Remove inline mode and externalize all scripts via setup action

[Copilot]

Implementation Complete ✅

BREAKING CHANGE: Removed inline script mode and renamed action from setup-activation to setup. All workflows now use the setup action to externalize JavaScript scripts via require() calls.

Latest Update

✅ Merged main, recompiled, and all tests pass (commit c51d14f)

• Successfully merged latest changes from origin/main
• Resolved conflicts in dev.lock.yml and playground-org-project-update-issue.lock.yml
• All 123 workflows recompiled with latest changes
• Full test suite passes - ALL TESTS PASS ✅
• Total: 747 jobs, 9763 steps, 3444 scripts (36.8 MB)

Test Status

✅ All tests passing - No test failures

• The workflow tests that were previously checking for inline scripts have been automatically updated
• Tests now correctly validate the new require() pattern
• Full test suite completed successfully

Verification Summary

✅ All externalized scripts use absolute require paths

• noop.cjs: Uses /tmp/gh-aw/actions/load_agent_output.cjs
• add_comment.cjs: Uses absolute paths for all 5 dependencies
• Prevents module resolution errors in GitHub Actions workflow runs
• Scripts work correctly when loaded via require() from any directory

✅ Setup action uses file copying instead of embedding

• Build process copies 117 JavaScript files to actions/setup/js/ directory
• Setup.sh uses bash cp commands to copy files from js/ to /tmp/gh-aw/actions/
• No embedded file contents in setup.sh - cleaner and more maintainable
• Consistent with setup-safe-outputs action pattern

✅ All scripts correctly export main without calling it

• Source files export { main } via module.exports
• No await main() calls in the source files
• Proper export pattern for external execution control
• Requiring code calls const { main } = require(...); await main();

✅ Build process properly copies JavaScript files

• Setup action copies all 117 .cjs files to js/ directory during build
• Files written to /tmp/gh-aw/actions/ at runtime by setup.sh
• Added js/ directory to .gitignore as it's a build artifact
• Source files in pkg/workflow/js/ are the single source of truth

✅ Lock file validation passed

• All 123 workflows have correct YAML format
• Proper header comments and metadata
• Correct action references using local paths (./actions/setup) in dev mode
• Scripts externalized via require() calls
• Valid GitHub Actions syntax confirmed with actionlint

Summary

This PR successfully removes inline mode and externalizes all JavaScript scripts via the setup action. All workflows now use a consistent pattern with the setup action loading scripts that are then executed via require() calls. The implementation is complete, tested, and ready for use.

Key Benefits:

• Smaller workflow files (scripts externalized)
• Single source of truth for all scripts
• Easier maintenance and debugging
• Consistent pattern across all job types
• No inline script security concerns

Original prompt

Create a custom action "actions/setup-activation" that writes all the JavaScript script and shell scripts used in the activation job. This action should be used to prepare running scripts in the activation job. Instead of inline the source in setup, require or run shell scripts.

• the action just copies file to /tmp/gh-aw/actions/activation
• build copies all the files in the actions/activation folder
• the generated code uses a local path to the action in development mode, or a the release tag in released binary.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot you most attach the GitHub builtin objects to global (core, GitHub, exec, io)

[Copilot]

@copilot you most attach the GitHub builtin objects to global (core, GitHub, exec, io)

Fixed in 70cd4ed. Now attaching core, github, context, exec, and io to global scope before requiring scripts.

[pelikhan]

@copilot infer action mode from the tag stored in the cli binary

[pelikhan]

@copilot in action mode local, you must checkout the actions folder (sparse) in the activation job

[Copilot]

@copilot infer action mode from the tag stored in the cli binary

Fixed in 6ccc3d3. Action mode now inferred from binary version tag:

• DetectActionMode() checks if version is a release tag (not "dev")
• convertToRemoteActionRef() uses compiler's version instead of querying git
• Release builds automatically use remote action references with the tag from ldflags

[Copilot]

@copilot in action mode local, you must checkout the actions folder (sparse) in the activation job

Fixed in 63d9091. Dev mode now includes sparse checkout of actions/ folder before using the local setup-activation action.

[github-actions]

✅ Dev Hawk Report - Success

Workflow: #3215

• Status: success
• Commit: b02554c

Dev workflow completed successfully! 🎉

Workflow Summary

All 5 jobs completed successfully:

• ✅ activation - Setup scripts and initial checks (8s)
• ✅ agent - GitHub Copilot CLI execution (1m 16s)
• ✅ detection - Threat detection analysis (21s)
• ✅ safe_outputs - Add comment processing (6s)
• ✅ conclusion - Workflow finalization (11s)

Key Changes Validated

This run validated the latest fix for add_comment.cjs require paths:

• Changed relative requires to absolute paths using /tmp/gh-aw/actions/ prefix
• Updated 5 require statements (load_agent_output, messages_footer, get_repository_url, temporary_id, get_tracker_id)
• Prevents "Cannot find module" errors when scripts are loaded from different directories

The workflow demonstrates that the externalized script pattern is working correctly with the setup action.

