWF mounts. + diff --git a/.changeset/patch-move-setup-to-opt-gh-aw.md b/.changeset/patch-move-setup-to-opt-gh-aw.md new file mode 100644 index 0000000000..223ac89dae --- /dev/null +++ b/.changeset/patch-move-setup-to-opt-gh-aw.md @@ -0,0 +1,9 @@ +--- +"gh-aw": patch +--- + +Move action setup and compiler paths from `/tmp/gh-aw` to `/opt/gh-aw` so agent access is +read-only; updates setup action, compiler constants, tests, and AWF mounts. + +This is an internal/tooling change and does not change the public API. + diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 175cd73092..8f394f64a4 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "agent-performance-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -118,7 +118,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -139,12 +139,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -174,10 +174,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -193,12 +193,13 @@ jobs: gh aw --version - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":10},"create_discussion":{"max":2},"create_issue":{"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created.", @@ -333,7 +334,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -489,7 +490,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -564,14 +565,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -1125,12 +1126,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1236,7 +1237,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1258,21 +1259,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1310,9 +1311,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1337,9 +1338,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1363,9 +1364,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1390,9 +1391,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1436,7 +1437,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1469,9 +1470,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1482,9 +1483,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1500,9 +1501,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1525,7 +1526,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1551,9 +1552,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1602,7 +1603,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1652,9 +1653,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1680,7 +1681,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1689,9 +1690,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1712,7 +1713,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1750,9 +1751,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1784,7 +1785,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1805,8 +1806,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 3c03dae2e9..d19f6939ed 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -54,15 +54,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Close expired discussions uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); await main(); close-expired-issues: @@ -80,15 +80,15 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Close expired issues uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); await main(); compile-workflows: diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 11fa625498..f7ed9c5470 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -70,16 +70,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "ai-moderator.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -87,9 +87,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/lock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); await main(); agent: @@ -100,8 +100,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -117,13 +117,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -144,12 +144,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -179,18 +179,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_labels":{"allowed":["spam","ai-generated","link-spam","ai-inspected"],"max":3},"hide_comment":{"allowed_reasons":["spam"],"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. CONSTRAINTS: Only these labels are allowed: [spam ai-generated link-spam ai-inspected]. Target: *.", @@ -289,7 +290,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_labels": { "defaultMax": 5, @@ -377,7 +378,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -452,7 +453,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -464,7 +465,7 @@ jobs: GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -599,7 +600,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -616,12 +617,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -697,7 +698,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -719,7 +720,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -731,21 +732,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --model gpt-5-mini --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -782,9 +783,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -809,9 +810,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -835,9 +836,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -853,9 +854,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -949,7 +950,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -982,9 +983,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -995,9 +996,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1012,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Unlock issue after agent workflow id: unlock-issue @@ -1022,9 +1023,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/unlock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); await main(); pre_activation: @@ -1043,7 +1044,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1053,9 +1054,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1086,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1107,8 +1108,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index cb07554895..b63756130d 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -80,25 +80,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "archie.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -111,9 +111,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📊 *Diagram rendered by [{workflow_name}]({run_url})*\",\"runStarted\":\"📐 Archie here! [{workflow_name}]({run_url}) is sketching the architecture on this {event_type}...\",\"runSuccess\":\"🎨 Blueprint complete! [{workflow_name}]({run_url}) has visualized the connections. The architecture speaks for itself! ✅\",\"runFailure\":\"📐 Drafting interrupted! [{workflow_name}]({run_url}) {status}. The diagram remains incomplete...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -127,8 +127,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -144,7 +144,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -162,7 +162,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -183,12 +183,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -218,18 +218,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -298,7 +299,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -385,7 +386,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -466,7 +467,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -478,7 +479,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Archie - Mermaid Diagram Generator @@ -674,7 +675,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -691,12 +692,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -772,7 +773,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -794,7 +795,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -806,14 +807,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -835,7 +836,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -873,9 +874,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -901,9 +902,9 @@ jobs: GH_AW_COMMAND: archie with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -927,9 +928,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -945,9 +946,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -990,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1023,9 +1024,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1036,9 +1037,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1055,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1078,7 +1079,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1104,9 +1105,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1155,7 +1156,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1205,9 +1206,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1242,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1251,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1262,9 +1263,9 @@ jobs: GH_AW_COMMANDS: "[\"archie\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1297,7 +1298,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1318,8 +1319,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 128f690957..59813d22f5 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "artifacts-summary.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,8 +83,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -100,13 +100,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -127,12 +127,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -162,18 +162,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -246,7 +247,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -345,7 +346,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -420,7 +421,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -428,7 +429,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -508,7 +509,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -521,12 +522,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -602,7 +603,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -625,14 +626,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -654,7 +655,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -692,9 +693,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -719,9 +720,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -745,9 +746,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -763,9 +764,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -808,7 +809,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 @@ -854,9 +855,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -867,9 +868,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -885,9 +886,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' @@ -923,7 +924,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -949,9 +950,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1000,7 +1001,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1050,9 +1051,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1089,7 +1090,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1121,9 +1122,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 8960e1f35b..dff5f7f3e6 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "audit-workflows.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -92,8 +92,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -109,13 +109,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -162,7 +162,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -180,7 +180,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -201,12 +201,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -231,18 +231,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -332,7 +333,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -443,7 +444,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -510,7 +511,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -518,7 +519,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -799,7 +800,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -812,12 +813,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -948,7 +949,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -971,14 +972,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1056,7 +1057,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1083,9 +1084,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1111,9 +1112,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1129,9 +1130,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1160,7 +1161,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1171,9 +1172,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1219,7 +1220,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1253,9 +1254,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1267,9 +1268,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1286,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1311,7 +1312,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1337,9 +1338,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1388,7 +1389,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1442,9 +1443,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1472,7 +1473,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1510,9 +1511,9 @@ jobs: FILE_GLOB_FILTER: "memory/audit-workflows/*.json memory/audit-workflows/*.jsonl memory/audit-workflows/*.csv memory/audit-workflows/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1543,7 +1544,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1564,9 +1565,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1587,7 +1588,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1622,7 +1623,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1644,12 +1645,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1675,8 +1676,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index c9e5dedff7..fc097d6c39 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "blog-auditor.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -128,12 +128,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -158,18 +158,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[audit] \". Discussions will be created in category \"Audits\".", @@ -242,7 +243,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -355,7 +356,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -422,7 +423,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -432,7 +433,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -717,7 +718,7 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -732,17 +733,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -818,7 +819,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -843,14 +844,14 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -964,7 +965,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,githubnext.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.githubnext.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,githubnext.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.githubnext.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat *),Bash(cat),Bash(date *),Bash(date),Bash(echo *),Bash(echo),Bash(find * -maxdepth 1),Bash(gh aw compile *),Bash(grep),Bash(head),Bash(ls),Bash(mktemp *),Bash(pwd),Bash(rm *),Bash(sort),Bash(tail),Bash(test *),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -987,9 +988,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1015,9 +1016,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1033,9 +1034,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1051,9 +1052,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1096,7 +1097,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1130,9 +1131,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1144,9 +1145,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1163,9 +1164,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1188,7 +1189,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1214,9 +1215,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1265,7 +1266,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1319,9 +1320,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1359,7 +1360,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1380,8 +1381,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index e2326ae59f..fc33833d52 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -71,25 +71,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "brave.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -102,9 +102,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🦁 *Search results brought to you by [{workflow_name}]({run_url})*\",\"runStarted\":\"🔍 Brave Search activated! [{workflow_name}]({run_url}) is venturing into the web on this {event_type}...\",\"runSuccess\":\"🦁 Mission accomplished! [{workflow_name}]({run_url}) has returned with the findings. Knowledge acquired! 🏆\",\"runFailure\":\"🔍 Search interrupted! [{workflow_name}]({run_url}) {status}. The web remains unexplored...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -117,8 +117,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -134,13 +134,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -161,12 +161,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -196,18 +196,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -276,7 +277,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -381,7 +382,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -456,7 +457,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -467,7 +468,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -584,7 +585,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -600,12 +601,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -681,7 +682,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -703,7 +704,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -714,21 +715,21 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -766,9 +767,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'BRAVE_API_KEY,COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -795,9 +796,9 @@ jobs: GH_AW_COMMAND: brave with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -821,9 +822,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -839,9 +840,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -884,7 +885,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -917,9 +918,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -930,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -949,9 +950,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -972,7 +973,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -998,9 +999,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1049,7 +1050,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1099,9 +1100,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1130,7 +1131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1139,9 +1140,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1150,9 +1151,9 @@ jobs: GH_AW_COMMANDS: "[\"brave\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1185,7 +1186,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1206,8 +1207,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index ecb598f45e..fed26ff909 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -57,16 +57,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "breaking-change-checker.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,13 +97,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -124,12 +124,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,18 +159,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [copilot] will be automatically assigned.", @@ -257,7 +258,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -363,7 +364,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -438,7 +439,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -448,7 +449,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Breaking Change Checker @@ -620,7 +621,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -635,12 +636,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -716,7 +717,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -741,14 +742,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -775,7 +776,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(cat:*)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git diff:*)' --allow-tool 'shell(git log:*)' --allow-tool 'shell(git show:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(grep:*)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -813,9 +814,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -840,9 +841,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -866,9 +867,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -884,9 +885,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -929,7 +930,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -963,9 +964,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -977,9 +978,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -997,9 +998,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1022,7 +1023,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1048,9 +1049,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1099,7 +1100,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1149,9 +1150,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1177,7 +1178,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1186,9 +1187,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1199,9 +1200,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1233,7 +1234,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1254,8 +1255,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/campaign-generator.lock.yml b/.github/workflows/campaign-generator.lock.yml index bed0cfe90a..1d63351912 100644 --- a/.github/workflows/campaign-generator.lock.yml +++ b/.github/workflows/campaign-generator.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "campaign-generator.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -86,9 +86,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎯 *Campaign coordination by [{workflow_name}]({run_url})*\",\"runStarted\":\"🚀 Campaign Generator starting! [{workflow_name}]({run_url}) is processing your campaign request for this {event_type}...\",\"runSuccess\":\"✅ Campaign setup complete! [{workflow_name}]({run_url}) has successfully coordinated your campaign creation. Your project is ready! 📊\",\"runFailure\":\"⚠️ Campaign setup interrupted! [{workflow_name}]({run_url}) {status}. Please check the details and try again...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -96,9 +96,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/lock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); await main(); agent: @@ -111,8 +111,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -128,13 +128,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -155,12 +155,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -190,18 +190,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":5},"assign_to_agent":{},"copy_project":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 5 comment(s) can be added.", @@ -324,7 +325,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -425,7 +426,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -500,7 +501,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -508,7 +509,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -607,7 +608,7 @@ jobs: GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -620,12 +621,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -701,7 +702,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -724,21 +725,21 @@ jobs: GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -776,9 +777,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -803,9 +804,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -829,9 +830,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -847,9 +848,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -892,7 +893,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -925,9 +926,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -938,9 +939,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -957,9 +958,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Unlock issue after agent workflow id: unlock-issue @@ -967,9 +968,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/unlock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); await main(); detection: @@ -990,7 +991,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1016,9 +1017,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1067,7 +1068,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1117,9 +1118,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1146,7 +1147,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1155,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1191,7 +1192,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1212,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign To Agent id: assign_to_agent @@ -1225,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); await main(); - name: Copy Project id: copy_project @@ -1240,8 +1241,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/copy_project.cjs'); + const { main } = require('/opt/gh-aw/actions/copy_project.cjs'); await main(); diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index ca5d1a7588..bb53abd04b 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -78,25 +78,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "changeset.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add rocket reaction to the triggering item id: react @@ -107,9 +107,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Changeset Generator" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -122,8 +122,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -139,13 +139,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" @@ -169,12 +169,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -199,18 +199,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0},"update_pull_request":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Update an existing GitHub pull request's title or body. Supports replacing, appending to, or prepending content to the body. Title is always replaced. Only the fields you specify will be updated; other fields remain unchanged. CONSTRAINTS: Maximum 1 pull request(s) can be updated.", @@ -319,7 +320,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -440,7 +441,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -492,7 +493,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -502,7 +503,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Changeset Format Reference @@ -732,7 +733,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -747,12 +748,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -828,7 +829,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -853,20 +854,20 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex -c model=gpt-5-mini exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -885,9 +886,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -913,9 +914,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -939,9 +940,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -957,9 +958,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1003,7 +1004,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 @@ -1049,9 +1050,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1062,9 +1063,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1080,9 +1081,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' @@ -1116,7 +1117,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1142,9 +1143,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1198,9 +1199,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1230,7 +1231,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1239,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1274,7 +1275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1332,9 +1333,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index c15ebe0a57..31b7f5fbf7 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "ci-coach.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,7 +105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -118,7 +118,7 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Download CI workflow runs from last 7 days @@ -153,7 +153,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -182,12 +182,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -217,18 +217,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ci-coach] \".", @@ -308,7 +309,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -410,7 +411,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -485,7 +486,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -494,7 +495,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # CI Data Analysis @@ -964,7 +965,7 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1167,7 +1168,7 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1181,12 +1182,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1287,7 +1288,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1311,21 +1312,21 @@ jobs: GH_AW_GITHUB_RUN_NUMBER: ${{ github.run_number }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1363,9 +1364,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1390,9 +1391,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1416,9 +1417,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1440,9 +1441,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1487,7 +1488,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1521,9 +1522,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1535,9 +1536,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1554,9 +1555,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1579,7 +1580,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1605,9 +1606,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1656,7 +1657,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1706,9 +1707,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1748,7 +1749,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1794,9 +1795,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1817,7 +1818,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 99c666b1b4..4380a0d35d 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -72,16 +72,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "ci-doctor.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -97,8 +97,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -114,16 +114,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -152,12 +152,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -187,18 +187,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[CI Failure Doctor] \".", @@ -307,7 +308,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -427,7 +428,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -502,7 +503,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -516,7 +517,7 @@ jobs: GH_AW_GITHUB_EVENT_WORKFLOW_RUN_RUN_NUMBER: ${{ github.event.workflow_run.run_number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # CI Failure Doctor @@ -686,7 +687,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -705,12 +706,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -811,7 +812,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -840,21 +841,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -892,9 +893,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -919,9 +920,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -945,9 +946,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -969,9 +970,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1015,7 +1016,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1050,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1065,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1084,9 +1085,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1109,7 +1110,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1135,9 +1136,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1186,7 +1187,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1236,9 +1237,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1265,7 +1266,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1274,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check stop-time limit id: check_stop_time @@ -1286,9 +1287,9 @@ jobs: GH_AW_WORKFLOW_NAME: "CI Failure Doctor" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_stop_time.cjs'); + const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1323,7 +1324,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1344,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1367,7 +1368,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index f56c880bb1..58a4e25798 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "cli-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -81,8 +81,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -98,13 +98,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -125,12 +125,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -160,18 +160,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[cli-consistency] \". Labels [automation cli documentation] will be automatically added.", @@ -258,7 +259,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -364,7 +365,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -439,7 +440,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -448,7 +449,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # CLI Consistency Checker @@ -629,7 +630,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -643,12 +644,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -724,7 +725,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -748,21 +749,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -800,9 +801,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -827,9 +828,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -853,9 +854,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -871,9 +872,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -916,7 +917,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -949,9 +950,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -962,9 +963,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -980,9 +981,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1005,7 +1006,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1031,9 +1032,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1082,7 +1083,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1132,9 +1133,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1171,7 +1172,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1192,8 +1193,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index e7420c2162..b46674c6f5 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "cli-version-checker.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,19 +101,19 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -142,12 +142,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -172,18 +172,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ca] \". Labels [automation dependencies] will be automatically added.", @@ -270,7 +271,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -372,7 +373,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -439,7 +440,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -448,7 +449,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -790,7 +791,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -804,12 +805,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -910,7 +911,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -934,14 +935,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1020,7 +1021,7 @@ jobs: timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,WebFetch,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1043,9 +1044,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1071,9 +1072,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1089,9 +1090,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1113,9 +1114,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1159,7 +1160,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1192,9 +1193,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1205,9 +1206,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1223,9 +1224,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1248,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1274,9 +1275,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1325,7 +1326,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1379,9 +1380,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1418,7 +1419,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1439,9 +1440,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1462,7 +1463,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 1759c743d2..24f2418ddd 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -107,25 +107,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "cloclo.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -138,9 +138,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎤 *Magnifique! Performance by [{workflow_name}]({run_url})*\",\"runStarted\":\"🎵 Comme d'habitude! [{workflow_name}]({run_url}) takes the stage on this {event_type}...\",\"runSuccess\":\"🎤 Bravo! [{workflow_name}]({run_url}) has delivered a stunning performance! Standing ovation! 🌟\",\"runFailure\":\"🎵 Intermission... [{workflow_name}]({run_url}) {status}. The show must go on... eventually!\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -155,8 +155,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -172,7 +172,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -190,7 +190,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install dependencies run: make deps-dev - env: @@ -206,7 +206,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -236,12 +236,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -266,18 +266,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -379,7 +380,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -513,7 +514,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -593,7 +594,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -610,7 +611,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -869,7 +870,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -891,17 +892,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1002,7 +1003,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1024,7 +1025,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1041,14 +1042,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1168,7 +1169,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 100 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep),Bash(head),Bash(jq *),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1192,9 +1193,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1221,9 +1222,9 @@ jobs: GH_AW_COMMAND: cloclo with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1239,9 +1240,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1263,9 +1264,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1310,7 +1311,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1343,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1356,9 +1357,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1375,9 +1376,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1398,7 +1399,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1424,9 +1425,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1475,7 +1476,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1530,9 +1531,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1575,7 +1576,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1584,9 +1585,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1595,9 +1596,9 @@ jobs: GH_AW_COMMANDS: "[\"cloclo\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1631,7 +1632,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1677,9 +1678,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1700,7 +1701,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index ede86f176d..8f5db633a6 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "commit-changes-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -160,18 +160,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -244,7 +245,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -339,7 +340,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -406,7 +407,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -416,7 +417,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_COMMIT_URL: ${{ github.event.inputs.commit_url }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -669,7 +670,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -684,12 +685,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -765,7 +766,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -790,14 +791,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -871,7 +872,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 100 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -895,9 +896,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -923,9 +924,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -941,9 +942,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -959,9 +960,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1004,7 +1005,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1037,9 +1038,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1050,9 +1051,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1068,9 +1069,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1093,7 +1094,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1119,9 +1120,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1170,7 +1171,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1225,9 +1226,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1264,7 +1265,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1285,8 +1286,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 601fd49392..60bb261609 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "copilot-agent-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,13 +105,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -122,7 +122,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -140,7 +140,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -161,12 +161,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -191,18 +191,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-agent-analysis] \". Discussions will be created in category \"audits\".", @@ -275,7 +276,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -370,7 +371,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -437,7 +438,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -445,7 +446,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -916,7 +917,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1014,7 +1015,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1027,12 +1028,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1163,7 +1164,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1186,14 +1187,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1296,7 +1297,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(cp *),Bash(date *),Bash(date),Bash(echo),Bash(find .github -maxdepth 1 -ls),Bash(find .github -name '\''*.md'\''),Bash(find .github -type f -exec cat {} +),Bash(gh api *),Bash(gh pr list *),Bash(gh search prs *),Bash(git diff),Bash(git log --oneline),Bash(grep),Bash(head),Bash(jq *),Bash(ln *),Bash(ls),Bash(mkdir *),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1319,9 +1320,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1347,9 +1348,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1365,9 +1366,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1398,9 +1399,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1445,7 +1446,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1478,9 +1479,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1491,9 +1492,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1509,9 +1510,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1534,7 +1535,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1560,9 +1561,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1611,7 +1612,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1665,9 +1666,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1695,7 +1696,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1733,9 +1734,9 @@ jobs: FILE_GLOB_FILTER: "memory/copilot-agent-analysis/*.json memory/copilot-agent-analysis/*.jsonl memory/copilot-agent-analysis/*.csv memory/copilot-agent-analysis/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1765,7 +1766,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1786,9 +1787,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1809,7 +1810,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 96f67f48a7..9b1d48dc49 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "copilot-pr-merged-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,12 +159,13 @@ jobs: awf --version - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-pr-merged-report] \". Discussions will be created in category \"audits\".", @@ -237,7 +238,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -302,12 +303,12 @@ jobs: EOF - name: Setup Safe Inputs Config run: | - mkdir -p /tmp/gh-aw/safe-inputs/logs - cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' + mkdir -p /opt/gh-aw/safe-inputs/logs + cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' { "serverName": "safeinputs", "version": "1.0.0", - "logDir": "/tmp/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/safe-inputs/logs", "tools": [ { "name": "gh", @@ -334,7 +335,7 @@ jobs: ] } EOF_TOOLS_JSON - cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' + cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' const path = require("path"); const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -343,17 +344,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); }); EOFSI - chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs + chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs - name: Setup Safe Inputs Tool Files run: | - cat > /tmp/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' + cat > /opt/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' #!/bin/bash # Auto-generated safe-input tool: gh # Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -365,7 +366,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS EOFSH_gh - chmod +x /tmp/gh-aw/safe-inputs/gh.sh + chmod +x /opt/gh-aw/safe-inputs/gh.sh - name: Generate Safe Inputs MCP Server Config id: safe-inputs-config @@ -394,7 +395,7 @@ jobs: export GH_AW_SAFE_INPUTS_PORT export GH_AW_SAFE_INPUTS_API_KEY - bash /tmp/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_safe_inputs_server.sh - name: Setup MCPs env: @@ -424,7 +425,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -499,7 +500,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -508,7 +509,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT**: Always use the `safeinputs-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `safeinputs-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. @@ -768,7 +769,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -782,12 +783,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -815,21 +816,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -868,9 +869,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -895,9 +896,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -921,18 +922,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Parse safe-inputs logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); await main(); - name: Firewall summary if: always() @@ -948,9 +949,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -994,7 +995,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1027,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1040,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1058,9 +1059,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1083,7 +1084,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1109,9 +1110,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1160,7 +1161,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1210,9 +1211,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1249,7 +1250,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1270,8 +1271,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index b4f22a81cd..d613ed193d 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "copilot-pr-nlp-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -91,8 +91,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -108,13 +108,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -154,7 +154,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -172,7 +172,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -193,12 +193,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -228,18 +228,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nlp-analysis] \". Discussions will be created in category \"audit\".", @@ -329,7 +330,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -440,7 +441,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -515,7 +516,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -524,7 +525,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -1037,7 +1038,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1318,7 +1319,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1332,12 +1333,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1468,7 +1469,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1492,21 +1493,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1547,9 +1548,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1574,9 +1575,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1600,9 +1601,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1631,7 +1632,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1642,9 +1643,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1690,7 +1691,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1723,9 +1724,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1736,9 +1737,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1754,9 +1755,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1779,7 +1780,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1805,9 +1806,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1856,7 +1857,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1906,9 +1907,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1936,7 +1937,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1974,9 +1975,9 @@ jobs: FILE_GLOB_FILTER: "memory/nlp-analysis/*.json memory/nlp-analysis/*.jsonl memory/nlp-analysis/*.csv memory/nlp-analysis/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -2006,7 +2007,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2027,9 +2028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2050,7 +2051,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2085,7 +2086,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2107,12 +2108,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2137,8 +2138,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index c0e03f33ca..687a3e7ea7 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "copilot-pr-prompt-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,13 +105,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -122,7 +122,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -140,7 +140,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -161,12 +161,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -196,18 +196,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-analysis] \". Discussions will be created in category \"audits\".", @@ -280,7 +281,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -379,7 +380,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -454,7 +455,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -463,7 +464,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -834,7 +835,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -848,12 +849,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -984,7 +985,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1008,21 +1009,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1060,9 +1061,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1087,9 +1088,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1113,9 +1114,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1146,9 +1147,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1193,7 +1194,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1226,9 +1227,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1239,9 +1240,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1257,9 +1258,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1282,7 +1283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1308,9 +1309,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1359,7 +1360,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1409,9 +1410,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1439,7 +1440,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1477,9 +1478,9 @@ jobs: FILE_GLOB_FILTER: "memory/prompt-analysis/*.json memory/prompt-analysis/*.jsonl memory/prompt-analysis/*.csv memory/prompt-analysis/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1509,7 +1510,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1530,9 +1531,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1553,7 +1554,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 78b03c7847..0cc490a158 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -66,16 +66,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "copilot-session-insights.