From 6c0883bd1e14f6a3d1c47b06cd2f9ca899f66522 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:36:10 +0000 Subject: [PATCH 1/8] Initial plan From 7c3d5289c1e4d25e632ebc1a2dacd5aafe2b0a76 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:46:47 +0000 Subject: [PATCH 2/8] Implement parallel setup operations for agent job - Create install_parallel_setup.sh script for parallel execution - Add parallel_installation.go with config and generation logic - Update Copilot and Claude engines to use parallel installation - Modify generateMCPSetup to skip Docker downloads when parallel - Update tests to reflect new parallel installation behavior - All installations (AWF, CLI, Docker) now run in parallel Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 12 +- .../workflows/agent-persona-explorer.lock.yml | 12 +- .github/workflows/ai-moderator.lock.yml | 12 +- .github/workflows/archie.lock.yml | 12 +- .github/workflows/artifacts-summary.lock.yml | 12 +- .github/workflows/audit-workflows.lock.yml | 14 +- .github/workflows/auto-triage-issues.lock.yml | 12 +- .github/workflows/blog-auditor.lock.yml | 14 +- .github/workflows/brave.lock.yml | 12 +- .../breaking-change-checker.lock.yml | 12 +- .github/workflows/changeset.lock.yml | 9 +- .../workflows/chroma-issue-indexer.lock.yml | 12 +- .github/workflows/ci-coach.lock.yml | 12 +- .github/workflows/ci-doctor.lock.yml | 12 +- .../claude-code-user-docs-review.lock.yml | 14 +- .../cli-consistency-checker.lock.yml | 12 +- .../workflows/cli-version-checker.lock.yml | 14 +- .github/workflows/cloclo.lock.yml | 14 +- .../workflows/code-scanning-fixer.lock.yml | 12 +- .github/workflows/code-simplifier.lock.yml | 12 +- .../commit-changes-analyzer.lock.yml | 14 +- .../workflows/copilot-agent-analysis.lock.yml | 14 +- .../copilot-cli-deep-research.lock.yml | 12 +- .../copilot-pr-merged-report.lock.yml | 12 +- .../copilot-pr-nlp-analysis.lock.yml | 12 +- .../copilot-pr-prompt-analysis.lock.yml | 12 +- actions/setup/sh/install_parallel_setup.sh | 138 +++++++++++++++ pkg/workflow/agentic_workflow_test.go | 8 +- pkg/workflow/claude_engine.go | 25 +-- pkg/workflow/compiler_yaml_main_job.go | 16 +- pkg/workflow/copilot_engine_installation.go | 30 ++-- pkg/workflow/firewall_workflow_test.go | 31 +++- pkg/workflow/mcp_setup_generator.go | 13 +- pkg/workflow/mcp_setup_generator_test.go | 4 +- pkg/workflow/parallel_installation.go | 166 ++++++++++++++++++ 35 files changed, 586 insertions(+), 168 deletions(-) create mode 100755 actions/setup/sh/install_parallel_setup.sh create mode 100644 pkg/workflow/parallel_installation.go diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 89e1cb4f66..ab13f37004 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -154,8 +154,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +172,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 8da673f4bc..9776442ad0 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -156,8 +156,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -168,8 +174,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 657659919c..f7a868a321 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -161,8 +161,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -173,8 +179,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 7676c0a5e0..54ea451792 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -180,8 +180,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -192,8 +198,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index dcf551ce3b..2ab0c34833 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -141,8 +141,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -153,8 +159,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 20bd113041..8f212cdb73 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -214,10 +214,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -228,8 +232,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 593548bcfa..91cff68d42 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -144,8 +144,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -156,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index a6f5dbc05a..b92f9b44dc 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -145,10 +145,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index bbeb8ce4c2..9b2feaf625 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -171,8 +171,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -183,8 +189,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index ae5fb9a9be..29c8bb0f9a 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -138,8 +138,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -150,8 +156,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 8d6b0f1a08..7366067467 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -188,6 +188,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -198,8 +205,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index b7bf545d0e..ae4ca0844f 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -145,8 +145,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 python:alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -157,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 python:alpine - name: Start MCP gateway id: start-mcp-gateway env: diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 1c93d8ad10..c0628f90b0 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -194,8 +194,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -206,8 +212,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index a1cb717b16..642ae748e5 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -163,8 +163,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -175,8 +181,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 0ca6622889..0eaf651575 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -153,10 +153,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -167,8 +171,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 086c96e32e..699dcd02eb 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -137,8 +137,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -149,8 +155,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 64961cf07a..424907343b 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -160,10 +160,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -174,8 +178,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 5d4e60ec43..a43c932eb6 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -241,10 +241,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -255,8 +259,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 73c0e4b2bb..493d993c01 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -157,8 +157,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -169,8 +175,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index d1f6d53bb6..a6444a3b8a 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -144,8 +144,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -156,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 11c6615722..370a58520d 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -147,10 +147,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -161,8 +165,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 7bf7cf60e6..4ad12afa94 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -177,10 +177,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -191,8 +195,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 56f5dbb706..95431079a1 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -152,8 +152,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -164,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 628984584d..31b7090e46 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -142,10 +142,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 85cc1dc664..2cc34661c1 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -202,8 +202,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -214,8 +220,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 2b56728247..6fc4173ca2 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -173,8 +173,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -185,8 +191,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/actions/setup/sh/install_parallel_setup.sh b/actions/setup/sh/install_parallel_setup.sh new file mode 100755 index 0000000000..0ceb662489 --- /dev/null +++ b/actions/setup/sh/install_parallel_setup.sh @@ -0,0 +1,138 @@ +#!