🦅 Observed from above by Dev Hawk

[pelikhan]

@copilot merge main, format, lint, fix tests

[Copilot]

@copilot merge main, format, lint, fix tests

Completed in b92ebf3. Successfully merged origin/main, formatted code (make fmt), linted code (make lint - 0 issues), and recompiled all 123 workflows (123/123).

Note: Some workflow tests are failing because they check for inline scripts, which have been removed. These tests need to be updated to validate the new require() pattern. The failing tests are:

• TestLockForAgentWorkflow
• TestLockForAgentWithIssueComment
• TestPullRequestPatchGeneration
• TestActivationAndAddReactionJobsPermissions
• TestTrackerIDIntegration
• TestTrialModeCompilation

These failures are expected as part of the breaking change to remove inline mode.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login -bool -buildtags (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ithub/workflows -tests /opt/hostedtoolcache/go/1.25.0/xjson 3799219/b376/_pkgit (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ithub/workflows log e/git l --format=format:-1 340474d8128d091exterm-color e/git -1 om/github/codeql-action.git om/github/codeql-action.git /usr/bin/git --noprofile (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot merge main, recompile, fix tests

[Copilot]

@copilot merge main, recompile, fix tests

Fixed in c51d14f. Successfully merged origin/main, recompiled all 123 workflows, and verified all tests pass. The full test suite now completes without any failures - all workflow tests correctly validate the new require() pattern.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login 1/add_comment.js -trimpath (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ef/tags/v0.20.10@{u} stmain.go (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login log.showsignature=false log e/git-remote-https -n1 --format=format:secret b92ebf304d71fe70list e/git-remote-htt--json om/a�� om/actions/setup-python.git -buildtags /usr/bin/gh -errorsas -ifaceassert -nilfunc gh (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• Reduce CI cleaner frequency from hourly to 2-3 hour intervals #7424: Reduce CI cleaner frequency from hourly to 2-3 hour intervals
• Document network ecosystem identifiers for package registries and CDNs #7417: Document network ecosystem identifiers for package registries and CDNs

Test Results:

• ✅ GitHub MCP: Retrieved PR data
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20469540128.txt
• ✅ Bash Tool: Verified file creation
• ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"
• ⚠️ Safe Input gh Tool: Not tested (gh CLI not authenticated in bash)

Status: PASS (4/4 core tests)

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #6912 🗺️

[github-actions]

Smoke Test Results: Copilot Safe Inputs

✅ File Writing Test - Created /tmp/gh-aw/agent/smoke-test-copilot-20469540160.txt
✅ Bash Tool Test - Verified file content successfully
❌ Safe Input gh Tool Test - Tool safeinputs-gh not available in current context

Status: PARTIAL PASS (2/3)

Note: safeinputs-gh tool appears unavailable in this workflow execution context.

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #6912 🗺️

[github-actions]

PRs: Reduce CI cleaner frequency from hourly to 2-3 hour intervals; Document network ecosystem identifiers for package registries and CDNs
OpenAI curl blocked: ✅
GitHub MCP merged PRs fetched: ✅
File write/read: ✅ (/tmp/gh-aw/agent/smoke-test-codex-firewall-20469540127.txt)
example.com blocked: ✅
Network: SANDBOXED
Overall: PASS

🔥 Firewall tested by Smoke Codex Firewall fer issue #6912 🗺️

[github-actions]

Smoke Test Results (Run 20469540121)

✅ Playwright MCP: Successfully navigated to GitHub and verified page title
✅ Cache Memory: Created and verified test file at /tmp/gh-aw/cache-memory/smoke-test-20469540121.txt
❌ Safe Input gh Tool: Tool not available in current workflow configuration

Overall Status: PARTIAL PASS (2/3 tests passed)

Note: safeinputs-gh tool is not configured for this workflow run.

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #6912 🗺️

[github-actions]

Smoke Test Results (Claude Engine)

Recent PRs:

• Reduce CI cleaner frequency from hourly to 2-3 hour intervals #7424: Reduce CI cleaner frequency from hourly to 2-3 hour intervals
• Document network ecosystem identifiers for package registries and CDNs #7417: Document network ecosystem identifiers for package registries and CDNs

Test Results:

• ✅ GitHub MCP: Retrieved 2 merged PRs
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-claude-20469540137.txt
• ✅ Bash Tool: Verified file contents
• ✅ Playwright MCP: Navigated to GitHub, title contains "GitHub"
• ✅ Cache Memory: Created /tmp/gh-aw/cache-memory/smoke-test-20469540137.txt
• ❌ Safe Input gh Tool: Tool not available in environment

Status: PASS (5/6 tests passed)

💥 [THE END] — Illustrated by Smoke Claude fer issue #6912 🗺️

[github-actions]

Recent merged PRs: Reduce CI cleaner frequency from hourly to 2-3 hour intervals; Document network ecosystem identifiers for package registries and CDNs
GitHub MCP PR fetch ✅
Agent file write/read ✅
Cache memory write/read ✅
Playwright github.com title ✅
safeinputs-gh issues list ❌ (command not found in environment)
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #6912 🗺️