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -94,8 +94,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -111,13 +111,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -150,7 +150,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -167,7 +167,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -188,12 +188,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -218,18 +218,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[copilot-session-insights] \". Discussions will be created in category \"audits\".", @@ -319,7 +320,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -426,7 +427,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -493,7 +494,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -503,7 +504,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1031,7 +1032,7 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1569,7 +1570,7 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1584,12 +1585,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1720,7 +1721,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1745,14 +1746,14 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1830,7 +1831,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,cdn.playwright.dev,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,cdn.playwright.dev,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1856,9 +1857,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1884,9 +1885,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1902,9 +1903,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1933,7 +1934,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1944,9 +1945,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1992,7 +1993,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -2025,9 +2026,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -2038,9 +2039,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -2056,9 +2057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -2081,7 +2082,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2107,9 +2108,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -2158,7 +2159,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -2212,9 +2213,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -2242,7 +2243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2280,9 +2281,9 @@ jobs: FILE_GLOB_FILTER: "memory/session-insights/*.json memory/session-insights/*.jsonl memory/session-insights/*.csv memory/session-insights/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -2312,7 +2313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2333,9 +2334,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2356,7 +2357,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2391,7 +2392,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2413,12 +2414,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2443,8 +2444,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 28df32600e..f8e3636ec9 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -67,25 +67,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "craft.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -98,9 +98,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e ⚒️ *Crafted with care by [{workflow_name}]({run_url})*\",\"runStarted\":\"🛠️ Master Crafter at work! [{workflow_name}]({run_url}) is forging a new workflow on this {event_type}...\",\"runSuccess\":\"⚒️ Masterpiece complete! [{workflow_name}]({run_url}) has crafted your workflow. May it serve you well! 🎖️\",\"runFailure\":\"🛠️ Forge cooling down! [{workflow_name}]({run_url}) {status}. The anvil awaits another attempt...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -113,8 +113,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -130,13 +130,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install gh-aw extension run: |- gh extension remove gh-aw || true @@ -162,12 +162,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -197,18 +197,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -305,7 +306,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -412,7 +413,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -487,7 +488,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -497,7 +498,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Workflow Craft Agent @@ -758,7 +759,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -773,12 +774,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -854,7 +855,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -876,7 +877,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -886,21 +887,21 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -938,9 +939,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -966,9 +967,9 @@ jobs: GH_AW_COMMAND: craft with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -992,9 +993,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1010,9 +1011,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1056,7 +1057,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1089,9 +1090,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1102,9 +1103,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1121,9 +1122,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1144,7 +1145,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1170,9 +1171,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1221,7 +1222,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1271,9 +1272,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1301,7 +1302,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1310,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1321,9 +1322,9 @@ jobs: GH_AW_COMMANDS: "[\"craft\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1357,7 +1358,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1403,8 +1404,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 69046a4f42..b757c74596 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -55,16 +55,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-assign-issue-to-user.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -79,8 +79,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -96,13 +96,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -123,12 +123,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -158,18 +158,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1,"target":"*"},"assign_to_user":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -269,7 +270,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -374,7 +375,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -449,14 +450,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -482,12 +483,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -563,7 +564,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -585,21 +586,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -637,9 +638,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -664,9 +665,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -690,9 +691,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -708,9 +709,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -753,7 +754,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -786,9 +787,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -799,9 +800,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -817,9 +818,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -842,7 +843,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -868,9 +869,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -919,7 +920,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -969,9 +970,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1011,7 +1012,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1032,8 +1033,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 90b0c380cc..9207b97843 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -54,16 +54,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-choice-test.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -77,8 +77,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -94,13 +94,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -121,12 +121,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -151,18 +151,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"test_environment":{"description":"A test job with choice input","inputs":{"environment":{"default":null,"description":"Target environment","options":["staging","production"],"required":true,"type":"choice"},"test_type":{"default":null,"description":"Type of test to run","options":["smoke","integration","e2e"],"required":true,"type":"choice"}},"output":"Environment test completed successfully"}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -240,7 +241,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -309,7 +310,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -376,14 +377,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Daily Choice Type Test @@ -406,12 +407,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -487,7 +488,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -509,14 +510,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -590,7 +591,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --model claude-opus-4.5 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -613,9 +614,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -641,9 +642,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -659,9 +660,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -677,9 +678,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -722,7 +723,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -756,9 +757,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -770,9 +771,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -789,9 +790,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -814,7 +815,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -840,9 +841,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -891,7 +892,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -944,9 +945,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -970,11 +971,11 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output - path: /tmp/gh-aw/safe-jobs/ + path: /opt/gh-aw/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/tmp/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" + find "/opt/gh-aw/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" - name: Display test configuration run: |- if [ -f "$GH_AW_AGENT_OUTPUT" ]; then diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 10dbce33eb..71a7e82cdc 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-cli-performance.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -116,7 +116,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -137,12 +137,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -172,18 +172,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":5},"create_issue":{"max":3},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 3 issue(s) can be created. Title will be prefixed with \"[performance] \". Labels [performance automation] will be automatically added.", @@ -292,7 +293,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -412,7 +413,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -487,7 +488,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -497,7 +498,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1013,7 +1014,7 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1057,7 +1058,7 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1072,12 +1073,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1183,7 +1184,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1208,14 +1209,14 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1237,7 +1238,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1275,9 +1276,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1302,9 +1303,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1328,9 +1329,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1355,9 +1356,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1401,7 +1402,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1435,9 +1436,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1449,9 +1450,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1468,9 +1469,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1493,7 +1494,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1519,9 +1520,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1570,7 +1571,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1620,9 +1621,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1650,7 +1651,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1688,9 +1689,9 @@ jobs: FILE_GLOB_FILTER: "memory/cli-performance/*.json memory/cli-performance/*.jsonl memory/cli-performance/*.txt" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1723,7 +1724,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1744,8 +1745,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index d0a5bc182f..f95253ef20 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-code-metrics.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -89,8 +89,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -106,13 +106,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -138,7 +138,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -155,7 +155,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -176,12 +176,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -206,18 +206,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -307,7 +308,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -414,7 +415,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -481,14 +482,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1291,12 +1292,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1427,7 +1428,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1449,14 +1450,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1534,7 +1535,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1560,9 +1561,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1588,9 +1589,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1606,9 +1607,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1637,7 +1638,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1648,9 +1649,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1696,7 +1697,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1730,9 +1731,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1744,9 +1745,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1763,9 +1764,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1788,7 +1789,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1814,9 +1815,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1865,7 +1866,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1919,9 +1920,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1949,7 +1950,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1987,9 +1988,9 @@ jobs: FILE_GLOB_FILTER: "*.json *.jsonl *.csv *.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -2020,7 +2021,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2041,9 +2042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2064,7 +2065,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2099,7 +2100,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2121,12 +2122,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2152,8 +2153,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 61be1bd761..a2e79fd5b3 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-copilot-token-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -89,8 +89,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -106,13 +106,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -153,7 +153,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -170,7 +170,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -191,12 +191,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -226,18 +226,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -327,7 +328,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -438,7 +439,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -513,7 +514,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -521,7 +522,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1054,7 +1055,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1432,7 +1433,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1445,12 +1446,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1581,7 +1582,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1604,21 +1605,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1659,9 +1660,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1686,9 +1687,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1712,9 +1713,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1743,7 +1744,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1754,9 +1755,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1802,7 +1803,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1836,9 +1837,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1850,9 +1851,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1869,9 +1870,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1894,7 +1895,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1920,9 +1921,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1971,7 +1972,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -2021,9 +2022,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -2051,7 +2052,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2089,9 +2090,9 @@ jobs: FILE_GLOB_FILTER: "memory/token-metrics/*.json memory/token-metrics/*.jsonl memory/token-metrics/*.csv memory/token-metrics/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -2122,7 +2123,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2143,9 +2144,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2166,7 +2167,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2201,7 +2202,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2223,12 +2224,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2254,8 +2255,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 2c82e6ab32..d3889327d7 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-doc-updater.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,16 +97,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -135,12 +135,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -165,18 +165,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", @@ -256,7 +257,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -354,7 +355,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -421,7 +422,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -429,7 +430,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -602,7 +603,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -615,12 +616,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -721,7 +722,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -744,14 +745,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -852,7 +853,7 @@ jobs: timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat),Bash(date),Bash(echo),Bash(find docs -maxdepth 1 -ls),Bash(find docs -name '\''*.md'\'' -exec cat {} +),Bash(find docs -name '\''*.md'\'' -o -name '\''*.mdx'\''),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -r '\''*'\'' docs),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -875,9 +876,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -903,9 +904,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -921,9 +922,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -945,9 +946,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -992,7 +993,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1026,9 +1027,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1040,9 +1041,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1059,9 +1060,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1084,7 +1085,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1110,9 +1111,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1161,7 +1162,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1215,9 +1216,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1257,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1303,9 +1304,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1326,7 +1327,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index ad2e7741d8..cdabcefd43 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -51,16 +51,16 @@ jobs: - name: Setup Scripts uses: githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-fact.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -77,8 +77,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -88,13 +88,13 @@ jobs: - name: Setup Scripts uses: githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -115,12 +115,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -145,18 +145,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1,"target":"4750"},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: 4750.", @@ -225,7 +226,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -313,7 +314,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -365,7 +366,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -373,7 +374,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -445,7 +446,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -458,12 +459,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -539,7 +540,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -562,20 +563,20 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex -c model=gpt-5-mini exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -594,9 +595,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -622,9 +623,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -648,9 +649,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -666,9 +667,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -705,7 +706,7 @@ jobs: - name: Setup Scripts uses: githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -739,9 +740,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -753,9 +754,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -773,9 +774,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -792,7 +793,7 @@ jobs: - name: Setup Scripts uses: githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -818,9 +819,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -869,7 +870,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -901,9 +902,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -939,7 +940,7 @@ jobs: - name: Setup Scripts uses: githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c # 623e612ff6a684e9a8634449508bdda21e2c178c with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -960,8 +961,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 8a4c9971fd..12ff4d9cf5 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-file-diet.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -87,8 +87,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -104,7 +104,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -122,7 +122,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -143,12 +143,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -178,18 +178,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[file-diet] \". Labels [refactoring code-health automated-analysis] will be automatically added.", @@ -276,7 +277,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -382,7 +383,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -463,7 +464,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -472,7 +473,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -703,7 +704,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -717,12 +718,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -798,7 +799,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -822,14 +823,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -857,7 +858,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat pkg/**/*.go)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find pkg -name '\''*.go'\'' ! -name '\''*_test.go'\'' -type f -exec wc -l {} \; | sort -rn)' --allow-tool 'shell(find pkg/ -maxdepth 1 -ls)' --allow-tool 'shell(grep -r '\''func '\'' pkg --include='\''*.go'\'')' --allow-tool 'shell(grep)' --allow-tool 'shell(head -n * pkg/**/*.go)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc -l pkg/**/*.go)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -895,9 +896,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -922,9 +923,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -948,9 +949,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -966,9 +967,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1011,7 +1012,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 @@ -1058,9 +1059,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1072,9 +1073,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1091,9 +1092,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' @@ -1129,7 +1130,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1155,9 +1156,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1206,7 +1207,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1256,9 +1257,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1284,7 +1285,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1293,9 +1294,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1306,9 +1307,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1339,7 +1340,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1371,9 +1372,9 @@ jobs: with: github-token: ${{ steps.app-token.outputs.token }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Invalidate GitHub App token if: always() && steps.app-token.outputs.token != '' diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index f9614e9464..c6e21f79bc 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-firewall-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -91,8 +91,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -108,13 +108,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -155,7 +155,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -173,7 +173,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -194,12 +194,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -229,18 +229,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -330,7 +331,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -458,7 +459,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -533,14 +534,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -902,12 +903,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1037,7 +1038,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1059,21 +1060,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1114,9 +1115,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1141,9 +1142,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1167,9 +1168,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1198,7 +1199,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1209,9 +1210,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1257,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1291,9 +1292,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1305,9 +1306,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1324,9 +1325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1349,7 +1350,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1375,9 +1376,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1426,7 +1427,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1476,9 +1477,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1506,7 +1507,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1543,9 +1544,9 @@ jobs: MAX_FILE_COUNT: 100 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1576,7 +1577,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1597,9 +1598,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1620,7 +1621,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1655,7 +1656,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1677,12 +1678,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1708,8 +1709,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index cc61428a2a..0d1d3170ef 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -68,16 +68,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-issues-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -97,8 +97,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -114,13 +114,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -153,7 +153,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -182,12 +182,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -212,18 +212,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_discussion":{"max":10},"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily issues] \". Discussions will be created in category \"General\".", @@ -347,7 +348,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_discussion": { "defaultMax": 1, @@ -482,7 +483,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -534,7 +535,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -543,7 +544,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -1100,7 +1101,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1502,7 +1503,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1516,12 +1517,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1622,7 +1623,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1646,20 +1647,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1682,9 +1683,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1710,9 +1711,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1736,9 +1737,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1758,7 +1759,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1769,9 +1770,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1816,7 +1817,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1850,9 +1851,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1864,9 +1865,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1883,9 +1884,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1908,7 +1909,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1934,9 +1935,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1985,7 +1986,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -2018,9 +2019,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -2046,7 +2047,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -2055,9 +2056,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -2088,7 +2089,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2109,9 +2110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2132,7 +2133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2167,7 +2168,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2189,12 +2190,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2220,8 +2221,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 73a28aa2d3..ae3f943902 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-malicious-code-scan.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,13 +97,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -124,12 +124,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,18 +159,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_code_scanning_alert":{"max":0},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a code scanning alert for security vulnerabilities, code quality issues, or other findings. Alerts appear in the repository's Security tab and integrate with GitHub's security features. Use this for automated security analysis results.", @@ -269,7 +270,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_code_scanning_alert": { "defaultMax": 40, @@ -383,7 +384,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -458,7 +459,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -466,7 +467,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -766,7 +767,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -779,12 +780,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -860,7 +861,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -883,14 +884,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -912,7 +913,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -950,9 +951,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -977,9 +978,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1003,9 +1004,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1021,9 +1022,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1065,7 +1066,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1099,9 +1100,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1113,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1131,9 +1132,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); safe_outputs: @@ -1162,7 +1163,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1182,8 +1183,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 5b25a1961d..add6f75f2e 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-multi-device-docs-tester.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,13 +105,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -132,12 +132,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -162,18 +162,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -277,7 +278,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -409,7 +410,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -476,7 +477,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -487,7 +488,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -596,7 +597,7 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -612,17 +613,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -698,7 +699,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -724,14 +725,14 @@ jobs: GH_AW_INPUTS_DEVICES: ${{ inputs.devices }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -847,7 +848,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 30 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat),Bash(cd*),Bash(curl*),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(kill*),Bash(ls),Bash(ls*),Bash(lsof*),Bash(npm install*),Bash(npm run build*),Bash(npm run preview*),Bash(npx playwright*),Bash(pwd),Bash(pwd*),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -874,9 +875,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -902,9 +903,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -920,9 +921,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -936,7 +937,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -947,9 +948,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -993,7 +994,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1027,9 +1028,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1041,9 +1042,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1060,9 +1061,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1085,7 +1086,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1111,9 +1112,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1162,7 +1163,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1217,9 +1218,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1257,7 +1258,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1278,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); upload_assets: @@ -1305,7 +1306,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1327,12 +1328,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1358,8 +1359,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 2d0c532c31..f627ae8ea9 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -65,16 +65,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-news.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -94,8 +94,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -111,13 +111,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Setup Python environment @@ -211,7 +211,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -228,7 +228,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -249,12 +249,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -284,18 +284,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"daily-news\".", @@ -385,7 +386,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -496,7 +497,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -584,14 +585,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1315,12 +1316,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1451,7 +1452,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1473,21 +1474,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1529,9 +1530,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -1557,9 +1558,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1583,9 +1584,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1614,7 +1615,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1625,9 +1626,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1673,7 +1674,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1707,9 +1708,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1721,9 +1722,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1740,9 +1741,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1765,7 +1766,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1791,9 +1792,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1842,7 +1843,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1892,9 +1893,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1922,7 +1923,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1960,9 +1961,9 @@ jobs: FILE_GLOB_FILTER: "memory/daily-news/*.json memory/daily-news/*.jsonl memory/daily-news/*.csv memory/daily-news/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1993,7 +1994,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2014,9 +2015,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2037,7 +2038,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2072,7 +2073,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2094,12 +2095,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2125,8 +2126,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 0a3cb7a620..ba78088d58 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-performance-summary.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -93,8 +93,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -110,13 +110,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: | mkdir -p /tmp/gh-aw/python/{data,charts,artifacts} @@ -142,7 +142,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -172,12 +172,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -202,18 +202,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_discussion":{"max":10},"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily performance] \". Discussions will be created in category \"General\".", @@ -337,7 +338,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_discussion": { "defaultMax": 1, @@ -434,12 +435,12 @@ jobs: EOF - name: Setup Safe Inputs Config run: | - mkdir -p /tmp/gh-aw/safe-inputs/logs - cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' + mkdir -p /opt/gh-aw/safe-inputs/logs + cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' { "serverName": "safeinputs", "version": "1.0.0", - "logDir": "/tmp/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/safe-inputs/logs", "tools": [ { "name": "github-discussion-query", @@ -530,7 +531,7 @@ jobs: ] } EOF_TOOLS_JSON - cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' + cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' const path = require("path"); const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -539,17 +540,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); }); EOFSI - chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs + chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs - name: Setup Safe Inputs Tool Files run: | - cat > /tmp/gh-aw/safe-inputs/github-discussion-query.sh << 'EOFSH_github-discussion-query' + cat > /opt/gh-aw/safe-inputs/github-discussion-query.sh << 'EOFSH_github-discussion-query' #!/bin/bash # Auto-generated safe-input tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -625,8 +626,8 @@ jobs: fi EOFSH_github-discussion-query - chmod +x /tmp/gh-aw/safe-inputs/github-discussion-query.sh - cat > /tmp/gh-aw/safe-inputs/github-issue-query.sh << 'EOFSH_github-issue-query' + chmod +x /opt/gh-aw/safe-inputs/github-discussion-query.sh + cat > /opt/gh-aw/safe-inputs/github-issue-query.sh << 'EOFSH_github-issue-query' #!/bin/bash # Auto-generated safe-input tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -706,8 +707,8 @@ jobs: EOFSH_github-issue-query - chmod +x /tmp/gh-aw/safe-inputs/github-issue-query.sh - cat > /tmp/gh-aw/safe-inputs/github-pr-query.sh << 'EOFSH_github-pr-query' + chmod +x /opt/gh-aw/safe-inputs/github-issue-query.sh + cat > /opt/gh-aw/safe-inputs/github-pr-query.sh << 'EOFSH_github-pr-query' #!/bin/bash # Auto-generated safe-input tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. @@ -793,7 +794,7 @@ jobs: EOFSH_github-pr-query - chmod +x /tmp/gh-aw/safe-inputs/github-pr-query.sh + chmod +x /opt/gh-aw/safe-inputs/github-pr-query.sh - name: Generate Safe Inputs MCP Server Config id: safe-inputs-config @@ -821,7 +822,7 @@ jobs: export GH_AW_SAFE_INPUTS_PORT export GH_AW_SAFE_INPUTS_API_KEY - bash /tmp/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_safe_inputs_server.sh - name: Setup MCPs env: @@ -871,7 +872,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -923,7 +924,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -932,7 +933,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1445,7 +1446,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1459,12 +1460,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1565,7 +1566,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1589,20 +1590,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains api.openai.com,openai.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.openai.com,openai.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1626,9 +1627,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1654,9 +1655,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1680,18 +1681,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Parse safe-inputs logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); await main(); - name: Firewall summary if: always() @@ -1711,7 +1712,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1722,9 +1723,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1770,7 +1771,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1804,9 +1805,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1818,9 +1819,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1837,9 +1838,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1862,7 +1863,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1888,9 +1889,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1939,7 +1940,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1972,9 +1973,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -2012,7 +2013,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2033,9 +2034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2056,7 +2057,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2091,7 +2092,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2113,12 +2114,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2144,8 +2145,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index c3f5f55879..76b49a3059 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-repo-chronicle.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -90,8 +90,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -107,13 +107,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -139,7 +139,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -168,12 +168,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -203,18 +203,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"📰 \".", @@ -304,7 +305,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -415,7 +416,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -490,7 +491,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -498,7 +499,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1027,7 +1028,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1123,7 +1124,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1136,12 +1137,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1242,7 +1243,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1265,21 +1266,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1320,9 +1321,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1347,9 +1348,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1373,9 +1374,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1395,7 +1396,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1406,9 +1407,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1453,7 +1454,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1487,9 +1488,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1501,9 +1502,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1520,9 +1521,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1545,7 +1546,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1571,9 +1572,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1622,7 +1623,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1672,9 +1673,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1712,7 +1713,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1733,9 +1734,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1756,7 +1757,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1791,7 +1792,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1813,12 +1814,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1844,8 +1845,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 31af611182..523667c290 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-secrets-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -165,18 +165,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_discussion":{"max":10},"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[daily secrets] \". Discussions will be created in category \"audits\".", @@ -283,7 +284,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_discussion": { "defaultMax": 1, @@ -405,7 +406,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -480,7 +481,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -489,7 +490,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -777,7 +778,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -791,12 +792,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -872,7 +873,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -896,14 +897,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -925,7 +926,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -963,9 +964,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -990,9 +991,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1016,9 +1017,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1034,9 +1035,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1079,7 +1080,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1113,9 +1114,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1127,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1146,9 +1147,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1171,7 +1172,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1197,9 +1198,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1248,7 +1249,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1298,9 +1299,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1338,7 +1339,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1359,8 +1360,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 8ac5cff07f..c621e22a3b 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -69,16 +69,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-team-status.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -93,8 +93,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -110,13 +110,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -137,12 +137,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -172,18 +172,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[team-status] \".", @@ -270,7 +271,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -376,7 +377,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -451,14 +452,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Formatting @@ -566,12 +567,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -647,7 +648,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -669,21 +670,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -721,9 +722,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -748,9 +749,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -774,9 +775,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -792,9 +793,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -837,7 +838,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -873,9 +874,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -889,9 +890,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -908,9 +909,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -933,7 +934,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -959,9 +960,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1010,7 +1011,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1060,9 +1061,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1088,7 +1089,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check stop-time limit id: check_stop_time uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1097,9 +1098,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Daily Team Status" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_stop_time.cjs'); + const { main } = require('/opt/gh-aw/actions/check_stop_time.cjs'); await main(); safe_outputs: @@ -1132,7 +1133,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1153,8 +1154,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 92dc52baf5..e18f637c7a 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "daily-workflow-updater.