/usr/bin/env bash +# Install dependencies in parallel to reduce sequential execution time +# Usage: install_parallel_setup.sh [--awf VERSION] [--copilot VERSION] [--claude VERSION] [--docker IMAGE1 IMAGE2 ...] +# +# This script parallelizes independent setup operations: +# - AWF binary installation (if --awf is specified) +# - Copilot CLI installation (if --copilot is specified) +# - Claude Code CLI installation (if --claude is specified) +# - Docker image downloads (if --docker is specified) +# +# All operations run in parallel using background jobs, with proper error handling +# that preserves exit codes from failed jobs. + +set -euo pipefail + +# Parse arguments +AWF_VERSION="" +COPILOT_VERSION="" +CLAUDE_VERSION="" +DOCKER_IMAGES=() + +while [[ $# -gt 0 ]]; do + case $1 in + --awf) + AWF_VERSION="$2" + shift 2 + ;; + --copilot) + COPILOT_VERSION="$2" + shift 2 + ;; + --claude) + CLAUDE_VERSION="$2" + shift 2 + ;; + --docker) + shift + # Collect all remaining args as docker images + while [[ $# -gt 0 ]] && [[ ! $1 =~ ^-- ]]; do + DOCKER_IMAGES+=("$1") + shift + done + ;; + *) + echo "ERROR: Unknown option: $1" + echo "Usage: $0 [--awf VERSION] [--copilot VERSION] [--claude VERSION] [--docker IMAGE1 IMAGE2 ...]" + exit 1 + ;; + esac +done + +# Track background job PIDs +PIDS=() +JOB_NAMES=() + +# Error handling: collect exit codes from background jobs +EXIT_CODES=() + +echo "Starting parallel setup operations..." + +# Start AWF installation in background if requested +if [ -n "$AWF_VERSION" ]; then + echo "Starting AWF binary installation (version: $AWF_VERSION)..." + { + bash /opt/gh-aw/actions/install_awf_binary.sh "$AWF_VERSION" + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("AWF binary") +fi + +# Start Copilot CLI installation in background if requested +if [ -n "$COPILOT_VERSION" ]; then + echo "Starting Copilot CLI installation (version: $COPILOT_VERSION)..." + { + bash /opt/gh-aw/actions/install_copilot_cli.sh "$COPILOT_VERSION" + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("Copilot CLI") +fi + +# Start Claude Code CLI installation in background if requested +if [ -n "$CLAUDE_VERSION" ]; then + echo "Starting Claude Code CLI installation (version: $CLAUDE_VERSION)..." + { + # Claude is installed via npm, so we use a temporary Node.js setup + # Note: Node.js should already be set up before this script is called + npm install -g "@anthropic-ai/claude-code@$CLAUDE_VERSION" + claude-code --version + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("Claude Code CLI") +fi + +# Start Docker image downloads in background if requested +if [ ${#DOCKER_IMAGES[@]} -gt 0 ]; then + echo "Starting Docker image downloads (${#DOCKER_IMAGES[@]} images)..." + { + bash /opt/gh-aw/actions/download_docker_images.sh "${DOCKER_IMAGES[@]}" + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("Docker images") +fi + +# Wait for all background jobs to complete and collect exit codes +echo "Waiting for ${#PIDS[@]} parallel operations to complete..." + +FAILED_JOBS=() +for i in "${!PIDS[@]}"; do + PID="${PIDS[$i]}" + JOB_NAME="${JOB_NAMES[$i]}" + + # Wait for specific PID and capture its exit code + if wait "$PID"; then + echo "✓ ${JOB_NAME} completed successfully" + EXIT_CODES+=("0") + else + EXIT_CODE=$? + echo "✗ ${JOB_NAME} failed with exit code ${EXIT_CODE}" + EXIT_CODES+=("${EXIT_CODE}") + FAILED_JOBS+=("${JOB_NAME}") + fi +done + +# Report results +if [ ${#FAILED_JOBS[@]} -eq 0 ]; then + echo "✓ All ${#PIDS[@]} parallel setup operations completed successfully" + exit 0 +else + echo "✗ ${#FAILED_JOBS[@]} of ${#PIDS[@]} operations failed:" + for JOB in "${FAILED_JOBS[@]}"; do + echo " - ${JOB}" + done + exit 1 +fi diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go index ae9eac4202..b443cb7be5 100644 --- a/pkg/workflow/agentic_workflow_test.go +++ b/pkg/workflow/agentic_workflow_test.go @@ -150,7 +150,7 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) { var yaml strings.Builder engine := NewCopilotEngine() - c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData) + c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData, false) result := yaml.String() // Verify the install step is present @@ -185,7 +185,7 @@ func TestAgenticWorkflowsInstallStepWithCustomToken(t *testing.T) { var yaml strings.Builder engine := NewCopilotEngine() - c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData) + c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData, false) result := yaml.String() // Verify the install step is present @@ -214,7 +214,7 @@ func TestAgenticWorkflowsInstallStepSkippedWithImport(t *testing.T) { var yaml strings.Builder engine := NewCopilotEngine() - c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData) + c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData, false) result := yaml.String() // Verify the install step is NOT present when import exists @@ -239,7 +239,7 @@ func TestAgenticWorkflowsInstallStepPresentWithoutImport(t *testing.T) { var yaml strings.Builder engine := NewCopilotEngine() - c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData) + c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData, false) result := yaml.String() // Verify the install step IS present when no import exists diff --git a/pkg/workflow/claude_engine.go b/pkg/workflow/claude_engine.go index f88eafcbca..be6cec9faf 100644 --- a/pkg/workflow/claude_engine.go +++ b/pkg/workflow/claude_engine.go @@ -106,26 +106,17 @@ func (e *ClaudeEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHub // Add AWF installation if firewall is enabled if isFirewallEnabled(workflowData) { - // Install AWF after Node.js setup but before Claude CLI installation - firewallConfig := getFirewallConfig(workflowData) - agentConfig := getAgentConfig(workflowData) - var awfVersion string - if firewallConfig != nil { - awfVersion = firewallConfig.Version - } - - // Install AWF binary (or skip if custom command is specified) - awfInstall := generateAWFInstallationStep(awfVersion, agentConfig) - if len(awfInstall) > 0 { - steps = append(steps, awfInstall) + // Use parallel installation for AWF + Claude CLI + // This is handled by generateParallelInstallationStep in compiler_yaml_main_job.go + // Skip individual AWF and Claude steps here - they'll be combined + claudeLog.Print("Skipping individual AWF and Claude installation steps (will use parallel installation)") + } else { + // No firewall, just install Claude CLI sequentially + if len(npmSteps) > 1 { + steps = append(steps, npmSteps[1:]...) // Install Claude CLI and subsequent steps } } - // Add Claude CLI installation step after sandbox installation - if len(npmSteps) > 1 { - steps = append(steps, npmSteps[1:]...) // Install Claude CLI and subsequent steps - } - return steps } diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 239a542eef..251cfdbf75 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -140,6 +140,17 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat } } + // Add parallel installation step if applicable + // This parallelizes AWF binary, CLI, and Docker image downloads + if ShouldUseParallelInstallation(data, engine) { + compilerYamlLog.Print("Generating parallel installation step") + parallelConfig := GetParallelInstallConfig(data, engine) + parallelStep := generateParallelInstallationStep(parallelConfig) + for _, line := range parallelStep { + yaml.WriteString(line + "\n") + } + } + // GH_AW_SAFE_OUTPUTS is now set at job level, no setup step needed // Add GitHub MCP lockdown detection step if needed @@ -148,8 +159,9 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat // Add GitHub MCP app token minting step if configured c.generateGitHubMCPAppTokenMintingStep(yaml, data) - // Add MCP setup - c.generateMCPSetup(yaml, data.Tools, engine, data) + // Add MCP setup (skip Docker downloads if parallel installation is used) + skipDockerDownload := ShouldUseParallelInstallation(data, engine) + c.generateMCPSetup(yaml, data.Tools, engine, data, skipDockerDownload) // Stop-time safety checks are now