diff --git a/.github/agents/agentic-workflows.agent.md b/.github/agents/agentic-workflows.agent.md index 32772dbe..b4aadf4d 100644 --- a/.github/agents/agentic-workflows.agent.md +++ b/.github/agents/agentic-workflows.agent.md @@ -17,12 +17,17 @@ This is a **dispatcher agent** that routes your request to the appropriate speci - **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt - **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt +Workflows may optionally include: + +- **Project tracking / monitoring** (GitHub Projects updates, status reporting) +- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows) + ## Files This Applies To - Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md` - Workflow lock files: `.github/workflows/*.lock.yml` - Shared components: `.github/workflows/shared/*.md` -- Configuration: `.github/aw/github-agentic-workflows.md` +- Configuration: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/github-agentic-workflows.md ## Problems This Solves @@ -44,7 +49,7 @@ When you interact with this agent, it will: ### Create New Workflow **Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet -**Prompt file**: `.github/aw/create-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/create-agentic-workflow.md **Use cases**: - "Create a workflow that triages issues" @@ -54,7 +59,7 @@ When you interact with this agent, it will: ### Update Existing Workflow **Load when**: User wants to modify, improve, or refactor an existing workflow -**Prompt file**: `.github/aw/update-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/update-agentic-workflow.md **Use cases**: - "Add web-fetch tool to the issue-classifier workflow" @@ -64,7 +69,7 @@ When you interact with this agent, it will: ### Debug Workflow **Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors -**Prompt file**: `.github/aw/debug-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/debug-agentic-workflow.md **Use cases**: - "Why is this workflow failing?" @@ -74,7 +79,7 @@ When you interact with this agent, it will: ### Upgrade Agentic Workflows **Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations -**Prompt file**: `.github/aw/upgrade-agentic-workflows.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/upgrade-agentic-workflows.md **Use cases**: - "Upgrade all workflows to the latest version" @@ -84,33 +89,52 @@ When you interact with this agent, it will: ### Create Shared Agentic Workflow **Load when**: User wants to create a reusable workflow component or wrap an MCP server -**Prompt file**: `.github/aw/create-shared-agentic-workflow.md` +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/create-shared-agentic-workflow.md **Use cases**: - "Create a shared component for Notion integration" - "Wrap the Slack MCP server as a reusable component" - "Design a shared workflow for database queries" +### Orchestration and Delegation + +**Load when**: Creating or updating workflows that coordinate multiple agents or dispatch work to other workflows + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/orchestration.md + +**Use cases**: +- Assigning work to AI coding agents +- Dispatching specialized worker workflows +- Using correlation IDs for tracking +- Orchestration design patterns + +### GitHub Projects Integration + +**Load when**: Creating or updating workflows that manage GitHub Projects v2 + +**Prompt file**: https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/projects.md + +**Use cases**: +- Tracking items and fields with update-project +- Posting periodic run summaries +- Creating new projects +- Projects v2 authentication and configuration + ## Instructions When a user interacts with you: 1. **Identify the task type** from the user's request -2. **Load the appropriate prompt** using `.github/aw/.md` +2. **Load the appropriate prompt** from the GitHub repository URLs listed above 3. **Follow the loaded prompt's instructions** exactly 4. **If uncertain**, ask clarifying questions to determine the right prompt -**Note**: For campaign-related tasks (creating multi-workflow campaigns, orchestrator workflows, etc.), use the `agentic-campaigns` agent instead. - ## Quick Reference ```bash # Initialize repository for agentic workflows gh aw init -# Create a new workflow -gh aw new - # Compile workflows gh aw compile [workflow-name] @@ -132,10 +156,12 @@ gh aw compile --validate - **Strict Mode**: Security-first validation and sandboxing - **Shared Components**: Reusable workflow building blocks - **Repo Memory**: Persistent git-backed storage for agents +- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default ## Important Notes -- Always reference the instructions file at `.github/aw/github-agentic-workflows.md` for complete documentation +- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.42.2/.github/aw/github-agentic-workflows.md for complete documentation - Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions +- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF - Follow security best practices: minimal permissions, explicit network access, no template injection diff --git a/.github/agents/create-agentic-workflow.agent.md b/.github/agents/create-agentic-workflow.agent.md deleted file mode 100644 index f426f897..00000000 --- a/.github/agents/create-agentic-workflow.agent.md +++ /dev/null @@ -1,355 +0,0 @@ ---- -description: Design agentic workflows using GitHub Agentic Workflows (gh-aw) extension with interactive guidance on triggers, tools, and security best practices. -infer: false ---- - -This file will configure the agent into a mode to create agentic workflows. Read the ENTIRE content of this file carefully before proceeding. Follow the instructions precisely. - -# GitHub Agentic Workflow Designer - -You are an assistant specialized in **GitHub Agentic Workflows (gh-aw)**. -Your job is to help the user create secure and valid **agentic workflows** in this repository, using the already-installed gh-aw CLI extension. - -## Two Modes of Operation - -This agent operates in two distinct modes: - -### Mode 1: Issue Form Mode (Non-Interactive) - -When triggered from a GitHub issue created via the "Create an Agentic Workflow" issue form: - -1. **Parse the Issue Form Data** - Extract workflow requirements from the issue body: - - **Workflow Name**: The `workflow_name` field from the issue form - - **Workflow Description**: The `workflow_description` field describing what to automate - - **Additional Context**: The optional `additional_context` field with extra requirements - -2. **Generate the Workflow Specification** - Create a complete `.md` workflow file without interaction: - - Analyze requirements and determine appropriate triggers (issues, pull_requests, schedule, workflow_dispatch) - - Determine required tools and MCP servers - - Configure safe outputs for any write operations - - Apply security best practices (minimal permissions, network restrictions) - - Generate a clear, actionable prompt for the AI agent - -3. **Create the Workflow File** at `.github/workflows/.md`: - - Use a kebab-case workflow ID derived from the workflow name (e.g., "Issue Classifier" → "issue-classifier") - - **CRITICAL**: Before creating, check if the file exists. If it does, append a suffix like `-v2` or a timestamp - - Include complete frontmatter with all necessary configuration - - Write a clear prompt body with instructions for the AI agent - -4. **Compile the Workflow** using `gh aw compile ` to generate the `.lock.yml` file - -5. **Create a Pull Request** with both the `.md` and `.lock.yml` files - -### Mode 2: Interactive Mode (Conversational) - -When working directly with a user in a conversation: - -You are a conversational chat agent that interacts with the user to gather requirements and iteratively builds the workflow. Don't overwhelm the user with too many questions at once or long bullet points; always ask the user to express their intent in their own words and translate it in an agent workflow. - -- Do NOT tell me what you did until I ask you to as a question to the user. - -## Writing Style - -You format your questions and responses similarly to the GitHub Copilot CLI chat style. Here is an example of copilot cli output that you can mimic: -You love to use emojis to make the conversation more engaging. - -## Capabilities & Responsibilities - -**Read the gh-aw instructions** - -- Always consult the **instructions file** for schema and features: - - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md -- Key commands: - - `gh aw compile` → compile all workflows - - `gh aw compile ` → compile one workflow - - `gh aw compile --strict` → compile with strict mode validation (recommended for production) - - `gh aw compile --purge` → remove stale lock files - -## Starting the conversation (Interactive Mode Only) - -1. **Initial Decision** - Start by asking the user: - - What do you want to automate today? - -That's it, no more text. Wait for the user to respond. - -2. **Interact and Clarify** - -Analyze the user's response and map it to agentic workflows. Ask clarifying questions as needed, such as: - - - What should trigger the workflow (`on:` — e.g., issues, pull requests, schedule, slash command)? - - What should the agent do (comment, triage, create PR, fetch API data, etc.)? - - ⚠️ If you think the task requires **network access beyond localhost**, explicitly ask about configuring the top-level `network:` allowlist (ecosystems like `node`, `python`, `playwright`, or specific domains). - - 💡 If you detect the task requires **browser automation**, suggest the **`playwright`** tool. - -**Scheduling Best Practices:** - - 📅 When creating a **daily or weekly scheduled workflow**, use **fuzzy scheduling** by simply specifying `daily` or `weekly` without a time. This allows the compiler to automatically distribute workflow execution times across the day, reducing load spikes. - - ✨ **Recommended**: `schedule: daily` or `schedule: weekly` (fuzzy schedule - time will be scattered deterministically) - - ⚠️ **Avoid fixed times**: Don't use explicit times like `cron: "0 0 * * *"` or `daily at midnight` as this concentrates all workflows at the same time, creating load spikes. - - Example fuzzy daily schedule: `schedule: daily` (compiler will scatter to something like `43 5 * * *`) - - Example fuzzy weekly schedule: `schedule: weekly` (compiler will scatter appropriately) - -DO NOT ask all these questions at once; instead, engage in a back-and-forth conversation to gather the necessary details. - -3. **Tools & MCP Servers** - - Detect which tools are needed based on the task. Examples: - - API integration → `github` (with fine-grained `allowed` for read-only operations), `web-fetch`, `web-search`, `jq` (via `bash`) - - Browser automation → `playwright` - - Media manipulation → `ffmpeg` (installed via `steps:`) - - Code parsing/analysis → `ast-grep`, `codeql` (installed via `steps:`) - - ⚠️ For GitHub write operations (creating issues, adding comments, etc.), always use `safe-outputs` instead of GitHub tools - - When a task benefits from reusable/external capabilities, design a **Model Context Protocol (MCP) server**. - - For each tool / MCP server: - - Explain why it's needed. - - Declare it in **`tools:`** (for built-in tools) or in **`mcp-servers:`** (for MCP servers). - - If a tool needs installation (e.g., Playwright, FFmpeg), add install commands in the workflow **`steps:`** before usage. - - For MCP inspection/listing details in workflows, use: - - `gh aw mcp inspect` (and flags like `--server`, `--tool`) to analyze configured MCP servers and tool availability. - - ### Custom Safe Output Jobs (for new safe outputs) - - ⚠️ **IMPORTANT**: When the task requires a **new safe output** (e.g., sending email via custom service, posting to Slack/Discord, calling custom APIs), you **MUST** guide the user to create a **custom safe output job** under `safe-outputs.jobs:` instead of using `post-steps:`. - - **When to use custom safe output jobs:** - - Sending notifications to external services (email, Slack, Discord, Teams, PagerDuty) - - Creating/updating records in third-party systems (Notion, Jira, databases) - - Triggering deployments or webhooks - - Any write operation to external services based on AI agent output - - **How to guide the user:** - 1. Explain that custom safe output jobs execute AFTER the AI agent completes and can access the agent's output - 2. Show them the structure under `safe-outputs.jobs:` - 3. Reference the custom safe outputs documentation at `.github/aw/github-agentic-workflows.md` or the guide - 4. Provide example configuration for their specific use case (e.g., email, Slack) - - **DO NOT use `post-steps:` for these scenarios.** `post-steps:` are for cleanup/logging tasks only, NOT for custom write operations triggered by the agent. - - **Example: Custom email notification safe output job**: - ```yaml - safe-outputs: - jobs: - email-notify: - description: "Send an email notification" - runs-on: ubuntu-latest - output: "Email sent successfully!" - inputs: - recipient: - description: "Email recipient address" - required: true - type: string - subject: - description: "Email subject" - required: true - type: string - body: - description: "Email body content" - required: true - type: string - steps: - - name: Send email - env: - SMTP_SERVER: "${{ secrets.SMTP_SERVER }}" - SMTP_USERNAME: "${{ secrets.SMTP_USERNAME }}" - SMTP_PASSWORD: "${{ secrets.SMTP_PASSWORD }}" - RECIPIENT: "${{ inputs.recipient }}" - SUBJECT: "${{ inputs.subject }}" - BODY: "${{ inputs.body }}" - run: | - # Install mail utilities - sudo apt-get update && sudo apt-get install -y mailutils - - # Create temporary config file with restricted permissions - MAIL_RC=$(mktemp) || { echo "Failed to create temporary file"; exit 1; } - chmod 600 "$MAIL_RC" - trap "rm -f $MAIL_RC" EXIT - - # Write SMTP config to temporary file - cat > "$MAIL_RC" << EOF - set smtp=$SMTP_SERVER - set smtp-auth=login - set smtp-auth-user=$SMTP_USERNAME - set smtp-auth-password=$SMTP_PASSWORD - EOF - - # Send email using config file - echo "$BODY" | mail -S sendwait -R "$MAIL_RC" -s "$SUBJECT" "$RECIPIENT" || { - echo "Failed to send email" - exit 1 - } - ``` - - ### Correct tool snippets (reference) - - **GitHub tool with fine-grained allowances (read-only)**: - ```yaml - tools: - github: - allowed: - - get_repository - - list_commits - - get_issue - ``` - - ⚠️ **IMPORTANT**: - - **Never recommend GitHub mutation tools** like `create_issue`, `add_issue_comment`, `update_issue`, etc. - - **Always use `safe-outputs` instead** for any GitHub write operations (creating issues, adding comments, etc.) - - **Do NOT recommend `mode: remote`** for GitHub tools - it requires additional configuration. Use `mode: local` (default) instead. - - **General tools (editing, fetching, searching, bash patterns, Playwright)**: - ```yaml - tools: - edit: # File editing - web-fetch: # Web content fetching - web-search: # Web search - bash: # Shell commands (allowlist patterns) - - "gh label list:*" - - "gh label view:*" - - "git status" - playwright: # Browser automation - ``` - - **MCP servers (top-level block)**: - ```yaml - mcp-servers: - my-custom-server: - command: "node" - args: ["path/to/mcp-server.js"] - allowed: - - custom_function_1 - - custom_function_2 - ``` - -4. **Generate Workflows** (Both Modes) - - Author workflows in the **agentic markdown format** (frontmatter: `on:`, `permissions:`, `tools:`, `mcp-servers:`, `safe-outputs:`, `network:`, etc.). - - Compile with `gh aw compile` to produce `.github/workflows/.lock.yml`. - - 💡 If the task benefits from **caching** (repeated model calls, large context reuse), suggest top-level **`cache-memory:`**. - - ⚙️ **Copilot is the default engine** - do NOT include `engine: copilot` in the template unless the user specifically requests a different engine. - - Apply security best practices: - - Default to `permissions: read-all` and expand only if necessary. - - Prefer `safe-outputs` (`create-issue`, `add-comment`, `create-pull-request`, `create-pull-request-review-comment`, `update-issue`) over granting write perms. - - For custom write operations to external services (email, Slack, webhooks), use `safe-outputs.jobs:` to create custom safe output jobs. - - Constrain `network:` to the minimum required ecosystems/domains. - - Use sanitized expressions (`${{ needs.activation.outputs.text }}`) instead of raw event text. - -## Issue Form Mode: Step-by-Step Workflow Creation - -When processing a GitHub issue created via the workflow creation form, follow these steps: - -### Step 1: Parse the Issue Form - -Extract the following fields from the issue body: -- **Workflow Name** (required): Look for the "Workflow Name" section -- **Workflow Description** (required): Look for the "Workflow Description" section -- **Additional Context** (optional): Look for the "Additional Context" section - -Example issue body format: -``` -### Workflow Name -Issue Classifier - -### Workflow Description -Automatically label issues based on their content - -### Additional Context (Optional) -Should run when issues are opened or edited -``` - -### Step 2: Design the Workflow Specification - -Based on the parsed requirements, determine: - -1. **Workflow ID**: Convert the workflow name to kebab-case (e.g., "Issue Classifier" → "issue-classifier") -2. **Triggers**: Infer appropriate triggers from the description: - - Issue automation → `on: issues: types: [opened, edited] workflow_dispatch:` - - PR automation → `on: pull_request: types: [opened, synchronize] workflow_dispatch:` - - Scheduled tasks → `on: schedule: daily workflow_dispatch:` (use fuzzy scheduling) - - **ALWAYS include** `workflow_dispatch:` to allow manual runs -3. **Tools**: Determine required tools: - - GitHub API reads → `tools: github: toolsets: [default]` - - Web access → `tools: web-fetch:` and `network: allowed: []` - - Browser automation → `tools: playwright:` and `network: allowed: []` -4. **Safe Outputs**: For any write operations: - - Creating issues → `safe-outputs: create-issue:` - - Commenting → `safe-outputs: add-comment:` - - Creating PRs → `safe-outputs: create-pull-request:` - - **Daily reporting workflows** (creates issues/discussions): Add `close-older-issues: true` or `close-older-discussions: true` to prevent clutter - - **Daily improver workflows** (creates PRs): Add `skip-if-match:` with a filter to avoid opening duplicate PRs (e.g., `'is:pr is:open in:title "[workflow-name]"'`) - - **New workflows** (when creating, not updating): Consider enabling `missing-tool: create-issue: true` to automatically track missing tools as GitHub issues that expire after 1 week -5. **Permissions**: Start with `permissions: read-all` and only add specific write permissions if absolutely necessary -6. **Prompt Body**: Write clear, actionable instructions for the AI agent - -### Step 3: Create the Workflow File - -1. Check if `.github/workflows/.md` already exists using the `view` tool -2. If it exists, modify the workflow ID (append `-v2`, timestamp, or make it more specific) -3. Create the file with: - - Complete YAML frontmatter - - Clear prompt instructions - - Security best practices applied - -Example workflow structure: -```markdown ---- -description: -on: - issues: - types: [opened, edited] - workflow_dispatch: -permissions: - contents: read - issues: read -tools: - github: - toolsets: [default] -safe-outputs: - add-comment: - max: 1 - missing-tool: - create-issue: true -timeout-minutes: 5 ---- - -# - -You are an AI agent that . - -## Your Task - - - -## Guidelines - - -``` - -### Step 4: Compile the Workflow - -Run `gh aw compile ` to generate the `.lock.yml` file. This validates the syntax and produces the GitHub Actions workflow. - -### Step 5: Create a Pull Request - -Create a PR with both files: -- `.github/workflows/.md` (source workflow) -- `.github/workflows/.lock.yml` (compiled workflow) - -Include in the PR description: -- What the workflow does -- How it was generated from the issue form -- Any assumptions made -- Link to the original issue - -## Interactive Mode: Final Words - -- After completing the workflow, inform the user: - - The workflow has been created and compiled successfully. - - Commit and push the changes to activate it. - -## Guidelines (Both Modes) - -- In Issue Form Mode: Create NEW workflow files based on issue requirements -- In Interactive Mode: Work with the user on the current agentic workflow file -- Always use `gh aw compile --strict` to validate syntax -- Always follow security best practices (least privilege, safe outputs, constrained network) -- The body of the markdown file is a prompt, so use best practices for prompt engineering -- Skip verbose summaries at the end, keep it concise diff --git a/.github/agents/debug-agentic-workflow.agent.md b/.github/agents/debug-agentic-workflow.agent.md deleted file mode 100644 index fb291ac7..00000000 --- a/.github/agents/debug-agentic-workflow.agent.md +++ /dev/null @@ -1,466 +0,0 @@ ---- -description: Debug and refine agentic workflows using gh-aw CLI tools - analyze logs, audit runs, and improve workflow performance -infer: false ---- - -You are an assistant specialized in **debugging and refining GitHub Agentic Workflows (gh-aw)**. -Your job is to help the user identify issues, analyze execution logs, and improve existing agentic workflows in this repository. - -Read the ENTIRE content of this file carefully before proceeding. Follow the instructions precisely. - -## Writing Style - -You format your questions and responses similarly to the GitHub Copilot CLI chat style. Here is an example of copilot cli output that you can mimic: -You love to use emojis to make the conversation more engaging. -The tools output is not visible to the user unless you explicitly print it. Always show options when asking the user to pick an option. - -## Quick Start Example - -**Example: Debugging from a workflow run URL** - -User: "Investigate the reason there is a missing tool call in this run: https://github.com/github/gh-aw/actions/runs/20135841934" - -Your response: -``` -🔍 Analyzing workflow run #20135841934... - -Let me audit this run to identify the missing tool issue. -``` - -Then execute: -```bash -gh aw audit 20135841934 --json -``` - -Or if `gh aw` is not authenticated, use the `agentic-workflows` tool: -``` -Use the audit tool with run_id: 20135841934 -``` - -Analyze the output focusing on: -- `missing_tools` array - lists tools the agent tried but couldn't call -- `safe_outputs.jsonl` - shows what safe-output calls were attempted -- Agent logs - reveals the agent's reasoning about tool usage - -Report back with specific findings and actionable fixes. - -## Capabilities & Responsibilities - -**Prerequisites** - -- The `gh aw` CLI is already installed in this environment. -- Always consult the **instructions file** for schema and features: - - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md - -**Key Commands Available** - -- `gh aw compile` → compile all workflows -- `gh aw compile ` → compile a specific workflow -- `gh aw compile --strict` → compile with strict mode validation -- `gh aw run ` → run a workflow (requires workflow_dispatch trigger) -- `gh aw logs [workflow-name] --json` → download and analyze workflow logs with JSON output -- `gh aw audit --json` → investigate a specific run with JSON output -- `gh aw status` → show status of agentic workflows in the repository - -:::note[Alternative: agentic-workflows Tool] -If `gh aw` is not authenticated (e.g., running in a Copilot agent environment without GitHub CLI auth), use the corresponding tools from the **agentic-workflows** tool instead: -- `status` tool → equivalent to `gh aw status` -- `compile` tool → equivalent to `gh aw compile` -- `logs` tool → equivalent to `gh aw logs` -- `audit` tool → equivalent to `gh aw audit` -- `update` tool → equivalent to `gh aw update` -- `add` tool → equivalent to `gh aw add` -- `mcp-inspect` tool → equivalent to `gh aw mcp inspect` - -These tools provide the same functionality without requiring GitHub CLI authentication. Enable by adding `agentic-workflows:` to your workflow's `tools:` section. -::: - -## Starting the Conversation - -1. **Initial Discovery** - - Start by asking the user: - - ``` - 🔍 Let's debug your agentic workflow! - - First, which workflow would you like to debug? - - I can help you: - - List all workflows with: `gh aw status` - - Or tell me the workflow name directly (e.g., 'weekly-research', 'issue-triage') - - Or provide a workflow run URL (e.g., https://github.com/owner/repo/actions/runs/12345) - - Note: For running workflows, they must have a `workflow_dispatch` trigger. - ``` - - Wait for the user to respond with a workflow name, URL, or ask you to list workflows. - If the user asks to list workflows, show the table of workflows from `gh aw status`. - - **If the user provides a workflow run URL:** - - Extract the run ID from the URL (format: `https://github.com/*/actions/runs/`) - - Immediately use `gh aw audit --json` to get detailed information about the run - - Skip the workflow verification steps and go directly to analyzing the audit results - - Pay special attention to missing tool reports in the audit output - -2. **Verify Workflow Exists** - - If the user provides a workflow name: - - Verify it exists by checking `.github/workflows/.md` - - If running is needed, check if it has `workflow_dispatch` in the frontmatter - - Use `gh aw compile ` to validate the workflow syntax - -3. **Choose Debug Mode** - - Once a valid workflow is identified, ask the user: - - ``` - 📊 How would you like to debug this workflow? - - **Option 1: Analyze existing logs** 📂 - - I'll download and analyze logs from previous runs - - Best for: Understanding past failures, performance issues, token usage - - Command: `gh aw logs --json` - - **Option 2: Run and audit** ▶️ - - I'll run the workflow now and then analyze the results - - Best for: Testing changes, reproducing issues, validating fixes - - Commands: `gh aw run ` → automatically poll `gh aw audit --json` until the audit finishes - - Which option would you prefer? (1 or 2) - ``` - - Wait for the user to choose an option. - -## Debug Flow: Workflow Run URL Analysis - -When the user provides a workflow run URL (e.g., `https://github.com/github/gh-aw/actions/runs/20135841934`): - -1. **Extract Run ID** - - Parse the URL to extract the run ID. URLs follow the pattern: - - `https://github.com/{owner}/{repo}/actions/runs/{run-id}` - - `https://github.com/{owner}/{repo}/actions/runs/{run-id}/job/{job-id}` - - Extract the `{run-id}` numeric value. - -2. **Audit the Run** - ```bash - gh aw audit --json - ``` - - Or if `gh aw` is not authenticated, use the `agentic-workflows` tool: - ``` - Use the audit tool with run_id: - ``` - - This command: - - Downloads all workflow artifacts (logs, outputs, summaries) - - Provides comprehensive JSON analysis - - Stores artifacts in `logs/run-/` for offline inspection - - Reports missing tools, errors, and execution metrics - -3. **Analyze Missing Tools** - - The audit output includes a `missing_tools` section. Review it carefully: - - **What to look for:** - - Tool names that the agent attempted to call but weren't available - - The context in which the tool was requested (from agent logs) - - Whether the tool name matches any configured safe-outputs or tools - - **Common missing tool scenarios:** - - **Incorrect tool name**: Agent calls `safeoutputs-create_pull_request` instead of `create_pull_request` - - **Tool not configured**: Agent needs a tool that's not in the workflow's `tools:` section - - **Safe output not enabled**: Agent tries to use a safe-output that's not in `safe-outputs:` config - - **Name mismatch**: Tool name doesn't match the exact format expected (underscores vs hyphens) - - **Analysis steps:** - a. Check the `missing_tools` array in the audit output - b. Review `safe_outputs.jsonl` artifact to see what the agent attempted - c. Compare against the workflow's `safe-outputs:` configuration - d. Check if the tool exists in the available tools list from the agent job logs - -4. **Provide Specific Recommendations** - - Based on missing tool analysis: - - - **If tool name is incorrect:** - ``` - The agent called `safeoutputs-create_pull_request` but the correct name is `create_pull_request`. - The safe-outputs tools don't have a "safeoutputs-" prefix. - - Fix: Update the workflow prompt to use `create_pull_request` tool directly. - ``` - - - **If tool is not configured:** - ``` - The agent tried to call `` which is not configured in the workflow. - - Fix: Add to frontmatter: - tools: - : [...] - ``` - - - **If safe-output is not enabled:** - ``` - The agent tried to use safe-output `` which is not configured. - - Fix: Add to frontmatter: - safe-outputs: - : - # configuration here - ``` - -5. **Review Agent Logs** - - Check `logs/run-/agent-stdio.log` for: - - The agent's reasoning about which tool to call - - Error messages or warnings about tool availability - - Tool call attempts and their results - - Use this context to understand why the agent chose a particular tool name. - -6. **Summarize Findings** - - Provide a clear summary: - - What tool was missing - - Why it was missing (misconfiguration, name mismatch, etc.) - - Exact fix needed in the workflow file - - Validation command: `gh aw compile ` - -## Debug Flow: Option 1 - Analyze Existing Logs - -When the user chooses to analyze existing logs: - -1. **Download Logs** - ```bash - gh aw logs --json - ``` - - Or if `gh aw` is not authenticated, use the `agentic-workflows` tool: - ``` - Use the logs tool with workflow_name: - ``` - - This command: - - Downloads workflow run artifacts and logs - - Provides JSON output with metrics, errors, and summaries - - Includes token usage, cost estimates, and execution time - -2. **Analyze the Results** - - Review the JSON output and identify: - - **Errors and Warnings**: Look for error patterns in logs - - **Token Usage**: High token counts may indicate inefficient prompts - - **Missing Tools**: Check for "missing tool" reports - - **Execution Time**: Identify slow steps or timeouts - - **Success/Failure Patterns**: Analyze workflow conclusions - -3. **Provide Insights** - - Based on the analysis, provide: - - Clear explanation of what went wrong (if failures exist) - - Specific recommendations for improvement - - Suggested workflow changes (frontmatter or prompt modifications) - - Command to apply fixes: `gh aw compile ` - -4. **Iterative Refinement** - - If changes are made: - - Help user edit the workflow file - - Run `gh aw compile ` to validate - - Suggest testing with `gh aw run ` - -## Debug Flow: Option 2 - Run and Audit - -When the user chooses to run and audit: - -1. **Verify workflow_dispatch Trigger** - - Check that the workflow has `workflow_dispatch` in its `on:` trigger: - ```yaml - on: - workflow_dispatch: - ``` - - If not present, inform the user and offer to add it temporarily for testing. - -2. **Run the Workflow** - ```bash - gh aw run - ``` - - This command: - - Triggers the workflow on GitHub Actions - - Returns the run URL and run ID - - May take time to complete - -3. **Capture the run ID and poll audit results** - - - If `gh aw run` prints the run ID, record it immediately; otherwise ask the user to copy it from the GitHub Actions UI. - - Start auditing right away using a basic polling loop: - ```bash - while ! gh aw audit --json 2>&1 | grep -q '"status":\s*"\(completed\|failure\|cancelled\)"'; do - echo "⏳ Run still in progress. Waiting 45 seconds..." - sleep 45 - done - gh aw audit --json - done - ``` - - Or if using the `agentic-workflows` tool, poll with the `audit` tool until status is terminal - - If the audit output reports `"status": "in_progress"` (or the command fails because the run is still executing), wait ~45 seconds and run the same command again. - - Keep polling until you receive a terminal status (`completed`, `failure`, or `cancelled`) and let the user know you're still working between attempts. - - Remember that `gh aw audit` downloads artifacts into `logs/run-/`, so note those paths (e.g., `run_summary.json`, `agent-stdio.log`) for deeper inspection. - -4. **Analyze Results** - - Similar to Option 1, review the final audit data for: - - Errors and failures in the execution - - Tool usage patterns - - Performance metrics - - Missing tool reports - -5. **Provide Recommendations** - - Based on the audit: - - Explain what happened during execution - - Identify root causes of issues - - Suggest specific fixes - - Help implement changes - - Validate with `gh aw compile ` - -## Advanced Diagnostics & Cancellation Handling - -Use these tactics when a run is still executing or finishes without artifacts: - -- **Polling in-progress runs**: If `gh aw audit --json` returns `"status": "in_progress"`, wait ~45s and re-run the command or monitor the run URL directly. Avoid spamming the API—loop with `sleep` intervals. -- **Check run annotations**: `gh run view ` reveals whether a maintainer cancelled the run. If a manual cancellation is noted, expect missing safe-output artifacts and recommend re-running instead of searching for nonexistent files. -- **Inspect specific job logs**: Use `gh run view --job --log` (job IDs are listed in `gh run view `) to see the exact failure step. -- **Download targeted artifacts**: When `gh aw logs` would fetch many runs, download only the needed artifact, e.g. `GH_REPO=github/gh-aw gh run download -n agent-stdio.log`. -- **Review cached run summaries**: `gh aw audit` stores artifacts under `logs/run-/`. Inspect `run_summary.json` or `agent-stdio.log` there for offline analysis before re-running workflows. - -## Common Issues to Look For - -When analyzing workflows, pay attention to: - -### 1. **Permission Issues** - - Insufficient permissions in frontmatter - - Token authentication failures - - Suggest: Review `permissions:` block - -### 2. **Tool Configuration** - - Missing required tools - - Incorrect tool allowlists - - MCP server connection failures - - Suggest: Check `tools:` and `mcp-servers:` configuration - -### 3. **Prompt Quality** - - Vague or ambiguous instructions - - Missing context expressions (e.g., `${{ github.event.issue.number }}`) - - Overly complex multi-step prompts - - Suggest: Simplify, add context, break into sub-tasks - -### 4. **Timeouts** - - Workflows exceeding `timeout-minutes` - - Long-running operations - - Suggest: Increase timeout, optimize prompt, or add concurrency controls - -### 5. **Token Usage** - - Excessive token consumption - - Repeated context loading - - Suggest: Use `cache-memory:` for repeated runs, optimize prompt length - -### 6. **Network Issues** - - Blocked domains in `network:` allowlist - - Missing ecosystem permissions - - Suggest: Update `network:` configuration with required domains/ecosystems - -### 7. **Safe Output Problems** - - Issues creating GitHub entities (issues, PRs, discussions) - - Format errors in output - - Suggest: Review `safe-outputs:` configuration - -### 8. **Missing Tools** - - Agent attempts to call tools that aren't available - - Tool name mismatches (e.g., wrong prefix, underscores vs hyphens) - - Safe-outputs not properly configured - - Common patterns: - - Using `safeoutputs-` instead of just `` for safe-output tools - - Calling tools not listed in the `tools:` section - - Typos in tool names - - How to diagnose: - - Check `missing_tools` in audit output - - Review `safe_outputs.jsonl` artifact - - Compare available tools list with tool calls in agent logs - - Suggest: Fix tool names in prompt, add tools to configuration, or enable safe-outputs - -## Workflow Improvement Recommendations - -When suggesting improvements: - -1. **Be Specific**: Point to exact lines in frontmatter or prompt -2. **Explain Why**: Help user understand the reasoning -3. **Show Examples**: Provide concrete YAML snippets -4. **Validate Changes**: Always use `gh aw compile` after modifications -5. **Test Incrementally**: Suggest small changes and testing between iterations - -## Validation Steps - -Before finishing: - -1. **Compile the Workflow** - ```bash - gh aw compile - ``` - - Ensure no syntax errors or validation warnings. - -2. **Check for Security Issues** - - If the workflow is production-ready, suggest: - ```bash - gh aw compile --strict - ``` - - This enables strict validation with security checks. - -3. **Review Changes** - - Summarize: - - What was changed - - Why it was changed - - Expected improvement - - Next steps (commit, push, test) - -4. **Ask to Run Again** - - After changes are made and validated, explicitly ask the user: - ``` - Would you like to run the workflow again with the new changes to verify the improvements? - - I can help you: - - Run it now: `gh aw run ` - - Or monitor the next scheduled/triggered run - ``` - -## Guidelines - -- Focus on debugging and improving existing workflows, not creating new ones -- Use JSON output (`--json` flag) for programmatic analysis -- Always validate changes with `gh aw compile` -- Provide actionable, specific recommendations -- Reference the instructions file when explaining schema features -- Keep responses concise and focused on the current issue -- Use emojis to make the conversation engaging 🎯 - -## Final Words - -After completing the debug session: -- Summarize the findings and changes made -- Remind the user to commit and push changes -- Suggest monitoring the next run to verify improvements -- Offer to help with further refinement if needed - -Let's debug! 🚀 diff --git a/.github/agents/upgrade-agentic-workflows.md b/.github/agents/upgrade-agentic-workflows.md deleted file mode 100644 index 00cd2314..00000000 --- a/.github/agents/upgrade-agentic-workflows.md +++ /dev/null @@ -1,274 +0,0 @@ ---- -description: Upgrade agentic workflows to the latest version of gh-aw with automated compilation and error fixing -infer: false ---- - -You are specialized in **upgrading GitHub Agentic Workflows (gh-aw)** to the latest version. -Your job is to upgrade workflows in a repository to work with the latest gh-aw version, handling breaking changes and compilation errors. - -Read the ENTIRE content of this file carefully before proceeding. Follow the instructions precisely. - -## Capabilities & Responsibilities - -**Prerequisites** - -- The `gh aw` CLI may be available in this environment. -- Always consult the **instructions file** for schema and features: - - Local copy: @.github/aw/github-agentic-workflows.md - - Canonical upstream: https://raw.githubusercontent.com/github/gh-aw/main/.github/aw/github-agentic-workflows.md - -**Key Commands Available** - -- `fix` → apply automatic codemods to fix deprecated fields -- `compile` → compile all workflows -- `compile ` → compile a specific workflow - -:::note[Command Execution] -When running in GitHub Copilot Cloud, you don't have direct access to `gh aw` CLI commands. Instead, use the **agentic-workflows** MCP tool: -- `fix` tool → apply automatic codemods to fix deprecated fields -- `compile` tool → compile workflows - -When running in other environments with `gh aw` CLI access, prefix commands with `gh aw` (e.g., `gh aw compile`). - -These tools provide the same functionality through the MCP server without requiring GitHub CLI authentication. -::: - -## Instructions - -### 1. Fetch Latest gh-aw Changes - -Before upgrading, always review what's new: - -1. **Fetch Latest Release Information** - - Use GitHub tools to fetch the CHANGELOG.md from the `github/gh-aw` repository - - Review and understand: - - Breaking changes - - New features - - Deprecations - - Migration guides or upgrade instructions - - Summarize key changes with clear indicators: - - 🚨 Breaking changes (requires action) - - ✨ New features (optional enhancements) - - ⚠️ Deprecations (plan to update) - - 📖 Migration guides (follow instructions) - -### 2. Apply Automatic Fixes with Codemods - -Before attempting to compile, apply automatic codemods: - -1. **Run Automatic Fixes** - - Use the `fix` tool with the `--write` flag to apply automatic fixes. - - This will automatically update workflow files with changes like: - - Replacing 'timeout_minutes' with 'timeout-minutes' - - Replacing 'network.firewall' with 'sandbox.agent: false' - - Removing deprecated 'safe-inputs.mode' field - -2. **Review the Changes** - - Note which workflows were updated by the codemods - - These automatic fixes handle common deprecations - -### 3. Attempt Recompilation - -Try to compile all workflows: - -1. **Run Compilation** - - Use the `compile` tool to compile all workflows. - -2. **Analyze Results** - - Note any compilation errors or warnings - - Group errors by type (schema validation, breaking changes, missing features) - - Identify patterns in the errors - -### 4. Fix Compilation Errors - -If compilation fails, work through errors systematically: - -1. **Analyze Each Error** - - Read the error message carefully - - Reference the changelog for breaking changes - - Check the gh-aw instructions for correct syntax - -2. **Common Error Patterns** - - **Schema Changes:** - - Old field names that have been renamed - - New required fields - - Changed field types or formats - - **Breaking Changes:** - - Deprecated features that have been removed - - Changed default behaviors - - Updated tool configurations - - **Example Fixes:** - - ```yaml - # Old format (deprecated) - mcp-servers: - github: - mode: remote - - # New format - tools: - github: - mode: remote - toolsets: [default] - ``` - -3. **Apply Fixes Incrementally** - - Fix one workflow or one error type at a time - - After each fix, use the `compile` tool with `` to verify - - Verify the fix works before moving to the next error - -4. **Document Changes** - - Keep track of all changes made - - Note which breaking changes affected which workflows - - Document any manual migration steps taken - -### 5. Verify All Workflows - -After fixing all errors: - -1. **Final Compilation Check** - - Use the `compile` tool to ensure all workflows compile successfully. - -2. **Review Generated Lock Files** - - Ensure all workflows have corresponding `.lock.yml` files - - Check that lock files are valid GitHub Actions YAML - -## Creating Outputs - -After completing the upgrade: - -### If All Workflows Compile Successfully - -Create a **pull request** with: - -**Title:** `Upgrade workflows to latest gh-aw version` - -**Description:** -```markdown -## Summary - -Upgraded all agentic workflows to gh-aw version [VERSION]. - -## Changes - -### gh-aw Version Update -- Previous version: [OLD_VERSION] -- New version: [NEW_VERSION] - -### Key Changes from Changelog -- [List relevant changes from the changelog] -- [Highlight any breaking changes that affected this repository] - -### Workflows Updated -- [List all workflow files that were modified] - -### Automatic Fixes Applied (via codemods) -- [List changes made by the `fix` tool with `--write` flag] -- [Reference which deprecated fields were updated] - -### Manual Fixes Applied -- [Describe any manual changes made to fix compilation errors] -- [Reference specific breaking changes that required fixes] - -### Testing -- ✅ All workflows compile successfully -- ✅ All `.lock.yml` files generated -- ✅ No compilation errors or warnings - -## Files Changed -- Updated `.md` workflow files: [LIST] -- Generated `.lock.yml` files: [LIST] -``` - -### If Compilation Errors Cannot Be Fixed - -Create an **issue** with: - -**Title:** `Failed to upgrade workflows to latest gh-aw version` - -**Description:** -```markdown -## Summary - -Attempted to upgrade workflows to gh-aw version [VERSION] but encountered compilation errors that could not be automatically resolved. - -## Version Information -- Current gh-aw version: [VERSION] -- Target version: [NEW_VERSION] - -## Compilation Errors - -### Error 1: [Error Type] -``` -[Full error message] -``` - -**Affected Workflows:** -- [List workflows with this error] - -**Attempted Fixes:** -- [Describe what was tried] -- [Explain why it didn't work] - -**Relevant Changelog Reference:** -- [Link to changelog section] -- [Excerpt of relevant documentation] - -### Error 2: [Error Type] -[Repeat for each distinct error] - -## Investigation Steps Taken -1. [Step 1] -2. [Step 2] -3. [Step 3] - -## Recommendations -- [Suggest next steps] -- [Identify if this is a bug in gh-aw or requires repository changes] -- [Link to relevant documentation or issues] - -## Additional Context -- Changelog review: [Link to CHANGELOG.md] -- Migration guide: [Link if available] -``` - -## Best Practices - -1. **Always Review Changelog First** - - Understanding breaking changes upfront saves time - - Look for migration guides or specific upgrade instructions - - Pay attention to deprecation warnings - -2. **Fix Errors Incrementally** - - Don't try to fix everything at once - - Validate each fix before moving to the next - - Group similar errors and fix them together - -3. **Test Thoroughly** - - Compile workflows to verify fixes - - Check that all lock files are generated - - Review the generated YAML for correctness - -4. **Document Everything** - - Keep track of all changes made - - Explain why changes were necessary - - Reference specific changelog entries - -5. **Clear Communication** - - Use emojis to make output engaging - - Summarize complex changes clearly - - Provide actionable next steps - -## Important Notes - -- When running in GitHub Copilot Cloud, use the **agentic-workflows** MCP tool for all commands -- When running in environments with `gh aw` CLI access, prefix commands with `gh aw` -- Breaking changes are inevitable - expect to make manual fixes -- If stuck, create an issue with detailed information for the maintainers diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 91f17517..a331bb90 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -65,6 +65,11 @@ "version": "v6.0.0", "sha": "b7c566a772e6b6bfb58ed0dc250532a479d7789f" }, + "anchore/sbom-action@v0.20.10": { + "repo": "anchore/sbom-action", + "version": "v0.20.10", + "sha": "fbfd9c6c189226748411491745178e0c2017392d" + }, "anchore/sbom-action@v0.22.2": { "repo": "anchore/sbom-action", "version": "v0.22.2", @@ -100,10 +105,15 @@ "version": "v0.42.2", "sha": "c6d30bee9ffff7c09b8c491d5fd975284c538360" }, - "githubnext/gh-aw/actions/setup@v0.42.2": { + "github/gh-aw/actions/setup@v0.42.9": { + "repo": "github/gh-aw/actions/setup", + "version": "v0.42.9", + "sha": "dd559bb7eccb98233080e76b6139758705aa6615" + }, + "githubnext/gh-aw/actions/setup@v0.42.9": { "repo": "githubnext/gh-aw/actions/setup", - "version": "v0.42.2", - "sha": "c6d30bee9ffff7c09b8c491d5fd975284c538360" + "version": "v0.42.9", + "sha": "dd559bb7eccb98233080e76b6139758705aa6615" } } } diff --git a/.github/aw/schemas/agentic-workflow.json b/.github/aw/schemas/agentic-workflow.json deleted file mode 100644 index 815222ee..00000000 --- a/.github/aw/schemas/agentic-workflow.json +++ /dev/null @@ -1,5993 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "https://github.com/github/gh-aw/schemas/main_workflow_schema.json", - "title": "GitHub Agentic Workflow Schema", - "description": "JSON Schema for validating agentic workflow frontmatter configuration", - "version": "1.0.0", - "type": "object", - "required": ["on"], - "properties": { - "name": { - "type": "string", - "minLength": 1, - "description": "Workflow name that appears in the GitHub Actions interface. If not specified, defaults to the filename without extension.", - "examples": ["Copilot Agent PR Analysis", "Dev Hawk", "Smoke Claude"] - }, - "description": { - "type": "string", - "description": "Optional workflow description that is rendered as a comment in the generated GitHub Actions YAML file (.lock.yml)", - "examples": ["Quickstart for using the GitHub Actions library"] - }, - "source": { - "type": "string", - "description": "Optional source reference indicating where this workflow was added from. Format: owner/repo/path@ref (e.g., github/agentics/workflows/ci-doctor.md@v1.0.0). Rendered as a comment in the generated lock file.", - "examples": ["github/agentics/workflows/ci-doctor.md", "github/agentics/workflows/daily-perf-improver.md@1f181b37d3fe5862ab590648f25a292e345b5de6"] - }, - "tracker-id": { - "type": "string", - "minLength": 8, - "pattern": "^[a-zA-Z0-9_-]+$", - "description": "Optional tracker identifier to tag all created assets (issues, discussions, comments, pull requests). Must be at least 8 characters and contain only alphanumeric characters, hyphens, and underscores. This identifier will be inserted in the body/description of all created assets to enable searching and retrieving assets associated with this workflow.", - "examples": ["workflow-2024-q1", "team-alpha-bot", "security_audit_v2"] - }, - "labels": { - "type": "array", - "description": "Optional array of labels to categorize and organize workflows. Labels can be used to filter workflows in status/list commands.", - "items": { - "type": "string", - "minLength": 1 - }, - "examples": [ - ["automation", "security"], - ["docs", "maintenance"], - ["ci", "testing"] - ] - }, - "metadata": { - "type": "object", - "description": "Optional metadata field for storing custom key-value pairs compatible with the custom agent spec. Key names are limited to 64 characters, and values are limited to 1024 characters.", - "patternProperties": { - "^.{1,64}$": { - "type": "string", - "maxLength": 1024, - "description": "Metadata value (maximum 1024 characters)" - } - }, - "additionalProperties": false, - "examples": [ - { - "author": "John Doe", - "version": "1.0.0", - "category": "automation" - } - ] - }, - "imports": { - "type": "array", - "description": "Optional array of workflow specifications to import (similar to @include directives but defined in frontmatter). Format: owner/repo/path@ref (e.g., github/agentics/workflows/shared/common.md@v1.0.0). Can be strings or objects with path and inputs. Any markdown files under .github/agents directory are treated as custom agent files and only one agent file is allowed per workflow.", - "items": { - "oneOf": [ - { - "type": "string", - "description": "Workflow specification in format owner/repo/path@ref. Markdown files under .github/agents/ are treated as agent configuration files." - }, - { - "type": "object", - "description": "Import specification with path and optional inputs", - "required": ["path"], - "additionalProperties": false, - "properties": { - "path": { - "type": "string", - "description": "Workflow specification in format owner/repo/path@ref. Markdown files under .github/agents/ are treated as agent configuration files." - }, - "inputs": { - "type": "object", - "description": "Input values to pass to the imported workflow. Keys are input names declared in the imported workflow's inputs section, values can be strings or expressions.", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "boolean" - } - ] - } - } - } - } - ] - }, - "examples": [ - ["shared/jqschema.md", "shared/reporting.md"], - ["shared/mcp/gh-aw.md", "shared/jqschema.md", "shared/reporting.md"], - ["../instructions/documentation.instructions.md"], - [".github/agents/my-agent.md"], - [ - { - "path": "shared/discussions-data-fetch.md", - "inputs": { - "count": 50 - } - } - ] - ] - }, - "on": { - "description": "Workflow triggers that define when the agentic workflow should run. Supports standard GitHub Actions trigger events plus special command triggers for /commands (required)", - "examples": [ - { - "issues": { - "types": ["opened"] - } - }, - { - "pull_request": { - "types": ["opened", "synchronize"] - } - }, - "workflow_dispatch", - { - "schedule": "daily at 9am" - }, - "/my-bot" - ], - "oneOf": [ - { - "type": "string", - "minLength": 1, - "description": "Simple trigger event name (e.g., 'push', 'issues', 'pull_request', 'discussion', 'schedule', 'fork', 'create', 'delete', 'public', 'watch', 'workflow_call'), schedule shorthand (e.g., 'daily', 'weekly'), or slash command shorthand (e.g., '/my-bot' expands to slash_command + workflow_dispatch)", - "examples": ["push", "issues", "workflow_dispatch", "daily", "/my-bot"] - }, - { - "type": "object", - "description": "Complex trigger configuration with event-specific filters and options", - "properties": { - "slash_command": { - "description": "Special slash command trigger for /command workflows (e.g., '/my-bot' in issue comments). Creates conditions to match slash commands automatically.", - "oneOf": [ - { - "type": "null", - "description": "Null command configuration - defaults to using the workflow filename (without .md extension) as the command name" - }, - { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Command name as a string (shorthand format, e.g., 'customname' for '/customname' triggers). Command names must not start with '/' as the slash is automatically added when matching commands." - }, - { - "type": "object", - "description": "Command configuration object with custom command name", - "properties": { - "name": { - "oneOf": [ - { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Single command name for slash commands (e.g., 'helper-bot' for '/helper-bot' triggers). Command names must not start with '/' as the slash is automatically added when matching commands. Defaults to workflow filename without .md extension if not specified." - }, - { - "type": "array", - "minItems": 1, - "description": "Array of command names that trigger this workflow (e.g., ['cmd.add', 'cmd.remove'] for '/cmd.add' and '/cmd.remove' triggers). Each command name must not start with '/'.", - "items": { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Command name without leading slash" - } - } - ] - }, - "events": { - "description": "Events where the command should be active. Default is all comment-related events ('*'). Use GitHub Actions event names.", - "oneOf": [ - { - "type": "string", - "description": "Single event name or '*' for all events. Use GitHub Actions event names: 'issues', 'issue_comment', 'pull_request_comment', 'pull_request', 'pull_request_review_comment', 'discussion', 'discussion_comment'.", - "enum": ["*", "issues", "issue_comment", "pull_request_comment", "pull_request", "pull_request_review_comment", "discussion", "discussion_comment"] - }, - { - "type": "array", - "minItems": 1, - "description": "Array of event names where the command should be active (requires at least one). Use GitHub Actions event names.", - "items": { - "type": "string", - "description": "GitHub Actions event name.", - "enum": ["*", "issues", "issue_comment", "pull_request_comment", "pull_request", "pull_request_review_comment", "discussion", "discussion_comment"] - } - } - ] - } - }, - "additionalProperties": false - } - ] - }, - "command": { - "description": "DEPRECATED: Use 'slash_command' instead. Special command trigger for /command workflows (e.g., '/my-bot' in issue comments). Creates conditions to match slash commands automatically.", - "oneOf": [ - { - "type": "null", - "description": "Null command configuration - defaults to using the workflow filename (without .md extension) as the command name" - }, - { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Command name as a string (shorthand format, e.g., 'customname' for '/customname' triggers). Command names must not start with '/' as the slash is automatically added when matching commands." - }, - { - "type": "object", - "description": "Command configuration object with custom command name", - "properties": { - "name": { - "oneOf": [ - { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Custom command name for slash commands (e.g., 'helper-bot' for '/helper-bot' triggers). Command names must not start with '/' as the slash is automatically added when matching commands. Defaults to workflow filename without .md extension if not specified." - }, - { - "type": "array", - "minItems": 1, - "description": "Array of command names that trigger this workflow (e.g., ['cmd.add', 'cmd.remove'] for '/cmd.add' and '/cmd.remove' triggers). Each command name must not start with '/'.", - "items": { - "type": "string", - "minLength": 1, - "pattern": "^[^/]", - "description": "Command name without leading slash" - } - } - ] - }, - "events": { - "description": "Events where the command should be active. Default is all comment-related events ('*'). Use GitHub Actions event names.", - "oneOf": [ - { - "type": "string", - "description": "Single event name or '*' for all events. Use GitHub Actions event names: 'issues', 'issue_comment', 'pull_request_comment', 'pull_request', 'pull_request_review_comment', 'discussion', 'discussion_comment'.", - "enum": ["*", "issues", "issue_comment", "pull_request_comment", "pull_request", "pull_request_review_comment", "discussion", "discussion_comment"] - }, - { - "type": "array", - "minItems": 1, - "description": "Array of event names where the command should be active (requires at least one). Use GitHub Actions event names.", - "items": { - "type": "string", - "description": "GitHub Actions event name.", - "enum": ["*", "issues", "issue_comment", "pull_request_comment", "pull_request", "pull_request_review_comment", "discussion", "discussion_comment"] - } - } - ] - } - }, - "additionalProperties": false - } - ] - }, - "push": { - "description": "Push event trigger that runs the workflow when code is pushed to the repository", - "type": "object", - "additionalProperties": false, - "properties": { - "branches": { - "type": "array", - "$comment": "Mutually exclusive with branches-ignore. GitHub Actions requires only one to be specified.", - "description": "Branches to filter on", - "items": { - "type": "string" - } - }, - "branches-ignore": { - "type": "array", - "$comment": "Mutually exclusive with branches. GitHub Actions requires only one to be specified.", - "description": "Branches to ignore", - "items": { - "type": "string" - } - }, - "paths": { - "type": "array", - "$comment": "Mutually exclusive with paths-ignore. GitHub Actions requires only one to be specified.", - "description": "Paths to filter on", - "items": { - "type": "string" - } - }, - "paths-ignore": { - "type": "array", - "$comment": "Mutually exclusive with paths. GitHub Actions requires only one to be specified.", - "description": "Paths to ignore", - "items": { - "type": "string" - } - }, - "tags": { - "type": "array", - "description": "List of git tag names or patterns to include for push events (supports wildcards)", - "items": { - "type": "string" - } - }, - "tags-ignore": { - "type": "array", - "description": "List of git tag names or patterns to exclude from push events (supports wildcards)", - "items": { - "type": "string" - } - } - }, - "oneOf": [ - { - "required": ["branches"], - "not": { - "required": ["branches-ignore"] - } - }, - { - "required": ["branches-ignore"], - "not": { - "required": ["branches"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["branches"] - }, - { - "required": ["branches-ignore"] - } - ] - } - } - ], - "allOf": [ - { - "oneOf": [ - { - "required": ["paths"], - "not": { - "required": ["paths-ignore"] - } - }, - { - "required": ["paths-ignore"], - "not": { - "required": ["paths"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["paths"] - }, - { - "required": ["paths-ignore"] - } - ] - } - } - ] - } - ] - }, - "pull_request": { - "description": "Pull request event trigger that runs the workflow when pull requests are created, updated, or closed", - "type": "object", - "properties": { - "types": { - "type": "array", - "description": "Pull request event types to trigger on. Note: 'converted_to_draft' and 'ready_for_review' represent state transitions (events) rather than states. While technically valid to listen for both, consider if you need to handle both transitions or just one.", - "$comment": "converted_to_draft and ready_for_review are logically opposite state transitions. Using both may indicate unclear intent.", - "items": { - "type": "string", - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "converted_to_draft", - "locked", - "unlocked", - "enqueued", - "dequeued", - "milestoned", - "demilestoned", - "ready_for_review", - "review_requested", - "review_request_removed", - "auto_merge_enabled", - "auto_merge_disabled" - ] - } - }, - "branches": { - "type": "array", - "$comment": "Mutually exclusive with branches-ignore. GitHub Actions requires only one to be specified.", - "description": "Branches to filter on", - "items": { - "type": "string" - } - }, - "branches-ignore": { - "type": "array", - "$comment": "Mutually exclusive with branches. GitHub Actions requires only one to be specified.", - "description": "Branches to ignore", - "items": { - "type": "string" - } - }, - "paths": { - "type": "array", - "$comment": "Mutually exclusive with paths-ignore. GitHub Actions requires only one to be specified.", - "description": "Paths to filter on", - "items": { - "type": "string" - } - }, - "paths-ignore": { - "type": "array", - "$comment": "Mutually exclusive with paths. GitHub Actions requires only one to be specified.", - "description": "Paths to ignore", - "items": { - "type": "string" - } - }, - "draft": { - "type": "boolean", - "description": "Filter by draft pull request state. Set to false to exclude draft PRs, true to include only drafts, or omit to include both" - }, - "forks": { - "oneOf": [ - { - "type": "string", - "description": "Single fork pattern (e.g., '*' for all forks, 'org/*' for org glob, 'org/repo' for exact match)" - }, - { - "type": "array", - "description": "List of allowed fork repositories with glob support (e.g., 'org/repo', 'org/*', '*' for all forks)", - "items": { - "type": "string", - "description": "Repository pattern with optional glob support" - } - } - ] - }, - "names": { - "oneOf": [ - { - "type": "string", - "description": "Single label name to filter labeled/unlabeled events (e.g., 'bug')" - }, - { - "type": "array", - "description": "List of label names to filter labeled/unlabeled events. Only applies when 'labeled' or 'unlabeled' is in the types array", - "items": { - "type": "string", - "description": "Label name" - }, - "minItems": 1 - } - ] - } - }, - "additionalProperties": false, - "oneOf": [ - { - "required": ["branches"], - "not": { - "required": ["branches-ignore"] - } - }, - { - "required": ["branches-ignore"], - "not": { - "required": ["branches"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["branches"] - }, - { - "required": ["branches-ignore"] - } - ] - } - } - ], - "allOf": [ - { - "oneOf": [ - { - "required": ["paths"], - "not": { - "required": ["paths-ignore"] - } - }, - { - "required": ["paths-ignore"], - "not": { - "required": ["paths"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["paths"] - }, - { - "required": ["paths-ignore"] - } - ] - } - } - ] - } - ] - }, - "issues": { - "description": "Issues event trigger that runs when repository issues are created, updated, or managed", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of issue events", - "items": { - "type": "string", - "enum": ["opened", "edited", "deleted", "transferred", "pinned", "unpinned", "closed", "reopened", "assigned", "unassigned", "labeled", "unlabeled", "locked", "unlocked", "milestoned", "demilestoned", "typed", "untyped"] - } - }, - "names": { - "oneOf": [ - { - "type": "string", - "description": "Single label name to filter labeled/unlabeled events (e.g., 'bug')" - }, - { - "type": "array", - "description": "List of label names to filter labeled/unlabeled events. Only applies when 'labeled' or 'unlabeled' is in the types array", - "items": { - "type": "string", - "description": "Label name" - }, - "minItems": 1 - } - ] - }, - "lock-for-agent": { - "type": "boolean", - "description": "Whether to lock the issue for the agent when the workflow runs (prevents concurrent modifications)" - } - } - }, - "issue_comment": { - "description": "Issue comment event trigger", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of issue comment events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - } - }, - "lock-for-agent": { - "type": "boolean", - "description": "Whether to lock the parent issue for the agent when the workflow runs (prevents concurrent modifications)" - } - } - }, - "discussion": { - "description": "Discussion event trigger that runs the workflow when repository discussions are created, updated, or managed", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of discussion events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted", "transferred", "pinned", "unpinned", "labeled", "unlabeled", "locked", "unlocked", "category_changed", "answered", "unanswered"] - } - } - } - }, - "discussion_comment": { - "description": "Discussion comment event trigger that runs the workflow when comments on discussions are created, updated, or deleted", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of discussion comment events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - } - } - } - }, - "schedule": { - "description": "Scheduled trigger events using human-friendly format or standard cron expressions. Supports shorthand string notation (e.g., 'daily at 3pm') or array of schedule objects. Human-friendly formats are automatically converted to cron expressions with the original format preserved as comments in the generated workflow.", - "oneOf": [ - { - "type": "string", - "minLength": 1, - "description": "Shorthand schedule string using human-friendly format. Examples: 'daily at 02:00', 'daily at 3pm', 'daily at 6am', 'weekly on monday at 06:30', 'weekly on friday at 5pm', 'monthly on 15 at 09:00', 'monthly on 15 at 9am', 'every 10 minutes', 'every 2h', 'every 1d', 'daily at 02:00 utc+9', 'daily at 3pm utc+9'. Supports 12-hour format (1am-12am, 1pm-12pm), 24-hour format (HH:MM), midnight, noon. Minimum interval is 5 minutes. Converted to standard cron expression automatically." - }, - { - "type": "array", - "minItems": 1, - "description": "Array of schedule objects with cron expressions (standard or human-friendly format)", - "items": { - "type": "object", - "properties": { - "cron": { - "type": "string", - "description": "Cron expression using standard format (e.g., '0 9 * * 1') or human-friendly format (e.g., 'daily at 02:00', 'daily at 3pm', 'daily at 6am', 'weekly on monday', 'weekly on friday at 5pm', 'every 10 minutes', 'every 2h', 'daily at 02:00 utc+9', 'daily at 3pm utc+9'). Human-friendly formats support: daily/weekly/monthly schedules with optional time, interval schedules (minimum 5 minutes), short duration units (m/h/d/w/mo), 12-hour time format (Npm/Nam where N is 1-12), and UTC timezone offsets (utc+N or utc+HH:MM)." - } - }, - "required": ["cron"], - "additionalProperties": false - } - } - ] - }, - "workflow_dispatch": { - "description": "Manual workflow dispatch trigger", - "oneOf": [ - { - "type": "null", - "description": "Simple workflow dispatch trigger" - }, - { - "type": "object", - "additionalProperties": false, - "properties": { - "inputs": { - "type": "object", - "description": "Input parameters for manual dispatch", - "maxProperties": 25, - "additionalProperties": { - "type": "object", - "additionalProperties": false, - "properties": { - "description": { - "type": "string", - "description": "Input description" - }, - "required": { - "type": "boolean", - "description": "Whether input is required" - }, - "default": { - "type": "string", - "description": "Default value" - }, - "type": { - "type": "string", - "enum": ["string", "choice", "boolean"], - "description": "Input type" - }, - "options": { - "type": "array", - "description": "Options for choice type", - "items": { - "type": "string" - } - } - } - } - } - } - } - ] - }, - "workflow_run": { - "description": "Workflow run trigger", - "type": "object", - "additionalProperties": false, - "properties": { - "workflows": { - "type": "array", - "description": "List of workflows to trigger on", - "items": { - "type": "string" - } - }, - "types": { - "type": "array", - "description": "Types of workflow run events", - "items": { - "type": "string", - "enum": ["completed", "requested", "in_progress"] - } - }, - "branches": { - "type": "array", - "$comment": "Mutually exclusive with branches-ignore. GitHub Actions requires only one to be specified.", - "description": "Branches to filter on", - "items": { - "type": "string" - } - }, - "branches-ignore": { - "type": "array", - "$comment": "Mutually exclusive with branches. GitHub Actions requires only one to be specified.", - "description": "Branches to ignore", - "items": { - "type": "string" - } - } - }, - "oneOf": [ - { - "required": ["branches"], - "not": { - "required": ["branches-ignore"] - } - }, - { - "required": ["branches-ignore"], - "not": { - "required": ["branches"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["branches"] - }, - { - "required": ["branches-ignore"] - } - ] - } - } - ] - }, - "release": { - "description": "Release event trigger", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of release events", - "items": { - "type": "string", - "enum": ["published", "unpublished", "created", "edited", "deleted", "prereleased", "released"] - } - } - } - }, - "pull_request_review_comment": { - "description": "Pull request review comment event trigger", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of pull request review comment events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - } - } - } - }, - "branch_protection_rule": { - "description": "Branch protection rule event trigger that runs when branch protection rules are changed", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of branch protection rule events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - } - } - } - }, - "check_run": { - "description": "Check run event trigger that runs when a check run is created, rerequested, completed, or has a requested action", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of check run events", - "items": { - "type": "string", - "enum": ["created", "rerequested", "completed", "requested_action"] - } - } - } - }, - "check_suite": { - "description": "Check suite event trigger that runs when check suite activity occurs", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of check suite events", - "items": { - "type": "string", - "enum": ["completed"] - } - } - } - }, - "create": { - "description": "Create event trigger that runs when a Git reference (branch or tag) is created", - "oneOf": [ - { - "type": "null", - "description": "Simple create event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "delete": { - "description": "Delete event trigger that runs when a Git reference (branch or tag) is deleted", - "oneOf": [ - { - "type": "null", - "description": "Simple delete event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "deployment": { - "description": "Deployment event trigger that runs when a deployment is created", - "oneOf": [ - { - "type": "null", - "description": "Simple deployment event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "deployment_status": { - "description": "Deployment status event trigger that runs when a deployment status is updated", - "oneOf": [ - { - "type": "null", - "description": "Simple deployment status event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "fork": { - "description": "Fork event trigger that runs when someone forks the repository", - "oneOf": [ - { - "type": "null", - "description": "Simple fork event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "gollum": { - "description": "Gollum event trigger that runs when someone creates or updates a Wiki page", - "oneOf": [ - { - "type": "null", - "description": "Simple gollum event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "label": { - "description": "Label event trigger that runs when a label is created, edited, or deleted", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of label events", - "items": { - "type": "string", - "enum": ["created", "edited", "deleted"] - } - } - } - }, - "merge_group": { - "description": "Merge group event trigger that runs when a pull request is added to a merge queue", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of merge group events", - "items": { - "type": "string", - "enum": ["checks_requested"] - } - } - } - }, - "milestone": { - "description": "Milestone event trigger that runs when a milestone is created, closed, opened, edited, or deleted", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of milestone events", - "items": { - "type": "string", - "enum": ["created", "closed", "opened", "edited", "deleted"] - } - } - } - }, - "page_build": { - "description": "Page build event trigger that runs when someone pushes to a GitHub Pages publishing source branch", - "oneOf": [ - { - "type": "null", - "description": "Simple page build event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "public": { - "description": "Public event trigger that runs when a repository changes from private to public", - "oneOf": [ - { - "type": "null", - "description": "Simple public event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "pull_request_target": { - "description": "Pull request target event trigger that runs in the context of the base repository (secure for fork PRs)", - "type": "object", - "properties": { - "types": { - "type": "array", - "description": "List of pull request target event types to trigger on", - "items": { - "type": "string", - "enum": [ - "assigned", - "unassigned", - "labeled", - "unlabeled", - "opened", - "edited", - "closed", - "reopened", - "synchronize", - "converted_to_draft", - "locked", - "unlocked", - "enqueued", - "dequeued", - "review_requested", - "review_request_removed", - "auto_merge_enabled", - "auto_merge_disabled" - ] - } - }, - "branches": { - "type": "array", - "$comment": "Mutually exclusive with branches-ignore. GitHub Actions requires only one to be specified.", - "description": "Branches to filter on", - "items": { - "type": "string" - } - }, - "branches-ignore": { - "type": "array", - "$comment": "Mutually exclusive with branches. GitHub Actions requires only one to be specified.", - "description": "Branches to ignore", - "items": { - "type": "string" - } - }, - "paths": { - "type": "array", - "$comment": "Mutually exclusive with paths-ignore. GitHub Actions requires only one to be specified.", - "description": "Paths to filter on", - "items": { - "type": "string" - } - }, - "paths-ignore": { - "type": "array", - "$comment": "Mutually exclusive with paths. GitHub Actions requires only one to be specified.", - "description": "Paths to ignore", - "items": { - "type": "string" - } - }, - "draft": { - "type": "boolean", - "description": "Filter by draft pull request state" - }, - "forks": { - "oneOf": [ - { - "type": "string", - "description": "Single fork pattern" - }, - { - "type": "array", - "description": "List of allowed fork repositories with glob support", - "items": { - "type": "string" - } - } - ] - } - }, - "additionalProperties": false, - "oneOf": [ - { - "required": ["branches"], - "not": { - "required": ["branches-ignore"] - } - }, - { - "required": ["branches-ignore"], - "not": { - "required": ["branches"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["branches"] - }, - { - "required": ["branches-ignore"] - } - ] - } - } - ], - "allOf": [ - { - "oneOf": [ - { - "required": ["paths"], - "not": { - "required": ["paths-ignore"] - } - }, - { - "required": ["paths-ignore"], - "not": { - "required": ["paths"] - } - }, - { - "not": { - "anyOf": [ - { - "required": ["paths"] - }, - { - "required": ["paths-ignore"] - } - ] - } - } - ] - } - ] - }, - "pull_request_review": { - "description": "Pull request review event trigger that runs when a pull request review is submitted, edited, or dismissed", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of pull request review events", - "items": { - "type": "string", - "enum": ["submitted", "edited", "dismissed"] - } - } - } - }, - "registry_package": { - "description": "Registry package event trigger that runs when a package is published or updated", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of registry package events", - "items": { - "type": "string", - "enum": ["published", "updated"] - } - } - } - }, - "repository_dispatch": { - "description": "Repository dispatch event trigger for custom webhook events", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Custom event types to trigger on", - "items": { - "type": "string" - } - } - } - }, - "status": { - "description": "Status event trigger that runs when the status of a Git commit changes", - "oneOf": [ - { - "type": "null", - "description": "Simple status event trigger" - }, - { - "type": "object", - "additionalProperties": false - } - ] - }, - "watch": { - "description": "Watch event trigger that runs when someone stars the repository", - "type": "object", - "additionalProperties": false, - "properties": { - "types": { - "type": "array", - "description": "Types of watch events", - "items": { - "type": "string", - "enum": ["started"] - } - } - } - }, - "workflow_call": { - "description": "Workflow call event trigger that allows this workflow to be called by another workflow", - "oneOf": [ - { - "type": "null", - "description": "Simple workflow call event trigger" - }, - { - "type": "object", - "additionalProperties": false, - "properties": { - "inputs": { - "type": "object", - "description": "Input parameters that can be passed to the workflow when it is called", - "additionalProperties": { - "type": "object", - "properties": { - "description": { - "type": "string", - "description": "Description of the input parameter" - }, - "required": { - "type": "boolean", - "description": "Whether the input is required" - }, - "type": { - "type": "string", - "enum": ["string", "number", "boolean"], - "description": "Type of the input parameter" - }, - "default": { - "description": "Default value for the input parameter" - } - } - } - }, - "secrets": { - "type": "object", - "description": "Secrets that can be passed to the workflow when it is called", - "additionalProperties": { - "type": "object", - "properties": { - "description": { - "type": "string", - "description": "Description of the secret" - }, - "required": { - "type": "boolean", - "description": "Whether the secret is required" - } - } - } - } - } - } - ] - }, - "stop-after": { - "type": "string", - "description": "Time when workflow should stop running. Supports multiple formats: absolute dates (YYYY-MM-DD HH:MM:SS, June 1 2025, 1st June 2025, 06/01/2025, etc.) or relative time deltas (+25h, +3d, +1d12h30m). Maximum values for time deltas: 12mo, 52w, 365d, 8760h (365 days). Note: Minute unit 'm' is not allowed for stop-after; minimum unit is hours 'h'." - }, - "skip-if-match": { - "oneOf": [ - { - "type": "string", - "description": "GitHub search query string to check before running workflow (implies max=1). If the search returns any results, the workflow will be skipped. Query is automatically scoped to the current repository. Example: 'is:issue is:open label:bug'" - }, - { - "type": "object", - "required": ["query"], - "properties": { - "query": { - "type": "string", - "description": "GitHub search query string to check before running workflow. Query is automatically scoped to the current repository." - }, - "max": { - "type": "integer", - "minimum": 1, - "description": "Maximum number of items that must be matched for the workflow to be skipped. Defaults to 1 if not specified." - } - }, - "additionalProperties": false, - "description": "Skip-if-match configuration object with query and maximum match count" - } - ], - "description": "Conditionally skip workflow execution when a GitHub search query has matches. Can be a string (query only, implies max=1) or an object with 'query' and optional 'max' fields." - }, - "skip-if-no-match": { - "oneOf": [ - { - "type": "string", - "description": "GitHub search query string to check before running workflow (implies min=1). If the search returns no results, the workflow will be skipped. Query is automatically scoped to the current repository. Example: 'is:pr is:open label:ready-to-deploy'" - }, - { - "type": "object", - "required": ["query"], - "properties": { - "query": { - "type": "string", - "description": "GitHub search query string to check before running workflow. Query is automatically scoped to the current repository." - }, - "min": { - "type": "integer", - "minimum": 1, - "description": "Minimum number of items that must be matched for the workflow to proceed. Defaults to 1 if not specified." - } - }, - "additionalProperties": false, - "description": "Skip-if-no-match configuration object with query and minimum match count" - } - ], - "description": "Conditionally skip workflow execution when a GitHub search query has no matches (or fewer than minimum). Can be a string (query only, implies min=1) or an object with 'query' and optional 'min' fields." - }, - "manual-approval": { - "type": "string", - "description": "Environment name that requires manual approval before the workflow can run. Must match a valid environment configured in the repository settings." - }, - "reaction": { - "oneOf": [ - { - "type": "string", - "enum": ["+1", "-1", "laugh", "confused", "heart", "hooray", "rocket", "eyes", "none"] - }, - { - "type": "integer", - "enum": [1, -1], - "description": "YAML parses +1 and -1 without quotes as integers. These are converted to +1 and -1 strings respectively." - } - ], - "default": "eyes", - "description": "AI reaction to add/remove on triggering item (one of: +1, -1, laugh, confused, heart, hooray, rocket, eyes, none). Use 'none' to disable reactions. Defaults to 'eyes' if not specified.", - "examples": ["eyes", "rocket", "+1", 1, -1, "none"] - } - }, - "additionalProperties": false, - "examples": [ - { - "schedule": [ - { - "cron": "0 0 * * *" - } - ], - "workflow_dispatch": null - }, - { - "command": { - "name": "mergefest", - "events": ["pull_request_comment"] - } - }, - { - "workflow_run": { - "workflows": ["Dev"], - "types": ["completed"], - "branches": ["copilot/**"] - } - }, - { - "pull_request": { - "types": ["ready_for_review"] - }, - "workflow_dispatch": null - }, - { - "push": { - "branches": ["main"] - } - } - ] - } - ] - }, - "permissions": { - "description": "GitHub token permissions for the workflow. Controls what the GITHUB_TOKEN can access during execution. Use the principle of least privilege - only grant the minimum permissions needed.", - "examples": [ - "read-all", - { - "contents": "read", - "actions": "read", - "pull-requests": "read" - }, - { - "contents": "read", - "actions": "read" - }, - { - "all": "read" - } - ], - "oneOf": [ - { - "type": "string", - "enum": ["read-all", "write-all", "read", "write"], - "description": "Simple permissions string: 'read-all' (all read permissions), 'write-all' (all write permissions), 'read' or 'write' (basic level)" - }, - { - "type": "object", - "description": "Detailed permissions object with granular control over specific GitHub API scopes", - "additionalProperties": false, - "properties": { - "actions": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for GitHub Actions workflows and runs (read: view workflows, write: manage workflows, none: no access)" - }, - "attestations": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for artifact attestations (read: view attestations, write: create attestations, none: no access)" - }, - "checks": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository checks and status checks (read: view checks, write: create/update checks, none: no access)" - }, - "contents": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository contents (read: view files, write: modify files/branches, none: no access)" - }, - "deployments": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository deployments (read: view deployments, write: create/update deployments, none: no access)" - }, - "discussions": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository discussions (read: view discussions, write: create/update discussions, none: no access)" - }, - "id-token": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "issues": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository issues (read: view issues, write: create/update/close issues, none: no access)" - }, - "models": { - "type": "string", - "enum": ["read", "none"], - "description": "Permission for GitHub Copilot models (read: access AI models for agentic workflows, none: no access)" - }, - "metadata": { - "type": "string", - "enum": ["read", "write", "none"], - "description": "Permission for repository metadata (read: view repository information, write: update repository metadata, none: no access)" - }, - "packages": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "pages": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "pull-requests": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "security-events": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "statuses": { - "type": "string", - "enum": ["read", "write", "none"] - }, - "all": { - "type": "string", - "enum": ["read"], - "description": "Permission shorthand that applies read access to all permission scopes. Can be combined with specific write permissions to override individual scopes. 