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,13 +97,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -124,12 +124,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,18 +159,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[actions] \". Labels [dependencies automation] will be automatically added.", @@ -250,7 +251,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -352,7 +353,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -427,14 +428,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -600,12 +601,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -681,7 +682,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -703,14 +704,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -745,7 +746,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(gh aw update --verbose)' --allow-tool 'shell(git add .github/aw/actions-lock.json)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git diff .github/aw/actions-lock.json)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git push)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -783,9 +784,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -810,9 +811,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -836,9 +837,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -854,9 +855,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -900,7 +901,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -934,9 +935,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -948,9 +949,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -967,9 +968,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -992,7 +993,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1018,9 +1019,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1069,7 +1070,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1119,9 +1120,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1161,7 +1162,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1207,8 +1208,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index a1165b0287..489b719f41 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -65,16 +65,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "deep-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -95,8 +95,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -112,13 +112,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -144,7 +144,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -162,7 +162,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -183,12 +183,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -213,18 +213,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -314,7 +315,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -429,7 +430,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -481,14 +482,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -974,12 +975,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1110,7 +1111,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1132,20 +1133,20 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1168,9 +1169,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -1196,9 +1197,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1222,9 +1223,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1253,7 +1254,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1264,9 +1265,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1312,7 +1313,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1346,9 +1347,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1360,9 +1361,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1379,9 +1380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1404,7 +1405,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1430,9 +1431,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1481,7 +1482,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1514,9 +1515,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1544,7 +1545,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1582,9 +1583,9 @@ jobs: FILE_GLOB_FILTER: "memory/deep-report/*.md" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1615,7 +1616,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1636,9 +1637,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1659,7 +1660,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1694,7 +1695,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1716,12 +1717,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1747,8 +1748,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index ce1ae00676..e43bc6f423 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -57,16 +57,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "dependabot-go-checker.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,8 +83,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -100,13 +100,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -127,12 +127,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -162,18 +162,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_issue":{"max":20,"required_title_prefix":"[deps]"},"create_issue":{"max":10},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[deps]\". Labels [dependencies go] will be automatically added.", @@ -284,7 +285,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_issue": { "defaultMax": 1, @@ -404,7 +405,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -479,7 +480,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -487,7 +488,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Dependabot Dependency Checker @@ -916,7 +917,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -929,12 +930,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1010,7 +1011,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1033,21 +1034,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1085,9 +1086,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1112,9 +1113,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1138,9 +1139,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1156,9 +1157,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1201,7 +1202,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1234,9 +1235,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1247,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1265,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1290,7 +1291,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1316,9 +1317,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1367,7 +1368,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1417,9 +1418,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1456,7 +1457,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1477,8 +1478,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 05befad2a5..100323d902 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -70,16 +70,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "dev-hawk.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -94,8 +94,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -111,13 +111,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -189,18 +189,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1,"target":"*"},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: *.", @@ -269,7 +270,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -373,7 +374,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -448,7 +449,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -462,7 +463,7 @@ jobs: GH_AW_GITHUB_EVENT_WORKFLOW_RUN_STATUS: ${{ github.event.workflow_run.status }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -682,7 +683,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -701,12 +702,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -782,7 +783,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -811,14 +812,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -842,7 +843,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool gh-aw --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(gh agent-task create *)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -880,9 +881,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -907,9 +908,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -933,9 +934,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -951,9 +952,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -996,7 +997,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1029,9 +1030,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1042,9 +1043,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1061,9 +1062,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1086,7 +1087,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1112,9 +1113,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1163,7 +1164,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1213,9 +1214,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1242,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1251,9 +1252,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1286,7 +1287,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1307,8 +1308,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 8e71dc827a..741d5d0fb2 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -57,16 +57,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "dev.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,13 +97,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -124,12 +124,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,18 +159,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -239,7 +240,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -326,7 +327,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -401,14 +402,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Read Issue and Post Poem @@ -426,12 +427,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -507,7 +508,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -529,21 +530,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -582,9 +583,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -609,9 +610,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -635,9 +636,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -653,9 +654,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -698,7 +699,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -731,9 +732,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -744,9 +745,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -762,9 +763,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -787,7 +788,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -813,9 +814,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -864,7 +865,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -914,9 +915,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -956,7 +957,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -978,8 +979,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index ab906c5bc9..5a8a51f6b3 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "developer-docs-consolidator.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,7 +103,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -121,10 +121,10 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -184,18 +184,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"General\".", @@ -301,7 +302,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -425,7 +426,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -505,7 +506,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -514,7 +515,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1079,7 +1080,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1132,7 +1133,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1146,12 +1147,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1252,7 +1253,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1276,14 +1277,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1385,7 +1386,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat specs/*.md),Bash(cat),Bash(date),Bash(echo),Bash(find specs -maxdepth 1 -ls),Bash(find specs -name '\''*.md'\''),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -r '\''*'\'' specs),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l specs/*.md),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1408,9 +1409,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1436,9 +1437,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1454,9 +1455,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1478,9 +1479,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1525,7 +1526,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1558,9 +1559,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1571,9 +1572,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1589,9 +1590,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1614,7 +1615,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1640,9 +1641,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1691,7 +1692,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1745,9 +1746,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1787,7 +1788,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1833,9 +1834,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1856,7 +1857,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index a51952b2d6..5572cc08b3 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "dictation-prompt.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,8 +83,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -100,13 +100,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -127,12 +127,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -162,18 +162,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [documentation automation] will be automatically added.", @@ -253,7 +254,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -355,7 +356,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -430,14 +431,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -527,12 +528,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -608,7 +609,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -630,21 +631,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -682,9 +683,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -709,9 +710,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -735,9 +736,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -753,9 +754,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -799,7 +800,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -832,9 +833,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -845,9 +846,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -863,9 +864,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -888,7 +889,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -914,9 +915,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -965,7 +966,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1015,9 +1016,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1056,7 +1057,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1102,8 +1103,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 6124f5a204..8b28b2c8e1 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "docs-noob-tester.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,8 +83,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -100,13 +100,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -127,12 +127,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -162,18 +162,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"General\".", @@ -263,7 +264,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -380,7 +381,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -455,7 +456,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -464,7 +465,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Documentation Noob Testing @@ -636,7 +637,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -650,17 +651,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -736,7 +737,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -760,21 +761,21 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -815,9 +816,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -842,9 +843,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -868,9 +869,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -884,7 +885,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -895,9 +896,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -941,7 +942,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -974,9 +975,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -987,9 +988,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1005,9 +1006,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1030,7 +1031,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1056,9 +1057,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1107,7 +1108,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1157,9 +1158,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1196,7 +1197,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1217,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); upload_assets: @@ -1244,7 +1245,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1266,12 +1267,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1296,8 +1297,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml index 0a695c7bb3..07391fa1be 100644 --- a/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml +++ b/.github/workflows/docs-quality-maintenance-project67.campaign.lock.yml @@ -58,16 +58,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "docs-quality-maintenance-project67.campaign.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Create workspace directory run: mkdir -p ./.gh-aw - env: @@ -138,7 +138,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -159,12 +159,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -194,18 +194,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":10},"create_issue":{"max":1},"create_project_status_update":{"max":1},"missing_tool":{},"noop":{"max":1},"update_project":{"max":15}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -410,7 +411,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -606,7 +607,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -681,14 +682,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1235,12 +1236,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1343,7 +1344,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1365,21 +1366,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1417,9 +1418,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1444,9 +1445,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1470,9 +1471,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1497,9 +1498,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1543,7 +1544,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1576,9 +1577,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1589,9 +1590,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1607,9 +1608,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1632,7 +1633,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1658,9 +1659,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1709,7 +1710,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1759,9 +1760,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1789,7 +1790,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1828,9 +1829,9 @@ jobs: GH_AW_CAMPAIGN_ID: docs-quality-maintenance-project73 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1862,7 +1863,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1883,9 +1884,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Update Project id: update_project @@ -1896,8 +1897,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/update_project.cjs'); + const { main } = require('/opt/gh-aw/actions/update_project.cjs'); await main(); diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 3ed9377eb5..ca571861dc 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "duplicate-code-detector.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,7 +97,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -115,7 +115,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -136,12 +136,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -166,18 +166,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Assignees [copilot] will be automatically assigned.", @@ -264,7 +265,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -371,7 +372,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] @@ -436,7 +437,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -447,7 +448,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Duplicate Code Detection @@ -681,7 +682,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -697,12 +698,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -778,7 +779,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -804,20 +805,20 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains api.openai.com,openai.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.openai.com,openai.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -837,9 +838,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -865,9 +866,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -891,9 +892,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -909,9 +910,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -954,7 +955,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -987,9 +988,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1000,9 +1001,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1018,9 +1019,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1043,7 +1044,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1069,9 +1070,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1120,7 +1121,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1153,9 +1154,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1192,7 +1193,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1213,8 +1214,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml index b2b20cd4ad..939b09e56a 100644 --- a/.github/workflows/example-custom-error-patterns.lock.yml +++ b/.github/workflows/example-custom-error-patterns.lock.yml @@ -54,16 +54,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "example-custom-error-patterns.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,13 +83,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -110,12 +110,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -145,10 +145,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Setup MCPs env: GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} @@ -239,13 +239,13 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Example: Custom Error Patterns @@ -264,12 +264,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append GitHub context to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -326,7 +326,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -348,21 +348,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -399,9 +399,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -424,9 +424,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -442,9 +442,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"CUSTOM_ERROR:\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Custom project-specific error format\"},{\"id\":\"\",\"pattern\":\"\\\\[BUILD_FAILED\\\\]\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Build failure indicator\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -476,7 +476,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -485,8 +485,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index d2b6109013..d6d69d2f72 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -53,16 +53,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "example-permissions-warning.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,13 +86,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -113,12 +113,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -148,10 +148,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Setup MCPs env: GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} @@ -240,13 +240,13 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Example: Properly Provisioned Permissions @@ -265,12 +265,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append GitHub context to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -327,7 +327,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -349,21 +349,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -400,9 +400,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -425,9 +425,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -443,9 +443,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 6ecdd29fd6..ad3ce35c5b 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "example-workflow-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -160,10 +160,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -179,12 +179,13 @@ jobs: gh aw --version - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[workflow-analysis] \". Discussions will be created in category \"Audits\".", @@ -257,7 +258,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -360,7 +361,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -427,14 +428,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -480,12 +481,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -561,7 +562,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -583,14 +584,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -664,7 +665,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -687,9 +688,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -715,9 +716,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -733,9 +734,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -751,9 +752,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -796,7 +797,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -829,9 +830,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -842,9 +843,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -860,9 +861,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -885,7 +886,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -911,9 +912,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -962,7 +963,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1016,9 +1017,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1055,7 +1056,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1076,8 +1077,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/file-size-reduction-project71.campaign.lock.yml b/.github/workflows/file-size-reduction-project71.campaign.lock.yml index aaf654164d..0dd397f111 100644 --- a/.github/workflows/file-size-reduction-project71.campaign.lock.yml +++ b/.github/workflows/file-size-reduction-project71.campaign.lock.yml @@ -58,16 +58,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "file-size-reduction-project71.campaign.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Create workspace directory run: mkdir -p ./.gh-aw - env: @@ -138,7 +138,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/campaigns CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -159,12 +159,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -194,18 +194,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":10},"create_issue":{"max":1},"create_project_status_update":{"max":1},"missing_tool":{},"noop":{"max":1},"update_project":{"max":10}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -410,7 +411,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -606,7 +607,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -681,14 +682,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1232,12 +1233,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1340,7 +1341,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1362,21 +1363,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1414,9 +1415,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1441,9 +1442,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1467,9 +1468,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1494,9 +1495,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1540,7 +1541,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1573,9 +1574,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1586,9 +1587,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1604,9 +1605,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1629,7 +1630,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1655,9 +1656,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1706,7 +1707,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1756,9 +1757,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1786,7 +1787,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1825,9 +1826,9 @@ jobs: GH_AW_CAMPAIGN_ID: file-size-reduction-project71 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1859,7 +1860,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1880,9 +1881,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Update Project id: update_project @@ -1893,8 +1894,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/update_project.cjs'); + const { main } = require('/opt/gh-aw/actions/update_project.cjs'); await main(); diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 34b44d4ff7..dea4e1048b 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -68,16 +68,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "firewall-escape.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -92,8 +92,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -109,16 +109,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -135,7 +135,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -156,12 +156,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -191,18 +191,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Firewall Escape] \". Discussions will be created in category \"audits\".", @@ -275,7 +276,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -374,7 +375,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -449,7 +450,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -457,7 +458,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" *Auto-generated by firewall escape test workflow*`, labels: ['bug', 'firewall', 'automated'] @@ -774,7 +775,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -787,12 +788,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -922,7 +923,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -945,21 +946,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 60 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -997,9 +998,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1024,9 +1025,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1050,9 +1051,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1083,9 +1084,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1130,7 +1131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1164,9 +1165,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1178,9 +1179,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1197,9 +1198,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1220,7 +1221,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1246,9 +1247,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1297,7 +1298,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1347,9 +1348,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1405,7 +1406,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1414,9 +1415,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1437,7 +1438,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1474,9 +1475,9 @@ jobs: MAX_FILE_COUNT: 50 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1507,7 +1508,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1528,9 +1529,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1551,7 +1552,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index d2aeac6630..a4f5839690 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -53,16 +53,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "firewall.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,13 +86,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -113,12 +113,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -148,10 +148,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Setup MCPs env: GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} @@ -242,7 +242,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -250,7 +250,7 @@ jobs: GH_AW_GITHUB_ACTOR: ${{ github.actor }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Firewall Test Agent @@ -284,7 +284,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -298,12 +298,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append GitHub context to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -360,7 +360,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -384,21 +384,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -435,9 +435,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -460,9 +460,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -478,9 +478,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 3fb297b822..e87ca4bfbd 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "github-mcp-structural-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -93,8 +93,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -110,13 +110,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -142,7 +142,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -171,12 +171,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -201,18 +201,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[mcp-analysis] \". Discussions will be created in category \"audits\".", @@ -302,7 +303,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -409,7 +410,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -476,7 +477,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -485,7 +486,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Python Data Visualization Guide @@ -983,7 +984,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1112,7 +1113,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1126,12 +1127,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1232,7 +1233,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1256,14 +1257,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1341,7 +1342,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1367,9 +1368,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1395,9 +1396,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1413,9 +1414,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1435,7 +1436,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1446,9 +1447,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1493,7 +1494,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1526,9 +1527,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1539,9 +1540,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1557,9 +1558,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1582,7 +1583,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1608,9 +1609,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1659,7 +1660,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1713,9 +1714,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1752,7 +1753,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1773,9 +1774,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1796,7 +1797,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1831,7 +1832,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1853,12 +1854,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1883,8 +1884,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 169b9216e8..f735d026ab 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "github-mcp-tools-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -90,8 +90,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -107,16 +107,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -145,12 +145,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -175,16 +175,17 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -290,7 +291,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -404,7 +405,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -471,7 +472,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -479,7 +480,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -867,7 +868,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -979,7 +980,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -992,12 +993,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1098,7 +1099,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1121,14 +1122,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1206,7 +1207,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1229,9 +1230,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1257,9 +1258,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1275,9 +1276,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1299,9 +1300,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1346,7 +1347,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1379,9 +1380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1392,9 +1393,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1410,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1435,7 +1436,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1461,9 +1462,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1512,7 +1513,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1566,9 +1567,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1608,7 +1609,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1654,9 +1655,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1677,7 +1678,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 75381d031b..88fd07efba 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "github-remote-mcp-auth-test.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,13 +97,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -124,12 +124,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -159,16 +159,17 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[auth-test] \". Discussions will be created in category \"audits\".", @@ -241,7 +242,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -332,7 +333,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -407,7 +408,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -417,7 +418,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # GitHub Remote MCP Authentication Test @@ -516,7 +517,7 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -531,12 +532,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -612,7 +613,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -637,21 +638,21 @@ jobs: GH_AW_GITHUB_WORKFLOW: ${{ github.workflow }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --model gpt-5-mini --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -688,9 +689,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -715,9 +716,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -741,9 +742,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -759,9 +760,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -804,7 +805,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -837,9 +838,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -850,9 +851,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -868,9 +869,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -893,7 +894,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -919,9 +920,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -970,7 +971,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1019,9 +1020,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1059,7 +1060,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1080,8 +1081,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 37479034e5..4011709894 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "glossary-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,7 +103,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -121,10 +121,10 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -153,12 +153,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -188,18 +188,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [documentation glossary] will be automatically added.", @@ -279,7 +280,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -381,7 +382,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -462,7 +463,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -470,7 +471,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ### Documentation @@ -995,7 +996,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1102,7 +1103,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1115,12 +1116,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1221,7 +1222,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1244,14 +1245,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1285,7 +1286,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find docs -name '\''*.md'\'')' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git log --since='\''24 hours ago'\'' --oneline)' --allow-tool 'shell(git log --since='\''7 days ago'\'' --oneline)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep -r '\''*'\'' docs)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1323,9 +1324,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1350,9 +1351,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1376,9 +1377,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1400,9 +1401,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1447,7 +1448,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1480,9 +1481,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1493,9 +1494,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1511,9 +1512,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1536,7 +1537,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1562,9 +1563,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1613,7 +1614,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1663,9 +1664,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1704,7 +1705,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1750,9 +1751,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1773,7 +1774,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index abe40997d0..b9a522dbd6 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "go-fan.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,7 +102,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -120,10 +120,10 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -152,12 +152,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -182,18 +182,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[go-fan] \". Discussions will be created in category \"General\".", @@ -266,7 +267,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -361,7 +362,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -441,7 +442,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -451,7 +452,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -755,7 +756,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -770,12 +771,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -876,7 +877,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -901,14 +902,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1004,7 +1005,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat go.mod),Bash(cat go.sum),Bash(cat specs/mods/*),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '\''*.go'\''),Bash(find specs/mods/ -maxdepth 1 -ls),Bash(go list -m all),Bash(grep -r '\''import'\'' --include='\''*.go'\''),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1027,9 +1028,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1055,9 +1056,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1073,9 +1074,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1097,9 +1098,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1143,7 +1144,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1177,9 +1178,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1191,9 +1192,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1210,9 +1211,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1235,7 +1236,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1261,9 +1262,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1312,7 +1313,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1366,9 +1367,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1406,7 +1407,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1427,9 +1428,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1450,7 +1451,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 8d632d4218..1fc249074d 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "go-logger.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,7 +97,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -110,7 +110,7 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -122,7 +122,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -151,12 +151,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -181,18 +181,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[log] \". Labels [enhancement automation] will be automatically added.", @@ -272,7 +273,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -370,7 +371,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -437,14 +438,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Go Logger Enhancement @@ -711,12 +712,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -817,7 +818,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -839,14 +840,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -951,7 +952,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(./gh-aw compile *),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '\''*.go'\'' -type f ! -name '\''*_test.go'\''),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -n '\''func '\'' pkg/*.go),Bash(grep -r '\''var log = logger.New'\'' pkg --include='\''*.go'\''),Bash(grep),Bash(head -n * pkg/**/*.go),Bash(head),Bash(ls),Bash(make build),Bash(make recompile),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l pkg/**/*.go),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -974,9 +975,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1002,9 +1003,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1020,9 +1021,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1044,9 +1045,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1091,7 +1092,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1124,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1137,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1155,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1180,7 +1181,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1206,9 +1207,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1257,7 +1258,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1311,9 +1312,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1352,7 +1353,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1398,9 +1399,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1421,7 +1422,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index f79dd44a6d..cb52442860 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "go-pattern-detector.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -160,18 +160,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/ast-grep:latest + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/ast-grep:latest - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[ast-grep] \". Labels [code-quality ast-grep] will be automatically added.", @@ -258,7 +259,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -370,7 +371,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -437,7 +438,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -447,7 +448,7 @@ jobs: GH_AW_GITHUB_EVENT_AFTER: ${{ github.event.after }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## ast-grep MCP Server @@ -597,7 +598,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -612,12 +613,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -693,7 +694,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -718,14 +719,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -800,7 +801,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools Bash,BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__ast-grep,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -823,9 +824,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -851,9 +852,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -869,9 +870,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -887,9 +888,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -966,7 +967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -999,9 +1000,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1012,9 +1013,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1030,9 +1031,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1055,7 +1056,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1081,9 +1082,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1132,7 +1133,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1186,9 +1187,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1225,7 +1226,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1246,8 +1247,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 79588db1e9..fd04c41ed2 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -71,25 +71,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "grumpy-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -102,9 +102,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*\",\"runStarted\":\"😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time.\",\"runSuccess\":\"😤 Fine. [{workflow_name}]({run_url}) finished the review. It wasn't completely terrible. I guess. 🙄\",\"runFailure\":\"😤 Great. [{workflow_name}]({run_url}) {status}. As if my day couldn't get any worse...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -116,8 +116,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -133,16 +133,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -171,12 +171,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -206,18 +206,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_pull_request_review_comment":{"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -331,7 +332,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -448,7 +449,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -523,7 +524,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -533,7 +534,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Grumpy Code Reviewer 🔥 @@ -671,7 +672,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -686,12 +687,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -792,7 +793,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -814,7 +815,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -824,21 +825,21 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -876,9 +877,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -904,9 +905,9 @@ jobs: GH_AW_COMMAND: grumpy with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -930,9 +931,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -954,9 +955,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1000,7 +1001,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1033,9 +1034,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1046,9 +1047,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1065,9 +1066,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1088,7 +1089,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1114,9 +1115,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1165,7 +1166,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1215,9 +1216,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1247,7 +1248,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1256,9 +1257,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1267,9 +1268,9 @@ jobs: GH_AW_COMMANDS: "[\"grumpy\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1302,7 +1303,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1323,9 +1324,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1346,7 +1347,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 0a3a18b5bd..0871c47d46 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "hourly-ci-cleaner.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,7 +105,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -118,7 +118,7 @@ jobs: cache-dependency-path: 'actions/setup/js/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install Make run: | sudo apt-get update @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -189,18 +189,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ca] \".", @@ -280,7 +281,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -382,7 +383,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -457,7 +458,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -468,7 +469,7 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_RUN_ID: ${{ needs.check_ci_status.outputs.ci_run_id }} GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # CI Cleaner Agent @@ -817,7 +818,7 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -833,12 +834,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -914,7 +915,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -940,21 +941,21 @@ jobs: GH_AW_NEEDS_CHECK_CI_STATUS_OUTPUTS_CI_STATUS: ${{ needs.check_ci_status.outputs.ci_status }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache/go:/opt/hostedtoolcache/go:ro --mount /usr/bin/go:/usr/bin/go:ro --mount /usr/bin/make:/usr/bin/make:ro --mount /usr/local/bin/node:/usr/local/bin/node:ro --mount /usr/local/bin/npm:/usr/local/bin/npm:ro --mount /usr/local/lib/node_modules:/usr/local/lib/node_modules:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --mount /opt/hostedtoolcache/go:/opt/hostedtoolcache/go:ro --mount /usr/bin/go:/usr/bin/go:ro --mount /usr/bin/make:/usr/bin/make:ro --mount /usr/local/bin/node:/usr/local/bin/node:ro --mount /usr/local/bin/npm:/usr/local/bin/npm:ro --mount /usr/local/lib/node_modules:/usr/local/lib/node_modules:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent ci-cleaner --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -992,9 +993,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1019,9 +1020,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1045,9 +1046,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1063,9 +1064,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1148,7 +1149,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1182,9 +1183,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1198,9 +1199,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1217,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1242,7 +1243,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1268,9 +1269,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1319,7 +1320,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1369,9 +1370,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1411,7 +1412,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1457,8 +1458,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index bd8a23f7ad..3f1ddb0147 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "instructions-janitor.