handled by a dedicated job (stop_time_check) // No longer generated in the main job steps diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go index a923210368..6381f0877d 100644 --- a/pkg/workflow/copilot_engine_installation.go +++ b/pkg/workflow/copilot_engine_installation.go @@ -121,25 +121,21 @@ func (e *CopilotEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHu } else { copilotInstallLog.Print("Skipping SRT installation (custom command specified)") } - } else if isFirewallEnabled(workflowData) { - // Install AWF after Node.js setup but before Copilot CLI installation - firewallConfig := getFirewallConfig(workflowData) - agentConfig := getAgentConfig(workflowData) - var awfVersion string - if firewallConfig != nil { - awfVersion = firewallConfig.Version - } - // Install AWF binary (or skip if custom command is specified) - awfInstall := generateAWFInstallationStep(awfVersion, agentConfig) - if len(awfInstall) > 0 { - steps = append(steps, awfInstall) + // Add Copilot CLI installation step after SRT installation (sequential for SRT) + if len(npmSteps) > 1 { + steps = append(steps, npmSteps[1:]...) // Install Copilot CLI and subsequent steps + } + } else if isFirewallEnabled(workflowData) { + // Use parallel installation for AWF + Copilot CLI + // This is handled by generateParallelInstallationStep in compiler_yaml_main_job.go + // Skip individual AWF and Copilot steps here - they'll be combined + copilotInstallLog.Print("Skipping individual AWF and Copilot installation steps (will use parallel installation)") + } else { + // No firewall, just install Copilot CLI sequentially + if len(npmSteps) > 1 { + steps = append(steps, npmSteps[1:]...) // Install Copilot CLI and subsequent steps } - } - - // Add Copilot CLI installation step after sandbox installation - if len(npmSteps) > 1 { - steps = append(steps, npmSteps[1:]...) // Install Copilot CLI and subsequent steps } return steps diff --git a/pkg/workflow/firewall_workflow_test.go b/pkg/workflow/firewall_workflow_test.go index 52bbba48e2..2dd7cc76f2 100644 --- a/pkg/workflow/firewall_workflow_test.go +++ b/pkg/workflow/firewall_workflow_test.go @@ -38,15 +38,32 @@ func TestFirewallWorkflowNetworkConfiguration(t *testing.T) { engine := NewClaudeEngine() steps := engine.GetInstallationSteps(workflowData) - // With AWF enabled: secret validation, Node.js setup, AWF install, Claude install - if len(steps) != 4 { - t.Errorf("Expected 4 installation steps with firewall enabled (secret validation + Node.js setup + AWF install + Claude install), got %d", len(steps)) + // With AWF enabled (using parallel installation): secret validation, Node.js setup + // AWF and Claude CLI installation are deferred to parallel installation step + if len(steps) != 2 { + t.Errorf("Expected 2 installation steps with firewall enabled (secret validation + Node.js setup), got %d", len(steps)) } - // Check AWF installation step (3rd step, index 2) - awfStepStr := strings.Join(steps[2], "\n") - if !strings.Contains(awfStepStr, "Install awf binary") { - t.Error("Third step should install AWF binary") + // Verify that AWF installation is skipped (will be handled by parallel installation) + for _, step := range steps { + stepStr := strings.Join(step, "\n") + if strings.Contains(stepStr, "Install awf binary") { + t.Error("AWF installation should be deferred to parallel installation step") + } + } + + // Verify that parallel installation should be used + if !ShouldUseParallelInstallation(workflowData, engine) { + t.Error("Parallel installation should be enabled with firewall and Claude engine") + } + + // Verify parallel installation config includes AWF + config := GetParallelInstallConfig(workflowData, engine) + if config.AWFVersion == "" { + t.Error("Parallel installation should include AWF version") + } + if config.ClaudeVersion == "" { + t.Error("Parallel installation should include Claude version") } }) diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go index 9371e06c8e..b07e7396f1 100644 --- a/pkg/workflow/mcp_setup_generator.go +++ b/pkg/workflow/mcp_setup_generator.go @@ -13,7 +13,9 @@ import ( var mcpSetupGeneratorLog = logger.New("workflow:mcp_setup_generator") // generateMCPSetup generates the MCP server configuration setup -func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, engine CodingAgentEngine, workflowData *WorkflowData) { +// If skipDockerDownload is true, Docker image download step is skipped +// (used when parallel installation is enabled) +func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, engine CodingAgentEngine, workflowData *WorkflowData, skipDockerDownload bool) { mcpSetupGeneratorLog.Print("Generating MCP server configuration setup") // Collect tools that need MCP server configuration var mcpTools []string @@ -68,8 +70,13 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, ensureDefaultMCPGatewayConfig(workflowData) // Collect all Docker images that will be used and generate download step - dockerImages := collectDockerImages(tools, workflowData) - generateDownloadDockerImagesStep(yaml, dockerImages) + // Skip if parallel installation is handling downloads + if !skipDockerDownload { + dockerImages := collectDockerImages(tools, workflowData) + generateDownloadDockerImagesStep(yaml, dockerImages) + } else { + mcpSetupGeneratorLog.Print("Skipping Docker download step (handled by parallel installation)") + } // If no MCP tools, no configuration needed if len(mcpTools) == 0 { diff --git a/pkg/workflow/mcp_setup_generator_test.go b/pkg/workflow/mcp_setup_generator_test.go index f4e6b8a890..81cb8b1b2c 100644 --- a/pkg/workflow/mcp_setup_generator_test.go +++ b/pkg/workflow/mcp_setup_generator_test.go @@ -63,7 +63,7 @@ func TestSafeInputsStepCodeGenerationStability(t *testing.T) { for i := 0; i < iterations; i++ { var yaml strings.Builder - compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData) + compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData, false) outputs[i] = yaml.String() } @@ -219,7 +219,7 @@ func TestMCPGatewayVersionFromFrontmatter(t *testing.T) { var yaml strings.Builder mockEngine := &CustomEngine{} - compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData) + compiler.generateMCPSetup(&yaml, workflowData.Tools, mockEngine, workflowData, false) setupOutput := yaml.String() // The setup output should contain the container image with the correct version diff --git a/pkg/workflow/parallel_installation.go b/pkg/workflow/parallel_installation.go new file mode 100644 index 0000000000..5c2f7782c3 --- /dev/null +++ b/pkg/workflow/parallel_installation.go @@ -0,0 +1,166 @@ +package workflow + +import ( + "fmt" + "strings" + + "github.com/githubnext/gh-aw/pkg/constants" + "github.com/githubnext/gh-aw/pkg/logger" +) + +var parallelInstallLog = logger.New("workflow:parallel_installation") + +// ParallelInstallConfig holds configuration for parallel installation +type ParallelInstallConfig struct { + AWFVersion string // AWF binary version to install (empty to skip) + CopilotVersion string // Copilot CLI version to install (empty to skip) + ClaudeVersion string // Claude Code CLI version to install (empty to skip) + DockerImages []string // Docker images to download (empty to skip) +} + +// generateParallelInstallationStep generates a single step that installs dependencies in parallel +// This parallelizes AWF binary installation, CLI installation, and Docker image downloads +// to reduce sequential execution time by 8-12 seconds. +func generateParallelInstallationStep(config ParallelInstallConfig) GitHubActionStep { + if config.AWFVersion == "" && config.CopilotVersion == "" && config.ClaudeVersion == "" && len(config.DockerImages) == 0 { + parallelInstallLog.Print("No parallel installations configured, skipping") + return GitHubActionStep([]string{}) + } + + // Count how many operations will run in parallel + operationCount := 0 + if config.AWFVersion != "" { + operationCount++ + } + if config.CopilotVersion != "" { + operationCount++ + } + if config.ClaudeVersion != "" { + operationCount++ + } + if len(config.DockerImages) > 0 { + operationCount++ + } + + parallelInstallLog.Printf("Generating parallel installation step for %d