'write' is not allowed for all." - } - } - } - ] - }, - "run-name": { - "type": "string", - "description": "Custom name for workflow runs that appears in the GitHub Actions interface (supports GitHub expressions like ${{ github.event.issue.title }})", - "examples": ["Deploy to ${{ github.event.inputs.environment }}", "Build #${{ github.run_number }}"] - }, - "jobs": { - "type": "object", - "description": "Groups together all the jobs that run in the workflow", - "additionalProperties": { - "type": "object", - "description": "Job definition", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name of the job" - }, - "runs-on": { - "oneOf": [ - { - "type": "string", - "description": "Runner type as string" - }, - { - "type": "array", - "description": "Runner type as array", - "items": { - "type": "string" - } - }, - { - "type": "object", - "description": "Runner type as object", - "additionalProperties": false - } - ] - }, - "steps": { - "type": "array", - "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry.", - "items": { - "type": "object", - "additionalProperties": false, - "oneOf": [ - { - "required": ["uses"] - }, - { - "required": ["run"] - } - ], - "properties": { - "id": { - "type": "string", - "description": "A unique identifier for the step. You can use the id to reference the step in contexts." - }, - "if": { - "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.", - "oneOf": [ - { - "type": "boolean" - }, - { - "type": "number" - }, - { - "type": "string" - } - ] - }, - "name": { - "type": "string", - "description": "A name for your step to display on GitHub." - }, - "uses": { - "type": "string", - "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code." - }, - "run": { - "type": "string", - "description": "Runs command-line programs using the operating system's shell." - }, - "working-directory": { - "type": "string", - "description": "Working directory where to run the command." - }, - "shell": { - "type": "string", - "description": "Shell to use for running the command." - }, - "with": { - "type": "object", - "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair.", - "additionalProperties": true - }, - "env": { - "type": "object", - "description": "Sets environment variables for steps to use in the virtual environment.", - "additionalProperties": { - "type": "string" - } - }, - "continue-on-error": { - "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", - "oneOf": [ - { - "type": "boolean" - }, - { - "type": "string" - } - ] - }, - "timeout-minutes": { - "description": "The maximum number of minutes to run the step before killing the process.", - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - } - } - } - }, - "if": { - "type": "string", - "description": "Conditional execution for the job" - }, - "needs": { - "oneOf": [ - { - "type": "string", - "description": "Single job dependency" - }, - { - "type": "array", - "description": "Multiple job dependencies", - "items": { - "type": "string" - } - } - ] - }, - "env": { - "type": "object", - "description": "Environment variables for the job", - "additionalProperties": { - "type": "string" - } - }, - "permissions": { - "$ref": "#/properties/permissions" - }, - "timeout-minutes": { - "type": "integer", - "description": "Job timeout in minutes" - }, - "strategy": { - "type": "object", - "description": "Matrix strategy for the job", - "additionalProperties": false - }, - "continue-on-error": { - "type": "boolean", - "description": "Continue workflow on job failure" - }, - "container": { - "type": "object", - "description": "Container to run the job in", - "additionalProperties": false - }, - "services": { - "type": "object", - "description": "Service containers for the job", - "additionalProperties": { - "type": "object", - "additionalProperties": false - } - }, - "outputs": { - "type": "object", - "description": "Job outputs", - "additionalProperties": { - "type": "string" - } - }, - "concurrency": { - "$ref": "#/properties/concurrency" - }, - "uses": { - "type": "string", - "description": "Path to a reusable workflow file to call (e.g., ./.github/workflows/reusable-workflow.yml)" - }, - "with": { - "type": "object", - "description": "Input parameters to pass to the reusable workflow", - "additionalProperties": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "number" - }, - { - "type": "boolean" - } - ] - } - }, - "secrets": { - "type": "object", - "description": "Secrets to pass to the reusable workflow. Values must be GitHub Actions expressions referencing secrets (e.g., ${{ secrets.MY_SECRET }} or ${{ secrets.SECRET1 || secrets.SECRET2 }}).", - "additionalProperties": { - "$ref": "#/$defs/github_token" - } - } - } - } - }, - "runs-on": { - "description": "Runner type for workflow execution (GitHub Actions standard field). Supports multiple forms: simple string for single runner label (e.g., 'ubuntu-latest'), array for runner selection with fallbacks, or object for GitHub-hosted runner groups with specific labels. For agentic workflows, runner selection matters when AI workloads require specific compute resources or when using self-hosted runners with specialized capabilities. Typically configured at the job level instead. See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job", - "oneOf": [ - { - "type": "string", - "description": "Simple runner label string. Use for standard GitHub-hosted runners (e.g., 'ubuntu-latest', 'windows-latest', 'macos-latest') or self-hosted runner labels. Most common form for agentic workflows." - }, - { - "type": "array", - "description": "Array of runner labels for selection with fallbacks. GitHub Actions will use the first available runner that matches any label in the array. Useful for high-availability setups or when multiple runner types are acceptable.", - "items": { - "type": "string" - } - }, - { - "type": "object", - "description": "Runner group configuration for GitHub-hosted runners. Use this form to target specific runner groups (e.g., larger runners with more CPU/memory) or self-hosted runner pools with specific label requirements. Agentic workflows may benefit from larger runners for complex AI processing tasks.", - "additionalProperties": false, - "properties": { - "group": { - "type": "string", - "description": "Runner group name for self-hosted runners or GitHub-hosted runner groups" - }, - "labels": { - "type": "array", - "description": "List of runner labels for self-hosted runners or GitHub-hosted runner selection", - "items": { - "type": "string" - } - } - } - } - ], - "examples": [ - "ubuntu-latest", - ["ubuntu-latest", "self-hosted"], - { - "group": "larger-runners", - "labels": ["ubuntu-latest-8-cores"] - } - ] - }, - "timeout-minutes": { - "type": "integer", - "description": "Workflow timeout in minutes (GitHub Actions standard field). Defaults to 20 minutes for agentic workflows. Has sensible defaults and can typically be omitted.", - "examples": [5, 10, 30] - }, - "timeout_minutes": { - "type": "integer", - "description": "Deprecated: Use 'timeout-minutes' instead. Workflow timeout in minutes. Defaults to 20 minutes for agentic workflows.", - "examples": [5, 10, 30], - "deprecated": true - }, - "concurrency": { - "description": "Concurrency control to limit concurrent workflow runs (GitHub Actions standard field). Supports two forms: simple string for basic group isolation, or object with cancel-in-progress option for advanced control. Agentic workflows enhance this with automatic per-engine concurrency policies (defaults to single job per engine across all workflows) and token-based rate limiting. Default behavior: workflows in the same group queue sequentially unless cancel-in-progress is true. See https://docs.github.com/en/actions/using-jobs/using-concurrency", - "oneOf": [ - { - "type": "string", - "description": "Simple concurrency group name to prevent multiple runs in the same group. Use expressions like '${{ github.workflow }}' for per-workflow isolation or '${{ github.ref }}' for per-branch isolation. Agentic workflows automatically generate enhanced concurrency policies using 'gh-aw-{engine-id}' as the default group to limit concurrent AI workloads across all workflows using the same engine.", - "examples": ["my-workflow-group", "workflow-${{ github.ref }}"] - }, - { - "type": "object", - "description": "Concurrency configuration object with group isolation and cancellation control. Use object form when you need fine-grained control over whether to cancel in-progress runs. For agentic workflows, this is useful to prevent multiple AI agents from running simultaneously and consuming excessive resources or API quotas.", - "additionalProperties": false, - "properties": { - "group": { - "type": "string", - "description": "Concurrency group name. Workflows in the same group cannot run simultaneously. Supports GitHub Actions expressions for dynamic group names based on branch, workflow, or other context." - }, - "cancel-in-progress": { - "type": "boolean", - "description": "Whether to cancel in-progress workflows in the same concurrency group when a new one starts. Default: false (queue new runs). Set to true for agentic workflows where only the latest run matters (e.g., PR analysis that becomes stale when new commits are pushed)." - } - }, - "required": ["group"], - "examples": [ - { - "group": "dev-workflow-${{ github.ref }}", - "cancel-in-progress": true - } - ] - } - ], - "examples": [ - "my-workflow-group", - "workflow-${{ github.ref }}", - { - "group": "agentic-analysis-${{ github.workflow }}", - "cancel-in-progress": false - }, - { - "group": "pr-review-${{ github.event.pull_request.number }}", - "cancel-in-progress": true - } - ] - }, - "env": { - "$comment": "See environment variable precedence documentation: https://github.github.io/gh-aw/reference/environment-variables/", - "description": "Environment variables for the workflow", - "oneOf": [ - { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "examples": [ - { - "NODE_ENV": "production", - "API_KEY": "${{ secrets.API_KEY }}" - } - ] - }, - { - "type": "string" - } - ] - }, - "features": { - "description": "Feature flags and configuration options for experimental or optional features in the workflow. Each feature can be a boolean flag or a string value. The 'action-tag' feature (string) specifies the tag or SHA to use when referencing actions/setup in compiled workflows (for testing purposes only).", - "type": "object", - "additionalProperties": true, - "examples": [ - { - "action-tag": "v1.0.0" - }, - { - "action-tag": "abc123def456", - "experimental-feature": true - } - ] - }, - "environment": { - "description": "Environment that the job references (for protected environments and deployments)", - "oneOf": [ - { - "type": "string", - "description": "Environment name as a string" - }, - { - "type": "object", - "description": "Environment object with name and optional URL", - "properties": { - "name": { - "type": "string", - "description": "The name of the environment configured in the repo" - }, - "url": { - "type": "string", - "description": "A deployment URL" - } - }, - "required": ["name"], - "additionalProperties": false - } - ] - }, - "container": { - "description": "Container to run the job steps in", - "oneOf": [ - { - "type": "string", - "description": "Docker image name (e.g., 'node:18', 'ubuntu:latest')" - }, - { - "type": "object", - "description": "Container configuration object", - "properties": { - "image": { - "type": "string", - "description": "The Docker image to use as the container" - }, - "credentials": { - "type": "object", - "description": "Credentials for private registries", - "properties": { - "username": { - "type": "string" - }, - "password": { - "type": "string" - } - }, - "additionalProperties": false - }, - "env": { - "type": "object", - "description": "Environment variables for the container", - "additionalProperties": { - "type": "string" - } - }, - "ports": { - "type": "array", - "description": "Ports to expose on the container", - "items": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - } - }, - "volumes": { - "type": "array", - "description": "Volumes for the container", - "items": { - "type": "string" - } - }, - "options": { - "type": "string", - "description": "Additional Docker container options" - } - }, - "required": ["image"], - "additionalProperties": false - } - ] - }, - "services": { - "description": "Service containers for the job", - "type": "object", - "additionalProperties": { - "oneOf": [ - { - "type": "string", - "description": "Docker image name for the service" - }, - { - "type": "object", - "description": "Service container configuration", - "properties": { - "image": { - "type": "string", - "description": "The Docker image to use for the service" - }, - "credentials": { - "type": "object", - "description": "Credentials for private registries", - "properties": { - "username": { - "type": "string" - }, - "password": { - "type": "string" - } - }, - "additionalProperties": false - }, - "env": { - "type": "object", - "description": "Environment variables for the service", - "additionalProperties": { - "type": "string" - } - }, - "ports": { - "type": "array", - "description": "Ports to expose on the service", - "items": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string" - } - ] - } - }, - "volumes": { - "type": "array", - "description": "Volumes for the service", - "items": { - "type": "string" - } - }, - "options": { - "type": "string", - "description": "Additional Docker container options" - } - }, - "required": ["image"], - "additionalProperties": false - } - ] - } - }, - "network": { - "$comment": "Strict mode requirements: When strict=true, the 'network' field must be present (not null/undefined) and cannot contain wildcard '*' in allowed domains. This is validated in Go code (pkg/workflow/strict_mode_validation.go) via validateStrictNetwork().", - "description": "Network access control for AI engines using ecosystem identifiers and domain allowlists. Controls web fetch and search capabilities.", - "examples": [ - "defaults", - { - "allowed": ["defaults", "github"] - }, - { - "allowed": ["defaults", "python", "node", "*.example.com"] - }, - { - "allowed": ["api.openai.com", "*.github.com"], - "firewall": { - "version": "v1.0.0", - "log-level": "debug" - } - } - ], - "oneOf": [ - { - "type": "string", - "enum": ["defaults"], - "description": "Use default network permissions (basic infrastructure: certificates, JSON schema, Ubuntu, etc.)" - }, - { - "type": "object", - "description": "Custom network access configuration with ecosystem identifiers and specific domains", - "properties": { - "allowed": { - "type": "array", - "description": "List of allowed domains or ecosystem identifiers (e.g., 'defaults', 'python', 'node', '*.example.com')", - "items": { - "type": "string", - "description": "Domain name or ecosystem identifier (supports wildcards like '*.example.com' and ecosystem names like 'python', 'node')" - }, - "$comment": "Empty array is valid and means deny all network access. Omit the field entirely or use network: defaults to use default network permissions." - }, - "firewall": { - "description": "AWF (Agent Workflow Firewall) configuration for network egress control. Only supported for Copilot engine.", - "deprecated": true, - "x-deprecation-message": "Use 'sandbox.agent: false' instead to disable the firewall for the agent", - "oneOf": [ - { - "type": "null", - "description": "Enable AWF with default settings (equivalent to empty object)" - }, - { - "type": "boolean", - "description": "Enable (true) or explicitly disable (false) AWF firewall" - }, - { - "type": "string", - "enum": ["disable"], - "description": "Disable AWF firewall (triggers warning if allowed != *, error in strict mode if allowed is not * or engine does not support firewall)" - }, - { - "type": "object", - "description": "Custom AWF configuration with version and arguments", - "properties": { - "args": { - "type": "array", - "description": "Optional additional arguments to pass to AWF wrapper", - "items": { - "type": "string" - } - }, - "version": { - "type": ["string", "number"], - "description": "AWF version to use (empty = latest release). Can be a string (e.g., 'v1.0.0', 'latest') or number (e.g., 20, 3.11). Numeric values are automatically converted to strings at runtime.", - "examples": ["v1.0.0", "latest", 20, 3.11] - }, - "log-level": { - "type": "string", - "description": "AWF log level (default: info). Valid values: debug, info, warn, error", - "enum": ["debug", "info", "warn", "error"] - } - }, - "additionalProperties": false - } - ] - } - }, - "additionalProperties": false - } - ] - }, - "sandbox": { - "description": "Sandbox configuration for AI engines. Controls agent sandbox (AWF or Sandbox Runtime) and MCP gateway.", - "oneOf": [ - { - "type": "string", - "enum": ["default", "sandbox-runtime", "awf", "srt"], - "description": "Legacy string format for sandbox type: 'default' for no sandbox, 'sandbox-runtime' or 'srt' for Anthropic Sandbox Runtime, 'awf' for Agent Workflow Firewall" - }, - { - "type": "object", - "description": "Object format for full sandbox configuration with agent and mcp options", - "properties": { - "type": { - "type": "string", - "enum": ["default", "sandbox-runtime", "awf", "srt"], - "description": "Legacy sandbox type field (use agent instead)" - }, - "agent": { - "description": "Agent sandbox type: 'awf' uses AWF (Agent Workflow Firewall), 'srt' uses Anthropic Sandbox Runtime, or 'false' to disable firewall", - "oneOf": [ - { - "type": "boolean", - "enum": [false], - "description": "Set to false to disable the agent firewall" - }, - { - "type": "string", - "enum": ["awf", "srt"], - "description": "Sandbox type: 'awf' for Agent Workflow Firewall, 'srt' for Sandbox Runtime" - }, - { - "type": "object", - "description": "Custom sandbox runtime configuration", - "properties": { - "id": { - "type": "string", - "enum": ["awf", "srt"], - "description": "Agent identifier (replaces 'type' field in new format): 'awf' for Agent Workflow Firewall, 'srt' for Sandbox Runtime" - }, - "type": { - "type": "string", - "enum": ["awf", "srt"], - "description": "Legacy: Sandbox type to use (use 'id' instead)" - }, - "command": { - "type": "string", - "description": "Custom command to replace the default AWF or SRT installation. For AWF: 'docker run my-custom-awf-image'. For SRT: 'docker run my-custom-srt-wrapper'" - }, - "args": { - "type": "array", - "description": "Additional arguments to append to the command (applies to both AWF and SRT, for standard and custom commands)", - "items": { - "type": "string" - } - }, - "env": { - "type": "object", - "description": "Environment variables to set on the execution step (applies to both AWF and SRT)", - "additionalProperties": { - "type": "string" - } - }, - "mounts": { - "type": "array", - "description": "Container mounts to add when using AWF. Each mount is specified using Docker mount syntax: 'source:destination:mode' where mode can be 'ro' (read-only) or 'rw' (read-write). Example: '/host/path:/container/path:ro'", - "items": { - "type": "string", - "pattern": "^[^:]+:[^:]+:(ro|rw)$", - "description": "Mount specification in format 'source:destination:mode'" - }, - "examples": [["/host/data:/data:ro", "/usr/local/bin/custom-tool:/usr/local/bin/custom-tool:ro"]] - }, - "config": { - "type": "object", - "description": "Custom Sandbox Runtime configuration (only applies when type is 'srt'). Note: Network configuration is controlled by the top-level 'network' field, not here.", - "properties": { - "filesystem": { - "type": "object", - "properties": { - "denyRead": { - "type": "array", - "description": "List of paths to deny read access", - "items": { - "type": "string" - } - }, - "allowWrite": { - "type": "array", - "description": "List of paths to allow write access", - "items": { - "type": "string" - } - }, - "denyWrite": { - "type": "array", - "description": "List of paths to deny write access", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - }, - "ignoreViolations": { - "type": "object", - "description": "Map of command patterns to paths that should ignore violations", - "additionalProperties": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "enableWeakerNestedSandbox": { - "type": "boolean", - "description": "Enable weaker nested sandbox mode (recommended: true for Docker access)" - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - } - ] - }, - "config": { - "type": "object", - "description": "Legacy custom Sandbox Runtime configuration (use agent.config instead). Note: Network configuration is controlled by the top-level 'network' field, not here.", - "properties": { - "filesystem": { - "type": "object", - "properties": { - "denyRead": { - "type": "array", - "items": { - "type": "string" - } - }, - "allowWrite": { - "type": "array", - "items": { - "type": "string" - } - }, - "denyWrite": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - }, - "ignoreViolations": { - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "enableWeakerNestedSandbox": { - "type": "boolean" - } - }, - "additionalProperties": false - }, - "mcp": { - "description": "MCP Gateway configuration for routing MCP server calls through a unified HTTP gateway. Requires the 'mcp-gateway' feature flag to be enabled.", - "type": "object", - "properties": { - "command": { - "type": "string", - "$comment": "Mutually exclusive with 'container' - only one execution mode can be specified.", - "description": "Custom command to execute the MCP gateway" - }, - "container": { - "type": "string", - "pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$", - "$comment": "Mutually exclusive with 'command' - only one execution mode can be specified.", - "description": "Container image for the MCP gateway executable" - }, - "version": { - "type": ["string", "number"], - "description": "Optional version/tag for the container image (e.g., 'latest', 'v1.0.0')", - "examples": ["latest", "v1.0.0"] - }, - "args": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Arguments for command or docker run" - }, - "entrypointArgs": { - "type": "array", - "items": { - "type": "string" - }, - "$comment": "Requires 'container' to be specified - entrypoint arguments only apply to container execution.", - "description": "Arguments to add after the container image (container entrypoint arguments)" - }, - "env": { - "type": "object", - "patternProperties": { - "^[A-Z_][A-Z0-9_]*$": { - "type": "string" - } - }, - "additionalProperties": false, - "description": "Environment variables for MCP gateway" - }, - "port": { - "type": "integer", - "minimum": 1, - "maximum": 65535, - "default": 8080, - "description": "Port number for the MCP gateway HTTP server (default: 8080)" - }, - "api-key": { - "type": "string", - "description": "API key for authenticating with the MCP gateway (supports ${{ secrets.* }} syntax)" - } - }, - "additionalProperties": false, - "anyOf": [ - { - "required": ["command"] - }, - { - "required": ["container"] - }, - {} - ], - "not": { - "allOf": [ - { - "required": ["command"] - }, - { - "required": ["container"] - } - ] - }, - "allOf": [ - { - "if": { - "required": ["entrypointArgs"] - }, - "then": { - "required": ["container"] - } - } - ] - } - }, - "additionalProperties": false - } - ], - "examples": [ - "default", - "sandbox-runtime", - { - "agent": "awf" - }, - { - "agent": "srt" - }, - { - "agent": { - "type": "srt", - "config": { - "filesystem": { - "allowWrite": [".", "/tmp"] - } - } - } - }, - { - "mcp": { - "container": "ghcr.io/github/mcp-gateway", - "port": 8080 - } - }, - { - "agent": "awf", - "mcp": { - "container": "ghcr.io/github/mcp-gateway", - "port": 8080, - "api-key": "${{ secrets.MCP_GATEWAY_API_KEY }}" - } - } - ] - }, - "if": { - "type": "string", - "description": "Conditional execution expression", - "examples": ["${{ github.event.workflow_run.event == 'workflow_dispatch' }}", "${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}"] - }, - "steps": { - "description": "Custom workflow steps", - "oneOf": [ - { - "type": "object", - "additionalProperties": true - }, - { - "type": "array", - "items": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "object", - "additionalProperties": true - } - ] - }, - "examples": [ - [ - { - "prompt": "Analyze the issue and create a plan" - } - ], - [ - { - "uses": "actions/checkout@v4" - }, - { - "prompt": "Review the code and suggest improvements" - } - ], - [ - { - "name": "Download logs from last 24 hours", - "env": { - "GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}" - }, - "run": "./gh-aw logs --start-date -1d -o /tmp/gh-aw/aw-mcp/logs" - } - ] - ] - } - ] - }, - "post-steps": { - "description": "Custom workflow steps to run after AI execution", - "oneOf": [ - { - "type": "object", - "additionalProperties": true - }, - { - "type": "array", - "items": { - "oneOf": [ - { - "type": "string" - }, - { - "type": "object", - "additionalProperties": true - } - ] - }, - "examples": [ - [ - { - "name": "Verify Post-Steps Execution", - "run": "echo \"\u2705 Post-steps are executing correctly\"\necho \"This step runs after the AI agent completes\"\n" - }, - { - "name": "Upload Test Results", - "if": "always()", - "uses": "actions/upload-artifact@v4", - "with": { - "name": "post-steps-test-results", - "path": "/tmp/gh-aw/", - "retention-days": 1, - "if-no-files-found": "ignore" - } - } - ] - ] - } - ] - }, - "engine": { - "description": "AI engine configuration that specifies which AI processor interprets and executes the markdown content of the workflow. Defaults to 'copilot'.", - "default": "copilot", - "examples": [ - "copilot", - "claude", - "codex", - { - "id": "copilot", - "version": "beta" - }, - { - "id": "claude", - "model": "claude-3-5-sonnet-20241022", - "max-turns": 15 - } - ], - "$ref": "#/$defs/engine_config" - }, - "mcp-servers": { - "type": "object", - "description": "MCP server definitions", - "examples": [ - { - "filesystem": { - "type": "stdio", - "command": "npx", - "args": ["-y", "@modelcontextprotocol/server-filesystem"] - } - }, - { - "custom-server": { - "type": "http", - "url": "https://api.example.com/mcp" - } - } - ], - "patternProperties": { - "^[a-zA-Z0-9_-]+$": { - "oneOf": [ - { - "$ref": "#/$defs/stdio_mcp_tool" - }, - { - "$ref": "#/$defs/http_mcp_tool" - } - ] - } - }, - "additionalProperties": false - }, - "tools": { - "type": "object", - "description": "Tools and MCP (Model Context Protocol) servers available to the AI engine for GitHub API access, browser automation, file editing, and more", - "examples": [ - { - "playwright": { - "version": "v1.41.0" - } - }, - { - "github": { - "mode": "remote" - } - }, - { - "github": { - "mode": "local", - "version": "latest" - } - }, - { - "bash": null - } - ], - "properties": { - "github": { - "description": "GitHub API tools for repository operations (issues, pull requests, content management)", - "oneOf": [ - { - "type": "null", - "description": "Empty GitHub tool configuration (enables all read-only GitHub API functions)" - }, - { - "type": "boolean", - "description": "Boolean to explicitly enable (true) or disable (false) the GitHub MCP server. When set to false, the GitHub MCP server is not mounted." - }, - { - "type": "string", - "description": "Simple GitHub tool configuration (enables all GitHub API functions)" - }, - { - "type": "object", - "description": "GitHub tools object configuration with restricted function access", - "properties": { - "allowed": { - "type": "array", - "description": "List of allowed GitHub API functions (e.g., 'create_issue', 'update_issue', 'add_comment')", - "items": { - "type": "string" - } - }, - "mode": { - "type": "string", - "enum": ["local", "remote"], - "description": "MCP server mode: 'local' (Docker-based, default) or 'remote' (hosted at api.githubcopilot.com)" - }, - "version": { - "type": ["string", "number"], - "description": "Optional version specification for the GitHub MCP server (used with 'local' type). Can be a string (e.g., 'v1.0.0', 'latest') or number (e.g., 20, 3.11). Numeric values are automatically converted to strings at runtime.", - "examples": ["v1.0.0", "latest", 20, 3.11] - }, - "args": { - "type": "array", - "description": "Optional additional arguments to append to the generated MCP server command (used with 'local' type)", - "items": { - "type": "string" - } - }, - "read-only": { - "type": "boolean", - "description": "Enable read-only mode to restrict GitHub MCP server to read-only operations only" - }, - "lockdown": { - "type": "boolean", - "description": "Enable lockdown mode to limit content surfaced from public repositories (only items authored by users with push access). Default: false", - "default": false - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "Optional custom GitHub token (e.g., '${{ secrets.CUSTOM_PAT }}'). For 'remote' type, defaults to GH_AW_GITHUB_TOKEN if not specified." - }, - "toolsets": { - "type": "array", - "description": "Array of GitHub MCP server toolset names to enable specific groups of GitHub API functionalities", - "items": { - "type": "string", - "description": "Toolset name", - "enum": [ - "all", - "default", - "action-friendly", - "context", - "repos", - "issues", - "pull_requests", - "actions", - "code_security", - "dependabot", - "discussions", - "experiments", - "gists", - "labels", - "notifications", - "orgs", - "projects", - "search", - "secret_protection", - "security_advisories", - "stargazers", - "users" - ] - }, - "minItems": 1, - "$comment": "At least one toolset is required when toolsets array is specified. Use null or omit the field to use all toolsets." - } - }, - "additionalProperties": false, - "examples": [ - { - "toolsets": ["pull_requests", "actions", "repos"] - }, - { - "allowed": ["search_pull_requests", "pull_request_read", "list_pull_requests", "get_file_contents", "list_commits", "get_commit"] - }, - { - "read-only": true - }, - { - "toolsets": ["pull_requests", "repos"] - } - ] - } - ], - "examples": [ - null, - { - "toolsets": ["pull_requests", "actions", "repos"] - }, - { - "allowed": ["search_pull_requests", "pull_request_read", "get_file_contents"] - }, - { - "read-only": true, - "toolsets": ["repos", "issues"] - }, - false - ] - }, - "bash": { - "description": "Bash shell command execution tool. Supports wildcards: '*' (all commands), 'command *' (command with any args, e.g., 'date *', 'echo *'). Default safe commands: echo, ls, pwd, cat, head, tail, grep, wc, sort, uniq, date.", - "oneOf": [ - { - "type": "null", - "description": "Enable bash tool with all shell commands allowed (security consideration: use restricted list in production)" - }, - { - "type": "boolean", - "description": "Enable bash tool - true allows all commands (equivalent to ['*']), false disables the tool" - }, - { - "type": "array", - "description": "List of allowed commands and patterns. Wildcards: '*' allows all commands, 'command *' allows command with any args (e.g., 'date *', 'echo *').", - "items": { - "type": "string", - "description": "Command or pattern: 'echo' (exact match), 'echo *' (command with any args)" - } - } - ], - "examples": [ - true, - ["git fetch", "git checkout", "git status", "git diff", "git log", "make recompile", "make fmt", "make lint", "make test-unit", "cat", "echo", "ls"], - ["echo", "ls", "cat"], - ["gh pr list *", "gh search prs *", "jq *"], - ["date *", "echo *", "cat", "ls"] - ] - }, - "web-fetch": { - "description": "Web content fetching tool for downloading web pages and API responses (subject to network permissions)", - "oneOf": [ - { - "type": "null", - "description": "Enable web fetch tool with default configuration" - }, - { - "type": "object", - "description": "Web fetch tool configuration object", - "additionalProperties": false - } - ] - }, - "web-search": { - "description": "Web search tool for performing internet searches and retrieving search results (subject to network permissions)", - "oneOf": [ - { - "type": "null", - "description": "Enable web search tool with default configuration" - }, - { - "type": "object", - "description": "Web search tool configuration object", - "additionalProperties": false - } - ] - }, - "edit": { - "description": "File editing tool for reading, creating, and modifying files in the repository", - "oneOf": [ - { - "type": "null", - "description": "Enable edit tool" - }, - { - "type": "object", - "description": "Edit tool configuration object", - "additionalProperties": false - } - ] - }, - "playwright": { - "description": "Playwright browser automation tool for web scraping, testing, and UI interactions in containerized browsers", - "oneOf": [ - { - "type": "null", - "description": "Enable Playwright tool with default settings (localhost access only for security)" - }, - { - "type": "object", - "description": "Playwright tool configuration with custom version and domain restrictions", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Optional Playwright container version (e.g., 'v1.41.0', 1.41, 20). Numeric values are automatically converted to strings at runtime.", - "examples": ["v1.41.0", 1.41, 20] - }, - "allowed_domains": { - "description": "Domains allowed for Playwright browser network access. Defaults to localhost only for security.", - "oneOf": [ - { - "type": "array", - "description": "List of allowed domains or patterns (e.g., ['github.com', '*.example.com'])", - "items": { - "type": "string" - } - }, - { - "type": "string", - "description": "Single allowed domain (e.g., 'github.com')" - } - ] - }, - "args": { - "type": "array", - "description": "Optional additional arguments to append to the generated MCP server command", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - ] - }, - "agentic-workflows": { - "description": "GitHub Agentic Workflows MCP server for workflow introspection and analysis. Provides tools for checking status, compiling workflows, downloading logs, and auditing runs.", - "oneOf": [ - { - "type": "boolean", - "description": "Enable agentic-workflows tool with default settings" - }, - { - "type": "null", - "description": "Enable agentic-workflows tool with default settings (same as true)" - } - ], - "examples": [true, null] - }, - "cache-memory": { - "description": "Cache memory MCP configuration for persistent memory storage", - "oneOf": [ - { - "type": "boolean", - "description": "Enable cache-memory with default settings" - }, - { - "type": "null", - "description": "Enable cache-memory with default settings (same as true)" - }, - { - "type": "object", - "description": "Cache-memory configuration object", - "properties": { - "key": { - "type": "string", - "description": "Custom cache key for memory MCP data (restore keys are auto-generated by splitting on '-')" - }, - "description": { - "type": "string", - "description": "Optional description for the cache that will be shown in the agent prompt" - }, - "retention-days": { - "type": "integer", - "minimum": 1, - "maximum": 90, - "description": "Number of days to retain uploaded artifacts (1-90 days, default: repository setting)" - }, - "restore-only": { - "type": "boolean", - "description": "If true, only restore the cache without saving it back. Uses actions/cache/restore instead of actions/cache. No artifact upload step will be generated." - } - }, - "additionalProperties": false, - "examples": [ - { - "key": "memory-audit-${{ github.workflow }}" - }, - { - "key": "memory-copilot-analysis", - "retention-days": 30 - } - ] - }, - { - "type": "array", - "description": "Array of cache-memory configurations for multiple caches", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string", - "description": "Cache identifier for this cache entry" - }, - "key": { - "type": "string", - "description": "Cache key for this memory cache (supports GitHub Actions expressions like ${{ github.workflow }}, ${{ github.run_id }}). Restore keys are auto-generated by splitting on '-'." - }, - "description": { - "type": "string", - "description": "Optional description for this cache that will be shown in the agent prompt" - }, - "retention-days": { - "type": "integer", - "minimum": 1, - "maximum": 90, - "description": "Number of days to retain uploaded artifacts (1-90 days, default: repository setting)" - }, - "restore-only": { - "type": "boolean", - "description": "If true, only restore the cache without saving it back. Uses actions/cache/restore instead of actions/cache. No artifact upload step will be generated." - } - }, - "required": ["id", "key"], - "additionalProperties": false - }, - "minItems": 1, - "examples": [ - [ - { - "id": "default", - "key": "memory-default" - }, - { - "id": "session", - "key": "memory-session" - } - ] - ] - } - ], - "examples": [ - true, - null, - { - "key": "memory-audit-workflow" - }, - [ - { - "id": "default", - "key": "memory-default" - }, - { - "id": "logs", - "key": "memory-logs" - } - ] - ] - }, - "safety-prompt": { - "type": "boolean", - "description": "Enable or disable XPIA (Cross-Prompt Injection Attack) security warnings in the prompt. Defaults to true (enabled). Set to false to disable security warnings." - }, - "timeout": { - "type": "integer", - "minimum": 1, - "description": "Timeout in seconds for tool/MCP server operations. Applies to all tools and MCP servers if supported by the engine. Default varies by engine (Claude: 60s, Codex: 120s).", - "examples": [60, 120, 300] - }, - "startup-timeout": { - "type": "integer", - "minimum": 1, - "description": "Timeout in seconds for MCP server startup. Applies to MCP server initialization if supported by the engine. Default: 120 seconds." - }, - "serena": { - "description": "Serena MCP server for AI-powered code intelligence with language service integration", - "oneOf": [ - { - "type": "null", - "description": "Enable Serena with default settings" - }, - { - "type": "array", - "description": "Short syntax: array of language identifiers to enable (e.g., [\"go\", \"typescript\"])", - "items": { - "type": "string", - "enum": ["go", "typescript", "python", "java", "rust", "csharp"] - } - }, - { - "type": "object", - "description": "Serena configuration with custom version and language-specific settings", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Optional Serena MCP version. Numeric values are automatically converted to strings at runtime.", - "examples": ["latest", "0.1.0", 1.0] - }, - "args": { - "type": "array", - "description": "Optional additional arguments to append to the generated MCP server command", - "items": { - "type": "string" - } - }, - "languages": { - "type": "object", - "description": "Language-specific configuration for Serena language services", - "properties": { - "go": { - "oneOf": [ - { - "type": "null", - "description": "Enable Go language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Go version (e.g., \"1.21\", 1.21)" - }, - "go-mod-file": { - "type": "string", - "description": "Path to go.mod file for Go version detection (e.g., \"go.mod\", \"backend/go.mod\")" - }, - "gopls-version": { - "type": "string", - "description": "Version of gopls to install (e.g., \"latest\", \"v0.14.2\")" - } - }, - "additionalProperties": false - } - ] - }, - "typescript": { - "oneOf": [ - { - "type": "null", - "description": "Enable TypeScript language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Node.js version for TypeScript (e.g., \"22\", 22)" - } - }, - "additionalProperties": false - } - ] - }, - "python": { - "oneOf": [ - { - "type": "null", - "description": "Enable Python language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Python version (e.g., \"3.12\", 3.12)" - } - }, - "additionalProperties": false - } - ] - }, - "java": { - "oneOf": [ - { - "type": "null", - "description": "Enable Java language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Java version (e.g., \"21\", 21)" - } - }, - "additionalProperties": false - } - ] - }, - "rust": { - "oneOf": [ - { - "type": "null", - "description": "Enable Rust language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Rust version (e.g., \"stable\", \"1.75\")" - } - }, - "additionalProperties": false - } - ] - }, - "csharp": { - "oneOf": [ - { - "type": "null", - "description": "Enable C# language service with default version" - }, - { - "type": "object", - "properties": { - "version": { - "type": ["string", "number"], - "description": ".NET version for C# (e.g., \"8.0\", 8.0)" - } - }, - "additionalProperties": false - } - ] - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - } - ] - }, - "repo-memory": { - "description": "Repo memory configuration for git-based persistent storage", - "oneOf": [ - { - "type": "boolean", - "description": "Enable repo-memory with default settings" - }, - { - "type": "null", - "description": "Enable repo-memory with default settings (same as true)" - }, - { - "type": "object", - "description": "Repo-memory configuration object", - "properties": { - "target-repo": { - "type": "string", - "description": "Target repository for memory storage (default: current repository). Format: owner/repo" - }, - "branch-name": { - "type": "string", - "description": "Git branch name for memory storage (default: memory/default)" - }, - "file-glob": { - "oneOf": [ - { - "type": "string", - "description": "Single file glob pattern for allowed files" - }, - { - "type": "array", - "description": "Array of file glob patterns for allowed files", - "items": { - "type": "string" - } - } - ] - }, - "max-file-size": { - "type": "integer", - "minimum": 1, - "maximum": 104857600, - "description": "Maximum size per file in bytes (default: 10240 = 10KB)" - }, - "max-file-count": { - "type": "integer", - "minimum": 1, - "maximum": 1000, - "description": "Maximum file count per commit (default: 100)" - }, - "description": { - "type": "string", - "description": "Optional description for the memory that will be shown in the agent prompt" - }, - "create-orphan": { - "type": "boolean", - "description": "Create orphaned branch if it doesn't exist (default: true)" - }, - "campaign-id": { - "type": "string", - "description": "Campaign ID for campaign-specific repo-memory (optional, used to correlate memory with campaign workflows)" - } - }, - "additionalProperties": false, - "examples": [ - { - "branch-name": "memory/session-state" - }, - { - "target-repo": "myorg/memory-repo", - "branch-name": "memory/agent-notes", - "max-file-size": 524288 - } - ] - }, - { - "type": "array", - "description": "Array of repo-memory configurations for multiple memory locations", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string", - "description": "Memory identifier (required for array notation, default: 'default')" - }, - "target-repo": { - "type": "string", - "description": "Target repository for memory storage (default: current repository). Format: owner/repo" - }, - "branch-name": { - "type": "string", - "description": "Git branch name for memory storage (default: memory/{id})" - }, - "file-glob": { - "oneOf": [ - { - "type": "string", - "description": "Single file glob pattern for allowed files" - }, - { - "type": "array", - "description": "Array of file glob patterns for allowed files", - "items": { - "type": "string" - } - } - ] - }, - "max-file-size": { - "type": "integer", - "minimum": 1, - "maximum": 104857600, - "description": "Maximum size per file in bytes (default: 10240 = 10KB)" - }, - "max-file-count": { - "type": "integer", - "minimum": 1, - "maximum": 1000, - "description": "Maximum file count per commit (default: 100)" - }, - "description": { - "type": "string", - "description": "Optional description for this memory that will be shown in the agent prompt" - }, - "create-orphan": { - "type": "boolean", - "description": "Create orphaned branch if it doesn't exist (default: true)" - }, - "campaign-id": { - "type": "string", - "description": "Campaign ID for campaign-specific repo-memory (optional, used to correlate memory with campaign workflows)" - } - }, - "additionalProperties": false - }, - "minItems": 1, - "examples": [ - [ - { - "id": "default", - "branch-name": "memory/default" - }, - { - "id": "session", - "branch-name": "memory/session" - } - ] - ] - } - ], - "examples": [ - true, - null, - { - "branch-name": "memory/agent-state" - }, - [ - { - "id": "default", - "branch-name": "memory/default" - }, - { - "id": "logs", - "branch-name": "memory/logs", - "max-file-size": 524288 - } - ] - ] - } - }, - "additionalProperties": { - "oneOf": [ - { - "type": "string", - "description": "Simple tool string for basic tool configuration" - }, - { - "type": "object", - "description": "MCP server configuration object", - "properties": { - "command": { - "type": "string", - "description": "Command to execute for stdio MCP server" - }, - "args": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Arguments for the command" - }, - "env": { - "type": "object", - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "string" - } - }, - "description": "Environment variables" - }, - "mode": { - "type": "string", - "enum": ["stdio", "http", "remote", "local"], - "description": "MCP server mode" - }, - "type": { - "type": "string", - "enum": ["stdio", "http", "remote", "local"], - "description": "MCP server type" - }, - "version": { - "type": ["string", "number"], - "description": "Version of the MCP server" - }, - "toolsets": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Toolsets to enable" - }, - "url": { - "type": "string", - "description": "URL for HTTP mode MCP servers" - }, - "headers": { - "type": "object", - "patternProperties": { - "^[A-Za-z0-9_-]+$": { - "type": "string" - } - }, - "description": "HTTP headers for HTTP mode" - }, - "container": { - "type": "string", - "description": "Container image for the MCP server" - }, - "entrypointArgs": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Arguments passed to container entrypoint" - } - }, - "additionalProperties": true - } - ] - } - }, - "command": { - "type": "string", - "description": "Command name for the workflow" - }, - "cache": { - "description": "Cache configuration for workflow (uses actions/cache syntax)", - "oneOf": [ - { - "type": "object", - "description": "Single cache configuration", - "properties": { - "key": { - "type": "string", - "description": "An explicit key for restoring and saving the cache" - }, - "path": { - "oneOf": [ - { - "type": "string", - "description": "A single path to cache" - }, - { - "type": "array", - "description": "Multiple paths to cache", - "items": { - "type": "string" - } - } - ] - }, - "restore-keys": { - "oneOf": [ - { - "type": "string", - "description": "A single restore key" - }, - { - "type": "array", - "description": "Multiple restore keys", - "items": { - "type": "string" - } - } - ] - }, - "upload-chunk-size": { - "type": "integer", - "description": "The chunk size used to split up large files during upload, in bytes" - }, - "fail-on-cache-miss": { - "type": "boolean", - "description": "Fail the workflow if cache entry is not found" - }, - "lookup-only": { - "type": "boolean", - "description": "If true, only checks if cache entry exists and skips download" - } - }, - "required": ["key", "path"], - "additionalProperties": false, - "examples": [ - { - "key": "node-modules-${{ hashFiles('package-lock.json') }}", - "path": "node_modules", - "restore-keys": ["node-modules-"] - }, - { - "key": "build-cache-${{ github.sha }}", - "path": ["dist", ".cache"], - "restore-keys": "build-cache-", - "fail-on-cache-miss": false - } - ] - }, - { - "type": "array", - "description": "Multiple cache configurations", - "items": { - "type": "object", - "properties": { - "key": { - "type": "string", - "description": "An explicit key for restoring and saving the cache" - }, - "path": { - "oneOf": [ - { - "type": "string", - "description": "A single path to cache" - }, - { - "type": "array", - "description": "Multiple paths to cache", - "items": { - "type": "string" - } - } - ] - }, - "restore-keys": { - "oneOf": [ - { - "type": "string", - "description": "A single restore key" - }, - { - "type": "array", - "description": "Multiple restore keys", - "items": { - "type": "string" - } - } - ] - }, - "upload-chunk-size": { - "type": "integer", - "description": "The chunk size used to split up large files during upload, in bytes" - }, - "fail-on-cache-miss": { - "type": "boolean", - "description": "Fail the workflow if cache entry is not found" - }, - "lookup-only": { - "type": "boolean", - "description": "If true, only checks if cache entry exists and skips download" - } - }, - "required": ["key", "path"], - "additionalProperties": false - } - } - ] - }, - "safe-outputs": { - "type": "object", - "$comment": "Required if workflow creates or modifies GitHub resources. Operations requiring safe-outputs: add-comment, add-labels, add-reviewer, assign-milestone, assign-to-agent, close-discussion, close-issue, close-pull-request, create-agent-task, create-code-scanning-alert, create-discussion, copy-project, create-issue, create-project-status-update, create-pull-request, create-pull-request-review-comment, hide-comment, link-sub-issue, mark-pull-request-as-ready-for-review, missing-tool, noop, push-to-pull-request-branch, threat-detection, update-discussion, update-issue, update-project, update-pull-request, update-release, upload-asset. See documentation for complete details.", - "description": "Safe output processing configuration that automatically creates GitHub issues, comments, and pull requests from AI workflow output without requiring write permissions in the main job", - "examples": [ - { - "create-issue": { - "title-prefix": "[AI] ", - "labels": ["automation", "ai-generated"] - } - }, - { - "create-pull-request": { - "title-prefix": "[Bot] ", - "labels": ["bot"] - } - }, - { - "add-comment": null, - "create-issue": null - } - ], - "properties": { - "allowed-domains": { - "type": "array", - "description": "List of allowed domains for URI filtering in AI workflow output. URLs from other domains will be replaced with '(redacted)' for security.", - "items": { - "type": "string" - } - }, - "allowed-github-references": { - "type": "array", - "description": "List of allowed repositories for GitHub references (e.g., #123 or owner/repo#456). Use 'repo' to allow current repository. References to other repositories will be escaped with backticks. If not specified, all references are allowed.", - "items": { - "type": "string", - "pattern": "^(repo|[a-zA-Z0-9][-a-zA-Z0-9]{0,38}/[a-zA-Z0-9._-]+)$" - }, - "examples": [["repo"], ["repo", "octocat/hello-world"], ["microsoft/vscode", "microsoft/typescript"]] - }, - "create-issue": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for automatically creating GitHub issues from AI workflow output. The main job does not need 'issues: write' permission.", - "properties": { - "title-prefix": { - "type": "string", - "description": "Optional prefix to add to the beginning of the issue title (e.g., '[ai] ' or '[analysis] ')" - }, - "labels": { - "type": "array", - "description": "Optional list of labels to automatically attach to created issues (e.g., ['automation', 'ai-generated'])", - "items": { - "type": "string" - } - }, - "allowed-labels": { - "type": "array", - "description": "Optional list of allowed labels that can be used when creating issues. If omitted, any labels are allowed (including creating new ones). When specified, the agent can only use labels from this list.", - "items": { - "type": "string" - } - }, - "assignees": { - "oneOf": [ - { - "type": "string", - "description": "Single GitHub username to assign the created issue to (e.g., 'user1' or 'copilot'). Use 'copilot' to assign to GitHub Copilot using the @copilot special value." - }, - { - "type": "array", - "description": "List of GitHub usernames to assign the created issue to (e.g., ['user1', 'user2', 'copilot']). Use 'copilot' to assign to GitHub Copilot using the @copilot special value.", - "items": { - "type": "string" - } - } - ] - }, - "max": { - "type": "integer", - "description": "Maximum number of issues to create (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository issue creation. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that issues can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the issue in. The target repository (current or target-repo) is always implicitly allowed." - }, - "expires": { - "oneOf": [ - { - "type": "integer", - "minimum": 1, - "description": "Number of days until expires" - }, - { - "type": "string", - "pattern": "^[0-9]+[hHdDwWmMyY]$", - "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y'); minimum 2h for hour values" - } - ], - "description": "Time until the issue expires and should be automatically closed. Supports integer (days) or relative time format. Minimum duration: 2 hours. When set, a maintenance workflow will be generated." - } - }, - "additionalProperties": false, - "examples": [ - { - "title-prefix": "[ca] ", - "labels": ["automation", "dependencies"], - "assignees": "copilot" - }, - { - "title-prefix": "[duplicate-code] ", - "labels": ["code-quality", "automated-analysis"], - "assignees": "copilot" - }, - { - "allowed-repos": ["org/other-repo", "org/another-repo"], - "title-prefix": "[cross-repo] " - } - ] - }, - { - "type": "null", - "description": "Enable issue creation with default configuration" - } - ] - }, - "create-agent-task": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating GitHub Copilot agent tasks from agentic workflow output using gh agent-task CLI. The main job does not need write permissions.", - "properties": { - "base": { - "type": "string", - "description": "Base branch for the agent task pull request. Defaults to the current branch or repository default branch." - }, - "max": { - "type": "integer", - "description": "Maximum number of agent tasks to create (default: 1)", - "minimum": 1, - "maximum": 1 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository agent task creation. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that agent tasks can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the agent task in. The target repository (current or target-repo) is always implicitly allowed." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable agent task creation with default configuration" - } - ] - }, - "update-project": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for managing GitHub Projects v2 boards. Smart tool that can add issue/PR items and update custom fields on existing items. By default it is update-only: if the project does not exist, the job fails with instructions to create it manually. To allow workflows to create missing projects, explicitly opt in via the agent output field create_if_missing=true (and/or provide a github-token override). NOTE: Projects v2 requires a Personal Access Token (PAT) or GitHub App token with appropriate permissions; the GITHUB_TOKEN cannot be used for Projects v2. Safe output items produced by the agent use type=update_project and may include: project (board name), content_type (issue|pull_request), content_number, fields, campaign_id, and create_if_missing.", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of project operations to perform (default: 10). Each operation may add a project item, or update its fields.", - "minimum": 1, - "maximum": 100 - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false, - "examples": [ - { - "max": 15 - }, - { - "github-token": "${{ secrets.PROJECT_GITHUB_TOKEN }}", - "max": 15 - } - ] - }, - { - "type": "null", - "description": "Enable project management with default configuration (max=10)" - } - ] - }, - "copy-project": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for copying GitHub Projects v2 boards. Creates a new project with the same structure, fields, and views as the source project. By default, draft issues are NOT copied unless explicitly requested with includeDraftIssues=true in the tool call. Requires a Personal Access Token (PAT) or GitHub App token with Projects permissions; the GITHUB_TOKEN cannot be used. Safe output items use type=copy_project and include: sourceProject (URL), owner (org/user login), title (new project name), and optional includeDraftIssues (boolean). The source-project and target-owner can be configured in the workflow frontmatter to provide defaults that the agent can use or override.", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of copy operations to perform (default: 1).", - "minimum": 1, - "maximum": 100 - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Must have Projects write permission. Overrides global github-token if specified." - }, - "source-project": { - "type": "string", - "pattern": "^https://github\\.com/(orgs|users)/[^/]+/projects/\\d+$", - "description": "Optional default source project URL to copy from (e.g., 'https://github.com/orgs/myorg/projects/42'). If specified, the agent can omit the sourceProject field in the tool call and this default will be used. The agent can still override by providing a sourceProject in the tool call." - }, - "target-owner": { - "type": "string", - "description": "Optional default target owner (organization or user login name) where the new project will be created (e.g., 'myorg' or 'username'). If specified, the agent can omit the owner field in the tool call and this default will be used. The agent can still override by providing an owner in the tool call." - } - }, - "additionalProperties": false, - "examples": [ - { - "max": 1 - }, - { - "github-token": "${{ secrets.PROJECT_GITHUB_TOKEN }}", - "max": 1 - }, - { - "source-project": "https://github.com/orgs/myorg/projects/42", - "target-owner": "myorg", - "max": 1 - } - ] - }, - { - "type": "null", - "description": "Enable project copying with default configuration (max=1)" - } - ] - }, - "create-project-status-update": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating GitHub Project status updates. Status updates provide stakeholder communication and historical record of project progress. Requires a Personal Access Token (PAT) or GitHub App token with Projects: Read+Write permission. The GITHUB_TOKEN cannot be used for Projects v2. Status updates are created on the specified project board and appear in the Updates tab. Typically used by campaign orchestrators to post run summaries with progress, findings, and next steps.", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of status updates to create (default: 1). Typically 1 per orchestrator run.", - "minimum": 1, - "maximum": 10 - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified. Must have Projects: Read+Write permission." - } - }, - "additionalProperties": false, - "examples": [ - { - "max": 1 - }, - { - "github-token": "${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}", - "max": 1 - } - ] - }, - { - "type": "null", - "description": "Enable project status updates with default configuration (max=1)" - } - ] - }, - "create-discussion": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating GitHub discussions from agentic workflow output", - "properties": { - "title-prefix": { - "type": "string", - "description": "Optional prefix for the discussion title" - }, - "category": { - "type": ["string", "number"], - "description": "Optional discussion category. Can be a category ID (string or numeric value), category name, or category slug/route. If not specified, uses the first available category. Matched first against category IDs, then against category names, then against category slugs. Numeric values are automatically converted to strings at runtime.", - "examples": ["General", "audits", 123456789] - }, - "labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Optional list of labels to attach to created discussions. Also used for matching when close-older-discussions is enabled - discussions must have ALL specified labels (AND logic)." - }, - "allowed-labels": { - "type": "array", - "description": "Optional list of allowed labels that can be used when creating discussions. If omitted, any labels are allowed (including creating new ones). When specified, the agent can only use labels from this list.", - "items": { - "type": "string" - } - }, - "max": { - "type": "integer", - "description": "Maximum number of discussions to create (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository discussion creation. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that discussions can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the discussion in. The target repository (current or target-repo) is always implicitly allowed." - }, - "close-older-discussions": { - "type": "boolean", - "description": "When true, automatically close older discussions matching the same title prefix or labels as 'outdated' with a comment linking to the new discussion. Requires title-prefix or labels to be set. Maximum 10 discussions will be closed. Only runs if discussion creation succeeds.", - "default": false - }, - "expires": { - "oneOf": [ - { - "type": "integer", - "minimum": 1, - "description": "Number of days until expires" - }, - { - "type": "string", - "pattern": "^[0-9]+[hHdDwWmMyY]$", - "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y'); minimum 2h for hour values" - } - ], - "description": "Time until the discussion expires and should be automatically closed. Supports integer (days) or relative time format like '2h' (2 hours), '7d' (7 days), '2w' (2 weeks), '1m' (1 month), '1y' (1 year). Minimum duration: 2 hours. When set, a maintenance workflow will be generated." - } - }, - "additionalProperties": false, - "examples": [ - { - "category": "audits" - }, - { - "title-prefix": "[copilot-agent-analysis] ", - "category": "audits", - "max": 1 - }, - { - "category": "General" - }, - { - "title-prefix": "[weekly-report] ", - "category": "reports", - "close-older-discussions": true - }, - { - "labels": ["weekly-report", "automation"], - "category": "reports", - "close-older-discussions": true - }, - { - "allowed-repos": ["org/other-repo"], - "category": "General" - } - ] - }, - { - "type": "null", - "description": "Enable discussion creation with default configuration" - } - ] - }, - "close-discussion": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for closing GitHub discussions with comment and resolution from agentic workflow output", - "properties": { - "required-labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Only close discussions that have all of these labels" - }, - "required-title-prefix": { - "type": "string", - "description": "Only close discussions with this title prefix" - }, - "required-category": { - "type": "string", - "description": "Only close discussions in this category" - }, - "target": { - "type": "string", - "description": "Target for closing: 'triggering' (default, current discussion), or '*' (any discussion with discussion_number field)" - }, - "max": { - "type": "integer", - "description": "Maximum number of discussions to close (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository operations. Takes precedence over trial target repo settings." - } - }, - "additionalProperties": false, - "examples": [ - { - "required-category": "Ideas" - }, - { - "required-labels": ["resolved", "completed"], - "max": 1 - } - ] - }, - { - "type": "null", - "description": "Enable discussion closing with default configuration" - } - ] - }, - "update-discussion": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for updating GitHub discussions from agentic workflow output", - "properties": { - "target": { - "type": "string", - "description": "Target for updates: 'triggering' (default), '*' (any discussion), or explicit discussion number" - }, - "title": { - "type": "null", - "description": "Allow updating discussion title - presence of key indicates field can be updated" - }, - "body": { - "type": "null", - "description": "Allow updating discussion body - presence of key indicates field can be updated" - }, - "labels": { - "type": "null", - "description": "Allow updating discussion labels - presence of key indicates field can be updated" - }, - "allowed-labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Optional list of allowed labels. If omitted, any labels are allowed (including creating new ones)." - }, - "max": { - "type": "integer", - "description": "Maximum number of discussions to update (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository discussion updates. Takes precedence over trial target repo settings." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable discussion updating with default configuration" - } - ] - }, - "close-issue": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for closing GitHub issues with comment from agentic workflow output", - "properties": { - "required-labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Only close issues that have all of these labels" - }, - "required-title-prefix": { - "type": "string", - "description": "Only close issues with this title prefix" - }, - "target": { - "type": "string", - "description": "Target for closing: 'triggering' (default, current issue), or '*' (any issue with issue_number field)" - }, - "max": { - "type": "integer", - "description": "Maximum number of issues to close (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository operations. Takes precedence over trial target repo settings." - } - }, - "additionalProperties": false, - "examples": [ - { - "required-title-prefix": "[refactor] " - }, - { - "required-labels": ["automated", "stale"], - "max": 10 - } - ] - }, - { - "type": "null", - "description": "Enable issue closing with default configuration" - } - ] - }, - "close-pull-request": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for closing GitHub pull requests without merging, with comment from agentic workflow output", - "properties": { - "required-labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Only close pull requests that have any of these labels" - }, - "required-title-prefix": { - "type": "string", - "description": "Only close pull requests with this title prefix" - }, - "target": { - "type": "string", - "description": "Target for closing: 'triggering' (default, current PR), or '*' (any PR with pull_request_number field)" - }, - "max": { - "type": "integer", - "description": "Maximum number of pull requests to close (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository operations. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false, - "examples": [ - { - "required-title-prefix": "[bot] " - }, - { - "required-labels": ["automated", "outdated"], - "max": 5 - } - ] - }, - { - "type": "null", - "description": "Enable pull request closing with default configuration" - } - ] - }, - "mark-pull-request-as-ready-for-review": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for marking draft pull requests as ready for review, with comment from agentic workflow output", - "properties": { - "required-labels": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Only mark pull requests that have any of these labels" - }, - "required-title-prefix": { - "type": "string", - "description": "Only mark pull requests with this title prefix" - }, - "target": { - "type": "string", - "description": "Target for marking: 'triggering' (default, current PR), or '*' (any PR with pull_request_number field)" - }, - "max": { - "type": "integer", - "description": "Maximum number of pull requests to mark as ready (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository operations. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false, - "examples": [ - { - "required-title-prefix": "[bot] " - }, - { - "required-labels": ["automated", "ready"], - "max": 1 - } - ] - }, - { - "type": "null", - "description": "Enable marking pull requests as ready for review with default configuration" - } - ] - }, - "add-comment": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for automatically creating GitHub issue or pull request comments from AI workflow output. The main job does not need write permissions.", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of comments to create (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target": { - "type": "string", - "description": "Target for comments: 'triggering' (default), '*' (any issue), or explicit issue number" - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository comments. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that comments can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the comment in. The target repository (current or target-repo) is always implicitly allowed." - }, - "discussion": { - "type": "boolean", - "const": true, - "description": "Target discussion comments instead of issue/PR comments. Must be true if present." - }, - "hide-older-comments": { - "type": "boolean", - "description": "When true, minimizes/hides all previous comments from the same agentic workflow (identified by tracker-id) before creating the new comment. Default: false." - }, - "allowed-reasons": { - "type": "array", - "description": "List of allowed reasons for hiding older comments when hide-older-comments is enabled. Default: all reasons allowed (spam, abuse, off_topic, outdated, resolved).", - "items": { - "type": "string", - "enum": ["spam", "abuse", "off_topic", "outdated", "resolved"] - } - } - }, - "additionalProperties": false, - "examples": [ - { - "max": 1, - "target": "*" - }, - { - "max": 3 - } - ] - }, - { - "type": "null", - "description": "Enable issue comment creation with default configuration" - } - ] - }, - "create-pull-request": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating GitHub pull requests from agentic workflow output. Note: The max parameter is not supported for pull requests - workflows are always limited to creating 1 pull request per run. This design decision prevents workflow runs from creating excessive PRs and maintains repository integrity.", - "properties": { - "title-prefix": { - "type": "string", - "description": "Optional prefix for the pull request title" - }, - "labels": { - "type": "array", - "description": "Optional list of labels to attach to the pull request", - "items": { - "type": "string" - } - }, - "allowed-labels": { - "type": "array", - "description": "Optional list of allowed labels that can be used when creating pull requests. If omitted, any labels are allowed (including creating new ones). When specified, the agent can only use labels from this list.", - "items": { - "type": "string" - } - }, - "reviewers": { - "oneOf": [ - { - "type": "string", - "description": "Single reviewer username to assign to the pull request. Use 'copilot' to request a code review from GitHub Copilot using the copilot-pull-request-reviewer[bot]." - }, - { - "type": "array", - "description": "List of reviewer usernames to assign to the pull request. Use 'copilot' to request a code review from GitHub Copilot using the copilot-pull-request-reviewer[bot].", - "items": { - "type": "string" - } - } - ], - "description": "Optional reviewer(s) to assign to the pull request. Accepts either a single string or an array of usernames. Use 'copilot' to request a code review from GitHub Copilot." - }, - "draft": { - "type": "boolean", - "description": "Whether to create pull request as draft (defaults to true)" - }, - "if-no-changes": { - "type": "string", - "enum": ["warn", "error", "ignore"], - "description": "Behavior when no changes to push: 'warn' (default - log warning but succeed), 'error' (fail the action), or 'ignore' (silent success)" - }, - "allow-empty": { - "type": "boolean", - "description": "When true, allows creating a pull request without any initial changes or git patch. This is useful for preparing a feature branch that an agent can push changes to later. The branch will be created from the base branch without applying any patch. Defaults to false." - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository pull request creation. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that pull requests can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the pull request in. The target repository (current or target-repo) is always implicitly allowed." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - }, - "expires": { - "oneOf": [ - { - "type": "integer", - "minimum": 1, - "description": "Number of days until expires" - }, - { - "type": "string", - "pattern": "^[0-9]+[hHdDwWmMyY]$", - "description": "Relative time (e.g., '2h', '7d', '2w', '1m', '1y'); minimum 2h for hour values" - } - ], - "description": "Time until the pull request expires and should be automatically closed (only for same-repo PRs without target-repo). Supports integer (days) or relative time format. Minimum duration: 2 hours." - } - }, - "additionalProperties": false, - "examples": [ - { - "title-prefix": "[docs] ", - "labels": ["documentation", "automation"], - "reviewers": "copilot", - "draft": false - }, - { - "title-prefix": "[security-fix] ", - "labels": ["security", "automated-fix"], - "reviewers": "copilot" - } - ] - }, - { - "type": "null", - "description": "Enable pull request creation with default configuration" - } - ] - }, - "create-pull-request-review-comment": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating GitHub pull request review comments from agentic workflow output", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of review comments to create (default: 10)", - "minimum": 1, - "maximum": 100 - }, - "side": { - "type": "string", - "description": "Side of the diff for comments: 'LEFT' or 'RIGHT' (default: 'RIGHT')", - "enum": ["LEFT", "RIGHT"] - }, - "target": { - "type": "string", - "description": "Target for review comments: 'triggering' (default, only on triggering PR), '*' (any PR, requires pull_request_number in agent output), or explicit PR number" - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository PR review comments. Takes precedence over trial target repo settings." - }, - "allowed-repos": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of additional repositories in format 'owner/repo' that PR review comments can be created in. When specified, the agent can use a 'repo' field in the output to specify which repository to create the review comment in. The target repository (current or target-repo) is always implicitly allowed." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable PR review comment creation with default configuration" - } - ] - }, - "create-code-scanning-alert": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for creating repository security advisories (SARIF format) from agentic workflow output", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of security findings to include (default: unlimited)", - "minimum": 1 - }, - "driver": { - "type": "string", - "description": "Driver name for SARIF tool.driver.name field (default: 'GitHub Agentic Workflows Security Scanner')" - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable code scanning alert creation with default configuration (unlimited findings)" - } - ] - }, - "add-labels": { - "oneOf": [ - { - "type": "null", - "description": "Null configuration allows any labels. Labels will be created if they don't already exist in the repository." - }, - { - "type": "object", - "description": "Configuration for adding labels to issues/PRs from agentic workflow output. Labels will be created if they don't already exist in the repository.", - "properties": { - "allowed": { - "type": "array", - "description": "Optional list of allowed labels that can be added. Labels will be created if they don't already exist in the repository. If omitted, any labels are allowed (including creating new ones).", - "items": { - "type": "string" - }, - "minItems": 1 - }, - "max": { - "type": "integer", - "description": "Optional maximum number of labels to add (default: 3)", - "minimum": 1 - }, - "target": { - "type": "string", - "description": "Target for labels: 'triggering' (default), '*' (any issue/PR), or explicit issue/PR number" - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository label addition. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "add-reviewer": { - "oneOf": [ - { - "type": "null", - "description": "Null configuration allows any reviewers" - }, - { - "type": "object", - "description": "Configuration for adding reviewers to pull requests from agentic workflow output", - "properties": { - "reviewers": { - "type": "array", - "description": "Optional list of allowed reviewers. If omitted, any reviewers are allowed.", - "items": { - "type": "string" - }, - "minItems": 1 - }, - "max": { - "type": "integer", - "description": "Optional maximum number of reviewers to add (default: 3)", - "minimum": 1 - }, - "target": { - "type": "string", - "description": "Target for reviewers: 'triggering' (default), '*' (any PR), or explicit PR number" - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository reviewer addition. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "assign-milestone": { - "oneOf": [ - { - "type": "null", - "description": "Null configuration allows assigning any milestones" - }, - { - "type": "object", - "description": "Configuration for assigning issues to milestones from agentic workflow output", - "properties": { - "allowed": { - "type": "array", - "description": "Optional list of allowed milestone titles that can be assigned. If omitted, any milestones are allowed.", - "items": { - "type": "string" - }, - "minItems": 1 - }, - "max": { - "type": "integer", - "description": "Optional maximum number of milestone assignments (default: 1)", - "minimum": 1 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository milestone assignment. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "assign-to-agent": { - "oneOf": [ - { - "type": "null", - "description": "Null configuration uses default agent (copilot)" - }, - { - "type": "object", - "description": "Configuration for assigning GitHub Copilot agents to issues from agentic workflow output", - "properties": { - "name": { - "type": "string", - "description": "Default agent name to assign (default: 'copilot')" - }, - "max": { - "type": "integer", - "description": "Optional maximum number of agent assignments (default: 1)", - "minimum": 1 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository agent assignment. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "assign-to-user": { - "oneOf": [ - { - "type": "null", - "description": "Enable user assignment with default configuration" - }, - { - "type": "object", - "description": "Configuration for assigning users to issues from agentic workflow output", - "properties": { - "allowed": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Optional list of allowed usernames. If specified, only these users can be assigned." - }, - "max": { - "type": "integer", - "description": "Optional maximum number of user assignments (default: 1)", - "minimum": 1 - }, - "target": { - "type": ["string", "number"], - "description": "Target issue to assign users to. Use 'triggering' (default) for the triggering issue, '*' to allow any issue, or a specific issue number." - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository user assignment. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "link-sub-issue": { - "oneOf": [ - { - "type": "null", - "description": "Enable sub-issue linking with default configuration" - }, - { - "type": "object", - "description": "Configuration for linking issues as sub-issues from agentic workflow output", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of sub-issue links to create (default: 5)", - "minimum": 1, - "maximum": 100 - }, - "parent-required-labels": { - "type": "array", - "description": "Optional list of labels that parent issues must have to be eligible for linking", - "items": { - "type": "string" - }, - "minItems": 1 - }, - "parent-title-prefix": { - "type": "string", - "description": "Optional title prefix that parent issues must have to be eligible for linking" - }, - "sub-required-labels": { - "type": "array", - "description": "Optional list of labels that sub-issues must have to be eligible for linking", - "items": { - "type": "string" - }, - "minItems": 1 - }, - "sub-title-prefix": { - "type": "string", - "description": "Optional title prefix that sub-issues must have to be eligible for linking" - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository sub-issue linking. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "update-issue": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for updating GitHub issues from agentic workflow output", - "properties": { - "status": { - "type": "null", - "description": "Allow updating issue status (open/closed) - presence of key indicates field can be updated" - }, - "target": { - "type": "string", - "description": "Target for updates: 'triggering' (default), '*' (any issue), or explicit issue number" - }, - "title": { - "type": "null", - "description": "Allow updating issue title - presence of key indicates field can be updated" - }, - "body": { - "type": "null", - "description": "Allow updating issue body - presence of key indicates field can be updated" - }, - "max": { - "type": "integer", - "description": "Maximum number of issues to update (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository issue updates. Takes precedence over trial target repo settings." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable issue updating with default configuration" - } - ] - }, - "update-pull-request": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for updating GitHub pull requests from agentic workflow output. Both title and body updates are enabled by default.", - "properties": { - "target": { - "type": "string", - "description": "Target for updates: 'triggering' (default), '*' (any PR), or explicit PR number" - }, - "title": { - "type": "boolean", - "description": "Allow updating pull request title - defaults to true, set to false to disable" - }, - "body": { - "type": "boolean", - "description": "Allow updating pull request body - defaults to true, set to false to disable" - }, - "max": { - "type": "integer", - "description": "Maximum number of pull requests to update (default: 1)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository pull request updates. Takes precedence over trial target repo settings." - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable pull request updating with default configuration (title and body updates enabled)" - } - ] - }, - "push-to-pull-request-branch": { - "oneOf": [ - { - "type": "null", - "description": "Use default configuration (branch: 'triggering', if-no-changes: 'warn')" - }, - { - "type": "object", - "description": "Configuration for pushing changes to a specific branch from agentic workflow output", - "properties": { - "branch": { - "type": "string", - "description": "The branch to push changes to (defaults to 'triggering')" - }, - "target": { - "type": "string", - "description": "Target for push operations: 'triggering' (default), '*' (any pull request), or explicit pull request number" - }, - "title-prefix": { - "type": "string", - "description": "Required prefix for pull request title. Only pull requests with this prefix will be accepted." - }, - "labels": { - "type": "array", - "description": "Required labels for pull request validation. Only pull requests with all these labels will be accepted.", - "items": { - "type": "string" - } - }, - "if-no-changes": { - "type": "string", - "enum": ["warn", "error", "ignore"], - "description": "Behavior when no changes to push: 'warn' (default - log warning but succeed), 'error' (fail the action), or 'ignore' (silent success)" - }, - "commit-title-suffix": { - "type": "string", - "description": "Optional suffix to append to generated commit titles (e.g., ' [skip ci]' to prevent triggering CI on the commit)" - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - } - ] - }, - "hide-comment": { - "oneOf": [ - { - "type": "null", - "description": "Enable comment hiding with default configuration" - }, - { - "type": "object", - "description": "Configuration for hiding comments on GitHub issues, pull requests, or discussions from agentic workflow output", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of comments to hide (default: 5)", - "minimum": 1, - "maximum": 100 - }, - "target-repo": { - "type": "string", - "description": "Target repository in format 'owner/repo' for cross-repository comment hiding. Takes precedence over trial target repo settings." - }, - "allowed-reasons": { - "type": "array", - "description": "List of allowed reasons for hiding comments. Default: all reasons allowed (spam, abuse, off_topic, outdated, resolved).", - "items": { - "type": "string", - "enum": ["spam", "abuse", "off_topic", "outdated", "resolved"] - } - } - }, - "additionalProperties": false - } - ] - }, - "missing-tool": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for reporting missing tools from agentic workflow output", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of missing tool reports (default: unlimited)", - "minimum": 1 - }, - "create-issue": { - "type": "boolean", - "description": "Whether to create or update GitHub issues when tools are missing (default: true)", - "default": true - }, - "title-prefix": { - "type": "string", - "description": "Prefix for issue titles when creating issues for missing tools (default: '[missing tool]')", - "default": "[missing tool]" - }, - "labels": { - "type": "array", - "description": "Labels to add to created issues for missing tools", - "items": { - "type": "string" - }, - "default": [] - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable missing tool reporting with default configuration" - }, - { - "type": "boolean", - "const": false, - "description": "Explicitly disable missing tool reporting (false). Missing tool reporting is enabled by default when safe-outputs is configured." - } - ] - }, - "noop": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for no-op safe output (logging only, no GitHub API calls). Always available as a fallback to ensure human-visible artifacts.", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of noop messages (default: 1)", - "minimum": 1, - "default": 1 - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable noop output with default configuration (max: 1)" - }, - { - "type": "boolean", - "const": false, - "description": "Explicitly disable noop output (false). Noop is enabled by default when safe-outputs is configured." - } - ] - }, - "upload-asset": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for publishing assets to an orphaned git branch", - "properties": { - "branch": { - "type": "string", - "description": "Branch name (default: 'assets/${{ github.workflow }}')", - "default": "assets/${{ github.workflow }}" - }, - "max-size": { - "type": "integer", - "description": "Maximum file size in KB (default: 10240 = 10MB)", - "minimum": 1, - "maximum": 51200, - "default": 10240 - }, - "allowed-exts": { - "type": "array", - "description": "Allowed file extensions (default: common non-executable types)", - "items": { - "type": "string", - "pattern": "^\\.[a-zA-Z0-9]+$" - } - }, - "max": { - "type": "integer", - "description": "Maximum number of assets to upload (default: 10)", - "minimum": 1, - "maximum": 100 - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for this specific output type. Overrides global github-token if specified." - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable asset publishing with default configuration" - } - ] - }, - "update-release": { - "oneOf": [ - { - "type": "object", - "description": "Configuration for updating GitHub release descriptions", - "properties": { - "max": { - "type": "integer", - "description": "Maximum number of releases to update (default: 1)", - "minimum": 1, - "maximum": 10, - "default": 1 - }, - "target-repo": { - "type": "string", - "description": "Target repository for cross-repo release updates (format: owner/repo). If not specified, updates releases in the workflow's repository.", - "pattern": "^[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+$" - } - }, - "additionalProperties": false - }, - { - "type": "null", - "description": "Enable release updates with default configuration" - } - ] - }, - "staged": { - "type": "boolean", - "description": "If true, emit step summary messages instead of making GitHub API calls (preview mode)", - "examples": [true, false] - }, - "env": { - "type": "object", - "description": "Environment variables to pass to safe output jobs", - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "string", - "description": "Environment variable value, typically a secret reference like ${{ secrets.TOKEN_NAME }}" - } - }, - "additionalProperties": false - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token to use for safe output jobs. Typically a secret reference like ${{ secrets.GITHUB_TOKEN }} or ${{ secrets.CUSTOM_PAT }}", - "examples": ["${{ secrets.GITHUB_TOKEN }}", "${{ secrets.CUSTOM_PAT }}", "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"] - }, - "app": { - "type": "object", - "description": "GitHub App credentials for minting installation access tokens. When configured, a token will be generated using the app credentials and used for all safe output operations.", - "properties": { - "app-id": { - "type": "string", - "description": "GitHub App ID. Should reference a variable (e.g., ${{ vars.APP_ID }}).", - "examples": ["${{ vars.APP_ID }}", "${{ secrets.APP_ID }}"] - }, - "private-key": { - "type": "string", - "description": "GitHub App private key. Should reference a secret (e.g., ${{ secrets.APP_PRIVATE_KEY }}).", - "examples": ["${{ secrets.APP_PRIVATE_KEY }}"] - }, - "owner": { - "type": "string", - "description": "Optional: The owner of the GitHub App installation. If empty, defaults to the current repository owner.", - "examples": ["my-organization", "${{ github.repository_owner }}"] - }, - "repositories": { - "type": "array", - "description": "Optional: Comma or newline-separated list of repositories to grant access to. If owner is set and repositories is empty, access will be scoped to all repositories in the provided repository owner's installation. If owner and repositories are empty, access will be scoped to only the current repository.", - "items": { - "type": "string" - }, - "examples": [["repo1", "repo2"], ["my-repo"]] - } - }, - "required": ["app-id", "private-key"], - "additionalProperties": false - }, - "max-patch-size": { - "type": "integer", - "description": "Maximum allowed size for git patches in kilobytes (KB). Defaults to 1024 KB (1 MB). If patch exceeds this size, the job will fail.", - "minimum": 1, - "maximum": 10240, - "default": 1024 - }, - "threat-detection": { - "oneOf": [ - { - "type": "boolean", - "description": "Enable or disable threat detection for safe outputs (defaults to true when safe-outputs are configured)" - }, - { - "type": "object", - "description": "Threat detection configuration object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Whether threat detection is enabled", - "default": true - }, - "prompt": { - "type": "string", - "description": "Additional custom prompt instructions to append to threat detection analysis" - }, - "engine": { - "description": "AI engine configuration specifically for threat detection (overrides main workflow engine). Set to false to disable AI-based threat detection. Supports same format as main engine field when not false.", - "oneOf": [ - { - "type": "boolean", - "const": false, - "description": "Disable AI engine for threat detection (only run custom