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -80,8 +80,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -97,16 +97,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -135,12 +135,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -165,18 +165,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[instructions] \". Labels [documentation automation instructions] will be automatically added.", @@ -256,7 +257,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -354,7 +355,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -421,14 +422,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Instructions Janitor @@ -595,12 +596,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -701,7 +702,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -723,14 +724,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -831,7 +832,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat .github/aw/github-agentic-workflows.md),Bash(cat),Bash(date),Bash(echo),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git describe --tags --abbrev=0),Bash(git log --since='\''*'\'' --pretty=format:'\''%h %s'\'' -- docs/),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l .github/aw/github-agentic-workflows.md),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -854,9 +855,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -882,9 +883,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -900,9 +901,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -924,9 +925,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -971,7 +972,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1004,9 +1005,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1017,9 +1018,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1035,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1060,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1086,9 +1087,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1137,7 +1138,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1191,9 +1192,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1232,7 +1233,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1278,9 +1279,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1301,7 +1302,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 5b9b9386c5..d50e834ddd 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "issue-arborist.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -82,8 +82,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -99,13 +99,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - env: @@ -134,12 +134,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -164,18 +164,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"create_issue":{"max":5},"link_sub_issue":{"max":50},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 5 issue(s) can be created. Title will be prefixed with \"[Parent] \".", @@ -316,7 +317,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -463,7 +464,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -515,7 +516,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -523,7 +524,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -756,7 +757,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -769,12 +770,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -850,7 +851,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -873,20 +874,20 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -906,9 +907,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -934,9 +935,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -960,9 +961,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -978,9 +979,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1023,7 +1024,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1056,9 +1057,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1069,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1087,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1112,7 +1113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1138,9 +1139,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1189,7 +1190,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1222,9 +1223,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1262,7 +1263,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1283,8 +1284,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index f58d648146..09658dc259 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -67,25 +67,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "issue-classifier.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -96,9 +96,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Issue Classifier" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -111,8 +111,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -128,13 +128,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -155,9 +155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown @@ -167,18 +167,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_labels":{"allowed":["bug","feature","enhancement","documentation"],"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add labels to an existing GitHub issue or pull request for categorization and filtering. Labels must already exist in the repository. For creating new issues with labels, use create_issue with the labels property instead. CONSTRAINTS: Maximum 1 label(s) can be added. Only these labels are allowed: [bug feature enhancement documentation].", @@ -249,7 +250,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_labels": { "defaultMax": 5, @@ -333,7 +334,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -400,7 +401,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -410,7 +411,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -461,7 +462,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -476,12 +477,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -557,7 +558,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -582,14 +583,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run AI Inference uses: actions/ai-inference@334892bb203895caaed82ec52d23c1ed9385151e # v2 env: @@ -610,9 +611,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -636,9 +637,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -654,9 +655,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_custom_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_custom_log.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -698,7 +699,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -731,9 +732,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -744,9 +745,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -762,9 +763,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -785,7 +786,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -811,9 +812,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -880,9 +881,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -908,7 +909,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -917,9 +918,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -950,7 +951,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -971,8 +972,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 88770508b2..cb0ea7a23b 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "issue-monster.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -90,8 +90,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -107,13 +107,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -134,12 +134,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -169,18 +169,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":3},"assign_to_agent":{"max":3},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 3 comment(s) can be added.", @@ -273,7 +274,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -374,7 +375,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -449,7 +450,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -460,7 +461,7 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_LIST: ${{ needs.search_issues.outputs.issue_list }} GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -654,7 +655,7 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -670,12 +671,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -751,7 +752,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -777,21 +778,21 @@ jobs: GH_AW_NEEDS_SEARCH_ISSUES_OUTPUTS_ISSUE_NUMBERS: ${{ needs.search_issues.outputs.issue_numbers }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -829,9 +830,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -856,9 +857,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -882,9 +883,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -900,9 +901,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -945,7 +946,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -978,9 +979,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -991,9 +992,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1010,9 +1011,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1035,7 +1036,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1061,9 +1062,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1112,7 +1113,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1162,9 +1163,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1190,7 +1191,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1199,9 +1200,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1212,9 +1213,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "9" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); - name: Check skip-if-no-match query id: check_skip_if_no_match @@ -1225,9 +1226,9 @@ jobs: GH_AW_SKIP_MIN_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_no_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_no_match.cjs'); await main(); safe_outputs: @@ -1261,7 +1262,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1282,9 +1283,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign To Agent id: assign_to_agent @@ -1296,9 +1297,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); await main(); search_issues: diff --git a/.github/workflows/issue-template-optimizer.lock.yml b/.github/workflows/issue-template-optimizer.lock.yml index 819583f223..3eeaa4fd66 100644 --- a/.github/workflows/issue-template-optimizer.lock.yml +++ b/.github/workflows/issue-template-optimizer.lock.yml @@ -56,16 +56,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "issue-template-optimizer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -81,8 +81,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -98,16 +98,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -136,12 +136,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -171,18 +171,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ca] \". Labels [documentation templates] will be automatically added. PRs will be created as drafts.", @@ -262,7 +263,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -364,7 +365,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -439,14 +440,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Issue Template Optimizer @@ -737,12 +738,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -843,7 +844,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -865,21 +866,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -917,9 +918,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -944,9 +945,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -970,9 +971,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -994,9 +995,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1041,7 +1042,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1074,9 +1075,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1087,9 +1088,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1105,9 +1106,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1130,7 +1131,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1156,9 +1157,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1207,7 +1208,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1257,9 +1258,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1298,7 +1299,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1344,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1367,7 +1368,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 286e29fb4a..b6591ba043 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -52,16 +52,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "issue-triage-agent.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -75,8 +75,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -92,9 +92,9 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -107,7 +107,7 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -137,18 +137,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["bug","feature","enhancement","documentation","question","help-wanted","good-first-issue"],"max":3},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -241,7 +242,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -343,7 +344,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -418,7 +419,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -426,7 +427,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Issue Triage Agent @@ -446,7 +447,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -459,12 +460,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -540,7 +541,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -563,21 +564,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -615,9 +616,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -642,9 +643,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -668,9 +669,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -686,9 +687,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -731,7 +732,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -764,9 +765,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -777,9 +778,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -795,9 +796,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -820,7 +821,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -846,9 +847,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -897,7 +898,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -947,9 +948,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -988,7 +989,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1009,8 +1010,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 56cea86140..2598e2a796 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -57,16 +57,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "jsweep.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -82,8 +82,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -99,7 +99,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -118,14 +118,14 @@ jobs: - name: Install TypeScript language service run: npm install -g --silent typescript-language-server typescript - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install Node.js dependencies run: npm install working-directory: actions/setup/js # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -189,18 +189,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[jsweep] \". Labels [unbloat automation] will be automatically added.", @@ -280,7 +281,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -382,7 +383,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -463,7 +464,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -472,7 +473,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # jsweep - JavaScript Unbloater @@ -728,7 +729,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -742,12 +743,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -848,7 +849,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -872,21 +873,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -924,9 +925,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -951,9 +952,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -977,9 +978,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1001,9 +1002,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1048,7 +1049,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1082,9 +1083,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1096,9 +1097,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1115,9 +1116,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1140,7 +1141,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1166,9 +1167,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1217,7 +1218,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1267,9 +1268,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1309,7 +1310,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1355,9 +1356,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1378,7 +1379,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index f593fb578b..c91e41d745 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -57,16 +57,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "layout-spec-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -81,8 +81,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -98,13 +98,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache configuration from frontmatter processed below - name: Cache (layout-spec-cache-${{ github.run_id }}) uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 @@ -132,12 +132,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -167,18 +167,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[specs] \". Labels [documentation automation] will be automatically added.", @@ -258,7 +259,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -360,7 +361,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -435,14 +436,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Layout Specification Maintainer @@ -720,12 +721,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -801,7 +802,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -823,14 +824,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -866,7 +867,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat specs/layout.md)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find .github/workflows -name '\''*.lock.yml'\'')' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git diff specs/layout.md)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep -r '\''.*'\'' pkg/workflow/*.go)' --allow-tool 'shell(grep -r '\''.*'\'' pkg/workflow/js/)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq '\''.*'\'' .github/workflows/*.lock.yml)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -904,9 +905,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -931,9 +932,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -957,9 +958,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -975,9 +976,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1021,7 +1022,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1055,9 +1056,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1069,9 +1070,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1088,9 +1089,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1113,7 +1114,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1139,9 +1140,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1190,7 +1191,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1240,9 +1241,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1282,7 +1283,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1328,8 +1329,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 265252f658..a6fa043a6e 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "lockfile-stats.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,16 +101,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -139,12 +139,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -169,18 +169,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -253,7 +254,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -348,7 +349,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -415,7 +416,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -423,7 +424,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -777,7 +778,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -790,12 +791,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -896,7 +897,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -919,14 +920,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1015,7 +1016,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1038,9 +1039,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1066,9 +1067,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1084,9 +1085,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1108,9 +1109,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1154,7 +1155,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1187,9 +1188,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1200,9 +1201,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1218,9 +1219,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1243,7 +1244,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1269,9 +1270,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1320,7 +1321,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1374,9 +1375,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1413,7 +1414,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1434,9 +1435,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1457,7 +1458,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index ac2688e79b..a0ebd2c4b8 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -76,16 +76,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "mcp-inspector.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -101,8 +101,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -118,7 +118,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -141,7 +141,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install dependencies run: make deps-dev - env: @@ -157,7 +157,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -186,12 +186,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -221,18 +221,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.27.0 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/memory mcp/notion + run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.27.0 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/memory mcp/notion - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"},"post-to-slack-channel":{"description":"Post a message to a Slack channel. Message must be 200 characters or less. Supports basic Slack markdown: *bold*, _italic_, ~strike~, `code`, ```code block```, \u003equote, and links \u003curl|text\u003e. Requires GH_AW_SLACK_CHANNEL_ID environment variable to be set.","inputs":{"message":{"default":null,"description":"The message to post (max 200 characters, supports Slack markdown)","required":true,"type":"string"}},"output":"Message posted to Slack successfully!"}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -339,7 +340,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -619,7 +620,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -741,14 +742,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -949,12 +950,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1055,7 +1056,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1077,14 +1078,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1172,7 +1173,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool 'arxiv(get_paper_details)' --allow-tool 'arxiv(get_paper_pdf)' --allow-tool 'arxiv(search_arxiv)' --allow-tool ast-grep --allow-tool 'ast-grep(*)' --allow-tool brave-search --allow-tool 'brave-search(*)' --allow-tool context7 --allow-tool 'context7(get-library-docs)' --allow-tool 'context7(resolve-library-id)' --allow-tool datadog --allow-tool 'datadog(get_datadog_metric)' --allow-tool 'datadog(search_datadog_dashboards)' --allow-tool 'datadog(search_datadog_metrics)' --allow-tool 'datadog(search_datadog_slos)' --allow-tool deepwiki --allow-tool 'deepwiki(ask_question)' --allow-tool 'deepwiki(read_wiki_contents)' --allow-tool 'deepwiki(read_wiki_structure)' --allow-tool fabric-rti --allow-tool 'fabric-rti(get_eventstream)' --allow-tool 'fabric-rti(get_eventstream_definition)' --allow-tool 'fabric-rti(kusto_get_entities_schema)' --allow-tool 'fabric-rti(kusto_get_function_schema)' --allow-tool 'fabric-rti(kusto_get_shots)' --allow-tool 'fabric-rti(kusto_get_table_schema)' --allow-tool 'fabric-rti(kusto_known_services)' --allow-tool 'fabric-rti(kusto_list_databases)' --allow-tool 'fabric-rti(kusto_list_tables)' --allow-tool 'fabric-rti(kusto_query)' --allow-tool 'fabric-rti(kusto_sample_function_data)' --allow-tool 'fabric-rti(kusto_sample_table_data)' --allow-tool 'fabric-rti(list_eventstreams)' --allow-tool gh-aw --allow-tool github --allow-tool markitdown --allow-tool 'markitdown(*)' --allow-tool memory --allow-tool 'memory(delete_memory)' --allow-tool 'memory(list_memories)' --allow-tool 'memory(retrieve_memory)' --allow-tool 'memory(store_memory)' --allow-tool microsoftdocs --allow-tool 'microsoftdocs(*)' --allow-tool notion --allow-tool 'notion(get_database)' --allow-tool 'notion(get_page)' --allow-tool 'notion(query_database)' --allow-tool 'notion(search_pages)' --allow-tool safeoutputs --allow-tool sentry --allow-tool 'sentry(analyze_issue_with_seer)' --allow-tool 'sentry(find_dsns)' --allow-tool 'sentry(find_organizations)' --allow-tool 'sentry(find_projects)' --allow-tool 'sentry(find_releases)' --allow-tool 'sentry(find_teams)' --allow-tool 'sentry(get_doc)' --allow-tool 'sentry(get_event_attachment)' --allow-tool 'sentry(get_issue_details)' --allow-tool 'sentry(get_trace_details)' --allow-tool 'sentry(search_docs requires SENTRY_OPENAI_API_KEY)' --allow-tool 'sentry(search_events)' --allow-tool 'sentry(search_issues)' --allow-tool 'sentry(whoami)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool tavily --allow-tool 'tavily(*)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1214,9 +1215,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,BRAVE_API_KEY,CONTEXT7_API_KEY,COPILOT_GITHUB_TOKEN,DD_API_KEY,DD_APPLICATION_KEY,DD_SITE,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,TAVILY_API_KEY' @@ -1253,9 +1254,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1279,9 +1280,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1303,9 +1304,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1351,7 +1352,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1384,9 +1385,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1397,9 +1398,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1415,9 +1416,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1440,7 +1441,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1466,9 +1467,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1517,7 +1518,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1567,9 +1568,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1594,11 +1595,11 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output - path: /tmp/gh-aw/safe-jobs/ + path: /opt/gh-aw/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/tmp/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" + find "/opt/gh-aw/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1724,11 +1725,11 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output - path: /tmp/gh-aw/safe-jobs/ + path: /opt/gh-aw/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/tmp/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" + find "/opt/gh-aw/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" - name: Post message to Slack uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1880,7 +1881,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1901,9 +1902,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1924,7 +1925,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index f8603032f0..ea5994ca9c 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -66,16 +66,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "mergefest.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -87,9 +87,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Mergefest" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -102,8 +102,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -119,13 +119,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup git configuration run: "git config user.name \"github-actions[bot]\"\ngit config user.email \"github-actions[bot]@users.noreply.github.com\"\n\n# Create .gitignore to exclude workflow YAML files\ncat > /tmp/merge-gitignore << 'EOF'\n# Exclude all .yml files in .github/workflows/\n.github/workflows/*.yml\nEOF" @@ -149,12 +149,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -184,18 +184,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Push committed changes to a pull request's branch. Use this to add follow-up commits to an existing PR, such as addressing review feedback or fixing issues. Changes must be committed locally before calling this tool.", @@ -270,7 +271,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -363,7 +364,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -438,7 +439,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -448,7 +449,7 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Mergefest - Merge Main into Pull Request Branch @@ -754,7 +755,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -769,12 +770,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -850,7 +851,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -872,7 +873,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -882,14 +883,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -935,7 +936,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git config)' --allow-tool 'shell(git diff)' --allow-tool 'shell(git fetch)' --allow-tool 'shell(git log)' --allow-tool 'shell(git merge)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git pull)' --allow-tool 'shell(git reset)' --allow-tool 'shell(git rev-parse)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(make fmt)' --allow-tool 'shell(make lint)' --allow-tool 'shell(make recompile)' --allow-tool 'shell(make test-unit)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -973,9 +974,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1001,9 +1002,9 @@ jobs: GH_AW_COMMAND: mergefest with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1027,9 +1028,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1045,9 +1046,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1091,7 +1092,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1124,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1137,9 +1138,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1155,9 +1156,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1178,7 +1179,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1204,9 +1205,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1255,7 +1256,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1305,9 +1306,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1336,7 +1337,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1345,9 +1346,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1356,9 +1357,9 @@ jobs: GH_AW_COMMANDS: "[\"mergefest\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1390,7 +1391,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1436,8 +1437,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 3c193137ec..1739edf075 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "metrics-collector.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -95,13 +95,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -110,7 +110,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -131,12 +131,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -166,7 +166,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Install gh-aw extension env: @@ -273,14 +273,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -531,7 +531,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -544,12 +544,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -636,7 +636,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -659,21 +659,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -710,9 +710,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -735,9 +735,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -762,9 +762,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -796,7 +796,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -805,9 +805,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -826,7 +826,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -864,8 +864,8 @@ jobs: FILE_GLOB_FILTER: "metrics/**" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index e99e5de238..0e23978691 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "notion-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -130,12 +130,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -165,18 +165,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/notion + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/notion - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"notion-add-comment":{"description":"Add a comment to a Notion page","inputs":{"comment":{"default":null,"description":"The comment text to add","required":true,"type":"string"}},"output":"Comment added to Notion successfully!"}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -240,7 +241,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -334,7 +335,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -409,7 +410,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -417,7 +418,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_EXPR_FD3E9604: ${{ github.event.inputs.issue-number }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -439,7 +440,7 @@ jobs: GH_AW_EXPR_FD3E9604: ${{ github.event.inputs.issue-number }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -452,12 +453,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -533,7 +534,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -556,21 +557,21 @@ jobs: GH_AW_EXPR_FD3E9604: ${{ github.event.inputs.issue-number }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -608,9 +609,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,NOTION_API_TOKEN' @@ -636,9 +637,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -662,9 +663,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -680,9 +681,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -725,7 +726,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -758,9 +759,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -771,9 +772,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -789,9 +790,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -814,7 +815,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -840,9 +841,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -891,7 +892,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -941,9 +942,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -968,11 +969,11 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: agent-output - path: /tmp/gh-aw/safe-jobs/ + path: /opt/gh-aw/safe-jobs/ - name: Setup Safe Job Environment Variables run: | - find "/tmp/gh-aw/safe-jobs/" -type f -print - echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" + find "/opt/gh-aw/safe-jobs/" -type f -print + echo "GH_AW_AGENT_OUTPUT=/opt/gh-aw/safe-jobs/agent-output" >> "$GITHUB_ENV" - name: Add comment to Notion page uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 1096000da4..e07f4fb7b0 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "org-health-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -93,8 +93,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -110,13 +110,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -144,7 +144,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -173,12 +173,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -201,15 +201,16 @@ jobs: which awf awf --version - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"reports\".", @@ -299,7 +300,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -409,7 +410,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -484,14 +485,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Python Data Visualization Guide @@ -1298,12 +1299,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1404,7 +1405,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1426,21 +1427,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 60 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1481,9 +1482,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1508,9 +1509,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1534,9 +1535,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1556,7 +1557,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1567,9 +1568,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1614,7 +1615,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1647,9 +1648,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1660,9 +1661,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1678,9 +1679,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1703,7 +1704,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1729,9 +1730,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1780,7 +1781,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1830,9 +1831,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1869,7 +1870,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1890,9 +1891,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1913,7 +1914,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1948,7 +1949,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1970,12 +1971,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2000,8 +2001,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index c1296f1269..81946a6bc1 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -89,25 +89,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "pdf-summary.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -120,9 +120,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📄 *Summary compiled by [{workflow_name}]({run_url})*\",\"runStarted\":\"📖 Page by page! [{workflow_name}]({run_url}) is reading through this {event_type}...\",\"runSuccess\":\"📚 TL;DR ready! [{workflow_name}]({run_url}) has distilled the essence. Knowledge condensed! ✨\",\"runFailure\":\"📖 Reading interrupted! [{workflow_name}]({run_url}) {status}. The document remains unsummarized...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -135,8 +135,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -152,7 +152,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -162,13 +162,13 @@ jobs: with: python-version: '3.12' - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install Markitdown MCP run: pip install markitdown-mcp # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -197,12 +197,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -232,18 +232,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -312,7 +313,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -406,7 +407,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -481,7 +482,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -494,7 +495,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -654,7 +655,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -672,12 +673,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -778,7 +779,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -800,7 +801,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -813,21 +814,21 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -865,9 +866,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -893,9 +894,9 @@ jobs: GH_AW_COMMAND: summarize with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -919,9 +920,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -943,9 +944,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -989,7 +990,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1022,9 +1023,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1035,9 +1036,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1054,9 +1055,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1077,7 +1078,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1103,9 +1104,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1154,7 +1155,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1204,9 +1205,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1238,7 +1239,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1247,9 +1248,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1258,9 +1259,9 @@ jobs: GH_AW_COMMANDS: "[\"summarize\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1293,7 +1294,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1314,9 +1315,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1337,7 +1338,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 5d1081de41..4403c4a26d 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -72,25 +72,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "plan.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -102,9 +102,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Plan Command" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -118,8 +118,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -135,13 +135,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -162,12 +162,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -197,18 +197,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_discussion":{"max":1,"required_category":"Ideas"},"create_issue":{"max":6},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 6 issue(s) can be created. Title will be prefixed with \"[plan] \". Labels [plan ai-generated] will be automatically added.", @@ -329,7 +330,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_discussion": { "defaultMax": 1, @@ -458,7 +459,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -533,7 +534,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -544,7 +545,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Planning Assistant @@ -732,7 +733,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -748,12 +749,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -829,7 +830,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -851,7 +852,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -862,21 +863,21 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -914,9 +915,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -942,9 +943,9 @@ jobs: GH_AW_COMMAND: plan with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -968,9 +969,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -986,9 +987,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1031,7 +1032,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1064,9 +1065,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1077,9 +1078,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1095,9 +1096,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1118,7 +1119,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1144,9 +1145,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1195,7 +1196,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1245,9 +1246,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1277,7 +1278,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1286,9 +1287,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1297,9 +1298,9 @@ jobs: GH_AW_COMMANDS: "[\"plan\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1330,7 +1331,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1351,8 +1352,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/playground-org-project-update-issue.lock.yml b/.github/workflows/playground-org-project-update-issue.lock.yml index 552458979a..3159c6e8a4 100644 --- a/.github/workflows/playground-org-project-update-issue.lock.yml +++ b/.github/workflows/playground-org-project-update-issue.lock.yml @@ -53,16 +53,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "playground-org-project-update-issue.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -77,8 +77,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -94,13 +94,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -121,12 +121,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -156,18 +156,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"update_project":{"max":10}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -266,7 +267,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -376,7 +377,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -451,14 +452,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Issue Updater @@ -473,12 +474,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -554,7 +555,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -576,21 +577,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -628,9 +629,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TEST_ORG_PROJECT_WRITE' @@ -656,9 +657,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -682,9 +683,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -700,9 +701,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -745,7 +746,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -778,9 +779,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -791,9 +792,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -809,9 +810,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -834,7 +835,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -860,9 +861,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -911,7 +912,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -961,9 +962,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -996,7 +997,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1017,8 +1018,8 @@ jobs: with: github-token: ${{ secrets.TEST_ORG_PROJECT_WRITE }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/update_project.cjs'); + const { main } = require('/opt/gh-aw/actions/update_project.cjs'); await main(); diff --git a/.github/workflows/playground-snapshots-refresh.lock.yml b/.github/workflows/playground-snapshots-refresh.lock.yml index 30a82390d2..f16f830843 100644 --- a/.github/workflows/playground-snapshots-refresh.lock.yml +++ b/.github/workflows/playground-snapshots-refresh.lock.yml @@ -55,16 +55,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "playground-snapshots-refresh.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -79,8 +79,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -96,9 +96,9 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -139,12 +139,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -174,18 +174,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[docs] \". Labels [documentation] will be automatically added.", @@ -265,7 +266,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -367,7 +368,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -442,14 +443,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Playground snapshots refresh @@ -475,12 +476,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -556,7 +557,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -578,21 +579,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -630,9 +631,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,PLAYGROUND_SNAPSHOTS_REPO,PLAYGROUND_SNAPSHOTS_TOKEN,PLAYGROUND_SNAPSHOTS_WORKFLOW_IDS' @@ -660,9 +661,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -686,9 +687,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -704,9 +705,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -750,7 +751,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -783,9 +784,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -796,9 +797,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -814,9 +815,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -839,7 +840,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -865,9 +866,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -916,7 +917,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -966,9 +967,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1007,7 +1008,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1053,8 +1054,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 0a5890baac..e622bb4b7d 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -74,25 +74,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "poem-bot.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -105,9 +105,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🪶 *Verses penned by [{workflow_name}]({run_url})*\",\"runStarted\":\"🎭 Hear ye! The muse stirs! [{workflow_name}]({run_url}) takes quill in hand for this {event_type}...\",\"runSuccess\":\"🪶 The poem is writ! [{workflow_name}]({run_url}) has composed verses most fair. Applause! 👏\",\"runFailure\":\"🎭 Alas! [{workflow_name}]({run_url}) {status}. The muse has fled, leaving verses unsung...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -123,8 +123,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -140,16 +140,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -179,12 +179,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -214,18 +214,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":3,"target":"*"},"add_labels":{"allowed":["poetry","creative","automation","ai-generated","epic","haiku","sonnet","limerick"],"max":5},"create_agent_task":{"max":1},"create_discussion":{"max":2},"create_issue":{"max":2},"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{},"create_pull_request_review_comment":{"max":2},"link_sub_issue":{"max":3},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0},"update_issue":{"max":2},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 2 issue(s) can be created. Title will be prefixed with \"[🎭 POEM-BOT] \". Labels [poetry automation ai-generated] will be automatically added.", @@ -592,7 +593,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -895,7 +896,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -970,7 +971,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -981,7 +982,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Poem Bot - A Creative Agentic Workflow @@ -1037,7 +1038,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1053,12 +1054,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1159,7 +1160,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1181,7 +1182,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1192,14 +1193,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1229,7 +1230,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --model gpt-5 --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1270,9 +1271,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1298,9 +1299,9 @@ jobs: GH_AW_COMMAND: poem-bot with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1324,9 +1325,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1347,7 +1348,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1358,9 +1359,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1406,7 +1407,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1439,9 +1440,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1454,9 +1455,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1473,9 +1474,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1496,7 +1497,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1522,9 +1523,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1573,7 +1574,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1622,9 +1623,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1654,7 +1655,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1663,9 +1664,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1674,9 +1675,9 @@ jobs: GH_AW_COMMANDS: "[\"poem-bot\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1714,7 +1715,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1761,9 +1762,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Create Agent Session id: create_agent_session @@ -1775,9 +1776,9 @@ jobs: with: github-token: ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/create_agent_session.cjs'); await main(); + const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main(); update_cache_memory: needs: @@ -1797,7 +1798,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1832,7 +1833,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1854,12 +1855,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1887,8 +1888,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index fb93fc3222..47566d8262 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "portfolio-analyst.