diff --git a/.github/agentics/repo-audit-analyzer.md b/.github/agentics/repo-audit-analyzer.md.skip
similarity index 100%
rename from .github/agentics/repo-audit-analyzer.md
rename to .github/agentics/repo-audit-analyzer.md.skip
diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index b8a317833e..bb22cbabe2 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -75,6 +75,11 @@
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
 },
+ "actions/setup-node@v4": {
+ "repo": "actions/setup-node",
+ "version": "v4",
+ "sha": "49933ea5288caeca8642d1e84afbd3f7d6820020"
+ },
 "actions/setup-node@v6": {
 "repo": "actions/setup-node",
 "version": "v6",
@@ -130,6 +135,11 @@
 "version": "v2.0.3",
 "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
 },
+ "docker/build-push-action@v5": {
+ "repo": "docker/build-push-action",
+ "version": "v5",
+ "sha": "ca052bb54ab0790a636c9b5f226502c73d547a25"
+ },
 "docker/build-push-action@v6": {
 "repo": "docker/build-push-action",
 "version": "v6",
@@ -180,6 +190,11 @@
 "version": "v1.275.0",
 "sha": "d354de180d0c9e813cfddfcbdc079945d4be589b"
 },
+ "softprops/action-gh-release@v1": {
+ "repo": "softprops/action-gh-release",
+ "version": "v1",
+ "sha": "26994186c0ac3ef5cae75ac16aa32e8153525f77"
+ },
 "super-linter/super-linter@v8.2.1": {
 "repo": "super-linter/super-linter",
 "version": "v8.2.1",
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml.skip
similarity index 100%
rename from .github/workflows/repo-audit-analyzer.lock.yml
rename to .github/workflows/repo-audit-analyzer.lock.yml.skip
diff --git a/.github/workflows/repo-audit-analyzer.md b/.github/workflows/repo-audit-analyzer.md.skip
similarity index 100%
rename from .github/workflows/repo-audit-analyzer.md
rename to .github/workflows/repo-audit-analyzer.md.skip
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
index b8a317833e..bb22cbabe2 100644
--- a/pkg/workflow/data/action_pins.json
+++ b/pkg/workflow/data/action_pins.json
@@ -75,6 +75,11 @@
 "version": "v4.8.0",
 "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
 },
+ "actions/setup-node@v4": {
+ "repo": "actions/setup-node",
+ "version": "v4",
+ "sha": "49933ea5288caeca8642d1e84afbd3f7d6820020"
+ },
 "actions/setup-node@v6": {
 "repo": "actions/setup-node",
 "version": "v6",
@@ -130,6 +135,11 @@
 "version": "v2.0.3",
 "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
 },
+ "docker/build-push-action@v5": {
+ "repo": "docker/build-push-action",
+ "version": "v5",
+ "sha": "ca052bb54ab0790a636c9b5f226502c73d547a25"
+ },
 "docker/build-push-action@v6": {
 "repo": "docker/build-push-action",
 "version": "v6",
@@ -180,6 +190,11 @@
 "version": "v1.275.0",
 "sha": "d354de180d0c9e813cfddfcbdc079945d4be589b"
 },
+ "softprops/action-gh-release@v1": {
+ "repo": "softprops/action-gh-release",
+ "version": "v1",
+ "sha": "26994186c0ac3ef5cae75ac16aa32e8153525f77"
+ },
 "super-linter/super-linter@v8.2.1": {
 "repo": "super-linter/super-linter",
 "version": "v8.2.1",
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index 9206b028cf..21245c9011 100644
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -3,6 +3,7 @@ package workflow
 import (
 "fmt"
 "os"
+ "regexp"
 "sort"
 "strings"
@@ -866,6 +867,10 @@ func prepareConfigForValidation(config string) string {
 // ${MCP_GATEWAY_API_KEY} -> "sample-api-key" (example key)
 // $GITHUB_MCP_SERVER_TOKEN -> "sample-token" (example token)
 // $GITHUB_MCP_LOCKDOWN -> "1" (example lockdown value)
+ // $GH_AW_SAFE_INPUTS_PORT -> 3000 (example safe inputs port)
+ // $GH_AW_SAFE_INPUTS_API_KEY -> "sample-api-key" (example safe inputs API key)
+ // $GH_AW_SERENA_PORT -> 3001 (example serena port)
+ // $GH_AW_GITHUB_TOKEN -> "sample-token" (example GitHub token)
 // \${...} (escaped for Copilot) -> ${...} (unescaped for validation)
 cleaned = strings.ReplaceAll(cleaned, "$MCP_GATEWAY_PORT", "8080")
@@ -873,13 +878,31 @@ func prepareConfigForValidation(config string) string {
 cleaned = strings.ReplaceAll(cleaned, "\"${MCP_GATEWAY_API_KEY}\"", "\"sample-api-key\"")
 cleaned = strings.ReplaceAll(cleaned, "\"$GITHUB_MCP_SERVER_TOKEN\"", "\"sample-token\"")
 cleaned = strings.ReplaceAll(cleaned, "\"$GITHUB_MCP_LOCKDOWN\"", "\"1\"")
+ cleaned = strings.ReplaceAll(cleaned, "$GH_AW_SAFE_INPUTS_PORT", "3000")
+ cleaned = strings.ReplaceAll(cleaned, "\"$GH_AW_SAFE_INPUTS_API_KEY\"", "\"sample-api-key\"")
+ cleaned = strings.ReplaceAll(cleaned, "$GH_AW_SERENA_PORT", "3001")
+ cleaned = strings.ReplaceAll(cleaned, "\"$GH_AW_GITHUB_TOKEN\"", "\"sample-token\"")
 // Handle Copilot-style escaped variables: \${VARIABLE} -> sample-value
 cleaned = strings.ReplaceAll(cleaned, "\\${GITHUB_PERSONAL_ACCESS_TOKEN}", "sample-token")
 cleaned = strings.ReplaceAll(cleaned, "\\${GITHUB_MCP_SERVER_TOKEN}", "sample-token")
+ cleaned = strings.ReplaceAll(cleaned, "\\${GH_AW_GITHUB_TOKEN}", "sample-token")
 // Handle shell command substitutions: $([ "$VAR" = "1" ] && echo true || echo false) -> true
 cleaned = strings.ReplaceAll(cleaned, "\"$([ \\\"$GITHUB_MCP_LOCKDOWN\\\" = \\\"1\\\" ] && echo true || echo false)\"", "\"true\"")
+ // Use regex to replace any remaining environment variables with sample values
+ // Pattern 1: "$VARIABLE_NAME" -> "sample-value" (direct shell variable references)
+ directVarPattern := regexp.MustCompile(`"\$([A-Z_][A-Z0-9_]*)"`)
+ cleaned = directVarPattern.ReplaceAllString(cleaned, `"sample-value"`)
+
+ // Pattern 2: "\\${VARIABLE_NAME}" -> "sample-value" (backslash-escaped for Copilot)
+ escapedVarPattern := regexp.MustCompile(`"\\\\?\$\{([A-Z_][A-Z0-9_]*)\}"`)
+ cleaned = escapedVarPattern.ReplaceAllString(cleaned, `"sample-value"`)
+
+ // Pattern 3: Unquoted $VAR (like $MCP_GATEWAY_PORT) -> sample-value
+ unquotedVarPattern := regexp.MustCompile(`\$([A-Z_][A-Z0-9_]*)`)
+ cleaned = unquotedVarPattern.ReplaceAllString(cleaned, `sample-value`)
+
 return cleaned
 }
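Review bot: `escapedVarPattern` requires at least one backslash before `${` (`\\\\?` is one mandatory plus one optional backslash), and `unquotedVarPattern` only matches `$` followed directly by a name, so an unlisted plain `"${VAR}"` passes through all three fallbacks unsubstituted despite the "any remaining environment variables" comment; the pattern `"\\{0,2}\$\{[A-Z_][A-Z0-9_]*\}"` would make the backslashes optional. Pattern 3 writes a bare `sample-value`, which looks like it cannot parse where an unlisted variable stands unquoted as a value (presumably why the ports above get numeric replacements), so that case probably surfaces as a syntax error rather than a validation result. Because the fallbacks accept any upper-case name, a misspelled token or API-key variable now validates cleanly, so this step should not be relied on to catch bad variable references. The three `regexp.MustCompile` calls run on every invocation and could be hoisted to package-level `var`s, and their capture groups are unused. prepareConfigForValidation starts outside the hunk.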