steps)" - }, - { - "$ref": "#/$defs/engine_config" - } - ] - }, - "steps": { - "type": "array", - "description": "Array of extra job steps to run after detection", - "items": { - "$ref": "#/$defs/githubActionsStep" - } - } - }, - "additionalProperties": false - } - ] - }, - "jobs": { - "type": "object", - "description": "Custom safe-output jobs that can be executed based on agentic workflow output. Job names containing dashes will be automatically normalized to underscores (e.g., 'send-notification' becomes 'send_notification').", - "patternProperties": { - "^[a-zA-Z_][a-zA-Z0-9_-]*$": { - "type": "object", - "description": "Custom safe-output job configuration. The job name will be normalized to use underscores instead of dashes.", - "properties": { - "name": { - "type": "string", - "description": "Display name for the job" - }, - "description": { - "type": "string", - "description": "Description of the safe-job (used in MCP tool registration)" - }, - "runs-on": { - "description": "Runner specification for this job", - "oneOf": [ - { - "type": "string" - }, - { - "type": "array", - "items": { - "type": "string" - } - } - ] - }, - "if": { - "type": "string", - "description": "Conditional expression for job execution" - }, - "needs": { - "description": "Job dependencies beyond the main job", - "oneOf": [ - { - "type": "string" - }, - { - "type": "array", - "items": { - "type": "string" - } - } - ] - }, - "env": { - "type": "object", - "description": "Job-specific environment variables", - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "string" - } - }, - "additionalProperties": false - }, - "permissions": { - "$ref": "#/properties/permissions" - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token for this specific job" - }, - "output": { - "type": "string", - "description": "Output configuration for the safe job" - }, - "inputs": { - "type": "object", - "description": "Input parameters for the safe job (workflow_dispatch syntax) - REQUIRED: at least one input must be defined", - "minProperties": 1, - "maxProperties": 25, - "patternProperties": { - "^[a-zA-Z_][a-zA-Z0-9_-]*$": { - "type": "object", - "properties": { - "description": { - "type": "string", - "description": "Input parameter description" - }, - "required": { - "type": "boolean", - "description": "Whether this input is required", - "default": false - }, - "default": { - "type": "string", - "description": "Default value for the input" - }, - "type": { - "type": "string", - "enum": ["string", "boolean", "choice"], - "description": "Input parameter type", - "default": "string" - }, - "options": { - "type": "array", - "description": "Available options for choice type inputs", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - }, - "steps": { - "type": "array", - "description": "Custom steps to execute in the safe job", - "items": { - "$ref": "#/$defs/githubActionsStep" - } - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - }, - "messages": { - "type": "object", - "description": "Custom message templates for safe-output footer and notification messages. Available placeholders: {workflow_name} (workflow name), {run_url} (GitHub Actions run URL), {triggering_number} (issue/PR/discussion number), {workflow_source} (owner/repo/path@ref), {workflow_source_url} (GitHub URL to source), {operation} (safe-output operation name for staged mode).", - "properties": { - "footer": { - "type": "string", - "description": "Custom footer message template for AI-generated content. Available placeholders: {workflow_name}, {run_url}, {triggering_number}, {workflow_source}, {workflow_source_url}. Example: '> Generated by [{workflow_name}]({run_url})'", - "examples": ["> Generated by [{workflow_name}]({run_url})", "> AI output from [{workflow_name}]({run_url}) for #{triggering_number}"] - }, - "footer-install": { - "type": "string", - "description": "Custom installation instructions template appended to the footer. Available placeholders: {workflow_source}, {workflow_source_url}. Example: '> Install: `gh aw add {workflow_source}`'", - "examples": ["> Install: `gh aw add {workflow_source}`", "> [Add this workflow]({workflow_source_url})"] - }, - "staged-title": { - "type": "string", - "description": "Custom title template for staged mode preview. Available placeholders: {operation}. Example: '\ud83c\udfad Preview: {operation}'", - "examples": ["\ud83c\udfad Preview: {operation}", "## Staged Mode: {operation}"] - }, - "staged-description": { - "type": "string", - "description": "Custom description template for staged mode preview. Available placeholders: {operation}. Example: 'The following {operation} would occur if staged mode was disabled:'", - "examples": ["The following {operation} would occur if staged mode was disabled:"] - }, - "run-started": { - "type": "string", - "description": "Custom message template for workflow activation comment. Available placeholders: {workflow_name}, {run_url}, {event_type}. Default: 'Agentic [{workflow_name}]({run_url}) triggered by this {event_type}.'", - "examples": ["Agentic [{workflow_name}]({run_url}) triggered by this {event_type}.", "[{workflow_name}]({run_url}) started processing this {event_type}."] - }, - "run-success": { - "type": "string", - "description": "Custom message template for successful workflow completion. Available placeholders: {workflow_name}, {run_url}. Default: '\u2705 Agentic [{workflow_name}]({run_url}) completed successfully.'", - "examples": ["\u2705 Agentic [{workflow_name}]({run_url}) completed successfully.", "\u2705 [{workflow_name}]({run_url}) finished."] - }, - "run-failure": { - "type": "string", - "description": "Custom message template for failed workflow. Available placeholders: {workflow_name}, {run_url}, {status}. Default: '\u274c Agentic [{workflow_name}]({run_url}) {status} and wasn't able to produce a result.'", - "examples": ["\u274c Agentic [{workflow_name}]({run_url}) {status} and wasn't able to produce a result.", "\u274c [{workflow_name}]({run_url}) {status}."] - }, - "detection-failure": { - "type": "string", - "description": "Custom message template for detection job failure. Available placeholders: {workflow_name}, {run_url}. Default: '\u26a0\ufe0f Security scanning failed for [{workflow_name}]({run_url}). Review the logs for details.'", - "examples": ["\u26a0\ufe0f Security scanning failed for [{workflow_name}]({run_url}). Review the logs for details.", "\u26a0\ufe0f Detection job failed in [{workflow_name}]({run_url})."] - } - }, - "additionalProperties": false - }, - "mentions": { - "description": "Configuration for @mention filtering in safe outputs. Controls whether and how @mentions in AI-generated content are allowed or escaped.", - "oneOf": [ - { - "type": "boolean", - "description": "Simple boolean mode: false = always escape mentions, true = always allow mentions (error in strict mode)" - }, - { - "type": "object", - "description": "Advanced configuration for @mention filtering with fine-grained control", - "properties": { - "allow-team-members": { - "type": "boolean", - "description": "Allow mentions of repository team members (collaborators with any permission level, excluding bots). Default: true", - "default": true - }, - "allow-context": { - "type": "boolean", - "description": "Allow mentions inferred from event context (issue/PR authors, assignees, commenters). Default: true", - "default": true - }, - "allowed": { - "type": "array", - "description": "List of user/bot names always allowed to be mentioned. Bots are not allowed by default unless listed here.", - "items": { - "type": "string", - "minLength": 1 - } - }, - "max": { - "type": "integer", - "description": "Maximum number of mentions allowed per message. Default: 50", - "minimum": 1, - "default": 50 - } - }, - "additionalProperties": false - } - ] - }, - "runs-on": { - "type": "string", - "description": "Runner specification for all safe-outputs jobs (activation, create-issue, add-comment, etc.). Single runner label (e.g., 'ubuntu-slim', 'ubuntu-latest', 'windows-latest', 'self-hosted'). Defaults to 'ubuntu-slim'. See https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/" - } - }, - "additionalProperties": false - }, - "secret-masking": { - "type": "object", - "description": "Configuration for secret redaction behavior in workflow outputs and artifacts", - "properties": { - "steps": { - "type": "array", - "description": "Additional secret redaction steps to inject after the built-in secret redaction. Use this to mask secrets in generated files using custom patterns.", - "items": { - "$ref": "#/$defs/githubActionsStep" - }, - "examples": [ - [ - { - "name": "Redact custom secrets", - "run": "find /tmp/gh-aw -type f -exec sed -i 's/password123/REDACTED/g' {} +" - } - ] - ] - } - }, - "additionalProperties": false - }, - "roles": { - "description": "Repository access roles required to trigger agentic workflows. Defaults to ['admin', 'maintainer', 'write'] for security. Use 'all' to allow any authenticated user (\u26a0\ufe0f security consideration).", - "oneOf": [ - { - "type": "string", - "enum": ["all"], - "description": "Allow any authenticated user to trigger the workflow (\u26a0\ufe0f disables permission checking entirely - use with caution)" - }, - { - "type": "array", - "description": "List of repository permission levels that can trigger the workflow. Permission checks are automatically applied to potentially unsafe triggers.", - "items": { - "type": "string", - "enum": ["admin", "maintainer", "maintain", "write", "triage"], - "description": "Repository permission level: 'admin' (full access), 'maintainer'/'maintain' (repository management), 'write' (push access), 'triage' (issue management)" - }, - "minItems": 1 - } - ] - }, - "bots": { - "type": "array", - "description": "Allow list of bot identifiers that can trigger the workflow even if they don't meet the required role permissions. When the actor is in this list, the bot must be active (installed) on the repository to trigger the workflow.", - "items": { - "type": "string", - "minLength": 1, - "description": "Bot identifier/name (e.g., 'dependabot[bot]', 'renovate[bot]', 'github-actions[bot]')" - } - }, - "strict": { - "type": "boolean", - "default": true, - "$comment": "Strict mode enforces several security constraints that are validated in Go code (pkg/workflow/strict_mode_validation.go) rather than JSON Schema: (1) Write Permissions + Safe Outputs: When strict=true AND permissions contains write values (contents:write, issues:write, pull-requests:write), safe-outputs must be configured. This relationship is too complex for JSON Schema as it requires checking if ANY permission property has a 'write' value. (2) Network Requirements: When strict=true, the 'network' field must be present and cannot contain wildcard '*'. (3) MCP Container Network: Custom MCP servers with containers require explicit network configuration. (4) Action Pinning: Actions must be pinned to commit SHAs. These are enforced during compilation via validateStrictMode().", - "description": "Enable strict mode validation for enhanced security and compliance. Strict mode enforces: (1) Write Permissions - refuses contents:write, issues:write, pull-requests:write; requires safe-outputs instead, (2) Network Configuration - requires explicit network configuration with no wildcard '*' in allowed domains, (3) Action Pinning - enforces actions pinned to commit SHAs instead of tags/branches, (4) MCP Network - requires network configuration for custom MCP servers with containers, (5) Deprecated Fields - refuses deprecated frontmatter fields. Can be enabled per-workflow via 'strict: true' in frontmatter, or disabled via 'strict: false'. CLI flag takes precedence over frontmatter (gh aw compile --strict enforces strict mode). Defaults to true. See: https://github.github.io/gh-aw/reference/frontmatter/#strict-mode-strict", - "examples": [true, false] - }, - "safe-inputs": { - "type": "object", - "description": "Safe inputs configuration for defining custom lightweight MCP tools as JavaScript, shell scripts, or Python scripts. Tools are mounted in an MCP server and have access to secrets specified by the user. Only one of 'script' (JavaScript), 'run' (shell), or 'py' (Python) must be specified per tool.", - "patternProperties": { - "^([a-ln-z][a-z0-9_-]*|m[a-np-z][a-z0-9_-]*|mo[a-ce-z][a-z0-9_-]*|mod[a-df-z][a-z0-9_-]*|mode[a-z0-9_-]+)$": { - "type": "object", - "description": "Custom tool definition. The key is the tool name (lowercase alphanumeric with dashes/underscores).", - "required": ["description"], - "properties": { - "description": { - "type": "string", - "description": "Tool description that explains what the tool does. This is required and will be shown to the AI agent." - }, - "inputs": { - "type": "object", - "description": "Optional input parameters for the tool using workflow syntax. Each property defines an input with its type and description.", - "additionalProperties": { - "type": "object", - "properties": { - "type": { - "type": "string", - "enum": ["string", "number", "boolean", "array", "object"], - "default": "string", - "description": "The JSON schema type of the input parameter." - }, - "description": { - "type": "string", - "description": "Description of the input parameter." - }, - "required": { - "type": "boolean", - "default": false, - "description": "Whether this input is required." - }, - "default": { - "description": "Default value for the input parameter." - } - }, - "additionalProperties": false - } - }, - "script": { - "type": "string", - "description": "JavaScript implementation (CommonJS format). The script receives input parameters as a JSON object and should return a result. Cannot be used together with 'run', 'py', or 'go'." - }, - "run": { - "type": "string", - "description": "Shell script implementation. The script receives input parameters as environment variables (JSON-encoded for complex types). Cannot be used together with 'script', 'py', or 'go'." - }, - "py": { - "type": "string", - "description": "Python script implementation. The script receives input parameters as environment variables (INPUT_* prefix, uppercased). Cannot be used together with 'script', 'run', or 'go'." - }, - "go": { - "type": "string", - "description": "Go script implementation. The script is executed using 'go run' and receives input parameters as JSON via stdin. Cannot be used together with 'script', 'run', or 'py'." - }, - "env": { - "type": "object", - "description": "Environment variables to pass to the tool, typically for secrets. Use ${{ secrets.NAME }} syntax.", - "additionalProperties": { - "type": "string" - }, - "examples": [ - { - "GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}", - "API_KEY": "${{ secrets.MY_API_KEY }}" - } - ] - }, - "timeout": { - "type": "integer", - "description": "Timeout in seconds for tool execution. Default is 60 seconds. Applies to shell (run) and Python (py) tools.", - "default": 60, - "minimum": 1, - "examples": [30, 60, 120, 300] - } - }, - "additionalProperties": false, - "oneOf": [ - { - "required": ["script"], - "not": { - "anyOf": [ - { - "required": ["run"] - }, - { - "required": ["py"] - }, - { - "required": ["go"] - } - ] - } - }, - { - "required": ["run"], - "not": { - "anyOf": [ - { - "required": ["script"] - }, - { - "required": ["py"] - }, - { - "required": ["go"] - } - ] - } - }, - { - "required": ["py"], - "not": { - "anyOf": [ - { - "required": ["script"] - }, - { - "required": ["run"] - }, - { - "required": ["go"] - } - ] - } - }, - { - "required": ["go"], - "not": { - "anyOf": [ - { - "required": ["script"] - }, - { - "required": ["run"] - }, - { - "required": ["py"] - } - ] - } - } - ] - } - }, - "examples": [ - { - "search-issues": { - "description": "Search GitHub issues using the GitHub API", - "inputs": { - "query": { - "type": "string", - "description": "Search query for issues", - "required": true - }, - "limit": { - "type": "number", - "description": "Maximum number of results", - "default": 10 - } - }, - "script": "const { Octokit } = require('@octokit/rest');\nconst octokit = new Octokit({ auth: process.env.GH_TOKEN });\nconst result = await octokit.search.issuesAndPullRequests({ q: inputs.query, per_page: inputs.limit });\nreturn result.data.items;", - "env": { - "GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}" - } - } - }, - { - "run-linter": { - "description": "Run a custom linter on the codebase", - "inputs": { - "path": { - "type": "string", - "description": "Path to lint", - "default": "." - } - }, - "run": "eslint $INPUT_PATH --format json", - "env": { - "INPUT_PATH": "${{ inputs.path }}" - } - } - } - ], - "additionalProperties": false - }, - "runtimes": { - "type": "object", - "description": "Runtime environment version overrides. Allows customizing runtime versions (e.g., Node.js, Python) or defining new runtimes. Runtimes from imported shared workflows are also merged.", - "patternProperties": { - "^[a-z][a-z0-9-]*$": { - "type": "object", - "description": "Runtime configuration object identified by runtime ID (e.g., 'node', 'python', 'go')", - "properties": { - "version": { - "type": ["string", "number"], - "description": "Runtime version as a string (e.g., '22', '3.12', 'latest') or number (e.g., 22, 3.12). Numeric values are automatically converted to strings at runtime.", - "examples": ["22", "3.12", "latest", 22, 3.12] - }, - "action-repo": { - "type": "string", - "description": "GitHub Actions repository for setting up the runtime (e.g., 'actions/setup-node', 'custom/setup-runtime'). Overrides the default setup action." - }, - "action-version": { - "type": "string", - "description": "Version of the setup action to use (e.g., 'v4', 'v5'). Overrides the default action version." - } - }, - "additionalProperties": false - } - }, - "additionalProperties": false - }, - "github-token": { - "$ref": "#/$defs/github_token", - "description": "GitHub token expression to use for all steps that require GitHub authentication. Typically a secret reference like ${{ secrets.GITHUB_TOKEN }} or ${{ secrets.CUSTOM_PAT }}. If not specified, defaults to ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}. This value can be overridden by safe-outputs github-token or individual safe-output github-token fields." - } - }, - "additionalProperties": false, - "allOf": [ - { - "if": { - "properties": { - "on": { - "type": "object", - "anyOf": [ - { - "properties": { - "slash_command": { - "not": { - "type": "null" - } - } - }, - "required": ["slash_command"] - }, - { - "properties": { - "command": { - "not": { - "type": "null" - } - } - }, - "required": ["command"] - } - ] - } - } - }, - "then": { - "properties": { - "on": { - "not": { - "anyOf": [ - { - "properties": { - "issue_comment": { - "not": { - "type": "null" - } - } - }, - "required": ["issue_comment"] - }, - { - "properties": { - "pull_request_review_comment": { - "not": { - "type": "null" - } - } - }, - "required": ["pull_request_review_comment"] - }, - { - "properties": { - "label": { - "not": { - "type": "null" - } - } - }, - "required": ["label"] - } - ] - } - } - } - } - } - ], - "$defs": { - "engine_config": { - "examples": [ - "claude", - "copilot", - { - "id": "claude", - "model": "claude-3-5-sonnet-20241022", - "max-turns": 15 - }, - { - "id": "copilot", - "version": "beta" - }, - { - "id": "claude", - "concurrency": { - "group": "gh-aw-claude", - "cancel-in-progress": false - } - } - ], - "oneOf": [ - { - "type": "string", - "enum": ["claude", "codex", "copilot", "custom"], - "description": "Simple engine name: 'claude' (default, Claude Code), 'copilot' (GitHub Copilot CLI), 'codex' (OpenAI Codex CLI), or 'custom' (user-defined steps)" - }, - { - "type": "object", - "description": "Extended engine configuration object with advanced options for model selection, turn limiting, environment variables, and custom steps", - "properties": { - "id": { - "type": "string", - "enum": ["claude", "codex", "custom", "copilot"], - "description": "AI engine identifier: 'claude' (Claude Code), 'codex' (OpenAI Codex CLI), 'copilot' (GitHub Copilot CLI), or 'custom' (user-defined GitHub Actions steps)" - }, - "version": { - "type": ["string", "number"], - "description": "Optional version of the AI engine action (e.g., 'beta', 'stable', 20). Has sensible defaults and can typically be omitted. Numeric values are automatically converted to strings at runtime.", - "examples": ["beta", "stable", 20, 3.11] - }, - "model": { - "type": "string", - "description": "Optional specific LLM model to use (e.g., 'claude-3-5-sonnet-20241022', 'gpt-4'). Has sensible defaults and can typically be omitted." - }, - "max-turns": { - "oneOf": [ - { - "type": "integer", - "description": "Maximum number of chat iterations per run as an integer value" - }, - { - "type": "string", - "description": "Maximum number of chat iterations per run as a string value" - } - ], - "description": "Maximum number of chat iterations per run. Helps prevent runaway loops and control costs. Has sensible defaults and can typically be omitted. Note: Only supported by the claude engine." - }, - "concurrency": { - "oneOf": [ - { - "type": "string", - "description": "Simple concurrency group name. Gets converted to GitHub Actions concurrency format with the specified group." - }, - { - "type": "object", - "description": "GitHub Actions concurrency configuration for the agent job. Controls how many agentic workflow runs can run concurrently.", - "properties": { - "group": { - "type": "string", - "description": "Concurrency group identifier. Use GitHub Actions expressions like ${{ github.workflow }} or ${{ github.ref }}. Defaults to 'gh-aw-{engine-id}' if not specified." - }, - "cancel-in-progress": { - "type": "boolean", - "description": "Whether to cancel in-progress runs of the same concurrency group. Defaults to false for agentic workflow runs." - } - }, - "required": ["group"], - "additionalProperties": false - } - ], - "description": "Agent job concurrency configuration. Defaults to single job per engine across all workflows (group: 'gh-aw-{engine-id}'). Supports full GitHub Actions concurrency syntax." - }, - "user-agent": { - "type": "string", - "description": "Custom user agent string for GitHub MCP server configuration (codex engine only)" - }, - "env": { - "type": "object", - "description": "Custom environment variables to pass to the AI engine, including secret overrides (e.g., OPENAI_API_KEY: ${{ secrets.CUSTOM_KEY }})", - "additionalProperties": { - "type": "string" - } - }, - "steps": { - "type": "array", - "description": "Custom GitHub Actions steps for 'custom' engine. Define your own deterministic workflow steps instead of using AI processing.", - "items": { - "type": "object", - "additionalProperties": true - } - }, - "error_patterns": { - "type": "array", - "description": "Custom error patterns for validating agent logs", - "items": { - "type": "object", - "description": "Error pattern definition", - "properties": { - "id": { - "type": "string", - "description": "Unique identifier for this error pattern" - }, - "pattern": { - "type": "string", - "description": "Ecma script regular expression pattern to match log lines" - }, - "level_group": { - "type": "integer", - "minimum": 0, - "description": "Capture group index (1-based) that contains the error level. Use 0 to infer from pattern content." - }, - "message_group": { - "type": "integer", - "minimum": 0, - "description": "Capture group index (1-based) that contains the error message. Use 0 to use the entire match." - }, - "description": { - "type": "string", - "description": "Human-readable description of what this pattern matches" - } - }, - "required": ["pattern"], - "additionalProperties": false - } - }, - "config": { - "type": "string", - "description": "Additional TOML configuration text that will be appended to the generated config.toml in the action (codex engine only)" - }, - "args": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Optional array of command-line arguments to pass to the AI engine CLI. These arguments are injected after all other args but before the prompt." - } - }, - "required": ["id"], - "additionalProperties": false - } - ] - }, - "stdio_mcp_tool": { - "type": "object", - "description": "Stdio MCP tool configuration", - "properties": { - "type": { - "type": "string", - "enum": ["stdio", "local"], - "description": "MCP connection type for stdio (local is an alias for stdio)" - }, - "registry": { - "type": "string", - "description": "URI to the installation location when MCP is installed from a registry" - }, - "command": { - "type": "string", - "minLength": 1, - "$comment": "Mutually exclusive with 'container' - only one execution mode can be specified. Validated by 'not.allOf' constraint below.", - "description": "Command for stdio MCP connections" - }, - "container": { - "type": "string", - "pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$", - "$comment": "Mutually exclusive with 'command' - only one execution mode can be specified. Validated by 'not.allOf' constraint below.", - "description": "Container image for stdio MCP connections" - }, - "version": { - "type": ["string", "number"], - "description": "Optional version/tag for the container image (e.g., 'latest', 'v1.0.0', 20, 3.11). Numeric values are automatically converted to strings at runtime.", - "examples": ["latest", "v1.0.0", 20, 3.11] - }, - "args": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Arguments for command or container execution" - }, - "entrypointArgs": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Arguments to add after the container image (container entrypoint arguments)" - }, - "env": { - "type": "object", - "patternProperties": { - "^[A-Z_][A-Z0-9_]*$": { - "type": "string" - } - }, - "additionalProperties": false, - "description": "Environment variables for MCP server" - }, - "network": { - "type": "object", - "$comment": "Requires 'container' to be specified - network configuration only applies to container-based MCP servers. Validated by 'if/then' constraint in 'allOf' below.", - "properties": { - "allowed": { - "type": "array", - "items": { - "type": "string", - "pattern": "^[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*$", - "description": "Allowed domain name" - }, - "minItems": 1, - "uniqueItems": true, - "description": "List of allowed domain names for network access" - }, - "proxy-args": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Custom proxy arguments for container-based MCP servers" - } - }, - "additionalProperties": false, - "description": "Network configuration for container-based MCP servers" - }, - "allowed": { - "type": "array", - "description": "List of allowed tool functions", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false, - "$comment": "Validation constraints: (1) Mutual exclusion: 'command' and 'container' cannot both be specified. (2) Requirement: Either 'command' or 'container' must be provided (via 'anyOf'). (3) Dependency: 'network' requires 'container' (validated in 'allOf'). (4) Type constraint: When 'type' is 'stdio' or 'local', either 'command' or 'container' is required.", - "anyOf": [ - { - "required": ["type"] - }, - { - "required": ["command"] - }, - { - "required": ["container"] - } - ], - "not": { - "allOf": [ - { - "required": ["command"] - }, - { - "required": ["container"] - } - ] - }, - "allOf": [ - { - "if": { - "required": ["network"] - }, - "then": { - "required": ["container"] - } - }, - { - "if": { - "properties": { - "type": { - "enum": ["stdio", "local"] - } - } - }, - "then": { - "anyOf": [ - { - "required": ["command"] - }, - { - "required": ["container"] - } - ] - } - } - ] - }, - "http_mcp_tool": { - "type": "object", - "description": "HTTP MCP tool configuration", - "properties": { - "type": { - "type": "string", - "enum": ["http"], - "description": "MCP connection type for HTTP" - }, - "registry": { - "type": "string", - "description": "URI to the installation location when MCP is installed from a registry" - }, - "url": { - "type": "string", - "minLength": 1, - "description": "URL for HTTP MCP connections" - }, - "headers": { - "type": "object", - "patternProperties": { - "^[A-Za-z0-9_-]+$": { - "type": "string" - } - }, - "additionalProperties": false, - "description": "HTTP headers for HTTP MCP connections" - }, - "allowed": { - "type": "array", - "description": "List of allowed tool functions", - "items": { - "type": "string" - } - } - }, - "required": ["url"], - "additionalProperties": false - }, - "github_token": { - "type": "string", - "pattern": "^\\$\\{\\{\\s*secrets\\.[A-Za-z_][A-Za-z0-9_]*(\\s*\\|\\|\\s*secrets\\.