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -92,8 +92,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -109,13 +109,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -164,7 +164,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -194,12 +194,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -229,18 +229,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[portfolio] \". Discussions will be created in category \"Audits\".", @@ -330,7 +331,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -448,7 +449,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -523,7 +524,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -531,7 +532,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -1002,7 +1003,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1243,7 +1244,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1256,12 +1257,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1362,7 +1363,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1385,21 +1386,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1440,9 +1441,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1467,9 +1468,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1493,9 +1494,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1515,7 +1516,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1526,9 +1527,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1573,7 +1574,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1607,9 +1608,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1621,9 +1622,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1640,9 +1641,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1665,7 +1666,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1691,9 +1692,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1742,7 +1743,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1792,9 +1793,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1832,7 +1833,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1853,9 +1854,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1876,7 +1877,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1911,7 +1912,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1933,12 +1934,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1964,8 +1965,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 75cae101a6..bd65806e16 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -98,16 +98,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "pr-nitpick-reviewer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -120,9 +120,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*\",\"runStarted\":\"🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}...\",\"runSuccess\":\"🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅\",\"runFailure\":\"🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -135,8 +135,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -152,16 +152,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -190,12 +190,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -225,18 +225,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":3},"create_discussion":{"max":1},"create_pull_request_review_comment":{"max":10},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[nitpick-report] \". Discussions will be created in category \"General\".", @@ -376,7 +377,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -519,7 +520,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -594,7 +595,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -605,7 +606,7 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -983,7 +984,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -999,12 +1000,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1105,7 +1106,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1127,7 +1128,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1138,21 +1139,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1190,9 +1191,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1218,9 +1219,9 @@ jobs: GH_AW_COMMAND: nit with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1244,9 +1245,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1268,9 +1269,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1314,7 +1315,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1347,9 +1348,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1360,9 +1361,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1379,9 +1380,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1402,7 +1403,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1428,9 +1429,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1479,7 +1480,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1529,9 +1530,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1569,7 +1570,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1578,9 +1579,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1589,9 +1590,9 @@ jobs: GH_AW_COMMANDS: "[\"nit\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1624,7 +1625,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1645,9 +1646,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1668,7 +1669,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 0c0fb3af3d..7fd1b60387 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -67,16 +67,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "prompt-clustering-analysis.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -92,8 +92,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -109,13 +109,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up jq utilities directory run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n#!/usr/bin/env bash\n# jqschema.sh\njq -c '\ndef walk(f):\n . as $in |\n if type == \"object\" then\n reduce keys[] as $k ({}; . + {($k): ($in[$k] | walk(f))})\n elif type == \"array\" then\n if length == 0 then [] else [.[0] | walk(f)] end\n else\n type\n end;\nwalk(.)\n'\nEOF\nchmod +x /tmp/gh-aw/jqschema.sh" - name: Set up Go @@ -183,7 +183,7 @@ jobs: restore-keys: prompt-clustering-cache- # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -213,12 +213,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -243,18 +243,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[prompt-clustering] \". Discussions will be created in category \"audits\".", @@ -327,7 +328,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -426,7 +427,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -493,7 +494,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -501,7 +502,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## jqschema - JSON Schema Discovery @@ -1019,7 +1020,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1209,7 +1210,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1222,12 +1223,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1328,7 +1329,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1351,14 +1352,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1436,7 +1437,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,cdn.playwright.dev,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,cdn.playwright.dev,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1459,9 +1460,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1487,9 +1488,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1505,9 +1506,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1529,9 +1530,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1575,7 +1576,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1608,9 +1609,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1621,9 +1622,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1639,9 +1640,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1664,7 +1665,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1690,9 +1691,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1741,7 +1742,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1795,9 +1796,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1834,7 +1835,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1855,9 +1856,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1878,7 +1879,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index c07685b12f..9501651269 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "python-data-charts.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,13 +105,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -137,7 +137,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -166,12 +166,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -201,10 +201,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -220,12 +220,13 @@ jobs: gh aw --version - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"artifacts\".", @@ -315,7 +316,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -436,7 +437,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -511,7 +512,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -520,7 +521,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Charts with Trending - Complete Guide @@ -1088,7 +1089,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1527,7 +1528,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1541,12 +1542,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1647,7 +1648,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1671,21 +1672,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1726,9 +1727,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1753,9 +1754,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1779,9 +1780,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1801,7 +1802,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1812,9 +1813,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1859,7 +1860,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1892,9 +1893,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1905,9 +1906,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1923,9 +1924,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1948,7 +1949,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1974,9 +1975,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -2025,7 +2026,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -2075,9 +2076,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -2114,7 +2115,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2135,9 +2136,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -2158,7 +2159,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -2193,7 +2194,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -2215,12 +2216,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -2245,8 +2246,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 3e4c0df198..c6605e6b08 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -102,25 +102,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "q.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add rocket reaction to the triggering item id: react @@ -133,9 +133,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🎩 *Equipped by [{workflow_name}]({run_url})*\",\"runStarted\":\"🔧 Pay attention, 007! [{workflow_name}]({run_url}) is preparing your gadgets for this {event_type}...\",\"runSuccess\":\"🎩 Mission equipment ready! [{workflow_name}]({run_url}) has optimized your workflow. Use wisely, 007! 🔫\",\"runFailure\":\"🔧 Technical difficulties! [{workflow_name}]({run_url}) {status}. Even Q Branch has bad days...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -150,8 +150,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -167,7 +167,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -185,7 +185,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install dependencies run: make deps-dev - env: @@ -199,7 +199,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -228,12 +228,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -263,18 +263,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -376,7 +377,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -499,7 +500,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -593,7 +594,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -607,7 +608,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -990,7 +991,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1009,12 +1010,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1115,7 +1116,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1137,7 +1138,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -1151,14 +1152,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1172,7 +1173,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool gh-aw --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool tavily --allow-tool 'tavily(*)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1211,9 +1212,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -1240,9 +1241,9 @@ jobs: GH_AW_COMMAND: q with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1266,9 +1267,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1290,9 +1291,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1337,7 +1338,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1370,9 +1371,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1383,9 +1384,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1402,9 +1403,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1425,7 +1426,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1451,9 +1452,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1502,7 +1503,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1552,9 +1553,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1592,7 +1593,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1601,9 +1602,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1612,9 +1613,9 @@ jobs: GH_AW_COMMANDS: "[\"q\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1648,7 +1649,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1694,9 +1695,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1717,7 +1718,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6737c59012..df61326a18 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -58,16 +58,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "release.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_ID: ${{ needs.release.outputs.release_id }} @@ -134,12 +134,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -169,18 +169,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1},"update_release":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Update a GitHub release description by replacing, appending to, or prepending to the existing content. Use this to add release notes, changelogs, or additional information to an existing release. CONSTRAINTS: Maximum 1 release(s) can be updated.", @@ -259,7 +260,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -357,7 +358,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -432,7 +433,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -441,7 +442,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Release Highlights Generator @@ -579,7 +580,7 @@ jobs: GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -593,12 +594,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -674,7 +675,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -698,21 +699,21 @@ jobs: GH_AW_NEEDS_RELEASE_OUTPUTS_RELEASE_ID: ${{ needs.release.outputs.release_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -750,9 +751,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -777,9 +778,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -803,9 +804,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -821,9 +822,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -866,7 +867,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -899,9 +900,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -912,9 +913,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -930,9 +931,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -953,7 +954,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -979,9 +980,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1030,7 +1031,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1080,9 +1081,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1161,7 +1162,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1170,9 +1171,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); release: @@ -1249,7 +1250,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1270,8 +1271,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index f28544d56c..612905280c 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "repo-tree-map.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -128,12 +128,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -163,18 +163,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"dev\".", @@ -247,7 +248,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -346,7 +347,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -421,14 +422,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -561,12 +562,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -642,7 +643,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -664,21 +665,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -716,9 +717,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -743,9 +744,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -769,9 +770,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -787,9 +788,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -832,7 +833,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -865,9 +866,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -878,9 +879,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -896,9 +897,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -921,7 +922,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -947,9 +948,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -998,7 +999,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1048,9 +1049,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1087,7 +1088,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1108,8 +1109,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 401cb5bbd7..a574718957 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "repository-quality-improver.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,7 +102,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -120,7 +120,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory (focus-areas) run: | @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -189,18 +189,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"general\".", @@ -273,7 +274,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -372,7 +373,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -453,7 +454,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -461,7 +462,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -968,7 +969,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1031,7 +1032,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1044,12 +1045,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1151,7 +1152,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1174,21 +1175,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory-focus-areas/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1226,9 +1227,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1253,9 +1254,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1279,9 +1280,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1303,9 +1304,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1349,7 +1350,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1382,9 +1383,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1395,9 +1396,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1413,9 +1414,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1438,7 +1439,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1464,9 +1465,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1515,7 +1516,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1565,9 +1566,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1604,7 +1605,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1625,9 +1626,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1648,7 +1649,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (focus-areas) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 3e57ed9828..041d79eb0c 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "research.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -87,8 +87,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -104,13 +104,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -131,12 +131,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -166,18 +166,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"research\".", @@ -250,7 +251,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -349,7 +350,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -437,7 +438,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -447,7 +448,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -499,7 +500,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -514,12 +515,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -595,7 +596,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -620,21 +621,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -673,9 +674,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -701,9 +702,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -727,9 +728,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -745,9 +746,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -790,7 +791,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -823,9 +824,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -836,9 +837,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -854,9 +855,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -879,7 +880,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -905,9 +906,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -956,7 +957,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1006,9 +1007,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1045,7 +1046,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1066,8 +1067,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 3c957f5399..cdb155dd6e 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "safe-output-health.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,13 +105,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -136,7 +136,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -165,12 +165,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -195,18 +195,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"audits\".", @@ -279,7 +280,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -378,7 +379,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -445,7 +446,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -453,7 +454,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -900,7 +901,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -913,12 +914,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1019,7 +1020,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1042,14 +1043,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1140,7 +1141,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(jq *),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1164,9 +1165,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1192,9 +1193,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1210,9 +1211,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1234,9 +1235,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1280,7 +1281,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1313,9 +1314,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1326,9 +1327,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1344,9 +1345,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1369,7 +1370,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1395,9 +1396,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1446,7 +1447,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1500,9 +1501,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1539,7 +1540,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1560,9 +1561,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1583,7 +1584,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index baf6221e65..07b631e385 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -61,16 +61,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "schema-consistency-checker.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,16 +103,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -143,12 +143,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -173,16 +173,17 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Schema Consistency] \". Discussions will be created in category \"audits\".", @@ -255,7 +256,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -340,7 +341,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -407,14 +408,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -769,12 +770,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -875,7 +876,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -897,14 +898,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -982,7 +983,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1005,9 +1006,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1033,9 +1034,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1051,9 +1052,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1075,9 +1076,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1121,7 +1122,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1154,9 +1155,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1167,9 +1168,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1185,9 +1186,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1210,7 +1211,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1236,9 +1237,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1287,7 +1288,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1341,9 +1342,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1380,7 +1381,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1401,9 +1402,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1424,7 +1425,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 8e49eadd81..b995921b0b 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -115,25 +115,25 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "scout.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Compute current body text id: compute-text uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/compute_text.cjs'); + const { main } = require('/opt/gh-aw/actions/compute_text.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -146,9 +146,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔭 *Intelligence gathered by [{workflow_name}]({run_url})*\",\"runStarted\":\"🏕️ Scout on patrol! [{workflow_name}]({run_url}) is blazing trails through this {event_type}...\",\"runSuccess\":\"🔭 Recon complete! [{workflow_name}]({run_url}) has charted the territory. Map ready! 🗺️\",\"runFailure\":\"🏕️ Lost in the wilderness! [{workflow_name}]({run_url}) {status}. Sending search party...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -161,8 +161,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -178,7 +178,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -188,7 +188,7 @@ jobs: with: python-version: '3.12' - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install Markitdown MCP run: pip install markitdown-mcp - name: Set up jq utilities directory @@ -196,7 +196,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -225,12 +225,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -255,18 +255,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/arxiv-mcp-server mcp/context7 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcp/arxiv-mcp-server mcp/context7 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -335,7 +336,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -455,7 +456,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -529,7 +530,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -541,7 +542,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -811,7 +812,7 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -828,12 +829,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -934,7 +935,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -956,7 +957,7 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -968,14 +969,14 @@ jobs: GH_AW_NEEDS_ACTIVATION_OUTPUTS_TEXT: ${{ needs.activation.outputs.text }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1077,7 +1078,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(/tmp/gh-aw/jqschema.sh),Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(jq *),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__arxiv__get_paper_details,mcp__arxiv__get_paper_pdf,mcp__arxiv__search_arxiv,mcp__context7__get-library-docs,mcp__context7__resolve-library-id,mcp__deepwiki__ask_question,mcp__deepwiki__read_wiki_contents,mcp__deepwiki__read_wiki_structure,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__markitdown,mcp__microsoftdocs,mcp__tavily' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1100,9 +1101,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,CONTEXT7_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,TAVILY_API_KEY' @@ -1131,9 +1132,9 @@ jobs: GH_AW_COMMAND: scout with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1149,9 +1150,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1173,9 +1174,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1219,7 +1220,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1252,9 +1253,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1265,9 +1266,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1284,9 +1285,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1307,7 +1308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1333,9 +1334,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1384,7 +1385,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1438,9 +1439,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1482,7 +1483,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1491,9 +1492,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1502,9 +1503,9 @@ jobs: GH_AW_COMMANDS: "[\"scout\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1537,7 +1538,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1558,9 +1559,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1581,7 +1582,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 018b9330fe..e2e62d4ec2 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "security-compliance.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,13 +102,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -117,7 +117,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -138,12 +138,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -173,18 +173,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":100},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 100 issue(s) can be created. Labels [security campaign-tracker] will be automatically added.", @@ -271,7 +272,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -377,7 +378,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -452,7 +453,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -463,7 +464,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_SEVERITY_THRESHOLD: ${{ github.event.inputs.severity_threshold }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Security Compliance Campaign @@ -729,7 +730,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -745,12 +746,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -856,7 +857,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -882,21 +883,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -934,9 +935,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -961,9 +962,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -987,9 +988,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1014,9 +1015,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1060,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1093,9 +1094,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1106,9 +1107,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1124,9 +1125,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1147,7 +1148,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1173,9 +1174,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1224,7 +1225,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1274,9 +1275,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1304,7 +1305,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1342,9 +1343,9 @@ jobs: FILE_GLOB_FILTER: "memory/campaigns/security-compliance-*/**" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1374,7 +1375,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1395,8 +1396,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index b3bdabe769..58e3757626 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "security-fix-pr.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -88,8 +88,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -105,16 +105,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -143,12 +143,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -173,18 +173,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", @@ -264,7 +265,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -362,7 +363,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -429,7 +430,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -439,7 +440,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_SECURITY_URL: ${{ github.event.inputs.security_url }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Security Issue Fix Agent @@ -589,7 +590,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -604,12 +605,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -710,7 +711,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -735,14 +736,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -820,7 +821,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -843,9 +844,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -871,9 +872,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -889,9 +890,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -913,9 +914,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -960,7 +961,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -993,9 +994,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1006,9 +1007,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1024,9 +1025,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1049,7 +1050,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1075,9 +1076,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1126,7 +1127,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1180,9 +1181,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1208,7 +1209,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1217,9 +1218,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1230,9 +1231,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1264,7 +1265,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1310,9 +1311,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1333,7 +1334,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 64c1b2db4d..233bd7b41f 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "semantic-function-refactor.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -128,12 +128,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -158,18 +158,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"close_issue":{"max":10,"required_title_prefix":"[refactor] "},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[refactor] \". Labels [refactoring code-quality automated-analysis] will be automatically added.", @@ -280,7 +281,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "close_issue": { "defaultMax": 1, @@ -396,7 +397,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -463,7 +464,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -472,7 +473,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -925,7 +926,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -939,12 +940,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1020,7 +1021,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1044,14 +1045,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1144,7 +1145,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat pkg/**/*.go),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '\''*.go'\'' ! -name '\''*_test.go'\'' -type f),Bash(find pkg -type f -name '\''*.go'\'' ! -name '\''*_test.go'\''),Bash(find pkg/ -maxdepth 1 -ls),Bash(find pkg/workflow/ -maxdepth 1 -ls),Bash(grep -r '\''func '\'' pkg --include='\''*.go'\''),Bash(grep),Bash(head -n * pkg/**/*.go),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l pkg/**/*.go),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1167,9 +1168,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1195,9 +1196,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1213,9 +1214,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1231,9 +1232,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1276,7 +1277,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1309,9 +1310,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1322,9 +1323,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1340,9 +1341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1365,7 +1366,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1391,9 +1392,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1442,7 +1443,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1496,9 +1497,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1535,7 +1536,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1556,8 +1557,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 70f4b0a848..ab8d9d5df4 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "slide-deck-maintainer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -87,8 +87,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -104,13 +104,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: @@ -124,7 +124,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -153,12 +153,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -188,18 +188,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[slides] \".", @@ -279,7 +280,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -387,7 +388,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -462,7 +463,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -474,7 +475,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Slide Deck Maintenance Agent @@ -692,7 +693,7 @@ jobs: GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -709,17 +710,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -820,7 +821,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -847,14 +848,14 @@ jobs: GH_AW_INPUTS_FOCUS: ${{ inputs.focus }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -898,7 +899,7 @@ jobs: timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(cat*)' --allow-tool 'shell(cd*)' --allow-tool 'shell(curl*)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find*)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(grep*)' --allow-tool 'shell(head)' --allow-tool 'shell(head*)' --allow-tool 'shell(kill*)' --allow-tool 'shell(ls)' --allow-tool 'shell(ls*)' --allow-tool 'shell(lsof*)' --allow-tool 'shell(npm install*)' --allow-tool 'shell(npm run*)' --allow-tool 'shell(npx @marp-team/marp-cli*)' --allow-tool 'shell(pwd)' --allow-tool 'shell(pwd*)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(tail*)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -936,9 +937,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -963,9 +964,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -989,9 +990,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1013,9 +1014,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1060,7 +1061,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1094,9 +1095,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1108,9 +1109,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1127,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1152,7 +1153,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1178,9 +1179,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1229,7 +1230,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1279,9 +1280,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1307,7 +1308,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1316,9 +1317,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1329,9 +1330,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1364,7 +1365,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1410,9 +1411,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1433,7 +1434,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index e5716d1e22..b949450b51 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -74,16 +74,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-claude.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add heart reaction to the triggering item id: react @@ -95,9 +95,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 💥 *[THE END] — Illustrated by [{workflow_name}]({run_url})*\",\"runStarted\":\"💥 **WHOOSH!** [{workflow_name}]({run_url}) springs into action on this {event_type}! *[Panel 1 begins...]*\",\"runSuccess\":\"🎬 **THE END** — [{workflow_name}]({run_url}) **MISSION: ACCOMPLISHED!** The hero saves the day! ✨\",\"runFailure\":\"💫 **TO BE CONTINUED...** [{workflow_name}]({run_url}) {status}! Our hero faces unexpected challenges...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -110,8 +110,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -127,7 +127,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -145,10 +145,10 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -177,12 +177,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -207,18 +207,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-claude"],"max":3},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -351,7 +352,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -500,7 +501,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -580,7 +581,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -589,7 +590,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## MCP Response Size Limits @@ -733,7 +734,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -747,17 +748,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -858,7 +859,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -882,14 +883,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -988,7 +989,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 15 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1012,9 +1013,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1040,9 +1041,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1058,9 +1059,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1082,9 +1083,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1128,7 +1129,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1161,9 +1162,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1174,9 +1175,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1193,9 +1194,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1216,7 +1217,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1242,9 +1243,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1293,7 +1294,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1348,9 +1349,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1379,7 +1380,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1388,9 +1389,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1423,7 +1424,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1444,9 +1445,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1467,7 +1468,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-codex-firewall.lock.yml b/.github/workflows/smoke-codex-firewall.lock.yml index baa8baef54..535d0d6622 100644 --- a/.github/workflows/smoke-codex-firewall.lock.yml +++ b/.github/workflows/smoke-codex-firewall.lock.yml @@ -70,16 +70,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-codex-firewall.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add rocket reaction to the triggering item id: react @@ -91,9 +91,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔥 *Firewall tested by [{workflow_name}]({run_url})*\",\"runStarted\":\"🔒 Initiating firewall smoke test... [{workflow_name}]({run_url}) is validating network sandboxing for {event_type}...\",\"runSuccess\":\"✅ Firewall validation complete... [{workflow_name}]({run_url}) confirmed network sandboxing is operational. 🛡️\",\"runFailure\":\"❌ Firewall validation failed... [{workflow_name}]({run_url}) {status}. Network sandboxing may not be working correctly.\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -106,8 +106,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -123,13 +123,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -150,12 +150,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -180,18 +180,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-codex-firewall"],"max":3},"create_issue":{"max":1},"hide_comment":{"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -352,7 +353,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -488,7 +489,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] EOF @@ -540,7 +541,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -549,7 +550,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Smoke Test: Codex Engine with AWF Firewall @@ -585,7 +586,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -599,12 +600,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -680,7 +681,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -704,20 +705,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,https://api.github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,https://api.github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -737,9 +738,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -765,9 +766,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -791,9 +792,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -809,9 +810,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -854,7 +855,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -887,9 +888,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -900,9 +901,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -919,9 +920,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -942,7 +943,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -968,9 +969,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1019,7 +1020,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1052,9 +1053,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1083,7 +1084,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1092,9 +1093,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1127,7 +1128,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1148,8 +1149,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 3833b714f2..da13426082 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -70,16 +70,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-codex.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add hooray reaction to the triggering item id: react @@ -91,9 +91,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🔮 *The oracle has spoken through [{workflow_name}]({run_url})*\",\"runStarted\":\"🔮 The ancient spirits stir... [{workflow_name}]({run_url}) awakens to divine this {event_type}...\",\"runSuccess\":\"✨ The prophecy is fulfilled... [{workflow_name}]({run_url}) has completed its mystical journey. The stars align. 🌟\",\"runFailure\":\"🌑 The shadows whisper... [{workflow_name}]({run_url}) {status}. The oracle requires further meditation...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -106,8 +106,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -123,7 +123,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -141,10 +141,10 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -173,12 +173,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -203,18 +203,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-codex"],"max":3},"create_issue":{"max":1},"hide_comment":{"max":5},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -375,7 +376,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -529,7 +530,7 @@ jobs: [mcp_servers.safeoutputs] command = "node" args = [ - "/tmp/gh-aw/safeoutputs/mcp-server.cjs", + "/opt/gh-aw/safeoutputs/mcp-server.cjs", ] env_vars = ["GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS", "GH_AW_SAFE_OUTPUTS_CONFIG_PATH", "GH_AW_SAFE_OUTPUTS_TOOLS_PATH", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"] @@ -594,7 +595,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -603,7 +604,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Smoke Test: Codex Engine Validation @@ -636,7 +637,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -650,17 +651,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -761,7 +762,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -785,20 +786,20 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Run Codex run: | set -o pipefail INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --full-auto --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -818,9 +819,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'CODEX_API_KEY,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN,OPENAI_API_KEY' @@ -846,9 +847,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -872,9 +873,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_codex_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_codex_log.cjs'); await main(); - name: Firewall summary if: always() @@ -896,9 +897,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(ERROR)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex ERROR messages with timestamp\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T[\\\\d:.]+Z)\\\\s+(WARN|WARNING)\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Codex warning messages with timestamp\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -942,7 +943,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -975,9 +976,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -988,9 +989,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1007,9 +1008,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1030,7 +1031,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1056,9 +1057,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1107,7 +1108,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CODEX_API_KEY or OPENAI_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex + run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} @@ -1140,9 +1141,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1171,7 +1172,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1180,9 +1181,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1215,7 +1216,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1236,9 +1237,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1259,7 +1260,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml index 3f0005f738..6f66b179e4 100644 --- a/.github/workflows/smoke-copilot-no-firewall.lock.yml +++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml @@ -74,16 +74,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-copilot-no-firewall.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add +1 reaction to the triggering item id: react @@ -95,9 +95,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🤖 *DIAGNOSTIC REPORT GENERATED BY [{workflow_name}]({run_url})*\",\"runStarted\":\"🤖 SYSTEM_INIT: [{workflow_name}]({run_url}) ACTIVATED. PROCESSING {event_type}. ALL SUBSYSTEMS ONLINE.\",\"runSuccess\":\"🤖 DIAGNOSTIC COMPLETE: [{workflow_name}]({run_url}) STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.\",\"runFailure\":\"🤖 ALERT: [{workflow_name}]({run_url}) {status}. ANOMALY_DETECTED. REPAIR_REQUIRED.\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -110,8 +110,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -127,7 +127,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -145,7 +145,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -166,12 +166,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -195,18 +195,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot-no-firewall"],"max":3},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -299,7 +300,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -367,12 +368,12 @@ jobs: EOF - name: Setup Safe Inputs Config run: | - mkdir -p /tmp/gh-aw/safe-inputs/logs - cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' + mkdir -p /opt/gh-aw/safe-inputs/logs + cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' { "serverName": "safeinputs", "version": "1.0.0", - "logDir": "/tmp/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/safe-inputs/logs", "tools": [ { "name": "gh", @@ -399,7 +400,7 @@ jobs: ] } EOF_TOOLS_JSON - cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' + cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' const path = require("path"); const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -408,17 +409,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); }); EOFSI - chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs + chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs - name: Setup Safe Inputs Tool Files run: | - cat > /tmp/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' + cat > /opt/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' #!