operations", operationCount) + + stepLines := []string{ + " - name: Install dependencies in parallel", + " run: |", + " # Install dependencies in parallel to reduce setup time", + " # This parallelizes AWF binary, CLI, and Docker image downloads", + " bash /opt/gh-aw/actions/install_parallel_setup.sh \\", + } + + // Add AWF installation argument + if config.AWFVersion != "" { + stepLines = append(stepLines, fmt.Sprintf(" --awf %s \\", config.AWFVersion)) + } + + // Add Copilot installation argument + if config.CopilotVersion != "" { + stepLines = append(stepLines, fmt.Sprintf(" --copilot %s \\", config.CopilotVersion)) + } + + // Add Claude installation argument + if config.ClaudeVersion != "" { + stepLines = append(stepLines, fmt.Sprintf(" --claude %s \\", config.ClaudeVersion)) + } + + // Add Docker images argument + if len(config.DockerImages) > 0 { + var dockerArgs strings.Builder + dockerArgs.WriteString(" --docker") + for _, image := range config.DockerImages { + dockerArgs.WriteString(fmt.Sprintf(" %s", image)) + } + stepLines = append(stepLines, dockerArgs.String()) + } else { + // Remove trailing backslash from last line if no docker images + lastLine := stepLines[len(stepLines)-1] + if strings.HasSuffix(lastLine, " \\") { + stepLines[len(stepLines)-1] = strings.TrimSuffix(lastLine, " \\") + } + } + + return GitHubActionStep(stepLines) +} + +// ShouldUseParallelInstallation determines if parallel installation should be used +// based on the workflow configuration. Parallel installation is used when: +// - AWF binary needs to be installed (firewall enabled) +// - CLI needs to be installed (Copilot or Claude) +// - Docker images need to be downloaded +// - SRT is NOT enabled (SRT has sequential dependencies) +func ShouldUseParallelInstallation(workflowData *WorkflowData, engine CodingAgentEngine) bool { + // Don't use parallel installation if custom command is specified + if workflowData.EngineConfig != nil && workflowData.EngineConfig.Command != "" { + return false + } + + // Don't use parallel installation for SRT (has sequential dependencies) + if isSRTEnabled(workflowData) { + return false + } + + // Use parallel installation if firewall is enabled (AWF binary needed) + // and we're installing a CLI (Copilot or Claude) + if isFirewallEnabled(workflowData) { + engineID := engine.GetID() + if engineID == "copilot" || engineID == "claude" { + return true + } + } + + // Also use parallel if we have Docker images to download + dockerImages := collectDockerImages(workflowData.Tools, workflowData) + if len(dockerImages) > 0 && (isFirewallEnabled(workflowData) || engine.GetID() == "copilot" || engine.GetID() == "claude") { + return true + } + + return false +} + +// GetParallelInstallConfig extracts the parallel installation configuration +// from the workflow data and engine configuration +func GetParallelInstallConfig(workflowData *WorkflowData, engine CodingAgentEngine) ParallelInstallConfig { + config := ParallelInstallConfig{} + + // Get AWF version if firewall is enabled + if isFirewallEnabled(workflowData) { + agentConfig := getAgentConfig(workflowData) + // Only install AWF if no custom command is specified + if agentConfig == nil || agentConfig.Command == "" { + firewallConfig := getFirewallConfig(workflowData) + if firewallConfig != nil && firewallConfig.Version != "" { + config.AWFVersion = firewallConfig.Version + } else { + config.AWFVersion = string(constants.DefaultFirewallVersion) + } + } + } + + // Get CLI version based on engine + engineID := engine.GetID() + if engineID == "copilot" { + version := string(constants.DefaultCopilotVersion) + if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { + version = workflowData.EngineConfig.Version + } + // Only use parallel if installing globally (not for SRT local installation) + if !isSRTEnabled(workflowData) { + config.CopilotVersion = version + } + } else if engineID == "claude" { + version := string(constants.DefaultClaudeCodeVersion) + if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { + version = workflowData.EngineConfig.Version + } + config.ClaudeVersion = version + } + + // Get Docker images + config.DockerImages = collectDockerImages(workflowData.Tools, workflowData) + + return config +} From fd2777e72f00ad9189e50abf4034b1825aa560c9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:51:07 +0000 Subject: [PATCH 3/8] Fix failing tests for parallel installation - Update firewall_version_pinning_test.go to check parallel installation - Update firewall_default_enablement_test.go to verify parallel config - All tests now verify AWF is deferred to parallel installation step Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- pkg/workflow/claude_engine_network_test.go | 34 +++++++-- .../firewall_default_enablement_test.go | 28 +++++-- pkg/workflow/firewall_version_pinning_test.go | 76 ++++++++++--------- 3 files changed, 88 insertions(+), 50 deletions(-) diff --git a/pkg/workflow/claude_engine_network_test.go b/pkg/workflow/claude_engine_network_test.go index bdc5d5c15d..1980912a20 100644 --- a/pkg/workflow/claude_engine_network_test.go +++ b/pkg/workflow/claude_engine_network_test.go @@ -19,8 +19,9 @@ func TestClaudeEngineNetworkPermissions(t *testing.T) { } steps := engine.GetInstallationSteps(workflowData) + // Without firewall: secret validation + Node.js setup + Claude install if len(steps) != 3 { - t.Errorf("Expected 3 installation steps without network permissions (secret validation + Node.js setup + install), got %d", len(steps)) + t.Errorf("Expected 3 installation steps without network permissions (secret validation + Node.js setup + Claude install), got %d", len(steps)) } }) @@ -37,15 +38,32 @@ func TestClaudeEngineNetworkPermissions(t *testing.T) { } steps := engine.GetInstallationSteps(workflowData) - // With AWF enabled: secret validation + Node.js setup + AWF install + Claude install - if len(steps) != 4 { - t.Errorf("Expected 4 installation steps with network permissions and AWF (secret validation + Node.js setup + AWF install + Claude install), got %d", len(steps)) + // With AWF enabled (using parallel installation): secret validation + Node.js setup + // AWF and Claude CLI installation are deferred to parallel installation step + if len(steps) != 2 { + t.Errorf("Expected 2 installation steps with firewall enabled (secret validation + Node.js setup), got %d", len(steps)) } - // Check AWF installation step (3rd step, index 2) - awfStepStr := strings.Join(steps[2], "\n") - if !strings.Contains(awfStepStr, "Install awf binary") { - t.Error("Third step should install AWF binary") + // Verify that AWF installation is skipped (will be handled by parallel installation) + for _, step := range steps { + stepStr := strings.Join(step, "\n") + if strings.Contains(stepStr, "Install awf binary") { + t.Error("AWF installation should be deferred to parallel installation step") + } + } + + // Verify that parallel installation should be used + if !ShouldUseParallelInstallation(workflowData, engine) { + t.Error("Parallel installation should be enabled with firewall and Claude engine") + } + + // Verify parallel installation config includes AWF + config := GetParallelInstallConfig(workflowData, engine) + if config.AWFVersion == "" { + t.Error("Parallel installation should include AWF version") + } + if config.ClaudeVersion == "" { + t.Error("Parallel installation should include Claude version") } }) diff --git a/pkg/workflow/firewall_default_enablement_test.go b/pkg/workflow/firewall_default_enablement_test.go index 09094d0671..500fdb1623 100644 --- a/pkg/workflow/firewall_default_enablement_test.go +++ b/pkg/workflow/firewall_default_enablement_test.go @@ -177,18 +177,32 @@ func TestCopilotFirewallDefaultIntegration(t *testing.T) { engine := NewCopilotEngine() steps := engine.GetInstallationSteps(workflowData) - // Verify AWF installation step is present - found := false + // AWF installation should NOT be in engine installation steps + // It's deferred to parallel installation step for _, step := range steps { stepStr := strings.Join(step, "\n") - if strings.Contains(stepStr, "Install awf binary") || strings.Contains(stepStr, "awf --version") { - found = true - break + if strings.Contains(stepStr, "Install awf binary") { + t.Error("AWF installation should be deferred to parallel installation step") } } - if !found { - t.Error("Expected AWF installation steps to be included") + // Verify that parallel installation should be used + if !ShouldUseParallelInstallation(workflowData, engine) { + t.Error("Parallel installation should be enabled with network restrictions and Copilot engine") + } + + // Verify parallel installation config includes AWF + config := GetParallelInstallConfig(workflowData, engine) + if config.AWFVersion == "" { + t.Error("Parallel installation config should include AWF version") + } + + // Generate the parallel installation step to verify it contains AWF + parallelStep := generateParallelInstallationStep(config) + parallelStepStr := strings.Join(parallelStep, "\n") + + if !strings.Contains(parallelStepStr, "--awf") || !strings.Contains(parallelStepStr, "install_parallel_setup.sh") { + t.Error("Expected AWF installation to be included in parallel installation step") } }) diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index 977686783c..2e54ae77f7 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go @@ -60,7 +60,7 @@ func TestAWFInstallationStepDefaultVersion(t *testing.T) { }) } -// TestCopilotEngineFirewallInstallation verifies that Copilot engine includes AWF installation when firewall is enabled +// TestCopilotEngineFirewallInstallation verifies that Copilot engine uses parallel installation when firewall is enabled func TestCopilotEngineFirewallInstallation(t *testing.T) { t.Run("includes AWF installation step when firewall enabled", func(t *testing.T) { engine := NewCopilotEngine() @@ -78,33 +78,41 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { steps := engine.GetInstallationSteps(workflowData) - // Find the AWF installation step - var foundAWFStep bool - var awfStepStr string + // AWF installation should NOT be in engine installation steps anymore + // It's deferred to parallel installation step for _, step := range steps { stepStr := strings.Join(step, "\n") if strings.Contains(stepStr, "Install awf binary") { - foundAWFStep = true - awfStepStr = stepStr - break + t.Error("AWF installation should be deferred to parallel installation step") } } - if !foundAWFStep { - t.Fatal("Expected to find AWF installation step when firewall is enabled") + // Verify that parallel installation should be used + if !ShouldUseParallelInstallation(workflowData, engine) { + t.Error("Parallel installation should be enabled with firewall and Copilot engine") } + // Verify parallel installation config includes AWF with default version + config := GetParallelInstallConfig(workflowData, engine) + if config.AWFVersion != string(constants.DefaultFirewallVersion) { + t.Errorf("Expected AWF version %s, got %s", string(constants.DefaultFirewallVersion), config.AWFVersion) + } + + // Generate the parallel installation step to verify it contains AWF installation + parallelStep := generateParallelInstallationStep(config) + parallelStepStr := strings.Join(parallelStep, "\n") + // Verify it passes the default version to the script - if !strings.Contains(awfStepStr, string(constants.DefaultFirewallVersion)) { - t.Errorf("AWF installation step should pass default version %s to script", string(constants.DefaultFirewallVersion)) + if !strings.Contains(parallelStepStr, string(constants.DefaultFirewallVersion)) { + t.Errorf("Parallel installation step should include default version %s", string(constants.DefaultFirewallVersion)) } - // Verify it calls the install_awf_binary.sh script - if !strings.Contains(awfStepStr, "install_awf_binary.sh") { - t.Error("AWF installation should call install_awf_binary.sh script") + // Verify it calls the install_parallel_setup.sh script + if !strings.Contains(parallelStepStr, "install_parallel_setup.sh") { + t.Error("Parallel installation should call install_parallel_setup.sh script") } - // Verify it's NOT using the old unverified installer script pattern - if strings.Contains(awfStepStr, "raw.githubusercontent.com") { - t.Error("AWF installation should NOT download from raw.githubusercontent.com") + // Verify it includes --awf flag + if !strings.Contains(parallelStepStr, "--awf") { + t.Error("Parallel installation should include --awf flag") } }) @@ -126,35 +134,33 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { steps := engine.GetInstallationSteps(workflowData) - // Find the AWF installation step - var foundAWFStep bool - var awfStepStr string + // AWF installation should NOT be in engine installation steps anymore + // It's deferred to parallel installation step for _, step := range steps { stepStr := strings.Join(step, "\n") if strings.Contains(stepStr, "Install awf binary") { - foundAWFStep = true - awfStepStr = stepStr - break + t.Error("AWF installation should be deferred to parallel installation step") } } - if !foundAWFStep { - t.Fatal("Expected to find AWF installation step when firewall is enabled") + // Verify parallel installation config includes AWF with custom version + config := GetParallelInstallConfig(workflowData, engine) + if config.AWFVersion != customVersion { + t.Errorf("Expected AWF version %s, got %s", customVersion, config.AWFVersion) } + // Generate the parallel installation step to verify it contains custom version + parallelStep := generateParallelInstallationStep(config) + parallelStepStr := strings.Join(parallelStep, "\n") + // Verify it passes the custom version to the script - if !strings.Contains(awfStepStr, customVersion) { - t.Errorf("AWF installation step should pass custom version %s to script", customVersion) - } - - // Verify it calls the install_awf_binary.sh script - if !strings.Contains(awfStepStr, "install_awf_binary.sh") { - t.Error("AWF installation should call install_awf_binary.sh script") + if !strings.Contains(parallelStepStr, customVersion) { + t.Errorf("Parallel installation step should include custom version %s", customVersion) } - // Verify it's NOT using the old unverified installer script pattern - if strings.Contains(awfStepStr, "raw.githubusercontent.com") { - t.Error("AWF installation should NOT download from raw.githubusercontent.com") + // Verify it calls the install_parallel_setup.sh script + if !strings.Contains(parallelStepStr, "install_parallel_setup.sh") { + t.Error("Parallel installation should call install_parallel_setup.sh script") } }) From e12a7935d1ec579b0afa45153783129fa75afb6f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:56:00 +0000 Subject: [PATCH 4/8] Fix remaining test failures and linting issues - Fix staticcheck issues in parallel_installation.go - Update TestNetworkPermissionsIntegration to check parallel installation - All tests now pass with parallel installation implementation Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- pkg/workflow/claude_engine_network_test.go | 37 ++++++++++++++----- .../firewall_default_enablement_test.go | 2 +- pkg/workflow/firewall_version_pinning_test.go | 4 +- pkg/workflow/parallel_installation.go | 7 ++-- 4 files changed, 35 insertions(+), 15 deletions(-) diff --git a/pkg/workflow/claude_engine_network_test.go b/pkg/workflow/claude_engine_network_test.go index 1980912a20..2edc40b18f 100644 --- a/pkg/workflow/claude_engine_network_test.go +++ b/pkg/workflow/claude_engine_network_test.go @@ -204,21 +204,40 @@ func TestNetworkPermissionsIntegration(t *testing.T) { Firewall: &FirewallConfig{Enabled: true}, } + workflowData := &WorkflowData{ + EngineConfig: config, + NetworkPermissions: networkPermissions, + } + // Get installation steps - steps := engine.GetInstallationSteps(&WorkflowData{EngineConfig: config, NetworkPermissions: networkPermissions}) - // With AWF enabled: secret validation + Node.js setup + AWF install + Claude install - if len(steps) != 4 { - t.Fatalf("Expected 4 installation steps (secret validation + Node.js setup + AWF install + Claude install), got %d", len(steps)) + steps := engine.GetInstallationSteps(workflowData) + // With AWF enabled (using parallel installation): secret validation + Node.js setup + // AWF and Claude CLI installation are deferred to parallel installation