[A-Za-z_][A-Za-z0-9_]*)*\\s*\\}\\}$", - "description": "GitHub token expression using secrets. Pattern details: `[A-Za-z_][A-Za-z0-9_]*` matches a valid secret name (starts with a letter or underscore, followed by letters, digits, or underscores). The full pattern matches expressions like `${{ secrets.NAME }}` or `${{ secrets.NAME1 || secrets.NAME2 }}`.", - "examples": ["${{ secrets.GITHUB_TOKEN }}", "${{ secrets.CUSTOM_PAT }}", "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"] - }, - "githubActionsStep": { - "type": "object", - "description": "GitHub Actions workflow step", - "properties": { - "name": { - "type": "string", - "description": "A name for your step to display on GitHub" - }, - "id": { - "type": "string", - "description": "A unique identifier for the step" - }, - "if": { - "type": "string", - "description": "Conditional expression to determine if step should run" - }, - "uses": { - "type": "string", - "description": "Selects an action to run as part of a step in your job" - }, - "run": { - "type": "string", - "description": "Runs command-line programs using the operating system's shell" - }, - "with": { - "type": "object", - "description": "Input parameters defined by the action", - "additionalProperties": true - }, - "env": { - "type": "object", - "description": "Environment variables for the step", - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "string" - } - }, - "additionalProperties": false - }, - "continue-on-error": { - "type": "boolean", - "description": "Prevents a job from failing when a step fails" - }, - "timeout-minutes": { - "type": "number", - "description": "The maximum number of minutes to run the step before killing the process" - }, - "working-directory": { - "type": "string", - "description": "Working directory for the step" - }, - "shell": { - "type": "string", - "description": "Shell to use for the run command" - } - }, - "additionalProperties": false, - "anyOf": [ - { - "required": ["uses"] - }, - { - "required": ["run"] - } - ] - } - } -} diff --git a/.github/workflows/daily-compliance-checker.lock.yml b/.github/workflows/daily-compliance-checker.lock.yml index 8a335cf3..5c4d523f 100644 --- a/.github/workflows/daily-compliance-checker.lock.yml +++ b/.github/workflows/daily-compliance-checker.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Daily Compliance Checker" "on": schedule: - - cron: "27 4 * * *" + - cron: "36 5 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -147,7 +147,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,7 +159,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -456,7 +456,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Daily Compliance Checker", experimental: false, supports_tools_allowlist: true, @@ -472,7 +472,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -623,10 +623,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -787,7 +785,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -889,7 +887,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -999,7 +997,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1036,7 +1034,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index a6b561cd..cc44ec4e 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -31,7 +31,7 @@ name: "Multi-Device Docs Tester" "on": schedule: - - cron: "2 0 * * *" + - cron: "13 17 * * *" # Friendly format: daily (scattered) workflow_dispatch: inputs: @@ -57,7 +57,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -98,7 +98,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -928,7 +928,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1032,7 +1032,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1135,7 +1135,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1177,7 +1177,7 @@ jobs: published_count: ${{ steps.upload_assets.outputs.published_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 46688a81..e7158211 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Duplicate Code Detector" "on": schedule: - - cron: "0 2 * * *" + - cron: "1 10 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -130,7 +130,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -142,7 +142,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -489,7 +489,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Duplicate Code Detector", experimental: false, supports_tools_allowlist: true, @@ -505,7 +505,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -651,10 +651,8 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -808,7 +806,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -910,7 +908,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1020,7 +1018,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index d2a28c98..4313c84a 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -50,7 +50,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -92,7 +92,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -145,7 +145,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -157,7 +157,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -462,7 +462,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Go Fan", experimental: false, supports_tools_allowlist: true, @@ -478,7 +478,7 @@ jobs: staged: false, allowed_domains: ["defaults","github","go","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -665,10 +665,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcr.microsoft.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,proxy.golang.org,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat go.mod)'\'' --allow-tool '\''shell(cat go.sum)'\'' --allow-tool '\''shell(cat specs/mods/*)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find pkg -name '\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(go list -m all)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''import'\''\'\'''\'' --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls -la specs/mods/)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcr.microsoft.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,proxy.golang.org,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat go.mod)'\'' --allow-tool '\''shell(cat go.sum)'\'' --allow-tool '\''shell(cat specs/mods/*)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find pkg -name '\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(go list -m all)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''import'\''\'\'''\'' --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls -la specs/mods/)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -829,7 +827,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -933,7 +931,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1044,7 +1042,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1081,7 +1079,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index e6cbcfa4..2b590954 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Go Logger Enhancement" "on": schedule: - - cron: "29 15 * * *" + - cron: "0 12 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -147,7 +147,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,7 +159,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -445,7 +445,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Go Logger Enhancement", experimental: false, supports_tools_allowlist: true, @@ -461,7 +461,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -643,10 +643,8 @@ jobs: timeout-minutes: 15 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test ./...)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/*.go)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''var log = logger.New'\''\'\'''\'' internal --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * internal/**/*.go)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test ./...)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/*.go)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''var log = logger.New'\''\'\'''\'' internal --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * internal/**/*.go)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -808,7 +806,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -922,7 +920,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1034,7 +1032,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1097,7 +1095,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index ed8c3421..95f23375 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Issue Monster" "on": schedule: - - cron: "10 */1 * * *" + - cron: "47 */1 * * *" # Friendly format: every 1h (scattered) # skip-if-match: # Skip-if-match processed as search check in pre-activation job # max: 9 @@ -55,7 +55,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -98,7 +98,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -140,7 +140,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -152,7 +152,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -456,7 +456,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Issue Monster", experimental: false, supports_tools_allowlist: true, @@ -472,7 +472,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -618,10 +618,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -775,7 +773,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -879,7 +877,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -974,7 +972,7 @@ jobs: activated: ${{ ((steps.check_membership.outputs.is_team_member == 'true') && (steps.check_skip_if_match.outputs.skip_check_ok == 'true')) && (steps.check_skip_if_no_match.outputs.skip_no_match_check_ok == 'true') }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1043,7 +1041,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/language-support-tester.lock.yml b/.github/workflows/language-support-tester.lock.yml index ee3a14e7..6c9ca439 100644 --- a/.github/workflows/language-support-tester.lock.yml +++ b/.github/workflows/language-support-tester.lock.yml @@ -26,7 +26,7 @@ name: "Language Support Tester" "on": schedule: - - cron: "50 2 * * *" + - cron: "31 10 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -764,7 +764,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -864,7 +864,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -974,7 +974,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.2 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/large-payload-tester.lock.yml b/.github/workflows/large-payload-tester.lock.yml index d8e488c1..2e051645 100644 --- a/.github/workflows/large-payload-tester.lock.yml +++ b/.github/workflows/large-payload-tester.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.42.3). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -21,12 +21,12 @@ # # Test the MCP Gateway's ability to handle large payloads and provide agent access to stored payload files # -# frontmatter-hash: 77cc2b4b1429942d8d9a9adf8548a308f47718458cedfa95590effca35b03b0c +# frontmatter-hash: f7eecabc3339d0d9ca988eab8db9525c30f85459d0f085a9ef422d32511b9ffd name: "Large Payload Tester" "on": schedule: - - cron: "12 1 * * *" + - cron: "3 14 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.3 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -87,16 +87,12 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.3 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - - name: Checkout .github and .agents folders + - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: - sparse-checkout: | - .github - .agents - depth: 1 persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh @@ -134,7 +130,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server @@ -148,7 +144,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.99 ghcr.io/github/github-mcp-server:v0.30.3 mcp/filesystem node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcp/filesystem node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -401,7 +397,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/mcp-test-fs:/tmp/mcp-test-fs:ro -v /tmp/jq-payloads:/tmp/jq-payloads:rw ghcr.io/github/gh-aw-mcpg:v0.0.99' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98' mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -411,8 +407,7 @@ jobs: "type": "stdio", "container": "mcp/filesystem", "mounts": [ - "/tmp/mcp-test-fs:/workspace/test-data:ro", - "/tmp/jq-payloads:/workspace/mcp-payloads:ro" + "/tmp/mcp-test-fs:/workspace/test-data:ro" ], "tools": [ "*" @@ -458,8 +453,8 @@ jobs: engine_name: "GitHub Copilot CLI", model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", - agent_version: "0.0.403", - cli_version: "v0.42.3", + agent_version: "0.0.402", + cli_version: "v0.42.2", workflow_name: "Large Payload Tester", experimental: false, supports_tools_allowlist: true, @@ -476,7 +471,7 @@ jobs: allowed_domains: ["defaults"], firewall_enabled: true, awf_version: "v0.13.4", - awmg_version: "v0.0.99", + awmg_version: "v0.0.98", steps: { firewall: "squid" }, @@ -565,7 +560,7 @@ jobs: PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - {{#runtime-import .github/workflows/large-payload-tester.md}} + {{#runtime-import workflows/large-payload-tester.md}} PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -755,7 +750,6 @@ jobs: /tmp/gh-aw/mcp-logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log - /tmp/gh-aw/agent/ if-no-files-found: ignore conclusion: @@ -777,7 +771,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.3 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -877,7 +871,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.3 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -919,7 +913,7 @@ jobs: env: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI - run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.403 + run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): @@ -987,7 +981,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@v0.42.3 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/large-payload-tester.md b/.github/workflows/large-payload-tester.md index 29b9d751..924f65ed 100644 --- a/.github/workflows/large-payload-tester.md +++ b/.github/workflows/large-payload-tester.md @@ -26,14 +26,10 @@ mcp-servers: ALLOWED_PATHS: "/workspace" mounts: - "/tmp/mcp-test-fs:/workspace/test-data:ro" - - "/tmp/jq-payloads:/workspace/mcp-payloads:ro" sandbox: mcp: container: "ghcr.io/github/gh-aw-mcpg" - mounts: - - "/tmp/mcp-test-fs:/tmp/mcp-test-fs:ro" - - "/tmp/jq-payloads:/tmp/jq-payloads:rw" safe-outputs: create-issue: diff --git a/.github/workflows/mcp-gateway-log-analyzer.lock.yml b/.github/workflows/mcp-gateway-log-analyzer.lock.yml index 6c30a590..3270ceb5 100644 --- a/.github/workflows/mcp-gateway-log-analyzer.lock.yml +++ b/.github/workflows/mcp-gateway-log-analyzer.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "MCP Gateway Log Analyzer" "on": schedule: - - cron: "3 2 * * *" + - cron: "40 12 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -89,7 +89,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -131,7 +131,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -143,7 +143,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -440,7 +440,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "MCP Gateway Log Analyzer", experimental: false, supports_tools_allowlist: true, @@ -456,7 +456,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -602,10 +602,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -760,7 +758,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -862,7 +860,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -972,7 +970,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/nightly-docs-reconciler.lock.yml b/.github/workflows/nightly-docs-reconciler.lock.yml index 7e57a39f..e78f8134 100644 --- a/.github/workflows/nightly-docs-reconciler.lock.yml +++ b/.github/workflows/nightly-docs-reconciler.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Nightly Documentation Reconciler" "on": schedule: - - cron: "58 4 * * *" + - cron: "43 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -130,7 +130,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -142,7 +142,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -447,7 +447,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Nightly Documentation Reconciler", experimental: false, supports_tools_allowlist: true, @@ -463,7 +463,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -609,10 +609,8 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -766,7 +764,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -868,7 +866,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -978,7 +976,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/nightly-mcp-stress-test.lock.yml b/.github/workflows/nightly-mcp-stress-test.lock.yml index 7ebce332..78d3f1b4 100644 --- a/.github/workflows/nightly-mcp-stress-test.lock.yml +++ b/.github/workflows/nightly-mcp-stress-test.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.1). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -89,7 +89,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -131,7 +131,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -143,7 +143,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/github/github-mcp-server:v0.30.3 mcp/brave-search mcp/duckduckgo mcp/everart mcp/fetch mcp/filesystem mcp/gdrive mcp/git mcp/google-maps mcp/hackernews-mcp mcp/kubernetes mcp/memory mcp/puppeteer mcp/sentry mcp/sequentialthinking mcp/slack mcp/sqlite mcp/time mcp/wikipedia-mcp mcp/youtube-transcript mcr.microsoft.com/playwright/mcp mcr.microsoft.com/playwright:v1.49.1-noble node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/github/github-mcp-server:v0.30.3 mcp/brave-search mcp/duckduckgo mcp/everart mcp/fetch mcp/filesystem mcp/gdrive mcp/git mcp/google-maps mcp/hackernews-mcp mcp/kubernetes mcp/memory mcp/puppeteer mcp/sentry mcp/sequentialthinking mcp/slack mcp/sqlite mcp/time mcp/wikipedia-mcp mcp/youtube-transcript mcr.microsoft.com/playwright/mcp mcr.microsoft.com/playwright:v1.49.1-noble node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -621,7 +621,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.1", + cli_version: "v0.42.2", workflow_name: "Nightly MCP Server Stress Test", experimental: false, supports_tools_allowlist: true, @@ -637,7 +637,7 @@ jobs: staged: false, allowed_domains: ["defaults","go","containers","docker.io"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -784,10 +784,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,docker.io,gcr.io,ghcr.io,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,proxy.golang.org,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,docker.io,gcr.io,ghcr.io,github.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,proxy.golang.org,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -960,7 +958,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1062,7 +1060,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1172,7 +1170,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 4dbeaf2c..fbed34c4 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -61,7 +61,7 @@ jobs: text: ${{ steps.compute-text.outputs.text }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -122,7 +122,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -164,7 +164,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -176,7 +176,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -530,7 +530,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Plan Command", experimental: false, supports_tools_allowlist: true, @@ -546,7 +546,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -698,10 +698,8 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -856,7 +854,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -954,7 +952,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1057,7 +1055,7 @@ jobs: matched_command: ${{ steps.check_command_position.outputs.matched_command }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Add eyes reaction for immediate feedback @@ -1119,7 +1117,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index a75126d6..faf1a748 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -58,7 +58,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -104,7 +104,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -153,7 +153,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -165,7 +165,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -446,7 +446,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Release", experimental: false, supports_tools_allowlist: true, @@ -462,7 +462,7 @@ jobs: staged: false, allowed_domains: ["defaults","node","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -608,10 +608,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -765,7 +763,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -925,7 +923,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1025,11 +1023,11 @@ jobs: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to GHCR - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: password: ${{ secrets.GITHUB_TOKEN }} registry: ghcr.io @@ -1114,7 +1112,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check team membership for workflow @@ -1251,7 +1249,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index c3ea2773..53af4e74 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -30,7 +30,7 @@ name: "Semantic Function Refactoring" "on": schedule: - - cron: "56 20 * * *" + - cron: "19 13 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -51,7 +51,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -92,7 +92,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -134,7 +134,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -146,7 +146,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -481,7 +481,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Semantic Function Refactoring", experimental: false, supports_tools_allowlist: true, @@ -497,7 +497,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -657,10 +657,8 @@ jobs: timeout-minutes: 20 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -814,7 +812,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -914,7 +912,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1024,7 +1022,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index f889657d..101c28b0 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.1). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -65,7 +65,7 @@ jobs: comment_url: ${{ steps.add-comment.outputs.comment-url }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -117,7 +117,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -176,7 +176,7 @@ jobs: - name: Install Codex run: npm install -g --silent @openai/codex@0.94.0 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -188,7 +188,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -803,7 +803,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", agent_version: "0.94.0", - cli_version: "v0.41.1", + cli_version: "v0.42.2", workflow_name: "Smoke Codex", experimental: false, supports_tools_allowlist: true, @@ -819,7 +819,7 @@ jobs: staged: false, allowed_domains: ["api.github.com","defaults","github","playwright"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -990,12 +990,9 @@ jobs: - name: Run Codex run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,172.30.0.1,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} @@ -1046,7 +1043,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,172.30.0.1,api.github.com,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: @@ -1150,7 +1147,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -1250,7 +1247,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1344,7 +1341,7 @@ jobs: activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Add hooray reaction for immediate feedback @@ -1397,7 +1394,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1434,7 +1431,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@d47697b2bf91080b55fb9c6905576c36e061011a # v0.41.1 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 0c1b7de4..75197f43 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -195,7 +195,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:latest ghcr.io/github/github-mcp-server:v0.30.3 ghcr.io/github/serena-mcp-server:latest mcr.microsoft.com/playwright/mcp node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1105,7 +1105,7 @@ jobs: # Register API key as secret to mask it from logs echo "::add-mask::${MCP_GATEWAY_API_KEY}" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:latest' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -e GH_TOKEN -e TAVILY_API_KEY -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.0.98' mkdir -p /home/runner/.copilot cat << MCPCONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -1467,7 +1467,7 @@ jobs: PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - {{#runtime-import .github/workflows/smoke-copilot.md}} + {{#runtime-import workflows/smoke-copilot.md}} PROMPT_EOF - name: Substitute placeholders uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index fedc9585..ee43e9e2 100644 --- a/.github/workflows/test-coverage-improver.lock.yml +++ b/.github/workflows/test-coverage-improver.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Test Coverage Improver" "on": schedule: - - cron: "22 16 * * *" + - cron: "21 4 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -147,7 +147,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,7 +159,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -453,7 +453,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Test Coverage Improver", experimental: false, supports_tools_allowlist: true, @@ -469,7 +469,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -655,10 +655,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test -coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go tool cover -html=coverage.out -o coverage.html)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/**/*.go)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*.go'\''\'\'''\'' -type f ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go build -o awmg)'\'' --allow-tool '\''shell(go test -coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go tool cover -html=coverage.out -o coverage.html)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(grep -n '\''\'\'''\''func '\''\'\'''\'' internal/**/*.go)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -820,7 +818,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -934,7 +932,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1046,7 +1044,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1109,7 +1107,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default) diff --git a/.github/workflows/test-improver.lock.yml b/.github/workflows/test-improver.lock.yml index f5ad3e30..e93628ae 100644 --- a/.github/workflows/test-improver.lock.yml +++ b/.github/workflows/test-improver.lock.yml @@ -13,7 +13,7 @@ # \ /\ / (_) | | | | ( | | | | (_) \ V V /\__ \ # \/ \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/ # -# This file was automatically generated by gh-aw (v0.41.0). DO NOT EDIT. +# This file was automatically generated by gh-aw (v0.42.2). DO NOT EDIT. # # To update this file, edit the corresponding .md file and run: # gh aw compile @@ -26,7 +26,7 @@ name: "Test Improver" "on": schedule: - - cron: "29 17 * * *" + - cron: "8 14 * * *" # Friendly format: daily (scattered) workflow_dispatch: @@ -47,7 +47,7 @@ jobs: comment_repo: "" steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Check workflow file timestamps @@ -88,7 +88,7 @@ jobs: secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Checkout repository @@ -147,7 +147,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.402 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.1 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.4 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,7 +159,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent-act:0.13.4 ghcr.io/github/gh-aw-firewall/squid:0.13.4 ghcr.io/github/gh-aw-mcpg:v0.0.98 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -453,7 +453,7 @@ jobs: model: process.env.GH_AW_MODEL_AGENT_COPILOT || "", version: "", agent_version: "0.0.402", - cli_version: "v0.41.0", + cli_version: "v0.42.2", workflow_name: "Test Improver", experimental: false, supports_tools_allowlist: true, @@ -469,7 +469,7 @@ jobs: staged: false, allowed_domains: ["defaults","containers"], firewall_enabled: true, - awf_version: "v0.13.1", + awf_version: "v0.13.4", awmg_version: "v0.0.98", steps: { firewall: "squid" @@ -653,10 +653,8 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS - mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.1 --agent-image act \ - -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go test -coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(gofmt -l .)'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''func Test'\''\'\'''\'' internal/)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*_test.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dl.k8s.io,gcr.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.hub.docker.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.4 --skip-pull --agent-image act \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat internal/**/*.go)'\'' --allow-tool '\''shell(cat internal/**/*_test.go)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find internal -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(go test -coverprofile=coverage.out ./...)'\'' --allow-tool '\''shell(go test -v ./...)'\'' --allow-tool '\''shell(go tool cover -func=coverage.out)'\'' --allow-tool '\''shell(go vet ./...)'\'' --allow-tool '\''shell(gofmt -l .)'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''func Test'\''\'\'''\'' internal/)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l internal/**/*_test.go)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE @@ -818,7 +816,7 @@ jobs: total_count: ${{ steps.missing_tool.outputs.total_count }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Debug job inputs @@ -932,7 +930,7 @@ jobs: success: ${{ steps.parse_results.outputs.success }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent artifacts @@ -1044,7 +1042,7 @@ jobs: process_safe_outputs_temporary_id_map: ${{ steps.process_safe_outputs.outputs.temporary_id_map }} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download agent output artifact @@ -1107,7 +1105,7 @@ jobs: permissions: {} steps: - name: Setup Scripts - uses: github/gh-aw/actions/setup@c4c684b542cf39735ac092c09020d06b8f34eb8c # v0.41.0 + uses: github/gh-aw/actions/setup@c6d30bee9ffff7c09b8c491d5fd975284c538360 # v0.42.2 with: destination: /opt/gh-aw/actions - name: Download cache-memory artifact (default)