/bin/bash # Auto-generated safe-input tool: gh # Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -430,7 +431,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS EOFSH_gh - chmod +x /tmp/gh-aw/safe-inputs/gh.sh + chmod +x /opt/gh-aw/safe-inputs/gh.sh - name: Generate Safe Inputs MCP Server Config id: safe-inputs-config @@ -459,7 +460,7 @@ jobs: export GH_AW_SAFE_INPUTS_PORT export GH_AW_SAFE_INPUTS_API_KEY - bash /tmp/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_safe_inputs_server.sh - name: Setup MCPs env: @@ -519,7 +520,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -600,7 +601,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -609,7 +610,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT**: Always use the `safeinputs-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `safeinputs-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. @@ -647,7 +648,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -661,17 +662,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -747,7 +748,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -771,14 +772,14 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -828,9 +829,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -856,9 +857,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -882,18 +883,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Parse safe-inputs logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); await main(); - name: Validate agent logs for errors if: always() @@ -903,9 +904,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -948,7 +949,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -981,9 +982,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -994,9 +995,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1013,9 +1014,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1036,7 +1037,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1062,9 +1063,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1113,7 +1114,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1163,9 +1164,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1194,7 +1195,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1203,9 +1204,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1238,7 +1239,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1259,8 +1260,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml index ea8d37a6f8..79c8d91d95 100644 --- a/.github/workflows/smoke-copilot-playwright.lock.yml +++ b/.github/workflows/smoke-copilot-playwright.lock.yml @@ -74,16 +74,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-copilot-playwright.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -95,9 +95,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*\",\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -110,8 +110,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -127,7 +127,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -145,13 +145,13 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Pre-flight Playwright MCP Test run: "echo \"🧪 Testing Playwright MCP Docker container startup...\"\n\n# Pull the Playwright MCP Docker image\necho \"Pulling Playwright MCP Docker image...\"\ndocker pull mcr.microsoft.com/playwright/mcp\n\n# Test container startup with a simple healthcheck\necho \"Testing container startup...\"\ntimeout 30 docker run --rm -i mcr.microsoft.com/playwright/mcp --help || {\n echo \"❌ Playwright MCP container failed to start\"\n exit 1\n}\n\necho \"✅ Playwright MCP container pre-flight check passed\"\n" # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -180,12 +180,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -215,18 +215,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot"],"max":3},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -359,7 +360,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -460,12 +461,12 @@ jobs: EOF - name: Setup Safe Inputs Config run: | - mkdir -p /tmp/gh-aw/safe-inputs/logs - cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' + mkdir -p /opt/gh-aw/safe-inputs/logs + cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' { "serverName": "safeinputs", "version": "1.0.0", - "logDir": "/tmp/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/safe-inputs/logs", "tools": [ { "name": "gh", @@ -492,7 +493,7 @@ jobs: ] } EOF_TOOLS_JSON - cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' + cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' const path = require("path"); const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -501,17 +502,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); }); EOFSI - chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs + chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs - name: Setup Safe Inputs Tool Files run: | - cat > /tmp/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' + cat > /opt/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' #!/bin/bash # Auto-generated safe-input tool: gh # Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -523,7 +524,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS EOFSH_gh - chmod +x /tmp/gh-aw/safe-inputs/gh.sh + chmod +x /opt/gh-aw/safe-inputs/gh.sh - name: Generate Safe Inputs MCP Server Config id: safe-inputs-config @@ -552,7 +553,7 @@ jobs: export GH_AW_SAFE_INPUTS_PORT export GH_AW_SAFE_INPUTS_API_KEY - bash /tmp/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_safe_inputs_server.sh - name: Setup MCPs env: @@ -612,7 +613,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -693,7 +694,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -701,7 +702,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT**: Always use the `safeinputs-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `safeinputs-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. @@ -747,7 +748,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -760,17 +761,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -871,7 +872,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -894,21 +895,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,accounts.google.com,android.clients.google.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,clients2.google.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.google.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,accounts.google.com,android.clients.google.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,clients2.google.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.google.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -949,9 +950,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -976,9 +977,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1002,18 +1003,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Parse safe-inputs logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); await main(); - name: Firewall summary if: always() @@ -1035,9 +1036,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - if: always() name: Collect Playwright MCP Logs @@ -1094,7 +1095,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1127,9 +1128,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1140,9 +1141,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1159,9 +1160,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1182,7 +1183,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1208,9 +1209,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1259,7 +1260,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1310,9 +1311,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1341,7 +1342,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1350,9 +1351,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1385,7 +1386,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1406,9 +1407,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1429,7 +1430,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml index 30c195747d..ee8cbdf66a 100644 --- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml +++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml @@ -74,16 +74,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-copilot-safe-inputs.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -94,9 +94,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Smoke Copilot Safe Inputs" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -109,8 +109,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -126,13 +126,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -153,12 +153,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -182,12 +182,13 @@ jobs: awf --version - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot"],"max":3},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -280,7 +281,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -348,12 +349,12 @@ jobs: EOF - name: Setup Safe Inputs Config run: | - mkdir -p /tmp/gh-aw/safe-inputs/logs - cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' + mkdir -p /opt/gh-aw/safe-inputs/logs + cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON' { "serverName": "safeinputs", "version": "1.0.0", - "logDir": "/tmp/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/safe-inputs/logs", "tools": [ { "name": "gh", @@ -380,7 +381,7 @@ jobs: ] } EOF_TOOLS_JSON - cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' + cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI' const path = require("path"); const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); @@ -389,17 +390,17 @@ jobs: startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); }); EOFSI - chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs + chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs - name: Setup Safe Inputs Tool Files run: | - cat > /tmp/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' + cat > /opt/gh-aw/safe-inputs/gh.sh << 'EOFSH_gh' #!/bin/bash # Auto-generated safe-input tool: gh # Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. @@ -411,7 +412,7 @@ jobs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS EOFSH_gh - chmod +x /tmp/gh-aw/safe-inputs/gh.sh + chmod +x /opt/gh-aw/safe-inputs/gh.sh - name: Generate Safe Inputs MCP Server Config id: safe-inputs-config @@ -440,7 +441,7 @@ jobs: export GH_AW_SAFE_INPUTS_PORT export GH_AW_SAFE_INPUTS_API_KEY - bash /tmp/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_safe_inputs_server.sh - name: Setup MCPs env: @@ -470,7 +471,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -545,7 +546,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -553,7 +554,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT**: Always use the `safeinputs-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `safeinputs-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. @@ -600,7 +601,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -613,12 +614,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -645,21 +646,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -698,9 +699,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -725,9 +726,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -751,18 +752,18 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Parse safe-inputs logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); await main(); - name: Firewall summary if: always() @@ -778,9 +779,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -824,7 +825,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -857,9 +858,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -870,9 +871,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -888,9 +889,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -911,7 +912,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -937,9 +938,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -988,7 +989,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1038,9 +1039,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1069,7 +1070,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1078,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1112,7 +1113,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1133,8 +1134,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 8294e9d34d..9bb1882a07 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -70,16 +70,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-copilot.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -91,9 +91,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 📰 *BREAKING: Report filed by [{workflow_name}]({run_url})*\",\"runStarted\":\"📰 BREAKING: [{workflow_name}]({run_url}) is now investigating this {event_type}. Sources say the story is developing...\",\"runSuccess\":\"📰 VERDICT: [{workflow_name}]({run_url}) has concluded. All systems operational. This is a developing story. 🎤\",\"runFailure\":\"📰 DEVELOPING STORY: [{workflow_name}]({run_url}) reports {status}. Our correspondents are investigating the incident...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -106,8 +106,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -123,16 +123,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -161,12 +161,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -196,18 +196,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"add_labels":{"allowed":["smoke-copilot"],"max":3},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created.", @@ -340,7 +341,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -475,7 +476,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -550,7 +551,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -559,7 +560,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Smoke Test: Copilot Engine Validation @@ -595,7 +596,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -609,12 +610,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -715,7 +716,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -739,21 +740,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,http://httpbin.org,https://api.github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,http://httpbin.org,https://api.github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -791,9 +792,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -818,9 +819,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -844,9 +845,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -868,9 +869,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -914,7 +915,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -947,9 +948,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -960,9 +961,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -979,9 +980,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1002,7 +1003,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1028,9 +1029,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1079,7 +1080,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1129,9 +1130,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1160,7 +1161,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1169,9 +1170,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1204,7 +1205,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1225,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1248,7 +1249,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index a3be80c3cd..3def8a3fe8 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -91,16 +91,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-detector.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -112,9 +112,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🚨 *Alert generated by [{workflow_name}]({run_url})*\",\"runStarted\":\"🔥 BEEP BEEP! [{workflow_name}]({run_url}) detected smoke on this {event_type}! Investigating...\",\"runSuccess\":\"🚨 All clear! [{workflow_name}]({run_url}) has completed the investigation. Fire report filed! 📋\",\"runFailure\":\"🔥 Alarm malfunction! [{workflow_name}]({run_url}) {status}. Manual inspection required...\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -130,8 +130,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -147,13 +147,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -172,7 +172,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -201,12 +201,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -231,18 +231,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1,"target":"*"},"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[smoke-detector] \". Labels [smoke-test investigation] will be automatically added.", @@ -351,7 +352,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -471,7 +472,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -538,7 +539,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -552,7 +553,7 @@ jobs: GH_AW_INPUTS_RUN_NUMBER: ${{ inputs.run_number }} GH_AW_INPUTS_WORKFLOW_NAME: ${{ inputs.workflow_name }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -826,7 +827,7 @@ jobs: GH_AW_INPUTS_WORKFLOW_NAME: ${{ inputs.workflow_name }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -845,12 +846,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -951,7 +952,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -980,14 +981,14 @@ jobs: GH_AW_INPUTS_WORKFLOW_NAME: ${{ inputs.workflow_name }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1065,7 +1066,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1088,9 +1089,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1116,9 +1117,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1134,9 +1135,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1158,9 +1159,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1204,7 +1205,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1237,9 +1238,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1250,9 +1251,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1269,9 +1270,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1294,7 +1295,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1320,9 +1321,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1371,7 +1372,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1425,9 +1426,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1453,7 +1454,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1462,9 +1463,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1497,7 +1498,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1518,9 +1519,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1541,7 +1542,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/smoke-srt-custom-config.lock.yml b/.github/workflows/smoke-srt-custom-config.lock.yml index 105b0d1c5c..f2f211b386 100644 --- a/.github/workflows/smoke-srt-custom-config.lock.yml +++ b/.github/workflows/smoke-srt-custom-config.lock.yml @@ -53,16 +53,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-srt-custom-config.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,13 +86,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -113,12 +113,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Setup Node.js @@ -156,10 +156,10 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Setup MCPs env: GITHUB_MCP_LOCKDOWN: ${{ steps.determine-automatic-lockdown.outputs.lockdown == 'true' && '1' || '0' }} @@ -250,13 +250,13 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.** @@ -273,12 +273,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append GitHub context to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -335,7 +335,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -357,14 +357,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -673,9 +673,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -698,9 +698,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Validate agent logs for errors if: always() @@ -710,9 +710,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() diff --git a/.github/workflows/smoke-srt.lock.yml b/.github/workflows/smoke-srt.lock.yml index 29c69ede62..910c4799c1 100644 --- a/.github/workflows/smoke-srt.lock.yml +++ b/.github/workflows/smoke-srt.lock.yml @@ -63,16 +63,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "smoke-srt.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,13 +102,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -129,12 +129,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Setup Node.js @@ -172,18 +172,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Report that a tool or capability needed to complete the task is not available. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", @@ -230,7 +231,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "missing_tool": { "defaultMax": 20, @@ -303,7 +304,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -378,14 +379,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" **IMPORTANT: Keep all outputs extremely short and concise. Use single-line responses where possible. No verbose explanations.** @@ -402,12 +403,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -483,7 +484,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -505,14 +506,14 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -773,9 +774,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -800,9 +801,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -826,9 +827,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Validate agent logs for errors if: always() @@ -838,9 +839,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -881,7 +882,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -914,9 +915,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -927,9 +928,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -946,9 +947,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -969,7 +970,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -995,9 +996,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1046,7 +1047,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1096,9 +1097,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1127,7 +1128,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1136,8 +1137,8 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 19e0dd01f3..04d1dcfa91 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -72,16 +72,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "stale-repo-identifier.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -100,8 +100,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -117,13 +117,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -185,7 +185,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -215,12 +215,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -243,15 +243,16 @@ jobs: which awf awf --version - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":10},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created. Title will be prefixed with \"[Stale Repository] \". Labels [stale-repository automated-analysis] will be automatically added.", @@ -355,7 +356,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -472,7 +473,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -547,7 +548,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -557,7 +558,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Python Data Visualization Guide @@ -1091,7 +1092,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1246,7 +1247,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1261,12 +1262,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1367,7 +1368,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1392,21 +1393,21 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1447,9 +1448,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1474,9 +1475,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1500,9 +1501,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1522,7 +1523,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1533,9 +1534,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1580,7 +1581,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1613,9 +1614,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1626,9 +1627,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1645,9 +1646,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1670,7 +1671,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1696,9 +1697,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1747,7 +1748,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1797,9 +1798,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1837,7 +1838,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1858,9 +1859,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1881,7 +1882,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1916,7 +1917,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1938,12 +1939,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1969,8 +1970,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 4c7f78fef8..45830b8b07 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "static-analysis-report.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -87,8 +87,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -104,13 +104,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -135,7 +135,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -164,12 +164,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -194,18 +194,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"security\".", @@ -278,7 +279,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -377,7 +378,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -444,7 +445,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -452,7 +453,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" @@ -825,7 +826,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -838,12 +839,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -944,7 +945,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -967,14 +968,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1052,7 +1053,7 @@ jobs: timeout-minutes: 45 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1076,9 +1077,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1104,9 +1105,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1122,9 +1123,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1146,9 +1147,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1192,7 +1193,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1225,9 +1226,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1238,9 +1239,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1256,9 +1257,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1281,7 +1282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1307,9 +1308,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1358,7 +1359,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1412,9 +1413,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1451,7 +1452,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1472,9 +1473,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1495,7 +1496,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index c77912f510..159685517f 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -55,16 +55,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "sub-issue-closer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -78,8 +78,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -95,13 +95,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -122,12 +122,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -157,18 +157,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":20,"target":"*"},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":20}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 20 comment(s) can be added. Target: *.", @@ -270,7 +271,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -383,7 +384,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -458,7 +459,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -466,7 +467,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Sub-Issue Closer 🔒 @@ -592,7 +593,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -605,12 +606,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -686,7 +687,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -709,21 +710,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -761,9 +762,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -788,9 +789,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -814,9 +815,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -832,9 +833,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -877,7 +878,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -910,9 +911,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -923,9 +924,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -941,9 +942,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -966,7 +967,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -992,9 +993,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1043,7 +1044,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1093,9 +1094,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1134,7 +1135,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1155,8 +1156,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 5fc6afaf92..0247fcc3d4 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "super-linter.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -87,8 +87,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -104,13 +104,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Download super-linter log uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -119,7 +119,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -148,12 +148,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -183,18 +183,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[linter] \". Labels [automation code-quality] will be automatically added.", @@ -281,7 +282,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -387,7 +388,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -462,7 +463,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -473,7 +474,7 @@ jobs: GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -613,7 +614,7 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -629,12 +630,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -735,7 +736,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -761,21 +762,21 @@ jobs: GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -813,9 +814,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -840,9 +841,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -866,9 +867,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -890,9 +891,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -936,7 +937,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -969,9 +970,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -982,9 +983,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1000,9 +1001,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1025,7 +1026,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1051,9 +1052,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1102,7 +1103,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1152,9 +1153,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1191,7 +1192,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1212,9 +1213,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); super_linter: @@ -1281,7 +1282,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index e25fac1620..d7bcf67a08 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "technical-doc-writer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -92,8 +92,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -109,7 +109,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -122,7 +122,7 @@ jobs: cache-dependency-path: 'docs/package-lock.json' package-manager-cache: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Install dependencies run: npm ci working-directory: ./docs @@ -134,7 +134,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -163,12 +163,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -198,18 +198,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -328,7 +329,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -456,7 +457,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -531,7 +532,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -539,7 +540,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ### Documentation @@ -943,7 +944,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -956,12 +957,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1062,7 +1063,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1085,14 +1086,14 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_TOPIC: ${{ github.event.inputs.topic }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1103,7 +1104,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1144,9 +1145,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1171,9 +1172,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1197,9 +1198,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1219,7 +1220,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1230,9 +1231,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1278,7 +1279,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1311,9 +1312,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1324,9 +1325,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1343,9 +1344,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1368,7 +1369,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1394,9 +1395,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1445,7 +1446,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1495,9 +1496,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1538,7 +1539,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1584,9 +1585,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1607,7 +1608,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1642,7 +1643,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1664,12 +1665,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1695,8 +1696,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 50e8e55c00..a2b32603d9 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -54,16 +54,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "terminal-stylist.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -76,8 +76,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -93,7 +93,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -111,7 +111,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -132,12 +132,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -167,18 +167,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"General\".", @@ -251,7 +252,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -350,7 +351,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -431,7 +432,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -440,7 +441,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Terminal Stylist - Console Output Analysis @@ -569,7 +570,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -583,12 +584,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -664,7 +665,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -688,21 +689,21 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -740,9 +741,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -767,9 +768,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -793,9 +794,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -811,9 +812,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -856,7 +857,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -889,9 +890,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -902,9 +903,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -920,9 +921,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -945,7 +946,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -971,9 +972,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1022,7 +1023,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1072,9 +1073,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1111,7 +1112,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1132,8 +1133,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 5384421f54..8ddfde6b22 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -78,16 +78,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "tidy.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -99,9 +99,9 @@ jobs: GH_AW_WORKFLOW_NAME: "Tidy" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -114,8 +114,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -131,13 +131,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Set up Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: @@ -172,12 +172,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -207,18 +207,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_missing_tool_issue":{"max":1,"title_prefix":"[missing tool]"},"create_pull_request":{},"missing_tool":{},"noop":{"max":1},"push_to_pull_request_branch":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", @@ -326,7 +327,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -448,7 +449,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -523,14 +524,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Code Tidying Agent @@ -614,12 +615,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -695,7 +696,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -717,21 +718,21 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/pr_context_prompt.md" >> "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -763,7 +764,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git restore:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(make:*)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -801,9 +802,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -829,9 +830,9 @@ jobs: GH_AW_COMMAND: tidy with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -855,9 +856,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -873,9 +874,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -919,7 +920,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -952,9 +953,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -967,9 +968,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -985,9 +986,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1008,7 +1009,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1034,9 +1035,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1085,7 +1086,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1135,9 +1136,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1167,7 +1168,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1176,9 +1177,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1187,9 +1188,9 @@ jobs: GH_AW_COMMANDS: "[\"tidy\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1221,7 +1222,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1267,8 +1268,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 54487eed00..6fbfa1ba54 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "typist.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -83,8 +83,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -100,7 +100,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -118,7 +118,7 @@ jobs: - name: Install Go language service (gopls) run: go install golang.org/x/tools/gopls@latest - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -139,12 +139,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -169,18 +169,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Discussions will be created in category \"General\".", @@ -253,7 +254,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -348,7 +349,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -428,7 +429,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -437,7 +438,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -923,7 +924,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -937,12 +938,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1018,7 +1019,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1042,14 +1043,14 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1142,7 +1143,7 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat pkg/**/*.go),Bash(cat),Bash(date),Bash(echo),Bash(find pkg -name '\''*.go'\'' ! -name '\''*_test.go'\'' -type f),Bash(find pkg -type f -name '\''*.go'\'' ! -name '\''*_test.go'\''),Bash(find pkg/ -maxdepth 1 -ls),Bash(grep -r '\''\bany\b'\'' pkg --include='\''*.go'\''),Bash(grep -r '\''interface{}'\'' pkg --include='\''*.go'\''),Bash(grep -r '\''type '\'' pkg --include='\''*.go'\''),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc -l pkg/**/*.go),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1165,9 +1166,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1193,9 +1194,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1211,9 +1212,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1229,9 +1230,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1274,7 +1275,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1307,9 +1308,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1320,9 +1321,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1338,9 +1339,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1363,7 +1364,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1389,9 +1390,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1440,7 +1441,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1494,9 +1495,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1533,7 +1534,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1554,8 +1555,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 9927152466..9ffcc0c95b 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -60,16 +60,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "ubuntu-image-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,13 +102,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -129,12 +129,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -164,18 +164,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_pull_request":{},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[ubuntu-image] \". Labels [documentation automation infrastructure] will be automatically added.", @@ -255,7 +256,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_pull_request": { "defaultMax": 1, @@ -357,7 +358,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -432,7 +433,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -440,7 +441,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # Ubuntu Actions Image Analyzer @@ -896,7 +897,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -909,12 +910,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -990,7 +991,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1013,14 +1014,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -1052,7 +1053,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat specs/ubuntulatest.md)' --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(find .github/workflows -name '\''*.lock.yml'\'' -type f)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1090,9 +1091,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1117,9 +1118,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1143,9 +1144,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1161,9 +1162,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1207,7 +1208,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1241,9 +1242,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1255,9 +1256,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1274,9 +1275,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1299,7 +1300,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1325,9 +1326,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1376,7 +1377,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1426,9 +1427,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1454,7 +1455,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1463,9 +1464,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check skip-if-match query id: check_skip_if_match @@ -1476,9 +1477,9 @@ jobs: GH_AW_SKIP_MAX_MATCHES: "1" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_skip_if_match.cjs'); + const { main } = require('/opt/gh-aw/actions/check_skip_if_match.cjs'); await main(); safe_outputs: @@ -1511,7 +1512,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1557,8 +1558,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a16ac89930..0aefd5849e 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -74,16 +74,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "unbloat-docs.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -96,9 +96,9 @@ jobs: GH_AW_SAFE_OUTPUT_MESSAGES: "{\"footer\":\"\\u003e 🗜️ *Compressed by [{workflow_name}]({run_url})*\",\"runStarted\":\"📦 Time to slim down! [{workflow_name}]({run_url}) is trimming the excess from this {event_type}...\",\"runSuccess\":\"🗜️ Docs on a diet! [{workflow_name}]({run_url}) has removed the bloat. Lean and mean! 💪\",\"runFailure\":\"📦 Unbloating paused! [{workflow_name}]({run_url}) {status}. The docs remain... fluffy.\"}" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); agent: @@ -114,8 +114,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -131,9 +131,9 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -156,7 +156,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -185,12 +185,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -215,18 +215,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 mcr.microsoft.com/playwright/mcp - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":1},"create_pull_request":{},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", @@ -345,7 +346,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -489,7 +490,7 @@ jobs: }, "safeoutputs": { "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "env": { "GH_AW_MCP_LOG_DIR": "$GH_AW_MCP_LOG_DIR", "GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS", @@ -556,7 +557,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -566,7 +567,7 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -825,7 +826,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -840,17 +841,17 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append playwright output directory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/playwright_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -951,7 +952,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -976,14 +977,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): @@ -1116,7 +1117,7 @@ jobs: timeout-minutes: 12 run: | set -o pipefail - sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache/node:/opt/hostedtoolcache/node:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- NODE_BIN_PATH="$(find /opt/hostedtoolcache/node -maxdepth 1 -type d | head -1 | xargs basename)/x64/bin" && export PATH="/opt/hostedtoolcache/node/$NODE_BIN_PATH:$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 90 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools 'Bash(cat *),Bash(cat),Bash(cd *),Bash(cp *),Bash(curl *),Bash(date),Bash(echo),Bash(find docs/src/content/docs -name '\''*.md'\''),Bash(git add:*),Bash(git branch:*),Bash(git checkout:*),Bash(git commit:*),Bash(git merge:*),Bash(git rm:*),Bash(git status),Bash(git switch:*),Bash(grep -n *),Bash(grep),Bash(head *),Bash(head),Bash(kill *),Bash(ls),Bash(mkdir *),Bash(mv *),Bash(node *),Bash(ps *),Bash(pwd),Bash(sleep *),Bash(sort),Bash(tail *),Bash(tail),Bash(uniq),Bash(wc -l *),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for' --debug --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1143,9 +1144,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'ANTHROPIC_API_KEY,CLAUDE_CODE_OAUTH_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1172,9 +1173,9 @@ jobs: GH_AW_COMMAND: unbloat with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1190,9 +1191,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/agent-stdio.log with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_claude_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1212,7 +1213,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1223,9 +1224,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1271,7 +1272,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1304,9 +1305,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1317,9 +1318,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1336,9 +1337,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1359,7 +1360,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1385,9 +1386,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1436,7 +1437,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code + run: /opt/gh-aw/actions/validate_multi_secret.sh CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY Claude Code https://githubnext.github.io/gh-aw/reference/engines/#anthropic-claude-code env: CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1491,9 +1492,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1523,7 +1524,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for command workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1532,9 +1533,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); - name: Check command position id: check_command_position @@ -1543,9 +1544,9 @@ jobs: GH_AW_COMMANDS: "[\"unbloat\"]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_command_position.cjs'); + const { main } = require('/opt/gh-aw/actions/check_command_position.cjs'); await main(); safe_outputs: @@ -1579,7 +1580,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1625,9 +1626,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1648,7 +1649,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1683,7 +1684,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1705,12 +1706,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1736,8 +1737,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 25fbd236b4..e45c589e76 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -62,16 +62,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "video-analyzer.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -86,8 +86,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -103,13 +103,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - id: setup-ffmpeg name: Setup FFmpeg run: |- @@ -138,12 +138,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -173,18 +173,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_issue":{"max":1},"missing_tool":{},"noop":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[video-analysis] \". Labels [automation video-processing] will be automatically added.", @@ -271,7 +272,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_issue": { "defaultMax": 1, @@ -377,7 +378,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -452,7 +453,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -462,7 +463,7 @@ jobs: GH_AW_GITHUB_EVENT_INPUTS_VIDEO_URL: ${{ github.event.inputs.video_url }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" # FFmpeg Usage Guide @@ -739,7 +740,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -754,12 +755,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -835,7 +836,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -860,14 +861,14 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -891,7 +892,7 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(ffmpeg *)' --allow-tool 'shell(ffprobe *)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -929,9 +930,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -956,9 +957,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -982,9 +983,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1000,9 +1001,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1045,7 +1046,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1078,9 +1079,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1091,9 +1092,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1109,9 +1110,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1134,7 +1135,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1160,9 +1161,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1211,7 +1212,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1261,9 +1262,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1300,7 +1301,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1321,8 +1322,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index b00b190ec3..25db61470e 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "weekly-issue-summary.