step + if len(steps) != 2 { + t.Fatalf("Expected 2 installation steps (secret validation + Node.js setup), got %d", len(steps)) + } + + // Verify that AWF installation is NOT in engine installation steps + for _, step := range steps { + stepStr := strings.Join(step, "\n") + if strings.Contains(stepStr, "Install awf binary") { + t.Error("AWF installation should be deferred to parallel installation step") + } + } + + // Verify that parallel installation should be used + if !ShouldUseParallelInstallation(workflowData, engine) { + t.Error("Parallel installation should be enabled with firewall and Claude engine") } - // Verify AWF installation step (third step, index 2) - awfStep := strings.Join(steps[2], "\n") - if !strings.Contains(awfStep, "Install awf binary") { - t.Error("Third step should install AWF binary") + // Verify parallel installation config includes AWF + parallelConfig := GetParallelInstallConfig(workflowData, engine) + if parallelConfig.AWFVersion == "" { + t.Error("Parallel installation config should include AWF version") } // Get execution steps - execSteps := engine.GetExecutionSteps(&WorkflowData{Name: "test-workflow", EngineConfig: config, NetworkPermissions: networkPermissions}, "test-log") + execSteps := engine.GetExecutionSteps(workflowData, "test-log") if len(execSteps) == 0 { t.Fatal("Expected at least one execution step") } diff --git a/pkg/workflow/firewall_default_enablement_test.go b/pkg/workflow/firewall_default_enablement_test.go index 500fdb1623..f059bdee0b 100644 --- a/pkg/workflow/firewall_default_enablement_test.go +++ b/pkg/workflow/firewall_default_enablement_test.go @@ -200,7 +200,7 @@ func TestCopilotFirewallDefaultIntegration(t *testing.T) { // Generate the parallel installation step to verify it contains AWF parallelStep := generateParallelInstallationStep(config) parallelStepStr := strings.Join(parallelStep, "\n") - + if !strings.Contains(parallelStepStr, "--awf") || !strings.Contains(parallelStepStr, "install_parallel_setup.sh") { t.Error("Expected AWF installation to be included in parallel installation step") } diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index 2e54ae77f7..6fd68a9512 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go @@ -101,7 +101,7 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { // Generate the parallel installation step to verify it contains AWF installation parallelStep := generateParallelInstallationStep(config) parallelStepStr := strings.Join(parallelStep, "\n") - + // Verify it passes the default version to the script if !strings.Contains(parallelStepStr, string(constants.DefaultFirewallVersion)) { t.Errorf("Parallel installation step should include default version %s", string(constants.DefaultFirewallVersion)) @@ -152,7 +152,7 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { // Generate the parallel installation step to verify it contains custom version parallelStep := generateParallelInstallationStep(config) parallelStepStr := strings.Join(parallelStep, "\n") - + // Verify it passes the custom version to the script if !strings.Contains(parallelStepStr, customVersion) { t.Errorf("Parallel installation step should include custom version %s", customVersion) diff --git a/pkg/workflow/parallel_installation.go b/pkg/workflow/parallel_installation.go index 5c2f7782c3..7793450a4d 100644 --- a/pkg/workflow/parallel_installation.go +++ b/pkg/workflow/parallel_installation.go @@ -72,7 +72,7 @@ func generateParallelInstallationStep(config ParallelInstallConfig) GitHubAction var dockerArgs strings.Builder dockerArgs.WriteString(" --docker") for _, image := range config.DockerImages { - dockerArgs.WriteString(fmt.Sprintf(" %s", image)) + fmt.Fprintf(&dockerArgs, " %s", image) } stepLines = append(stepLines, dockerArgs.String()) } else { @@ -142,7 +142,8 @@ func GetParallelInstallConfig(workflowData *WorkflowData, engine CodingAgentEngi // Get CLI version based on engine engineID := engine.GetID() - if engineID == "copilot" { + switch engineID { + case "copilot": version := string(constants.DefaultCopilotVersion) if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { version = workflowData.EngineConfig.Version @@ -151,7 +152,7 @@ func GetParallelInstallConfig(workflowData *WorkflowData, engine CodingAgentEngi if !isSRTEnabled(workflowData) { config.CopilotVersion = version } - } else if engineID == "claude" { + case "claude": version := string(constants.DefaultClaudeCodeVersion) if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { version = workflowData.EngineConfig.Version From 13203f788f63a751a30010df4b8b4aeeb7add6a7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 30 Jan 2026 00:37:01 +0000 Subject: [PATCH 5/8] Plan refactoring to use engine interface for installation URLs Addressing comments: 1. @pelikhan: Need to get download URLs from engine interface instead of hardcoding 2. @dsyme: CI failures appear to be from merge conflicts with main, not related to parallel installation Plan: - Add method to engine interface for getting installation info (URLs, methods) - Refactor parallel installation to be engine-agnostic - Support Codex and Custom engines - Pass installation details from compiler to script Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 4 ++-- .github/workflows/changeset.lock.yml | 4 ++-- .../workflows/cli-consistency-checker.lock.yml | 4 ++-- .github/workflows/cli-version-checker.lock.yml | 4 ++-- .../workflows/copilot-pr-nlp-analysis.lock.yml | 4 ++-- .../copilot-pr-prompt-analysis.lock.yml | 4 ++-- .../copilot-session-insights.lock.yml | 14 ++++++++------ .github/workflows/craft.lock.yml | 12 ++++++++---- .../daily-assign-issue-to-user.lock.yml | 12 ++++++++---- .github/workflows/daily-choice-test.lock.yml | 14 ++++++++------ .../workflows/daily-cli-performance.lock.yml | 12 ++++++++---- .github/workflows/daily-code-metrics.lock.yml | 14 ++++++++------ .../workflows/daily-compiler-quality.lock.yml | 12 ++++++++---- .../daily-copilot-token-report.lock.yml | 12 ++++++++---- .github/workflows/daily-doc-updater.lock.yml | 14 ++++++++------ .github/workflows/daily-fact.lock.yml | 9 +++++++-- .github/workflows/daily-file-diet.lock.yml | 12 ++++++++---- .../workflows/daily-firewall-report.lock.yml | 12 ++++++++---- .github/workflows/daily-issues-report.lock.yml | 9 +++++++-- .../daily-malicious-code-scan.lock.yml | 12 ++++++++---- .../daily-multi-device-docs-tester.lock.yml | 18 ++++++++++-------- .github/workflows/daily-news.lock.yml | 16 ++++++++++------ .../daily-observability-report.lock.yml | 9 +++++++-- .../daily-performance-summary.lock.yml | 9 +++++++-- .github/workflows/daily-regulatory.lock.yml | 12 ++++++++---- .../workflows/daily-repo-chronicle.lock.yml | 16 ++++++++++------ .../daily-safe-output-optimizer.lock.yml | 14 ++++++++------ .../workflows/daily-secrets-analysis.lock.yml | 12 ++++++++---- .github/workflows/daily-semgrep-scan.lock.yml | 12 ++++++++---- .../daily-team-evolution-insights.lock.yml | 14 ++++++++------ .github/workflows/daily-team-status.lock.yml | 12 ++++++++---- .../daily-testify-uber-super-expert.lock.yml | 12 ++++++++---- .../workflows/daily-workflow-updater.lock.yml | 12 ++++++++---- .github/workflows/deep-report.lock.yml | 13 +++++++++---- .github/workflows/delight.lock.yml | 12 ++++++++---- .github/workflows/dependabot-bundler.lock.yml | 12 ++++++++---- .github/workflows/dependabot-burner.lock.yml | 12 ++++++++---- .../workflows/dependabot-go-checker.lock.yml | 12 ++++++++---- .github/workflows/dev-hawk.lock.yml | 12 ++++++++---- .github/workflows/dev.lock.yml | 12 ++++++++---- .../developer-docs-consolidator.lock.yml | 14 ++++++++------ .github/workflows/dictation-prompt.lock.yml | 12 ++++++++---- .../workflows/discussion-task-miner.lock.yml | 12 ++++++++---- .github/workflows/docs-noob-tester.lock.yml | 16 ++++++++++------ .github/workflows/draft-pr-cleanup.lock.yml | 12 ++++++++---- .../workflows/duplicate-code-detector.lock.yml | 9 +++++++-- .../example-custom-error-patterns.lock.yml | 12 ++++++++---- .../example-permissions-warning.lock.yml | 12 ++++++++---- .../example-workflow-analyzer.lock.yml | 14 ++++++++------ .github/workflows/firewall-escape.lock.yml | 16 ++++++++++------ .github/workflows/firewall.lock.yml | 14 +++++++++----- .../github-mcp-structural-analysis.lock.yml | 14 ++++++++------ .../workflows/github-mcp-tools-report.lock.yml | 14 ++++++++------ .../github-remote-mcp-auth-test.lock.yml | 12 ++++++++---- .github/workflows/glossary-maintainer.lock.yml | 12 ++++++++---- .github/workflows/go-fan.lock.yml | 14 ++++++++------ .github/workflows/go-logger.lock.yml | 14 ++++++++------ .github/workflows/go-pattern-detector.lock.yml | 14 ++++++++------ .github/workflows/grumpy-reviewer.lock.yml | 12 ++++++++---- .github/workflows/hourly-ci-cleaner.lock.yml | 12 ++++++++---- .../workflows/instructions-janitor.lock.yml | 14 ++++++++------ .github/workflows/issue-arborist.lock.yml | 9 +++++++-- .github/workflows/issue-monster.lock.yml | 12 ++++++++---- .github/workflows/issue-triage-agent.lock.yml | 12 ++++++++---- .github/workflows/jsweep.lock.yml | 14 +++++++++----- .../workflows/layout-spec-maintainer.lock.yml | 12 ++++++++---- .github/workflows/lockfile-stats.lock.yml | 14 ++++++++------ .github/workflows/mcp-inspector.lock.yml | 16 ++++++++++------ .github/workflows/mergefest.lock.yml | 12 ++++++++---- .github/workflows/metrics-collector.lock.yml | 12 ++++++++---- .../workflows/notion-issue-summary.lock.yml | 12 ++++++++---- .github/workflows/org-health-report.lock.yml | 12 ++++++++---- .github/workflows/pdf-summary.lock.yml | 12 ++++++++---- .github/workflows/plan.lock.yml | 12 ++++++++---- .github/workflows/poem-bot.lock.yml | 12 ++++++++---- .github/workflows/portfolio-analyst.lock.yml | 12 ++++++++---- .github/workflows/pr-nitpick-reviewer.lock.yml | 12 ++++++++---- .github/workflows/pr-triage-agent.lock.yml | 12 ++++++++---- .../prompt-clustering-analysis.lock.yml | 14 ++++++++------ .github/workflows/python-data-charts.lock.yml | 12 ++++++++---- .github/workflows/q.lock.yml | 12 ++++++++---- .github/workflows/release.lock.yml | 16 ++++++++++------ .github/workflows/repo-audit-analyzer.lock.yml | 12 ++++++++---- .github/workflows/repo-tree-map.lock.yml | 12 ++++++++---- .../repository-quality-improver.lock.yml | 12 ++++++++---- .github/workflows/research.lock.yml | 16 ++++++++++------ .github/workflows/safe-output-health.lock.yml | 14 ++++++++------ .../schema-consistency-checker.lock.yml | 14 ++++++++------ .github/workflows/scout.lock.yml | 14 ++++++++------ .../workflows/secret-scanning-triage.lock.yml | 12 ++++++++---- .../workflows/security-alert-burndown.lock.yml | 12 ++++++++---- .github/workflows/security-compliance.lock.yml | 12 ++++++++---- .github/workflows/security-fix-pr.lock.yml | 12 ++++++++---- .github/workflows/security-guard.lock.yml | 12 ++++++++---- .github/workflows/security-review.lock.yml | 12 ++++++++---- .../semantic-function-refactor.lock.yml | 14 ++++++++------ .github/workflows/sergo.lock.yml | 14 ++++++++------ .../workflows/slide-deck-maintainer.lock.yml | 16 ++++++++++------ .github/workflows/smoke-claude.lock.yml | 14 ++++++++------ .github/workflows/smoke-codex.lock.yml | 9 +++++++-- .github/workflows/smoke-copilot.lock.yml | 16 ++++++++++------ .github/workflows/smoke-test-tools.lock.yml | 16 ++++++++++------ .../workflows/stale-repo-identifier.lock.yml | 12 ++++++++---- .../workflows/static-analysis-report.lock.yml | 14 ++++++++------ .github/workflows/step-name-alignment.lock.yml | 14 ++++++++------ .github/workflows/sub-issue-closer.lock.yml | 12 ++++++++---- .github/workflows/super-linter.lock.yml | 12 ++++++++---- .../workflows/technical-doc-writer.lock.yml | 12 ++++++++---- .github/workflows/terminal-stylist.lock.yml | 12 ++++++++---- .../test-create-pr-error-handling.lock.yml | 14 ++++++++------ .github/workflows/tidy.lock.yml | 12 ++++++++---- .github/workflows/typist.lock.yml | 14 ++++++++------ .../workflows/ubuntu-image-analyzer.lock.yml | 12 ++++++++---- .github/workflows/unbloat-docs.lock.yml | 14 ++++++++------ .github/workflows/video-analyzer.lock.yml | 12 ++++++++---- .../workflows/weekly-issue-summary.lock.yml | 16 ++++++++++------ .github/workflows/workflow-generator.lock.yml | 12 ++++++++---- .../workflows/workflow-health-manager.lock.yml | 12 ++++++++---- .github/workflows/workflow-normalizer.lock.yml | 16 ++++++++++------ .../workflow-skill-extractor.lock.yml | 12 ++++++++---- 120 files changed, 946 insertions(+), 538 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 2ab0c34833..48805174f3 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -736,7 +736,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -804,7 +804,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 80e7f2782a..99949cdc35 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -940,7 +940,7 @@ jobs: mkdir -p "$HOME/.cache" INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && codex -c model=gpt-5.1-codex-mini exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -989,7 +989,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 699dcd02eb..d3b32cf70c 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -802,7 +802,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -870,7 +870,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 30136bdc9e..e77db7cd91 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1241,7 +1241,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.jsr.io,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- /bin/bash -c 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,WebFetch,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1295,7 +1295,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.jsr.io,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 2cc34661c1..5e97afac8d 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1531,7 +1531,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1602,7 +1602,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 6fc4173ca2..04d0d3650f 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1074,7 +1074,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1142,7 +1142,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index a2c87ccfcf..6eac632ef9 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -201,10 +201,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -215,8 +219,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 5ebadddc9f..04b2f784c9 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -173,8 +173,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -185,8 +191,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index abaaee3f02..2c44936685 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -136,8 +136,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -148,8 +154,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 5c667ccd19..a7de6000a8 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -140,10 +140,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -154,8 +158,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index d47be00d10..8eb02a89ca 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -151,8 +151,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -163,8 +169,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 7e8948af70..08239c9f7e 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -190,10 +190,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -204,8 +208,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index d666832a81..2f9c3e403e 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -152,8 +152,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -164,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 4b8c1bfba2..04f47fef2b 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -200,8 +200,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -212,8 +218,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 65bcf78285..b4d71ff3ee 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -152,10 +152,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 13e88ca88b..b61e97915c 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -134,6 +134,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -144,8 +151,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index c72d74f26a..f7f647d9fc 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -144,8 +144,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -156,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index