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -85,8 +85,8 @@ jobs: GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -102,9 +102,9 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Setup Python environment run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n" - name: Install Python scientific libraries @@ -130,7 +130,7 @@ jobs: # Cache memory file share configuration from frontmatter processed below - name: Create cache-memory directory - run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh + run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh - name: Restore cache memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -151,7 +151,7 @@ jobs: git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" echo "Git configured with standard GitHub Actions identity" - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -181,18 +181,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"create_discussion":{"max":1},"missing_tool":{},"noop":{"max":1},"upload_asset":{"max":0}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a GitHub discussion for announcements, Q\u0026A, reports, status updates, or community conversations. Use this for content that benefits from threaded replies, doesn't require task tracking, or serves as documentation. For actionable work items that need assignment and status tracking, use create_issue instead. CONSTRAINTS: Maximum 1 discussion(s) can be created. Title will be prefixed with \"[Weekly Summary] \". Discussions will be created in category \"Audits\".", @@ -282,7 +283,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "create_discussion": { "defaultMax": 1, @@ -393,7 +394,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -468,7 +469,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -476,7 +477,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" ## Report Structure @@ -1007,7 +1008,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1054,7 +1055,7 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1067,12 +1068,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append cache memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1173,7 +1174,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1196,21 +1197,21 @@ jobs: GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1251,9 +1252,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1278,9 +1279,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1304,9 +1305,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1326,7 +1327,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ retention-days: 1 if-no-files-found: ignore - name: Validate agent logs for errors @@ -1337,9 +1338,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1384,7 +1385,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1418,9 +1419,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1432,9 +1433,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1451,9 +1452,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1476,7 +1477,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1502,9 +1503,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1553,7 +1554,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1603,9 +1604,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1643,7 +1644,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1664,9 +1665,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); update_cache_memory: @@ -1687,7 +1688,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 continue-on-error: true @@ -1722,7 +1723,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1744,12 +1745,12 @@ jobs: uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: safe-outputs-assets - path: /tmp/gh-aw/safeoutputs/assets/ + path: /opt/gh-aw/safeoutputs/assets/ - name: List downloaded asset files continue-on-error: true run: | echo "Downloaded asset files:" - find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls + find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1775,8 +1776,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/upload_assets.cjs'); + const { main } = require('/opt/gh-aw/actions/upload_assets.cjs'); await main(); diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index bd90a24527..d4256a81f3 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -64,16 +64,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "workflow-generator.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); - name: Add eyes reaction to the triggering item id: react @@ -85,9 +85,9 @@ jobs: GH_AW_LOCK_FOR_AGENT: "true" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/add_reaction_and_edit_comment.cjs'); + const { main } = require('/opt/gh-aw/actions/add_reaction_and_edit_comment.cjs'); await main(); - name: Lock issue for agent workflow id: lock-issue @@ -95,9 +95,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/lock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/lock-issue.cjs'); await main(); agent: @@ -110,8 +110,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -127,13 +127,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -154,12 +154,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -189,18 +189,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"assign_to_agent":{},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":1}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Assign the GitHub Copilot coding agent to work on an issue. The agent will analyze the issue and attempt to implement a solution, creating a pull request when complete. Use this to delegate coding tasks to Copilot.", @@ -304,7 +305,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "assign_to_agent": { "defaultMax": 1, @@ -417,7 +418,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -492,7 +493,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: @@ -500,7 +501,7 @@ jobs: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -587,7 +588,7 @@ jobs: GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -600,12 +601,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append safe outputs instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -681,7 +682,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -704,21 +705,21 @@ jobs: GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -756,9 +757,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -783,9 +784,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -809,9 +810,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -827,9 +828,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -872,7 +873,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -905,9 +906,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -918,9 +919,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -936,9 +937,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); - name: Unlock issue after agent workflow id: unlock-issue @@ -946,9 +947,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/unlock-issue.cjs'); + const { main } = require('/opt/gh-aw/actions/unlock-issue.cjs'); await main(); detection: @@ -969,7 +970,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -995,9 +996,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1046,7 +1047,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1096,9 +1097,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1125,7 +1126,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1134,9 +1135,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); safe_outputs: @@ -1167,7 +1168,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1188,9 +1189,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); - name: Assign To Agent id: assign_to_agent @@ -1201,8 +1202,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_AGENT_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/assign_to_agent.cjs'); + const { main } = require('/opt/gh-aw/actions/assign_to_agent.cjs'); await main(); diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 2888d19892..b864daeb6a 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -59,16 +59,16 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check workflow file timestamps uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_WORKFLOW_FILE: "workflow-health-manager.lock.yml" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_workflow_timestamp_api.cjs'); + const { main } = require('/opt/gh-aw/actions/check_workflow_timestamp_api.cjs'); await main(); agent: @@ -84,8 +84,8 @@ jobs: env: GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs GH_AW_SAFE_OUTPUTS: /tmp/gh-aw/safeoutputs/outputs.jsonl - GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /tmp/gh-aw/safeoutputs/config.json - GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /tmp/gh-aw/safeoutputs/tools.json + GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json + GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json outputs: has_patch: ${{ steps.collect_output.outputs.has_patch }} model: ${{ steps.generate_aw_info.outputs.model }} @@ -101,13 +101,13 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: persist-credentials: false - name: Create gh-aw temp directory - run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh + run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh # Repo memory git-based storage configuration from frontmatter processed below - name: Clone repo-memory branch (default) env: @@ -116,7 +116,7 @@ jobs: TARGET_REPO: ${{ github.repository }} MEMORY_DIR: /tmp/gh-aw/repo-memory/default CREATE_ORPHAN: true - run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh + run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} @@ -137,12 +137,12 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); + const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main(); - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -172,18 +172,19 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs'); + const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Downloading container images - run: bash /tmp/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 - name: Write Safe Outputs Config run: | + mkdir -p /opt/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' {"add_comment":{"max":15},"create_issue":{"max":10},"missing_tool":{},"noop":{"max":1},"update_issue":{"max":5}} EOF - cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 10 issue(s) can be created.", @@ -325,7 +326,7 @@ jobs: } ] EOF - cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF' + cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF' { "add_comment": { "defaultMax": 1, @@ -471,7 +472,7 @@ jobs: "safeoutputs": { "type": "local", "command": "node", - "args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"], + "args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"], "tools": ["*"], "env": { "GH_AW_MCP_LOG_DIR": "\${GH_AW_MCP_LOG_DIR}", @@ -546,14 +547,14 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs'); + const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs'); await generateWorkflowOverview(core); - name: Create prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} run: | - bash /tmp/gh-aw/actions/create_prompt_first.sh + bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" {{#runtime-import? .github/shared-instructions.md}} @@ -983,12 +984,12 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/xpia_prompt.md" >> "$GH_AW_PROMPT" - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt run: | - cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" + cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT" - name: Append repo memory instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -1094,7 +1095,7 @@ jobs: GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | - const substitutePlaceholders = require('/tmp/gh-aw/actions/substitute_placeholders.cjs'); + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); // Call the substitution function return await substitutePlaceholders({ @@ -1116,21 +1117,21 @@ jobs: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs'); + const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Print prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - run: bash /tmp/gh-aw/actions/print_prompt_summary.sh + run: bash /opt/gh-aw/actions/print_prompt_summary.sh - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): timeout-minutes: 20 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,raw.githubusercontent.com,registry.npmjs.org --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --image-tag 0.8.2 \ -- /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1168,9 +1169,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs'); + const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs'); await main(); env: GH_AW_SECRET_NAMES: 'COPILOT_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GITHUB_TOKEN' @@ -1195,9 +1196,9 @@ jobs: GITHUB_API_URL: ${{ github.api_url }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs'); + const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs'); await main(); - name: Upload sanitized agent output if: always() && env.GH_AW_AGENT_OUTPUT @@ -1221,9 +1222,9 @@ jobs: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_copilot_log.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - name: Firewall summary if: always() @@ -1248,9 +1249,9 @@ jobs: GH_AW_ERROR_PATTERNS: "[{\"id\":\"\",\"pattern\":\"::(error)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - error\"},{\"id\":\"\",\"pattern\":\"::(warning)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - warning\"},{\"id\":\"\",\"pattern\":\"::(notice)(?:\\\\s+[^:]*)?::(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"GitHub Actions workflow command - notice\"},{\"id\":\"\",\"pattern\":\"(ERROR|Error):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic ERROR messages\"},{\"id\":\"\",\"pattern\":\"(WARNING|Warning):\\\\s+(.+)\",\"level_group\":1,\"message_group\":2,\"description\":\"Generic WARNING messages\"},{\"id\":\"\",\"pattern\":\"(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\s+\\\\[(WARN|WARNING)\\\\]\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI timestamped WARNING messages\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(CRITICAL|ERROR):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed critical/error messages with timestamp\"},{\"id\":\"\",\"pattern\":\"\\\\[(\\\\d{4}-\\\\d{2}-\\\\d{2}T\\\\d{2}:\\\\d{2}:\\\\d{2}\\\\.\\\\d{3}Z)\\\\]\\\\s+(WARNING):\\\\s+(.+)\",\"level_group\":2,\"message_group\":3,\"description\":\"Copilot CLI bracketed warning messages with timestamp\"},{\"id\":\"\",\"pattern\":\"✗\\\\s+(.+)\",\"level_group\":0,\"message_group\":1,\"description\":\"Copilot CLI failed command indicator\"},{\"id\":\"\",\"pattern\":\"(?:command not found|not found):\\\\s*(.+)|(.+):\\\\s*(?:command not found|not found)\",\"level_group\":0,\"message_group\":0,\"description\":\"Shell command not found error\"},{\"id\":\"\",\"pattern\":\"Cannot find module\\\\s+['\\\"](.+)['\\\"]\",\"level_group\":0,\"message_group\":1,\"description\":\"Node.js module not found error\"},{\"id\":\"\",\"pattern\":\"Permission denied and could not request permission from user\",\"level_group\":0,\"message_group\":0,\"description\":\"Copilot CLI permission denied warning (user interaction required)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*permission.*denied\",\"level_group\":0,\"message_group\":0,\"description\":\"Permission denied error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*unauthorized\",\"level_group\":0,\"message_group\":0,\"description\":\"Unauthorized access error (requires error context)\"},{\"id\":\"\",\"pattern\":\"\\\\berror\\\\b.*forbidden\",\"level_group\":0,\"message_group\":0,\"description\":\"Forbidden access error (requires error context)\"}]" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs'); + const { main } = require('/opt/gh-aw/actions/validate_errors.cjs'); await main(); - name: Upload agent artifacts if: always() @@ -1294,7 +1295,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Debug job inputs env: COMMENT_ID: ${{ needs.activation.outputs.comment_id }} @@ -1327,9 +1328,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/noop.cjs'); + const { main } = require('/opt/gh-aw/actions/noop.cjs'); await main(); - name: Record Missing Tool id: missing_tool @@ -1340,9 +1341,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); + const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main(); - name: Update reaction comment with completion status id: conclusion @@ -1358,9 +1359,9 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/notify_comment_error.cjs'); + const { main } = require('/opt/gh-aw/actions/notify_comment_error.cjs'); await main(); detection: @@ -1383,7 +1384,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent artifacts continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1409,9 +1410,9 @@ jobs: HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/setup_threat_detection.cjs'); + const { main } = require('/opt/gh-aw/actions/setup_threat_detection.cjs'); const templateContent = `# Threat Detection Analysis You are a security analyst tasked with analyzing agent output and code changes for potential security threats. ## Workflow Source Context @@ -1460,7 +1461,7 @@ jobs: mkdir -p /tmp/gh-aw/threat-detection touch /tmp/gh-aw/threat-detection/detection.log - name: Validate COPILOT_GITHUB_TOKEN secret - run: /tmp/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default + run: /opt/gh-aw/actions/validate_multi_secret.sh COPILOT_GITHUB_TOKEN GitHub Copilot CLI https://githubnext.github.io/gh-aw/reference/engines/#github-copilot-default env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI @@ -1510,9 +1511,9 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_threat_detection_results.cjs'); await main(); - name: Upload threat detection log if: always() @@ -1538,7 +1539,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Check team membership for workflow id: check_membership uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -1547,9 +1548,9 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/check_membership.cjs'); + const { main } = require('/opt/gh-aw/actions/check_membership.cjs'); await main(); push_repo_memory: @@ -1570,7 +1571,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: @@ -1608,9 +1609,9 @@ jobs: FILE_GLOB_FILTER: "**" with: script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); + const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main(); safe_outputs: @@ -1642,7 +1643,7 @@ jobs: - name: Setup Scripts uses: ./actions/setup with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Download agent output artifact continue-on-error: true uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 @@ -1663,8 +1664,8 @@ jobs: with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | - const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/safe_output_handler_manager.cjs'); + const { main } = require('/opt/gh-aw/actions/safe_output_handler_manager.cjs'); await main(); diff --git a/actions/setup/action.yml b/actions/setup/action.yml index aca0e26c8f..b97093786d 100644 --- a/actions/setup/action.yml +++ b/actions/setup/action.yml @@ -4,9 +4,9 @@ author: 'GitHub Next' inputs: destination: - description: 'Destination directory for activation files (default: /tmp/gh-aw/actions)' + description: 'Destination directory for activation files (default: /opt/gh-aw/actions)' required: false - default: '/tmp/gh-aw/actions' + default: '/opt/gh-aw/actions' outputs: files-copied: diff --git a/actions/setup/setup.sh b/actions/setup/setup.sh index e86a0316ec..3cfe57c87b 100755 --- a/actions/setup/setup.sh +++ b/actions/setup/setup.sh @@ -15,7 +15,7 @@ set -e # Get destination from input or use default -DESTINATION="${INPUT_DESTINATION:-/tmp/gh-aw/actions}" +DESTINATION="${INPUT_DESTINATION:-/opt/gh-aw/actions}" echo "Copying activation files to ${DESTINATION}" @@ -94,7 +94,7 @@ fi echo "Successfully copied ${FILE_COUNT} files to ${DESTINATION}" # Copy prompt markdown files to their expected directory -PROMPTS_DEST="/tmp/gh-aw/prompts" +PROMPTS_DEST="/opt/gh-aw/prompts" echo "Copying prompt markdown files to ${PROMPTS_DEST}" mkdir -p "${PROMPTS_DEST}" @@ -116,7 +116,7 @@ else fi # Copy safe-inputs files to their expected directory -SAFE_INPUTS_DEST="/tmp/gh-aw/safe-inputs" +SAFE_INPUTS_DEST="/opt/gh-aw/safe-inputs" echo "Copying safe-inputs files to ${SAFE_INPUTS_DEST}" mkdir -p "${SAFE_INPUTS_DEST}" @@ -167,7 +167,7 @@ fi echo "Successfully copied ${SAFE_INPUTS_COUNT} safe-inputs files to ${SAFE_INPUTS_DEST}" # Copy safe-outputs files to their expected directory -SAFE_OUTPUTS_DEST="/tmp/gh-aw/safeoutputs" +SAFE_OUTPUTS_DEST="/opt/gh-aw/safeoutputs" echo "Copying safe-outputs files to ${SAFE_OUTPUTS_DEST}" mkdir -p "${SAFE_OUTPUTS_DEST}" diff --git a/actions/setup/sh/start_safe_inputs_server.sh b/actions/setup/sh/start_safe_inputs_server.sh index 4dd2bffc52..d634232231 100755 --- a/actions/setup/sh/start_safe_inputs_server.sh +++ b/actions/setup/sh/start_safe_inputs_server.sh @@ -4,20 +4,20 @@ set -e -cd /tmp/gh-aw/safe-inputs || exit 1 +cd /opt/gh-aw/safe-inputs || exit 1 # Verify required files exist echo "Verifying safe-inputs setup..." # Check core configuration files if [ ! -f mcp-server.cjs ]; then - echo "ERROR: mcp-server.cjs not found in /tmp/gh-aw/safe-inputs" - ls -la /tmp/gh-aw/safe-inputs/ + echo "ERROR: mcp-server.cjs not found in /opt/gh-aw/safe-inputs" + ls -la /opt/gh-aw/safe-inputs/ exit 1 fi if [ ! -f tools.json ]; then - echo "ERROR: tools.json not found in /tmp/gh-aw/safe-inputs" - ls -la /tmp/gh-aw/safe-inputs/ + echo "ERROR: tools.json not found in /opt/gh-aw/safe-inputs" + ls -la /opt/gh-aw/safe-inputs/ exit 1 fi @@ -48,13 +48,13 @@ for dep in "${REQUIRED_DEPS[@]}"; do done if [ ${#MISSING_FILES[@]} -gt 0 ]; then - echo "ERROR: Missing required dependency files in /tmp/gh-aw/safe-inputs/" + echo "ERROR: Missing required dependency files in /opt/gh-aw/safe-inputs/" for file in "${MISSING_FILES[@]}"; do echo " - $file" done echo echo "Current directory contents:" - ls -la /tmp/gh-aw/safe-inputs/ + ls -la /opt/gh-aw/safe-inputs/ echo echo "These files should have been copied by the Setup Scripts action." echo "This usually indicates a problem with the actions/setup step." diff --git a/pkg/workflow/agentic_engine.go b/pkg/workflow/agentic_engine.go index 874eb0696d..344f1ba245 100644 --- a/pkg/workflow/agentic_engine.go +++ b/pkg/workflow/agentic_engine.go @@ -316,7 +316,7 @@ func GenerateMultiSecretValidationStep(secretNames []string, engineName, docsURL stepLines := []string{ stepName, - " run: /tmp/gh-aw/actions/validate_multi_secret.sh " + scriptArgsStr, + " run: /opt/gh-aw/actions/validate_multi_secret.sh " + scriptArgsStr, " env:", } diff --git a/pkg/workflow/bundler_file_mode.go b/pkg/workflow/bundler_file_mode.go index 35c4adbb14..b5d3821e0b 100644 --- a/pkg/workflow/bundler_file_mode.go +++ b/pkg/workflow/bundler_file_mode.go @@ -9,7 +9,7 @@ // # How it works // // 1. CollectScriptFiles - Recursively collects all JavaScript files used by a script -// 2. GenerateWriteScriptsStep - Creates a step that writes all files to /tmp/gh-aw/scripts/ +// 2. GenerateWriteScriptsStep - Creates a step that writes all files to /opt/gh-aw/scripts/ // 3. GenerateRequireScript - Converts a script to require from the local filesystem // // # Benefits @@ -35,10 +35,10 @@ import ( var fileModeLog = logger.New("workflow:bundler_file_mode") // ScriptsBasePath is the directory where JavaScript files are written at runtime -const ScriptsBasePath = "/tmp/gh-aw/scripts" +const ScriptsBasePath = "/opt/gh-aw/scripts" // SetupActionDestination is the directory where the setup action writes activation scripts -const SetupActionDestination = "/tmp/gh-aw/actions" +const SetupActionDestination = "/opt/gh-aw/actions" // ScriptFile represents a JavaScript file to be written to disk type ScriptFile struct { @@ -257,7 +257,7 @@ func patchTopLevelAwaitForFileMode(content string) string { } // GenerateWriteScriptsStep generates the YAML for a step that writes all collected -// JavaScript files to /tmp/gh-aw/scripts/. This step should be added once at the +// JavaScript files to /opt/gh-aw/scripts/. This step should be added once at the // beginning of the safe_outputs job. // // The generated step uses a heredoc to write each file efficiently. @@ -333,7 +333,7 @@ globalThis.io = io; // This function: // 1. Adds a preamble to expose github-script globals (github, context, core, exec, io) on globalThis // 2. Gets the script content from the registry -// 3. Transforms relative require() calls to absolute paths (e.g., './helper.cjs' -> '/tmp/gh-aw/scripts/helper.cjs') +// 3. Transforms relative require() calls to absolute paths (e.g., './helper.cjs' -> '/opt/gh-aw/scripts/helper.cjs') // 4. Patches top-level await patterns to work in the execution context // // This is different from GenerateRequireScript which just generates a require() call. @@ -350,7 +350,7 @@ func GetInlinedScriptForFileMode(scriptName string) (string, error) { return "", fmt.Errorf("script not found in registry: %s", scriptName) } - // Transform relative requires to absolute paths pointing to /tmp/gh-aw/scripts/ + // Transform relative requires to absolute paths pointing to /opt/gh-aw/scripts/ transformed := TransformRequiresToAbsolutePath(content, ScriptsBasePath) // Patch top-level await patterns @@ -373,7 +373,7 @@ func GetInlinedScriptForFileMode(scriptName string) (string, error) { // // Into: // -// const { helper } = require('/tmp/gh-aw/scripts/helper.cjs'); +// const { helper } = require('/opt/gh-aw/scripts/helper.cjs'); func RewriteScriptForFileMode(content string, currentPath string) string { // Regular expression to match local require statements requireRegex := regexp.MustCompile(`require\(['"](\.\.?/)([^'"]+)['"]\)`) @@ -425,7 +425,7 @@ func RewriteScriptForFileMode(content string, currentPath string) string { // // Parameters: // - content: The JavaScript content to transform -// - basePath: The absolute path to use for requires (e.g., "/tmp/gh-aw/safeoutputs") +// - basePath: The absolute path to use for requires (e.g., "/opt/gh-aw/safeoutputs") func TransformRequiresToAbsolutePath(content string, basePath string) string { // Regular expression to match local require statements requireRegex := regexp.MustCompile(`require\(['"](\.\.?/)([^'"]+)['"]\)`) diff --git a/pkg/workflow/bundler_file_mode_test.go b/pkg/workflow/bundler_file_mode_test.go index 472d96f123..cebba5d5ea 100644 --- a/pkg/workflow/bundler_file_mode_test.go +++ b/pkg/workflow/bundler_file_mode_test.go @@ -117,12 +117,12 @@ func TestGenerateWriteScriptsStep(t *testing.T) { // Check that the step includes the mkdir command stepsStr := strings.Join(steps, "") - if !strings.Contains(stepsStr, "mkdir -p /tmp/gh-aw/scripts") { + if !strings.Contains(stepsStr, "mkdir -p /opt/gh-aw/scripts") { t.Error("Expected mkdir command for scripts directory") } // Check that the file is written - if !strings.Contains(stepsStr, "cat > /tmp/gh-aw/scripts/test.cjs") { + if !strings.Contains(stepsStr, "cat > /opt/gh-aw/scripts/test.cjs") { t.Error("Expected cat command for writing file") } @@ -135,8 +135,8 @@ func TestGenerateWriteScriptsStep(t *testing.T) { func TestGenerateRequireScript(t *testing.T) { script := GenerateRequireScript("create_issue.cjs") - if !strings.Contains(script, "/tmp/gh-aw/scripts/create_issue.cjs") { - t.Errorf("Expected script to require from /tmp/gh-aw/scripts/, got: %s", script) + if !strings.Contains(script, "/opt/gh-aw/scripts/create_issue.cjs") { + t.Errorf("Expected script to require from /opt/gh-aw/scripts/, got: %s", script) } if !strings.Contains(script, "require(") { @@ -165,19 +165,19 @@ func TestRewriteScriptForFileMode(t *testing.T) { name: "simple relative require", content: "const { helper } = require('./helper.cjs');", currentPath: "main.cjs", - wantContain: "/tmp/gh-aw/scripts/helper.cjs", + wantContain: "/opt/gh-aw/scripts/helper.cjs", }, { name: "nested relative require", content: "const { util } = require('./utils/util.cjs');", currentPath: "main.cjs", - wantContain: "/tmp/gh-aw/scripts/utils/util.cjs", + wantContain: "/opt/gh-aw/scripts/utils/util.cjs", }, { name: "parent directory require", content: "const { shared } = require('../shared.cjs');", currentPath: "utils/util.cjs", - wantContain: "/tmp/gh-aw/scripts/shared.cjs", + wantContain: "/opt/gh-aw/scripts/shared.cjs", }, } @@ -212,7 +212,7 @@ func TestPrepareFilesForFileMode(t *testing.T) { // Check that require paths are rewritten mainFile := prepared[0] - if !strings.Contains(mainFile.Content, "/tmp/gh-aw/scripts/helper.cjs") { + if !strings.Contains(mainFile.Content, "/opt/gh-aw/scripts/helper.cjs") { t.Errorf("Expected main file to have rewritten require path, got: %s", mainFile.Content) } diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 3132efdcc7..4044877018 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go @@ -349,7 +349,7 @@ func generateCacheMemorySteps(builder *strings.Builder, data *WorkflowData) { if useBackwardCompatiblePaths { // For single default cache, use the original directory for backward compatibility builder.WriteString(" - name: Create cache-memory directory\n") - builder.WriteString(" run: bash /tmp/gh-aw/actions/create_cache_memory_dir.sh\n") + builder.WriteString(" run: bash /opt/gh-aw/actions/create_cache_memory_dir.sh\n") } else { fmt.Fprintf(builder, " - name: Create cache-memory directory (%s)\n", cache.ID) builder.WriteString(" run: |\n") diff --git a/pkg/workflow/cjs_require_validation_test.go b/pkg/workflow/cjs_require_validation_test.go index 16343fd3e3..011fd0ef25 100644 --- a/pkg/workflow/cjs_require_validation_test.go +++ b/pkg/workflow/cjs_require_validation_test.go @@ -12,7 +12,7 @@ import ( // do not use require() statements with "actions/" paths or "@actions/*" npm packages. // // When these .cjs files are deployed to GitHub Actions runners, they are copied -// to /tmp/gh-aw/actions/ as a flat directory structure. Any require() statements +// to /opt/gh-aw/actions/ as a flat directory structure. Any require() statements // that reference "actions/..." paths or "@actions/*" npm packages would fail because: // 1. There's no parent "actions/" directory in the runtime environment // 2. All files are in the same flat directory @@ -136,7 +136,7 @@ func TestCJSFilesNoActionsRequires(t *testing.T) { t.Errorf(" - %s", violation) } t.Error("\nWhen .cjs files are deployed to GitHub Actions runners, they are copied") - t.Error("to /tmp/gh-aw/actions/ as a flat directory. Any require() statements that") + t.Error("to /opt/gh-aw/actions/ as a flat directory. Any require() statements that") t.Error("reference 'actions/...' paths or '@actions/*' npm packages will fail at runtime") t.Error("because:") t.Error(" 1. The parent 'actions/' directory structure doesn't exist") diff --git a/pkg/workflow/claude_engine.go b/pkg/workflow/claude_engine.go index f1261f295c..7991709634 100644 --- a/pkg/workflow/claude_engine.go +++ b/pkg/workflow/claude_engine.go @@ -265,6 +265,10 @@ func (e *ClaudeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str claudeLog.Print("Added hostedtoolcache node mount to AWF container") + // Mount /opt/gh-aw as readonly for script and configuration files + awfArgs = append(awfArgs, "--mount", "/opt/gh-aw:/opt/gh-aw:ro") + claudeLog.Print("Added /opt/gh-aw mount as readonly to AWF container") + // Add custom mounts from agent config if specified if agentConfig != nil && len(agentConfig.Mounts) > 0 { // Sort mounts for consistent output diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go index 95b73dd0cb..e1b3cbe844 100644 --- a/pkg/workflow/codex_engine.go +++ b/pkg/workflow/codex_engine.go @@ -178,6 +178,10 @@ func (e *CodexEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri codexEngineLog.Print("Added hostedtoolcache node mount to AWF container") + // Mount /opt/gh-aw as readonly for script and configuration files + awfArgs = append(awfArgs, "--mount", "/opt/gh-aw:/opt/gh-aw:ro") + codexEngineLog.Print("Added /opt/gh-aw mount as readonly to AWF container") + // Add custom mounts from agent config if specified if agentConfig != nil && len(agentConfig.Mounts) > 0 { sortedMounts := make([]string, len(agentConfig.Mounts)) diff --git a/pkg/workflow/compiler_activation_jobs.go b/pkg/workflow/compiler_activation_jobs.go index 757619987b..94256d37e5 100644 --- a/pkg/workflow/compiler_activation_jobs.go +++ b/pkg/workflow/compiler_activation_jobs.go @@ -694,16 +694,17 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) ( if data.SafeOutputs != nil { env = make(map[string]string) - // Set GH_AW_SAFE_OUTPUTS to fixed path + // Set GH_AW_SAFE_OUTPUTS to writable path in /tmp + // The MCP server writes agent outputs to this file during execution env["GH_AW_SAFE_OUTPUTS"] = "/tmp/gh-aw/safeoutputs/outputs.jsonl" // Set GH_AW_MCP_LOG_DIR for safe outputs MCP server logging // Store in mcp-logs directory so it's included in mcp-logs artifact env["GH_AW_MCP_LOG_DIR"] = "/tmp/gh-aw/mcp-logs/safeoutputs" - // Set config and tools paths (files are written to these paths) - env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = "/tmp/gh-aw/safeoutputs/config.json" - env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = "/tmp/gh-aw/safeoutputs/tools.json" + // Set config and tools paths (readonly files in /opt/gh-aw) + env["GH_AW_SAFE_OUTPUTS_CONFIG_PATH"] = "/opt/gh-aw/safeoutputs/config.json" + env["GH_AW_SAFE_OUTPUTS_TOOLS_PATH"] = "/opt/gh-aw/safeoutputs/tools.json" // Add asset-related environment variables if upload-assets is configured if data.SafeOutputs.UploadAssets != nil { diff --git a/pkg/workflow/compiler_safe_outputs_specialized.go b/pkg/workflow/compiler_safe_outputs_specialized.go index f972ff52d9..60ec3993b9 100644 --- a/pkg/workflow/compiler_safe_outputs_specialized.go +++ b/pkg/workflow/compiler_safe_outputs_specialized.go @@ -42,7 +42,7 @@ func (c *Compiler) buildCreateAgentSessionStepConfig(data *WorkflowData, mainJob return SafeOutputStepConfig{ StepName: "Create Agent Session", StepID: "create_agent_session", - Script: "const { main } = require('/tmp/gh-aw/actions/create_agent_session.cjs'); await main();", + Script: "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();", CustomEnvVars: customEnvVars, Condition: condition, Token: cfg.GitHubToken, diff --git a/pkg/workflow/compiler_safe_outputs_steps_test.go b/pkg/workflow/compiler_safe_outputs_steps_test.go index caa638bb25..330d7a9522 100644 --- a/pkg/workflow/compiler_safe_outputs_steps_test.go +++ b/pkg/workflow/compiler_safe_outputs_steps_test.go @@ -45,7 +45,7 @@ func TestBuildConsolidatedSafeOutputStep(t *testing.T) { "name: Create Issue", "id: create_issue", "setupGlobals", - "require('/tmp/gh-aw/actions/create_issue_handler.cjs')", + "require('/opt/gh-aw/actions/create_issue_handler.cjs')", "await main();", }, checkNotContains: []string{ @@ -532,7 +532,7 @@ func TestScriptNameVsInlineScript(t *testing.T) { stepsContent := strings.Join(steps, "") assert.Contains(t, stepsContent, "setupGlobals") - assert.Contains(t, stepsContent, "require('/tmp/gh-aw/actions/test_handler.cjs')") + assert.Contains(t, stepsContent, "require('/opt/gh-aw/actions/test_handler.cjs')") assert.Contains(t, stepsContent, "await main()") assert.NotContains(t, stepsContent, "console.log") }) diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index f03c1b9717..d06463e83a 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -220,7 +220,7 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData) { } yaml.WriteString(" run: |\n") - yaml.WriteString(" bash /tmp/gh-aw/actions/create_prompt_first.sh\n") + yaml.WriteString(" bash /opt/gh-aw/actions/create_prompt_first.sh\n") if len(chunks) > 0 { // Write template with placeholders directly to target file @@ -317,7 +317,7 @@ func (c *Compiler) generatePrompt(yaml *strings.Builder, data *WorkflowData) { yaml.WriteString(" - name: Print prompt\n") yaml.WriteString(" env:\n") yaml.WriteString(" GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt\n") - yaml.WriteString(" run: bash /tmp/gh-aw/actions/print_prompt_summary.sh\n") + yaml.WriteString(" run: bash /opt/gh-aw/actions/print_prompt_summary.sh\n") } func (c *Compiler) generatePostSteps(yaml *strings.Builder, data *WorkflowData) { @@ -502,7 +502,7 @@ func (c *Compiler) generateWorkflowOverviewStep(yaml *strings.Builder, data *Wor fmt.Fprintf(yaml, " uses: %s\n", GetActionPin("actions/github-script")) yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs');\n") + yaml.WriteString(" const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');\n") yaml.WriteString(" await generateWorkflowOverview(core);\n") } @@ -563,9 +563,9 @@ func (c *Compiler) generateOutputCollectionStep(yaml *strings.Builder, data *Wor yaml.WriteString(" script: |\n") // Load script from external file using require() - yaml.WriteString(" const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/collect_ndjson_output.cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/collect_ndjson_output.cjs');\n") yaml.WriteString(" await main();\n") // Record artifact upload for validation diff --git a/pkg/workflow/compiler_yaml_ai_execution.go b/pkg/workflow/compiler_yaml_ai_execution.go index 558ddbf5d6..e19fa7c2d9 100644 --- a/pkg/workflow/compiler_yaml_ai_execution.go +++ b/pkg/workflow/compiler_yaml_ai_execution.go @@ -51,7 +51,7 @@ func (c *Compiler) generateLogParsing(yaml *strings.Builder, engine CodingAgentE yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load log parser script from external file using require() - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/" + parserScriptName + ".cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/" + parserScriptName + ".cjs');\n") yaml.WriteString(" await main();\n") } @@ -69,7 +69,7 @@ func (c *Compiler) generateSafeInputsLogParsing(yaml *strings.Builder) { yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load safe-inputs log parser script from external file using require() - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/parse_safe_inputs_logs.cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs');\n") yaml.WriteString(" await main();\n") } @@ -144,6 +144,6 @@ func (c *Compiler) generateErrorValidation(yaml *strings.Builder, engine CodingA yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Load error validation script from external file using require() - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/validate_errors.cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/validate_errors.cjs');\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index a7311947ad..82b1498c8a 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -90,7 +90,7 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // Create /tmp/gh-aw/ base directory for all temporary files // This must be created before custom steps so they can use the temp directory yaml.WriteString(" - name: Create gh-aw temp directory\n") - yaml.WriteString(" run: bash /tmp/gh-aw/actions/create_gh_aw_tmp_dir.sh\n") + yaml.WriteString(" run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh\n") // Add custom steps if present if data.CustomSteps != "" { diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go index 64ef0495b8..4139f1fa99 100644 --- a/pkg/workflow/copilot_engine_execution.go +++ b/pkg/workflow/copilot_engine_execution.go @@ -267,6 +267,10 @@ func (e *CopilotEngine) GetExecutionSteps(workflowData *WorkflowData, logFile st awfArgs = append(awfArgs, "--mount", "/home/runner/.copilot:/home/runner/.copilot:rw") copilotExecLog.Print("Added gh CLI, copilot binary, and .copilot config directory mounts to AWF container") + // Mount /opt/gh-aw as readonly for script and configuration files + awfArgs = append(awfArgs, "--mount", "/opt/gh-aw:/opt/gh-aw:ro") + copilotExecLog.Print("Added /opt/gh-aw mount as readonly to AWF container") + // Add custom mounts from agent config if specified if agentConfig != nil && len(agentConfig.Mounts) > 0 { // Sort mounts for consistent output diff --git a/pkg/workflow/copilot_participant_steps.go b/pkg/workflow/copilot_participant_steps.go index 7a86e78019..b3cafc3c46 100644 --- a/pkg/workflow/copilot_participant_steps.go +++ b/pkg/workflow/copilot_participant_steps.go @@ -100,7 +100,7 @@ func buildIssueAssigneeSteps(config CopilotParticipantConfig, effectiveToken str steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Load script from external file using require() - steps = append(steps, " const { main } = require('/tmp/gh-aw/actions/assign_issue.cjs');\n") + steps = append(steps, " const { main } = require('/opt/gh-aw/actions/assign_issue.cjs');\n") steps = append(steps, " await main({ github, context, core, exec, io });\n") // Add a comment after each assignee step except the last @@ -131,7 +131,7 @@ func buildPRReviewerSteps(config CopilotParticipantConfig, effectiveToken string steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Load script from external file using require() - steps = append(steps, " const { main } = require('/tmp/gh-aw/actions/add_copilot_reviewer.cjs');\n") + steps = append(steps, " const { main } = require('/opt/gh-aw/actions/add_copilot_reviewer.cjs');\n") steps = append(steps, " await main({ github, context, core, exec, io });\n") } else { steps = append(steps, fmt.Sprintf(" - name: Add %s as reviewer\n", reviewer)) diff --git a/pkg/workflow/create_agent_session.go b/pkg/workflow/create_agent_session.go index 074805a8c8..5b0d2c71b3 100644 --- a/pkg/workflow/create_agent_session.go +++ b/pkg/workflow/create_agent_session.go @@ -131,7 +131,7 @@ func (c *Compiler) buildCreateOutputAgentSessionJob(data *WorkflowData, mainJobN StepID: "create_agent_session", MainJobName: mainJobName, CustomEnvVars: customEnvVars, - Script: "const { main } = require('/tmp/gh-aw/actions/create_agent_session.cjs'); await main();", + Script: "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();", Permissions: NewPermissionsContentsWriteIssuesWritePRWrite(), Outputs: outputs, Condition: jobCondition, diff --git a/pkg/workflow/create_issue.go b/pkg/workflow/create_issue.go index aeb2cd5779..3c7a0cb4cd 100644 --- a/pkg/workflow/create_issue.go +++ b/pkg/workflow/create_issue.go @@ -120,7 +120,7 @@ func buildCopilotAssignmentStep(configToken string) []string { steps = append(steps, " const { setupGlobals } = require('"+SetupActionDestination+"/setup_globals.cjs');\n") steps = append(steps, " setupGlobals(core, github, context, exec, io);\n") // Load script from external file using require() - steps = append(steps, " const { main } = require('/tmp/gh-aw/actions/assign_copilot_to_created_issues.cjs');\n") + steps = append(steps, " const { main } = require('/opt/gh-aw/actions/assign_copilot_to_created_issues.cjs');\n") steps = append(steps, " await main({ github, context, core, exec, io });\n") return steps diff --git a/pkg/workflow/detection_success_test.go b/pkg/workflow/detection_success_test.go index afc931c557..e41230cdeb 100644 --- a/pkg/workflow/detection_success_test.go +++ b/pkg/workflow/detection_success_test.go @@ -61,7 +61,7 @@ Create an issue. } // Check that the script uses require to load the parse_threat_detection_results.cjs file - if !strings.Contains(yaml, "require('/tmp/gh-aw/actions/parse_threat_detection_results.cjs')") { + if !strings.Contains(yaml, "require('/opt/gh-aw/actions/parse_threat_detection_results.cjs')") { t.Error("Parse results step doesn't use require to load parse_threat_detection_results.cjs") } diff --git a/pkg/workflow/docker.go b/pkg/workflow/docker.go index d600e2c987..1362f0247e 100644 --- a/pkg/workflow/docker.go +++ b/pkg/workflow/docker.go @@ -80,7 +80,7 @@ func generateDownloadDockerImagesStep(yaml *strings.Builder, dockerImages []stri } yaml.WriteString(" - name: Downloading container images\n") - yaml.WriteString(" run: bash /tmp/gh-aw/actions/download_docker_images.sh") + yaml.WriteString(" run: bash /opt/gh-aw/actions/download_docker_images.sh") for _, image := range dockerImages { fmt.Fprintf(yaml, " %s", image) } diff --git a/pkg/workflow/docker_predownload_test.go b/pkg/workflow/docker_predownload_test.go index 5aa604df72..1fc5fe87f5 100644 --- a/pkg/workflow/docker_predownload_test.go +++ b/pkg/workflow/docker_predownload_test.go @@ -134,8 +134,8 @@ Test workflow with custom MCP container.`, // If we expect a step, verify the images are present if tt.expectStep { // Verify the script call is present - if !strings.Contains(string(yaml), "bash /tmp/gh-aw/actions/download_docker_images.sh") { - t.Error("Expected to find 'bash /tmp/gh-aw/actions/download_docker_images.sh' script call in generated YAML") + if !strings.Contains(string(yaml), "bash /opt/gh-aw/actions/download_docker_images.sh") { + t.Error("Expected to find 'bash /opt/gh-aw/actions/download_docker_images.sh' script call in generated YAML") } for _, expectedImage := range tt.expectedImages { // Check that the image is being passed as an argument to the script diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index 2b90b9358f..486a09d183 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go @@ -143,7 +143,7 @@ jobs: yaml.WriteString(` - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Close expired discussions uses: ` + GetActionPin("actions/github-script") + ` @@ -152,9 +152,9 @@ jobs: `) // Add the close expired discussions script using require() - yaml.WriteString(` const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/close_expired_discussions.cjs'); + const { main } = require('/opt/gh-aw/actions/close_expired_discussions.cjs'); await main(); `) @@ -183,7 +183,7 @@ jobs: yaml.WriteString(` - name: Setup Scripts uses: ` + setupActionRef + ` with: - destination: /tmp/gh-aw/actions + destination: /opt/gh-aw/actions - name: Close expired issues uses: ` + GetActionPin("actions/github-script") + ` @@ -192,9 +192,9 @@ jobs: `) // Add the close expired issues script using require() - yaml.WriteString(` const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs'); + yaml.WriteString(` const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/tmp/gh-aw/actions/close_expired_issues.cjs'); + const { main } = require('/opt/gh-aw/actions/close_expired_issues.cjs'); await main(); `) diff --git a/pkg/workflow/mcp-config.go b/pkg/workflow/mcp-config.go index 669df2ce72..bddeef591d 100644 --- a/pkg/workflow/mcp-config.go +++ b/pkg/workflow/mcp-config.go @@ -239,7 +239,7 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i yaml, constants.SafeOutputsMCPServerID, "node", - []string{"/tmp/gh-aw/safeoutputs/mcp-server.cjs"}, + []string{"/opt/gh-aw/safeoutputs/mcp-server.cjs"}, envVars, isLast, includeCopilotFields, @@ -307,7 +307,7 @@ func renderSafeOutputsMCPConfigTOML(yaml *strings.Builder) { yaml.WriteString(" [mcp_servers." + constants.SafeOutputsMCPServerID + "]\n") yaml.WriteString(" command = \"node\"\n") yaml.WriteString(" args = [\n") - yaml.WriteString(" \"/tmp/gh-aw/safeoutputs/mcp-server.cjs\",\n") + yaml.WriteString(" \"/opt/gh-aw/safeoutputs/mcp-server.cjs\",\n") yaml.WriteString(" ]\n") // Use env_vars array to reference environment variables instead of embedding GitHub Actions expressions yaml.WriteString(" env_vars = [\"GH_AW_SAFE_OUTPUTS\", \"GH_AW_ASSETS_BRANCH\", \"GH_AW_ASSETS_MAX_SIZE_KB\", \"GH_AW_ASSETS_ALLOWED_EXTS\", \"GITHUB_REPOSITORY\", \"GITHUB_SERVER_URL\", \"GITHUB_SHA\", \"GITHUB_WORKSPACE\", \"DEFAULT_BRANCH\"]\n") diff --git a/pkg/workflow/mcp_config_builtin_test.go b/pkg/workflow/mcp_config_builtin_test.go index ed44e09894..f61e833bce 100644 --- a/pkg/workflow/mcp_config_builtin_test.go +++ b/pkg/workflow/mcp_config_builtin_test.go @@ -24,7 +24,7 @@ func TestRenderBuiltinMCPServerBlock(t *testing.T) { name: "SafeOutputs Copilot format", serverID: constants.SafeOutputsMCPServerID, command: "node", - args: []string{"/tmp/gh-aw/safeoutputs/mcp-server.cjs"}, + args: []string{"/opt/gh-aw/safeoutputs/mcp-server.cjs"}, envVars: []string{ "GH_AW_SAFE_OUTPUTS", "GH_AW_ASSETS_BRANCH", @@ -35,7 +35,7 @@ func TestRenderBuiltinMCPServerBlock(t *testing.T) { `"safeoutputs": {`, `"type": "local"`, `"command": "node"`, - `"args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"]`, + `"args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, `"tools": ["*"]`, `"env": {`, `"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}"`, @@ -48,7 +48,7 @@ func TestRenderBuiltinMCPServerBlock(t *testing.T) { name: "SafeOutputs Claude format", serverID: constants.SafeOutputsMCPServerID, command: "node", - args: []string{"/tmp/gh-aw/safeoutputs/mcp-server.cjs"}, + args: []string{"/opt/gh-aw/safeoutputs/mcp-server.cjs"}, envVars: []string{ "GH_AW_SAFE_OUTPUTS", "GH_AW_ASSETS_BRANCH", @@ -58,7 +58,7 @@ func TestRenderBuiltinMCPServerBlock(t *testing.T) { expectedContent: []string{ `"safeoutputs": {`, `"command": "node"`, - `"args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"]`, + `"args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, `"env": {`, `"GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS"`, `"GH_AW_ASSETS_BRANCH": "$GH_AW_ASSETS_BRANCH"`, diff --git a/pkg/workflow/mcp_config_refactor_test.go b/pkg/workflow/mcp_config_refactor_test.go index ffad7a5b42..7f384fe9c5 100644 --- a/pkg/workflow/mcp_config_refactor_test.go +++ b/pkg/workflow/mcp_config_refactor_test.go @@ -127,7 +127,7 @@ func TestRenderSafeOutputsMCPConfigWithOptions(t *testing.T) { `"safeoutputs": {`, `"type": "local"`, `"command": "node"`, - `"args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"]`, + `"args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, `"tools": ["*"]`, `"env": {`, `"GH_AW_SAFE_OUTPUTS": "\${GH_AW_SAFE_OUTPUTS}"`, @@ -146,7 +146,7 @@ func TestRenderSafeOutputsMCPConfigWithOptions(t *testing.T) { expectedContent: []string{ `"safeoutputs": {`, `"command": "node"`, - `"args": ["/tmp/gh-aw/safeoutputs/mcp-server.cjs"]`, + `"args": ["/opt/gh-aw/safeoutputs/mcp-server.cjs"]`, // Security fix: Now uses shell variables instead of GitHub expressions `"GH_AW_SAFE_OUTPUTS": "$GH_AW_SAFE_OUTPUTS"`, `"GH_AW_SAFE_OUTPUTS_CONFIG_PATH": "$GH_AW_SAFE_OUTPUTS_CONFIG_PATH"`, @@ -333,7 +333,7 @@ func TestRenderSafeOutputsMCPConfigTOML(t *testing.T) { `[mcp_servers.safeoutputs]`, `command = "node"`, `args = [`, - `"/tmp/gh-aw/safeoutputs/mcp-server.cjs"`, + `"/opt/gh-aw/safeoutputs/mcp-server.cjs"`, `env_vars = ["GH_AW_SAFE_OUTPUTS", "GH_AW_ASSETS_BRANCH", "GH_AW_ASSETS_MAX_SIZE_KB", "GH_AW_ASSETS_ALLOWED_EXTS", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_SHA", "GITHUB_WORKSPACE", "DEFAULT_BRANCH"]`, } diff --git a/pkg/workflow/mcp_config_shared_test.go b/pkg/workflow/mcp_config_shared_test.go index 1b9181ed8c..8a4fd30749 100644 --- a/pkg/workflow/mcp_config_shared_test.go +++ b/pkg/workflow/mcp_config_shared_test.go @@ -104,7 +104,7 @@ func TestRenderSafeOutputsMCPConfigShared(t *testing.T) { wantContains: []string{ `"safeoutputs": {`, `"command": "node"`, - `"/tmp/gh-aw/safeoutputs/mcp-server.cjs"`, + `"/opt/gh-aw/safeoutputs/mcp-server.cjs"`, `"GH_AW_SAFE_OUTPUTS"`, `"GH_AW_ASSETS_BRANCH"`, `"GH_AW_ASSETS_MAX_SIZE_KB"`, diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go index 0d2287f3a7..855e23a51a 100644 --- a/pkg/workflow/mcp_renderer.go +++ b/pkg/workflow/mcp_renderer.go @@ -220,7 +220,7 @@ func (r *MCPConfigRendererUnified) renderSafeOutputsTOML(yaml *strings.Builder) yaml.WriteString(" [mcp_servers." + constants.SafeOutputsMCPServerID + "]\n") yaml.WriteString(" command = \"node\"\n") yaml.WriteString(" args = [\n") - yaml.WriteString(" \"/tmp/gh-aw/safeoutputs/mcp-server.cjs\",\n") + yaml.WriteString(" \"/opt/gh-aw/safeoutputs/mcp-server.cjs\",\n") yaml.WriteString(" ]\n") yaml.WriteString(" env_vars = [\"GH_AW_MCP_LOG_DIR\", \"GH_AW_SAFE_OUTPUTS\", \"GH_AW_SAFE_OUTPUTS_CONFIG_PATH\", \"GH_AW_SAFE_OUTPUTS_TOOLS_PATH\", \"GH_AW_ASSETS_BRANCH\", \"GH_AW_ASSETS_MAX_SIZE_KB\", \"GH_AW_ASSETS_ALLOWED_EXTS\", \"GITHUB_REPOSITORY\", \"GITHUB_SERVER_URL\", \"GITHUB_SHA\", \"GITHUB_WORKSPACE\", \"DEFAULT_BRANCH\"]\n") } diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go index 1a16a23538..eccb7fd22a 100644 --- a/pkg/workflow/mcp_servers.go +++ b/pkg/workflow/mcp_servers.go @@ -252,12 +252,13 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (config.json, tools.json, validation.json) yaml.WriteString(" - name: Write Safe Outputs Config\n") yaml.WriteString(" run: |\n") + yaml.WriteString(" mkdir -p /opt/gh-aw/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/safeoutputs\n") yaml.WriteString(" mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs\n") // Write the safe-outputs configuration to config.json if safeOutputConfig != "" { - yaml.WriteString(" cat > /tmp/gh-aw/safeoutputs/config.json << 'EOF'\n") + yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/config.json << 'EOF'\n") yaml.WriteString(" " + safeOutputConfig + "\n") yaml.WriteString(" EOF\n") } @@ -269,7 +270,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Fall back to empty array on error filteredToolsJSON = "[]" } - yaml.WriteString(" cat > /tmp/gh-aw/safeoutputs/tools.json << 'EOF'\n") + yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF'\n") // Write each line of the indented JSON with proper YAML indentation for _, line := range strings.Split(filteredToolsJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -294,7 +295,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, mcpServersLog.Printf("CRITICAL: Error generating validation config JSON: %v - validation will not work correctly", err) validationConfigJSON = "{}" } - yaml.WriteString(" cat > /tmp/gh-aw/safeoutputs/validation.json << 'EOF'\n") + yaml.WriteString(" cat > /opt/gh-aw/safeoutputs/validation.json << 'EOF'\n") // Write each line of the indented JSON with proper YAML indentation for _, line := range strings.Split(validationConfigJSON, "\n") { yaml.WriteString(" " + line + "\n") @@ -311,11 +312,11 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Step 1: Write config files (JavaScript files are now copied by actions/setup) yaml.WriteString(" - name: Setup Safe Inputs Config\n") yaml.WriteString(" run: |\n") - yaml.WriteString(" mkdir -p /tmp/gh-aw/safe-inputs/logs\n") + yaml.WriteString(" mkdir -p /opt/gh-aw/safe-inputs/logs\n") // Generate the tools.json configuration file toolsJSON := generateSafeInputsToolsConfig(workflowData.SafeInputs) - yaml.WriteString(" cat > /tmp/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON'\n") + yaml.WriteString(" cat > /opt/gh-aw/safe-inputs/tools.json << 'EOF_TOOLS_JSON'\n") for _, line := range strings.Split(toolsJSON, "\n") { yaml.WriteString(" " + line + "\n") } @@ -323,12 +324,12 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, // Generate the MCP server entry point safeInputsMCPServer := generateSafeInputsMCPServerScript(workflowData.SafeInputs) - yaml.WriteString(" cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI'\n") + yaml.WriteString(" cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'EOFSI'\n") for _, line := range FormatJavaScriptForYAML(safeInputsMCPServer) { yaml.WriteString(line) } yaml.WriteString(" EOFSI\n") - yaml.WriteString(" chmod +x /tmp/gh-aw/safe-inputs/mcp-server.cjs\n") + yaml.WriteString(" chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs\n") yaml.WriteString(" \n") // Step 2: Generate tool files (js/py/sh) @@ -347,7 +348,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, if toolConfig.Script != "" { // JavaScript tool toolScript := generateSafeInputJavaScriptToolScript(toolConfig) - fmt.Fprintf(yaml, " cat > /tmp/gh-aw/safe-inputs/%s.cjs << 'EOFJS_%s'\n", toolName, toolName) + fmt.Fprintf(yaml, " cat > /opt/gh-aw/safe-inputs/%s.cjs << 'EOFJS_%s'\n", toolName, toolName) for _, line := range FormatJavaScriptForYAML(toolScript) { yaml.WriteString(line) } @@ -355,25 +356,25 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, } else if toolConfig.Run != "" { // Shell script tool toolScript := generateSafeInputShellToolScript(toolConfig) - fmt.Fprintf(yaml, " cat > /tmp/gh-aw/safe-inputs/%s.sh << 'EOFSH_%s'\n", toolName, toolName) + fmt.Fprintf(yaml, " cat > /opt/gh-aw/safe-inputs/%s.sh << 'EOFSH_%s'\n", toolName, toolName) for _, line := range strings.Split(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " EOFSH_%s\n", toolName) - fmt.Fprintf(yaml, " chmod +x /tmp/gh-aw/safe-inputs/%s.sh\n", toolName) + fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/safe-inputs/%s.sh\n", toolName) } else if toolConfig.Py != "" { // Python script tool toolScript := generateSafeInputPythonToolScript(toolConfig) - fmt.Fprintf(yaml, " cat > /tmp/gh-aw/safe-inputs/%s.py << 'EOFPY_%s'\n", toolName, toolName) + fmt.Fprintf(yaml, " cat > /opt/gh-aw/safe-inputs/%s.py << 'EOFPY_%s'\n", toolName, toolName) for _, line := range strings.Split(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } fmt.Fprintf(yaml, " EOFPY_%s\n", toolName) - fmt.Fprintf(yaml, " chmod +x /tmp/gh-aw/safe-inputs/%s.py\n", toolName) + fmt.Fprintf(yaml, " chmod +x /opt/gh-aw/safe-inputs/%s.py\n", toolName) } else if toolConfig.Go != "" { // Go script tool toolScript := generateSafeInputGoToolScript(toolConfig) - fmt.Fprintf(yaml, " cat > /tmp/gh-aw/safe-inputs/%s.go << 'EOFGO_%s'\n", toolName, toolName) + fmt.Fprintf(yaml, " cat > /opt/gh-aw/safe-inputs/%s.go << 'EOFGO_%s'\n", toolName, toolName) for _, line := range strings.Split(toolScript, "\n") { yaml.WriteString(" " + line + "\n") } @@ -431,7 +432,7 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, yaml.WriteString(" \n") // Call the bundled shell script to start the server - yaml.WriteString(" bash /tmp/gh-aw/actions/start_safe_inputs_server.sh\n") + yaml.WriteString(" bash /opt/gh-aw/actions/start_safe_inputs_server.sh\n") yaml.WriteString(" \n") } @@ -599,7 +600,7 @@ func generateMCPGatewayStepInline(yaml *strings.Builder, engine CodingAgentEngin yaml.WriteString(" \n") yaml.WriteString(" # Run gateway start script\n") - yaml.WriteString(" bash /tmp/gh-aw/actions/start_mcp_gateway.sh\n") + yaml.WriteString(" bash /opt/gh-aw/actions/start_mcp_gateway.sh\n") } // shellQuote adds shell quoting to a string if needed @@ -972,6 +973,6 @@ func (c *Compiler) generateGitHubMCPLockdownDetectionStep(yaml *strings.Builder, fmt.Fprintf(yaml, " uses: %s\n", pinnedAction) yaml.WriteString(" with:\n") yaml.WriteString(" script: |\n") - yaml.WriteString(" const determineAutomaticLockdown = require('/tmp/gh-aw/actions/determine_automatic_lockdown.cjs');\n") + yaml.WriteString(" const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs');\n") yaml.WriteString(" await determineAutomaticLockdown(github, context, core);\n") } diff --git a/pkg/workflow/missing_tool.go b/pkg/workflow/missing_tool.go index 7a05bc2029..49fc033c37 100644 --- a/pkg/workflow/missing_tool.go +++ b/pkg/workflow/missing_tool.go @@ -80,7 +80,7 @@ func (c *Compiler) buildCreateOutputMissingToolJob(data *WorkflowData, mainJobNa StepID: "missing_tool", MainJobName: mainJobName, CustomEnvVars: customEnvVars, - Script: "const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); await main();", + Script: "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();", Permissions: permissions, Outputs: outputs, Condition: jobCondition, diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go index 0d5b641d1f..340bd2059a 100644 --- a/pkg/workflow/notify_comment.go +++ b/pkg/workflow/notify_comment.go @@ -139,7 +139,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa StepID: "missing_tool", MainJobName: mainJobName, CustomEnvVars: missingToolEnvVars, - Script: "const { main } = require('/tmp/gh-aw/actions/missing_tool.cjs'); await main();", + Script: "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();", ScriptFile: "missing_tool.cjs", Token: data.SafeOutputs.MissingTool.GitHubToken, }) diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go index 12b530e54e..01451f3766 100644 --- a/pkg/workflow/pr.go +++ b/pkg/workflow/pr.go @@ -64,6 +64,6 @@ func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript for checking out the PR branch - WriteJavaScriptToYAML(yaml, "const { main } = require('/tmp/gh-aw/actions/checkout_pr_branch.cjs'); await main();") + WriteJavaScriptToYAML(yaml, "const { main } = require('/opt/gh-aw/actions/checkout_pr_branch.cjs'); await main();") } } diff --git a/pkg/workflow/pr_checkout_test.go b/pkg/workflow/pr_checkout_test.go index 378886ec2c..9117f98d4f 100644 --- a/pkg/workflow/pr_checkout_test.go +++ b/pkg/workflow/pr_checkout_test.go @@ -221,7 +221,7 @@ Test workflow with permissions but checkout should be conditional. } // Check for PR context prompt using cat command - hasPRPrompt := strings.Contains(lockStr, "cat \"/tmp/gh-aw/prompts/pr_context_prompt.md\"") + hasPRPrompt := strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") if hasPRPrompt != tt.expectPRPrompt { t.Errorf("Expected PR context prompt: %v, got: %v", tt.expectPRPrompt, hasPRPrompt) } @@ -242,7 +242,7 @@ Test workflow with permissions but checkout should be conditional. // If PR prompt is expected, verify the cat command references the correct file if tt.expectPRPrompt { - if !strings.Contains(lockStr, "cat \"/tmp/gh-aw/prompts/pr_context_prompt.md\"") { + if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\"") { t.Error("PR context prompt should reference pr_context_prompt.md file") } } diff --git a/pkg/workflow/prompt_step_helper.go b/pkg/workflow/prompt_step_helper.go index d8f79c7c78..3430b3530c 100644 --- a/pkg/workflow/prompt_step_helper.go +++ b/pkg/workflow/prompt_step_helper.go @@ -115,13 +115,13 @@ func generateStaticPromptStep(yaml *strings.Builder, description string, promptT } // generateStaticPromptStepFromFile generates a workflow step for appending a prompt file -// from /tmp/gh-aw/prompts/ to the prompt file. This is the preferred approach as it +// from /opt/gh-aw/prompts/ to the prompt file. This is the preferred approach as it // keeps prompt content in markdown files instead of embedding in the binary. // // Parameters: // - yaml: The string builder to write the YAML to // - description: The name of the workflow step (e.g., "Append XPIA security instructions to prompt") -// - promptFilename: The filename of the prompt in /tmp/gh-aw/prompts/ (e.g., "xpia_prompt.md") +// - promptFilename: The filename of the prompt in /opt/gh-aw/prompts/ (e.g., "xpia_prompt.md") // - shouldInclude: Whether to generate the step (false means skip generation entirely) func generateStaticPromptStepFromFile(yaml *strings.Builder, description string, promptFilename string, shouldInclude bool) { promptStepHelperLog.Printf("Generating static prompt step from file: description=%s, file=%s, shouldInclude=%t", description, promptFilename, shouldInclude) diff --git a/pkg/workflow/prompt_step_test.go b/pkg/workflow/prompt_step_test.go index db5333e9b7..fcac883caa 100644 --- a/pkg/workflow/prompt_step_test.go +++ b/pkg/workflow/prompt_step_test.go @@ -134,7 +134,7 @@ func TestPromptStepRefactoringConsistency(t *testing.T) { t.Error("Expected GH_AW_PROMPT env variable not found") } // After refactoring, we use cat command to read the file - if !strings.Contains(result, `cat "/tmp/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"`) { + if !strings.Contains(result, `cat "/opt/gh-aw/prompts/temp_folder_prompt.md" >> "$GH_AW_PROMPT"`) { t.Error("Expected cat command for temp folder prompt file not found") } }) diff --git a/pkg/workflow/prompts_test.go b/pkg/workflow/prompts_test.go index 13e230a6ba..052b04fc74 100644 --- a/pkg/workflow/prompts_test.go +++ b/pkg/workflow/prompts_test.go @@ -295,7 +295,7 @@ This is a test workflow with playwright enabled. } // Test 2: Verify the cat command for playwright prompt file is included - if !strings.Contains(lockStr, "cat \"/tmp/gh-aw/prompts/playwright_prompt.md\" >> \"$GH_AW_PROMPT\"") { + if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/playwright_prompt.md\" >> \"$GH_AW_PROMPT\"") { t.Error("Expected cat command for playwright prompt file in generated workflow") } @@ -469,7 +469,7 @@ This is a test workflow with issue_comment trigger. } // Test 2: Verify the cat command for PR context prompt file is included - if !strings.Contains(lockStr, "cat \"/tmp/gh-aw/prompts/pr_context_prompt.md\" >> \"$GH_AW_PROMPT\"") { + if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/pr_context_prompt.md\" >> \"$GH_AW_PROMPT\"") { t.Error("Expected cat command for PR context prompt file in generated workflow") } diff --git a/pkg/workflow/publish_assets.go b/pkg/workflow/publish_assets.go index 62d7e376bc..ade7be048d 100644 --- a/pkg/workflow/publish_assets.go +++ b/pkg/workflow/publish_assets.go @@ -115,14 +115,14 @@ func (c *Compiler) buildUploadAssetsJob(data *WorkflowData, mainJobName string, preSteps = append(preSteps, fmt.Sprintf(" uses: %s\n", GetActionPin("actions/download-artifact"))) preSteps = append(preSteps, " with:\n") preSteps = append(preSteps, " name: safe-outputs-assets\n") - preSteps = append(preSteps, " path: /tmp/gh-aw/safeoutputs/assets/\n") + preSteps = append(preSteps, " path: /opt/gh-aw/safeoutputs/assets/\n") // Step 4: List files preSteps = append(preSteps, " - name: List downloaded asset files\n") preSteps = append(preSteps, " continue-on-error: true\n") // Continue if no assets were uploaded preSteps = append(preSteps, " run: |\n") preSteps = append(preSteps, " echo \"Downloaded asset files:\"\n") - preSteps = append(preSteps, " find /tmp/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls\n") + preSteps = append(preSteps, " find /opt/gh-aw/safeoutputs/assets/ -maxdepth 1 -ls\n") // Build custom environment variables specific to upload-assets var customEnvVars []string @@ -182,7 +182,7 @@ func generateSafeOutputsAssetsArtifactUpload(builder *strings.Builder, data *Wor fmt.Fprintf(builder, " uses: %s\n", GetActionPin("actions/upload-artifact")) builder.WriteString(" with:\n") builder.WriteString(" name: safe-outputs-assets\n") - builder.WriteString(" path: /tmp/gh-aw/safeoutputs/assets/\n") + builder.WriteString(" path: /opt/gh-aw/safeoutputs/assets/\n") builder.WriteString(" retention-days: 1\n") builder.WriteString(" if-no-files-found: ignore\n") } diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go index 481245e2cb..029ff23d82 100644 --- a/pkg/workflow/redact_secrets.go +++ b/pkg/workflow/redact_secrets.go @@ -74,7 +74,7 @@ func (c *Compiler) generateSecretRedactionStep(yaml *strings.Builder, yamlConten // Use setupGlobals helper to attach GitHub Actions builtin objects to global scope yaml.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/redact_secrets.cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/redact_secrets.cjs');\n") yaml.WriteString(" await main();\n") // Add environment variables diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index f5a46a843a..2e7efa4edb 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go @@ -535,7 +535,7 @@ func generateRepoMemorySteps(builder *strings.Builder, data *WorkflowData) { fmt.Fprintf(builder, " TARGET_REPO: %s\n", targetRepo) fmt.Fprintf(builder, " MEMORY_DIR: %s\n", memoryDir) fmt.Fprintf(builder, " CREATE_ORPHAN: %t\n", memory.CreateOrphan) - builder.WriteString(" run: bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh\n") + builder.WriteString(" run: bash /opt/gh-aw/actions/clone_repo_memory_branch.sh\n") } } @@ -643,7 +643,7 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna step.WriteString(" const { setupGlobals } = require('" + SetupActionDestination + "/setup_globals.cjs');\n") step.WriteString(" setupGlobals(core, github, context, exec, io);\n") // Add the JavaScript script with proper indentation - formattedScript := FormatJavaScriptForYAML("const { main } = require('/tmp/gh-aw/actions/push_repo_memory.cjs'); await main();") + formattedScript := FormatJavaScriptForYAML("const { main } = require('/opt/gh-aw/actions/push_repo_memory.cjs'); await main();") for _, line := range formattedScript { step.WriteString(line) } diff --git a/pkg/workflow/repo_memory_integration_test.go b/pkg/workflow/repo_memory_integration_test.go index 5bd5849398..a0964cdf75 100644 --- a/pkg/workflow/repo_memory_integration_test.go +++ b/pkg/workflow/repo_memory_integration_test.go @@ -239,7 +239,7 @@ This workflow has file validation. } // Check that push_repo_memory.cjs is being required (not inlined) - if !strings.Contains(lockFile, "require('/tmp/gh-aw/actions/push_repo_memory.cjs')") { + if !strings.Contains(lockFile, "require('/opt/gh-aw/actions/push_repo_memory.cjs')") { t.Error("Expected push_repo_memory script to be loaded via require") } diff --git a/pkg/workflow/repo_memory_test.go b/pkg/workflow/repo_memory_test.go index 61aefdc648..073b90fe7c 100644 --- a/pkg/workflow/repo_memory_test.go +++ b/pkg/workflow/repo_memory_test.go @@ -220,7 +220,7 @@ func TestRepoMemoryStepsGeneration(t *testing.T) { } // Check for script call - if !strings.Contains(output, "bash /tmp/gh-aw/actions/clone_repo_memory_branch.sh") { + if !strings.Contains(output, "bash /opt/gh-aw/actions/clone_repo_memory_branch.sh") { t.Error("Expected clone_repo_memory_branch.sh script call") } diff --git a/pkg/workflow/safe_inputs_generator.go b/pkg/workflow/safe_inputs_generator.go index cf89879ecd..35b6849cf6 100644 --- a/pkg/workflow/safe_inputs_generator.go +++ b/pkg/workflow/safe_inputs_generator.go @@ -161,7 +161,7 @@ const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: false, - logDir: "/tmp/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/safe-inputs/logs" }).catch(error => { console.error("Failed to start safe-inputs HTTP server:", error); process.exit(1); diff --git a/pkg/workflow/safe_inputs_generator_test.go b/pkg/workflow/safe_inputs_generator_test.go index 7956f71da5..857eeccc75 100644 --- a/pkg/workflow/safe_inputs_generator_test.go +++ b/pkg/workflow/safe_inputs_generator_test.go @@ -75,7 +75,7 @@ func TestGenerateSafeInputsMCPServerScript(t *testing.T) { t.Error("Script should reference tools.json configuration file") } - if !strings.Contains(script, "/tmp/gh-aw/safe-inputs/logs") { + if !strings.Contains(script, "/opt/gh-aw/safe-inputs/logs") { t.Error("Script should specify log directory") } diff --git a/pkg/workflow/safe_inputs_http_codex_test.go b/pkg/workflow/safe_inputs_http_codex_test.go index 676c219aaf..7e97e7549d 100644 --- a/pkg/workflow/safe_inputs_http_codex_test.go +++ b/pkg/workflow/safe_inputs_http_codex_test.go @@ -86,7 +86,7 @@ Test safe-inputs HTTP transport for Codex t.Error("Codex config should not use stdio transport (command = 'node'), should use HTTP") } - if strings.Contains(codexConfigSection, `args = [`) && strings.Contains(codexConfigSection, `/tmp/gh-aw/safe-inputs/mcp-server.cjs`) { + if strings.Contains(codexConfigSection, `args = [`) && strings.Contains(codexConfigSection, `/opt/gh-aw/safe-inputs/mcp-server.cjs`) { t.Error("Codex config should not use stdio transport with mcp-server.cjs args, should use HTTP") } diff --git a/pkg/workflow/safe_inputs_mode_test.go b/pkg/workflow/safe_inputs_mode_test.go index 63e83c78ca..2707108a6a 100644 --- a/pkg/workflow/safe_inputs_mode_test.go +++ b/pkg/workflow/safe_inputs_mode_test.go @@ -113,7 +113,7 @@ Test safe-inputs HTTP mode // extractMCPServerEntryPoint extracts the mcp-server.cjs entry point script from the YAML func extractMCPServerEntryPoint(yamlStr string) string { // Find the mcp-server.cjs section - start := strings.Index(yamlStr, "cat > /tmp/gh-aw/safe-inputs/mcp-server.cjs") + start := strings.Index(yamlStr, "cat > /opt/gh-aw/safe-inputs/mcp-server.cjs") if start == -1 { return "" } diff --git a/pkg/workflow/safe_inputs_parser.go b/pkg/workflow/safe_inputs_parser.go index 4334d8e6f4..5cb766f76a 100644 --- a/pkg/workflow/safe_inputs_parser.go +++ b/pkg/workflow/safe_inputs_parser.go @@ -52,7 +52,7 @@ const ( ) // SafeInputsDirectory is the directory where safe-inputs files are generated -const SafeInputsDirectory = "/tmp/gh-aw/safe-inputs" +const SafeInputsDirectory = "/opt/gh-aw/safe-inputs" // HasSafeInputs checks if safe-inputs are configured func HasSafeInputs(safeInputs *SafeInputsConfig) bool { diff --git a/pkg/workflow/safe_jobs.go b/pkg/workflow/safe_jobs.go index f5b95774a3..3f08da3e75 100644 --- a/pkg/workflow/safe_jobs.go +++ b/pkg/workflow/safe_jobs.go @@ -228,19 +228,19 @@ func (c *Compiler) buildSafeJobs(data *WorkflowData, threatDetectionEnabled bool // Add step to download agent output artifact using shared helper downloadSteps := buildArtifactDownloadSteps(ArtifactDownloadConfig{ ArtifactName: constants.AgentOutputArtifactName, - DownloadPath: "/tmp/gh-aw/safe-jobs/", + DownloadPath: "/opt/gh-aw/safe-jobs/", SetupEnvStep: false, // We'll handle env vars separately to add job-specific ones StepName: "Download agent output artifact", }) steps = append(steps, downloadSteps...) // the download artifacts always creates a folder, then unpacks in that folder - agentOutputArtifactFilename := fmt.Sprintf("/tmp/gh-aw/safe-jobs/%s", constants.AgentOutputArtifactName) + agentOutputArtifactFilename := fmt.Sprintf("/opt/gh-aw/safe-jobs/%s", constants.AgentOutputArtifactName) // Add environment variables step with GH_AW_AGENT_OUTPUT and job-specific env vars steps = append(steps, " - name: Setup Safe Job Environment Variables\n") steps = append(steps, " run: |\n") - steps = append(steps, " find \"/tmp/gh-aw/safe-jobs/\" -type f -print\n") + steps = append(steps, " find \"/opt/gh-aw/safe-jobs/\" -type f -print\n") // Configure GH_AW_AGENT_OUTPUT to point to downloaded artifact file steps = append(steps, fmt.Sprintf(" echo \"GH_AW_AGENT_OUTPUT=%s\" >> \"$GITHUB_ENV\"\n", agentOutputArtifactFilename)) diff --git a/pkg/workflow/safe_outputs_mcp_integration_test.go b/pkg/workflow/safe_outputs_mcp_integration_test.go index 3f38a10f87..210903ece4 100644 --- a/pkg/workflow/safe_outputs_mcp_integration_test.go +++ b/pkg/workflow/safe_outputs_mcp_integration_test.go @@ -53,7 +53,7 @@ Test safe outputs workflow with MCP server integration. // So we don't check for cat command anymore, we just check the MCP config references it // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /tmp/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } @@ -64,7 +64,7 @@ Test safe outputs workflow with MCP server integration. // Check that the MCP server is configured with correct command if !strings.Contains(yamlStr, `"command": "node"`) || - !strings.Contains(yamlStr, `"/tmp/gh-aw/safeoutputs/mcp-server.cjs"`) { + !strings.Contains(yamlStr, `"/opt/gh-aw/safeoutputs/mcp-server.cjs"`) { t.Error("Expected safeoutputs MCP server to be configured with node command") } @@ -74,7 +74,7 @@ Test safe outputs workflow with MCP server integration. } // Check that config file is created - if !strings.Contains(yamlStr, "cat > /tmp/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { t.Error("Expected config file to be created") } @@ -119,7 +119,7 @@ Test workflow without safe outputs. // The check is now redundant since we removed the cat command entirely // Check that safe-outputs configuration file is NOT written - if strings.Contains(yamlStr, "cat > /tmp/gh-aw/safeoutputs/config.json") { + if strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to NOT be written when safe-outputs are disabled") } @@ -172,7 +172,7 @@ Test safe outputs workflow with Codex engine. // So we don't check for cat command anymore // Check that safe-outputs configuration file is written - if !strings.Contains(yamlStr, "cat > /tmp/gh-aw/safeoutputs/config.json") { + if !strings.Contains(yamlStr, "cat > /opt/gh-aw/safeoutputs/config.json") { t.Error("Expected safe-outputs configuration to be written to config.json file") } diff --git a/pkg/workflow/secret_validation_test.go b/pkg/workflow/secret_validation_test.go index 6b2c76a7e5..794a952302 100644 --- a/pkg/workflow/secret_validation_test.go +++ b/pkg/workflow/secret_validation_test.go @@ -78,7 +78,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { docsURL: "https://githubnext.github.io/gh-aw/reference/engines/#openai-codex", wantStrings: []string{ "Validate CODEX_API_KEY or OPENAI_API_KEY secret", - "run: /tmp/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex", + "run: /opt/gh-aw/actions/validate_multi_secret.sh CODEX_API_KEY OPENAI_API_KEY Codex https://githubnext.github.io/gh-aw/reference/engines/#openai-codex", "CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }}", "OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}", }, @@ -97,7 +97,7 @@ func TestGenerateMultiSecretValidationStep(t *testing.T) { } // Verify it calls the validate_multi_secret.sh script - if !strings.Contains(stepContent, "/tmp/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(stepContent, "/opt/gh-aw/actions/validate_multi_secret.sh") { t.Error("Expected step to call validate_multi_secret.sh script") } @@ -182,7 +182,7 @@ func TestCodexEngineHasSecretValidation(t *testing.T) { } // Should call the validate_multi_secret.sh script with both secret names - if !strings.Contains(firstStep, "/tmp/gh-aw/actions/validate_multi_secret.sh") { + if !strings.Contains(firstStep, "/opt/gh-aw/actions/validate_multi_secret.sh") { t.Error("Should call validate_multi_secret.sh script") } if !strings.Contains(firstStep, "CODEX_API_KEY OPENAI_API_KEY") { diff --git a/pkg/workflow/sh.go b/pkg/workflow/sh.go index 7a0e738c5c..fc59e7581e 100644 --- a/pkg/workflow/sh.go +++ b/pkg/workflow/sh.go @@ -12,7 +12,7 @@ var shLog = logger.New("workflow:sh") // Prompt file paths at runtime (copied by setup action) const ( - promptsDir = "/tmp/gh-aw/prompts" + promptsDir = "/opt/gh-aw/prompts" prContextPromptFile = "pr_context_prompt.md" xpiaPromptFile = "xpia_prompt.md" tempFolderPromptFile = "temp_folder_prompt.md" @@ -26,7 +26,7 @@ const ( //go:embed prompts/github_context_prompt.md var githubContextPromptText string -// WritePromptFileToYAML writes a shell command to cat a prompt file from /tmp/gh-aw/prompts/ +// WritePromptFileToYAML writes a shell command to cat a prompt file from /opt/gh-aw/prompts/ // This replaces the previous approach of embedding prompt text in the binary. func WritePromptFileToYAML(yaml *strings.Builder, filename string, indent string) { shLog.Printf("Writing prompt file reference to YAML: file=%s", filename) diff --git a/pkg/workflow/step_summary_test.go b/pkg/workflow/step_summary_test.go index 7458019add..a8665d6bcf 100644 --- a/pkg/workflow/step_summary_test.go +++ b/pkg/workflow/step_summary_test.go @@ -252,7 +252,7 @@ This workflow tests the workflow overview for Claude engine. } // Verify workflow overview uses require to call the .cjs file - if !strings.Contains(lockContent, "const { generateWorkflowOverview } = require('/tmp/gh-aw/actions/generate_workflow_overview.cjs');") { + if !strings.Contains(lockContent, "const { generateWorkflowOverview } = require('/opt/gh-aw/actions/generate_workflow_overview.cjs');") { t.Error("Expected workflow overview step to use require to invoke generate_workflow_overview.cjs") } if !strings.Contains(lockContent, "await generateWorkflowOverview(core);") { diff --git a/pkg/workflow/temp_folder_test.go b/pkg/workflow/temp_folder_test.go index aed423bda4..99d33a1ec1 100644 --- a/pkg/workflow/temp_folder_test.go +++ b/pkg/workflow/temp_folder_test.go @@ -52,7 +52,7 @@ This is a test workflow to verify temp folder instructions are included. } // Test 2: Verify the cat command for temp folder prompt file is included - if !strings.Contains(lockStr, "cat \"/tmp/gh-aw/prompts/temp_folder_prompt.md\" >> \"$GH_AW_PROMPT\"") { + if !strings.Contains(lockStr, "cat \"/opt/gh-aw/prompts/temp_folder_prompt.md\" >> \"$GH_AW_PROMPT\"") { t.Error("Expected cat command for temp folder prompt file in generated workflow") } diff --git a/pkg/workflow/template.go b/pkg/workflow/template.go index 6fe780d460..e7e01d26a8 100644 --- a/pkg/workflow/template.go +++ b/pkg/workflow/template.go @@ -118,8 +118,8 @@ func (c *Compiler) generateInterpolationAndTemplateStep(yaml *strings.Builder, e // Load interpolate_prompt script from external file // Use setup_globals helper to store GitHub Actions objects in global scope - yaml.WriteString(" const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs');\n") + yaml.WriteString(" const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');\n") yaml.WriteString(" setupGlobals(core, github, context, exec, io);\n") - yaml.WriteString(" const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs');\n") + yaml.WriteString(" const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs');\n") yaml.WriteString(" await main();\n") } diff --git a/pkg/workflow/template_rendering_test.go b/pkg/workflow/template_rendering_test.go index 5316b64576..e3657193cb 100644 --- a/pkg/workflow/template_rendering_test.go +++ b/pkg/workflow/template_rendering_test.go @@ -97,7 +97,7 @@ Normal content here. } // Verify the setupGlobals helper is used - if !strings.Contains(compiledStr, "const { setupGlobals } = require('/tmp/gh-aw/actions/setup_globals.cjs')") { + if !strings.Contains(compiledStr, "const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs')") { t.Error("Template rendering step should use setupGlobals helper") } @@ -106,7 +106,7 @@ Normal content here. } // Verify the interpolate_prompt script is loaded via require - if !strings.Contains(compiledStr, "const { main } = require('/tmp/gh-aw/actions/interpolate_prompt.cjs')") { + if !strings.Contains(compiledStr, "const { main } = require('/opt/gh-aw/actions/interpolate_prompt.cjs')") { t.Error("Template rendering step should require interpolate_prompt.cjs") } diff --git a/pkg/workflow/xpia_test.go b/pkg/workflow/xpia_test.go index 7a91f8f659..14f76ac2d6 100644 --- a/pkg/workflow/xpia_test.go +++ b/pkg/workflow/xpia_test.go @@ -82,7 +82,7 @@ func TestXPIAPromptInWorkflow(t *testing.T) { } // Check that the cat command to the XPIA prompt file is included - if !strings.Contains(output, "cat \"/tmp/gh-aw/prompts/xpia_prompt.md\" >> \"$GH_AW_PROMPT\"") { + if !strings.Contains(output, "cat \"/opt/gh-aw/prompts/xpia_prompt.md\" >> \"$GH_AW_PROMPT\"") { t.Error("Expected cat command for XPIA prompt file") } } diff --git a/specs/artifacts.md b/specs/artifacts.md index b04ceff524..200d18e35d 100644 --- a/specs/artifacts.md +++ b/specs/artifacts.md @@ -51,7 +51,7 @@ This section provides an overview of artifacts organized by job name, with dupli - **Paths**: `${{ env.GH_AW_SAFE_OUTPUTS }}` - **Used in**: 73 workflow(s) - agent-performance-analyzer.md, ai-moderator.md, archie.md, artifacts-summary.md, blog-auditor.md, brave.md, breaking-change-checker.md, campaign-generator.md, changeset.md, ci-coach.md, ci-doctor.md, cli-consistency-checker.md, cloclo.md, commit-changes-analyzer.md, copilot-pr-merged-report.md, copilot-pr-nlp-analysis.md, craft.md, daily-choice-test.md, daily-copilot-token-report.md, daily-fact.md, daily-file-diet.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, dependabot-go-checker.md, dev-hawk.md, dev.md, dictation-prompt.md, example-workflow-analyzer.md, github-mcp-structural-analysis.md, github-mcp-tools-report.md, glossary-maintainer.md, go-fan.md, go-pattern-detector.md, grumpy-reviewer.md, hourly-ci-cleaner.md, issue-classifier.md, issue-template-optimizer.md, issue-triage-agent.md, layout-spec-maintainer.md, mcp-inspector.md, mergefest.md, notion-issue-summary.md, org-health-report.md, pdf-summary.md, plan.md, playground-org-project-update-issue.md, playground-snapshots-refresh.md, poem-bot.md, portfolio-analyst.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, release.md, repo-tree-map.md, repository-quality-improver.md, research.md, scout.md, security-compliance.md, slide-deck-maintainer.md, smoke-copilot-playwright.md, smoke-detector.md, smoke-srt.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, tidy.md, typist.md, video-analyzer.md, weekly-issue-summary.md, workflow-generator.md, workflow-health-manager.md - `safe-outputs-assets` - - **Paths**: `/tmp/gh-aw/safeoutputs/assets/` + - **Paths**: `/opt/gh-aw/safeoutputs/assets/` - **Used in**: 14 workflow(s) - copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, github-mcp-structural-analysis.md, org-health-report.md, poem-bot.md, portfolio-analyst.md, python-data-charts.md, stale-repo-identifier.md, technical-doc-writer.md, weekly-issue-summary.md - `trending-charts` - **Paths**: `/tmp/gh-aw/python/charts/*.png` @@ -71,7 +71,7 @@ This section provides an overview of artifacts organized by job name, with dupli **Artifacts Downloaded:** - `agent-output` - - **Download paths**: `/tmp/gh-aw/safeoutputs/` + - **Download paths**: `/opt/gh-aw/safeoutputs/` - **Used in**: 73 workflow(s) - agent-performance-analyzer.md, ai-moderator.md, archie.md, artifacts-summary.md, blog-auditor.md, brave.md, breaking-change-checker.md, campaign-generator.md, changeset.md, ci-coach.md, ci-doctor.md, cli-consistency-checker.md, cloclo.md, commit-changes-analyzer.md, copilot-pr-merged-report.md, copilot-pr-nlp-analysis.md, craft.md, daily-choice-test.md, daily-copilot-token-report.md, daily-fact.md, daily-file-diet.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, dependabot-go-checker.md, dev-hawk.md, dev.md, dictation-prompt.md, example-workflow-analyzer.md, github-mcp-structural-analysis.md, github-mcp-tools-report.md, glossary-maintainer.md, go-fan.md, go-pattern-detector.md, grumpy-reviewer.md, hourly-ci-cleaner.md, issue-classifier.md, issue-template-optimizer.md, issue-triage-agent.md, layout-spec-maintainer.md, mcp-inspector.md, mergefest.md, notion-issue-summary.md, org-health-report.md, pdf-summary.md, plan.md, playground-org-project-update-issue.md, playground-snapshots-refresh.md, poem-bot.md, portfolio-analyst.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, release.md, repo-tree-map.md, repository-quality-improver.md, research.md, scout.md, security-compliance.md, slide-deck-maintainer.md, smoke-copilot-playwright.md, smoke-detector.md, smoke-srt.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, tidy.md, typist.md, video-analyzer.md, weekly-issue-summary.md, workflow-generator.md, workflow-health-manager.md ### Job: `detection` @@ -91,5519 +91,24 @@ This section provides an overview of artifacts organized by job name, with dupli - **Download paths**: `/tmp/gh-aw/threat-detection/` - **Used in**: 72 workflow(s) - agent-performance-analyzer.md, archie.md, artifacts-summary.md, blog-auditor.md, brave.md, breaking-change-checker.md, campaign-generator.md, changeset.md, ci-coach.md, ci-doctor.md, cli-consistency-checker.md, cloclo.md, commit-changes-analyzer.md, copilot-pr-merged-report.md, copilot-pr-nlp-analysis.md, craft.md, daily-choice-test.md, daily-copilot-token-report.md, daily-fact.md, daily-file-diet.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, dependabot-go-checker.md, dev-hawk.md, dev.md, dictation-prompt.md, example-workflow-analyzer.md, github-mcp-structural-analysis.md, github-mcp-tools-report.md, glossary-maintainer.md, go-fan.md, go-pattern-detector.md, grumpy-reviewer.md, hourly-ci-cleaner.md, issue-classifier.md, issue-template-optimizer.md, issue-triage-agent.md, layout-spec-maintainer.md, mcp-inspector.md, mergefest.md, notion-issue-summary.md, org-health-report.md, pdf-summary.md, plan.md, playground-org-project-update-issue.md, playground-snapshots-refresh.md, poem-bot.md, portfolio-analyst.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, release.md, repo-tree-map.md, repository-quality-improver.md, research.md, scout.md, security-compliance.md, slide-deck-maintainer.md, smoke-copilot-playwright.md, smoke-detector.md, smoke-srt.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, tidy.md, typist.md, video-analyzer.md, weekly-issue-summary.md, workflow-generator.md, workflow-health-manager.md -### Job: `generate-sbom` - -**Artifacts Uploaded:** - -- `sbom-artifacts` - - **Paths**: `sbom.cdx.json`, `sbom.spdx.json` - - **Used in**: 1 workflow(s) - release.md - -### Job: `notion_add_comment` - -**Artifacts Downloaded:** - -- `agent-output` - - **Download paths**: `/tmp/gh-aw/safe-jobs/` - - **Used in**: 2 workflow(s) - mcp-inspector.md, notion-issue-summary.md - -### Job: `post_to_slack_channel` - -**Artifacts Downloaded:** - -- `agent-output` - - **Download paths**: `/tmp/gh-aw/safe-jobs/` - - **Used in**: 1 workflow(s) - mcp-inspector.md - -### Job: `push_repo_memory` - -**Artifacts Downloaded:** - -- `repo-memory-default` - - **Download paths**: `/tmp/gh-aw/repo-memory/default` - - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md - -### Job: `safe_outputs` +### Job: `post-conclusion` **Artifacts Downloaded:** - `agent-artifacts` - **Download paths**: `/tmp/gh-aw/` - - **Used in**: 17 workflow(s) - changeset.md, ci-coach.md, cloclo.md, craft.md, dictation-prompt.md, github-mcp-tools-report.md, glossary-maintainer.md, hourly-ci-cleaner.md, issue-template-optimizer.md, layout-spec-maintainer.md, mergefest.md, playground-snapshots-refresh.md, poem-bot.md, q.md, slide-deck-maintainer.md, technical-doc-writer.md, tidy.md + - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md - `agent-output` - - **Download paths**: `/tmp/gh-aw/safeoutputs/` - - **Used in**: 70 workflow(s) - agent-performance-analyzer.md, ai-moderator.md, archie.md, artifacts-summary.md, blog-auditor.md, brave.md, breaking-change-checker.md, campaign-generator.md, changeset.md, ci-coach.md, ci-doctor.md, cli-consistency-checker.md, cloclo.md, commit-changes-analyzer.md, copilot-pr-merged-report.md, copilot-pr-nlp-analysis.md, craft.md, daily-copilot-token-report.md, daily-fact.md, daily-file-diet.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, dependabot-go-checker.md, dev-hawk.md, dev.md, dictation-prompt.md, example-workflow-analyzer.md, github-mcp-structural-analysis.md, github-mcp-tools-report.md, glossary-maintainer.md, go-fan.md, go-pattern-detector.md, grumpy-reviewer.md, hourly-ci-cleaner.md, issue-classifier.md, issue-template-optimizer.md, issue-triage-agent.md, layout-spec-maintainer.md, mcp-inspector.md, mergefest.md, org-health-report.md, pdf-summary.md, plan.md, playground-org-project-update-issue.md, playground-snapshots-refresh.md, poem-bot.md, portfolio-analyst.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, release.md, repo-tree-map.md, repository-quality-improver.md, research.md, scout.md, security-compliance.md, slide-deck-maintainer.md, smoke-copilot-playwright.md, smoke-detector.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, tidy.md, typist.md, video-analyzer.md, weekly-issue-summary.md, workflow-generator.md, workflow-health-manager.md + - **Download paths**: `/tmp/gh-aw/` + - **Used in**: 1 workflow(s) - github-mcp-structural-analysis.md +- `safe-output` + - **Download paths**: `/tmp/gh-aw/` + - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md -### Job: `super_linter` +### Job: `super-linter` **Artifacts Uploaded:** - `super-linter-log` - - **Paths**: `super-linter.log` + - **Paths**: `/tmp/super-linter.log` - **Used in**: 1 workflow(s) - super-linter.md - -### Job: `test_environment` - -**Artifacts Downloaded:** - -- `agent-output` - - **Download paths**: `/tmp/gh-aw/safe-jobs/` - - **Used in**: 1 workflow(s) - daily-choice-test.md - -### Job: `update_cache_memory` - -**Artifacts Downloaded:** - -- `cache-memory` - - **Download paths**: `/tmp/gh-aw/cache-memory` - - **Used in**: 31 workflow(s) - ci-coach.md, ci-doctor.md, cloclo.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, github-mcp-structural-analysis.md, github-mcp-tools-report.md, glossary-maintainer.md, go-fan.md, grumpy-reviewer.md, issue-template-optimizer.md, mcp-inspector.md, org-health-report.md, pdf-summary.md, poem-bot.md, portfolio-analyst.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, scout.md, slide-deck-maintainer.md, smoke-copilot-playwright.md, smoke-detector.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, weekly-issue-summary.md -- `cache-memory-focus-areas` - - **Download paths**: `/tmp/gh-aw/cache-memory-focus-areas` - - **Used in**: 1 workflow(s) - repository-quality-improver.md - -### Job: `upload_assets` - -**Artifacts Downloaded:** - -- `agent-output` - - **Download paths**: `/tmp/gh-aw/safeoutputs/` - - **Used in**: 14 workflow(s) - copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, github-mcp-structural-analysis.md, org-health-report.md, poem-bot.md, portfolio-analyst.md, python-data-charts.md, stale-repo-identifier.md, technical-doc-writer.md, weekly-issue-summary.md -- `safe-outputs-assets` - - **Download paths**: `/tmp/gh-aw/safeoutputs/assets/` - - **Used in**: 14 workflow(s) - copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, deep-report.md, github-mcp-structural-analysis.md, org-health-report.md, poem-bot.md, portfolio-analyst.md, python-data-charts.md, stale-repo-identifier.md, technical-doc-writer.md, weekly-issue-summary.md - -## Workflows - -### agent-performance-analyzer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### ai-moderator.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent safe_outputs] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent] - -### archie.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### artifacts-summary.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### blog-auditor.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### brave.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### breaking-change-checker.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### campaign-generator.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### changeset.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/mcp-config/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### ci-coach.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### ci-doctor.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### cli-consistency-checker.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### cloclo.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### commit-changes-analyzer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### copilot-pr-merged-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/safe-inputs/logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### copilot-pr-nlp-analysis.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### craft.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### daily-choice-test.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection test_environment] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `test_environment` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safe-jobs/` - - **Depends on jobs**: [agent detection] - -### daily-copilot-token-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### daily-fact.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/mcp-config/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### daily-file-diet.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### daily-issues-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/mcp-config/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### daily-news.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### daily-repo-chronicle.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### deep-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/mcp-config/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### dependabot-go-checker.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### dev-hawk.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### dev.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### dictation-prompt.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### example-custom-error-patterns.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -### example-permissions-warning.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -### example-workflow-analyzer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### firewall.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -### github-mcp-structural-analysis.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### github-mcp-tools-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### glossary-maintainer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### go-fan.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### go-pattern-detector.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### grumpy-reviewer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### hourly-ci-cleaner.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### issue-classifier.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### issue-template-optimizer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### issue-triage-agent.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### layout-spec-maintainer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### mcp-inspector.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection notion_add_comment post_to_slack_channel safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `notion_add_comment` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safe-jobs/` - - **Depends on jobs**: [agent detection] - -#### Job: `post_to_slack_channel` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safe-jobs/` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### mergefest.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### metrics-collector.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent] - -### notion-issue-summary.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection notion_add_comment] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `notion_add_comment` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safe-jobs/` - - **Depends on jobs**: [agent detection] - -### org-health-report.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### pdf-summary.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### plan.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### playground-org-project-update-issue.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### playground-snapshots-refresh.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### poem-bot.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### portfolio-analyst.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `trending-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `trending-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### pr-nitpick-reviewer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### python-data-charts.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### q.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### release.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `generate-sbom` - -**Uploads:** - -- **Artifact**: `sbom-artifacts` - - **Upload paths**: - - `sbom.spdx.json` - - `sbom.cdx.json` - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### repo-tree-map.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### repository-quality-improver.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory-focus-areas` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory-focus-areas` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory-focus-areas` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory-focus-areas` - - **Depends on jobs**: [agent detection] - -### research.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### scout.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### security-compliance.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### slide-deck-maintainer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### smoke-copilot-playwright.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `playwright-debug-logs-${{ github.run_id }}` - - **Upload paths**: - - `/tmp/gh-aw/playwright-debug-logs/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/safe-inputs/logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### smoke-detector.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### smoke-srt-custom-config.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/agent-stdio.log` - -### smoke-srt.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -### stale-repo-identifier.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `trending-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `trending-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### super-linter.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -**Downloads:** - -- **Artifact**: `super-linter-log` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation super_linter] - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `super_linter` - -**Uploads:** - -- **Artifact**: `super-linter-log` - - **Upload paths**: - - `super-linter.log` - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -### technical-doc-writer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### tidy.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - - `/tmp/gh-aw/aw.patch` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection] - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/` - - **Depends on jobs**: [activation agent detection] - -### typist.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### video-analyzer.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### weekly-issue-summary.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `data-charts` - - **Upload paths**: - - `/tmp/gh-aw/python/charts/*.png` - -- **Artifact**: `python-source-and-data` - - **Upload paths**: - - `/tmp/gh-aw/python/*.py` - - `/tmp/gh-aw/python/data/*` - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `cache-memory` - - **Upload paths**: - - `/tmp/gh-aw/cache-memory` - -- **Artifact**: `safe-outputs-assets` - - **Upload paths**: - - `/tmp/gh-aw/safeoutputs/assets/` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory upload_assets] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -#### Job: `update_cache_memory` - -**Downloads:** - -- **Artifact**: `cache-memory` (by name) - - **Download path**: `/tmp/gh-aw/cache-memory` - - **Depends on jobs**: [agent detection] - -#### Job: `upload_assets` - -**Downloads:** - -- **Artifact**: `safe-outputs-assets` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/assets/` - - **Depends on jobs**: [agent detection] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### workflow-generator.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -### workflow-health-manager.md - -#### Job: `agent` - -**Uploads:** - -- **Artifact**: `safe-output` - - **Upload paths**: - - `${{ env.GH_AW_SAFE_OUTPUTS }}` - -- **Artifact**: `agent-output` - - **Upload paths**: - - `${{ env.GH_AW_AGENT_OUTPUT }}` - -- **Artifact**: `agent_outputs` - - **Upload paths**: - - `/tmp/gh-aw/sandbox/agent/logs/` - - `/tmp/gh-aw/redacted-urls.log` - -- **Artifact**: `repo-memory-default` - - **Upload paths**: - - `/tmp/gh-aw/repo-memory/default` - -- **Artifact**: `agent-artifacts` - - **Upload paths**: - - `/tmp/gh-aw/aw-prompts/prompt.txt` - - `/tmp/gh-aw/aw_info.json` - - `/tmp/gh-aw/mcp-logs/` - - `/tmp/gh-aw/sandbox/firewall/logs/` - - `/tmp/gh-aw/agent-stdio.log` - -#### Job: `conclusion` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs] - -#### Job: `detection` - -**Uploads:** - -- **Artifact**: `threat-detection.log` - - **Upload paths**: - - `/tmp/gh-aw/threat-detection/detection.log` - -**Downloads:** - -- **Artifact**: `agent-artifacts` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/threat-detection/` - - **Depends on jobs**: [agent] - -#### Job: `push_repo_memory` - -**Downloads:** - -- **Artifact**: `repo-memory-default` (by name) - - **Download path**: `/tmp/gh-aw/repo-memory/default` - - **Depends on jobs**: [agent detection] - -#### Job: `safe_outputs` - -**Downloads:** - -- **Artifact**: `agent-output` (by name) - - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [agent detection] - -## Usage Examples - -### JavaScript (actions/github-script) - -```javascript -// Reading a file from a downloaded artifact -const fs = require('fs'); -const path = require('path'); - -// If artifact 'build-output' was downloaded to '/tmp/artifacts' -// and contains 'dist/app.js' (after common parent stripping) -const filePath = path.join('/tmp/artifacts', 'dist', 'app.js'); -const content = fs.readFileSync(filePath, 'utf8'); -``` - -### Go - -```go -// Reading a file from a downloaded artifact -import ( - "os" - "path/filepath" -) - -// If artifact 'build-output' was downloaded to '/tmp/artifacts' -// and contains 'dist/app.js' (after common parent stripping) -filePath := filepath.Join("/tmp/artifacts", "dist", "app.js") -content, err := os.ReadFile(filePath) -``` - -## Notes - -- This document is auto-generated from workflow analysis -- Actual file paths may vary based on the workflow execution context -- Always verify file existence before reading in production code -- Common parent directories are automatically stripped during upload -- Use `ComputeDownloadPath()` from the artifact manager for accurate path computation