aea58cfaab..a7bfe30534 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -196,8 +196,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -208,8 +214,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 87bbd8527c..aa792e96d7 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -198,6 +198,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -208,8 +215,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 2174b07956..bb7a097b26 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -141,8 +141,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -153,8 +159,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index ec73f9ba22..602c0de6f4 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -151,10 +151,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -165,8 +169,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1036,7 +1038,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --tty --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.jsr.io,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- /bin/bash -c 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --max-turns 30 --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash(cat),Bash(cd*),Bash(curl*),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(kill*),Bash(ls),Bash(ls*),Bash(lsof*),Bash(npm install*),Bash(npm run build*),Bash(npm run preview*),Bash(npx playwright*),Bash(pwd),Bash(pwd*),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,NotebookEdit,NotebookRead,Read,Task,TodoWrite,Write,mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users,mcp__playwright__browser_click,mcp__playwright__browser_close,mcp__playwright__browser_console_messages,mcp__playwright__browser_drag,mcp__playwright__browser_evaluate,mcp__playwright__browser_file_upload,mcp__playwright__browser_fill_form,mcp__playwright__browser_handle_dialog,mcp__playwright__browser_hover,mcp__playwright__browser_install,mcp__playwright__browser_navigate,mcp__playwright__browser_navigate_back,mcp__playwright__browser_network_requests,mcp__playwright__browser_press_key,mcp__playwright__browser_resize,mcp__playwright__browser_select_option,mcp__playwright__browser_snapshot,mcp__playwright__browser_tabs,mcp__playwright__browser_take_screenshot,mcp__playwright__browser_type,mcp__playwright__browser_wait_for'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} @@ -1094,7 +1096,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.jsr.io,anthropic.com,api.anthropic.com,api.github.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,skimdb.npmjs.com,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b24a7f1c65..485a57b17c 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -257,8 +257,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -269,8 +275,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1604,7 +1608,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcp.tavily.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,mcp.tavily.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1677,7 +1681,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 3787baacc6..dece7a18e5 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -153,6 +153,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -163,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 11acf8b10f..4761326380 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -188,6 +188,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -198,8 +205,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 0c8d183825..de9617dc97 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -144,8 +144,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -156,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 45801c061f..dccfc41238 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -177,8 +177,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -189,8 +195,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1385,7 +1389,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1456,7 +1460,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 5ca463ee25..b0bc7910c1 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -184,10 +184,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -198,8 +202,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index f02e1a84c7..713b7a79a0 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -142,8 +142,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -154,8 +160,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 8c460552bd..af501c63dc 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -142,8 +142,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine semgrep/semgrep:latest - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -154,8 +160,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine semgrep/semgrep:latest - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 5b8f082c5d..0aeeb68319 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -147,10 +147,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -161,8 +165,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index ed0b77816c..f39f7e4252 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -150,8 +150,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -162,8 +168,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 0e615150fc..6fc15f2947 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -154,8 +154,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +172,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 20d6fac720..928db7a0c7 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -137,8 +137,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -149,8 +155,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 40e9b7c228..4021d917d5 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -198,6 +198,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -208,8 +215,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1345,7 +1350,7 @@ jobs: mkdir -p "$HOME/.cache" INSTRUCTION="$(cat "$GH_AW_PROMPT")" mkdir -p "$CODEX_HOME/logs" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION" \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1398,7 +1403,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.npms.io,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 81501b47eb..2d32849aad 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -155,8 +155,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -167,8 +173,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml index 7921a1103c..49906b09ff 100644 --- a/.github/workflows/dependabot-bundler.lock.yml +++ b/.github/workflows/dependabot-bundler.lock.yml @@ -157,8 +157,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -169,8 +175,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index aa3672d8b4..bdce3eae50 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -145,8 +145,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -157,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 1165d71478..7491b6c752 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -138,8 +138,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -150,8 +156,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 1f45c4def8..7665f6ae91 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -167,8 +167,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -179,8 +185,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ad2b931a6d..2fee9460ad 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -134,8 +134,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -146,8 +152,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index a4b4e5e4ec..0b14d312a3 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -158,10 +158,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -172,8 +176,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 1e12ce62f3..d9d8a02a4a 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -140,8 +140,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -152,8 +158,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index db1497d52b..d6514c6edd 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -155,8 +155,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -167,8 +173,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 071f9fe4a1..c9d0d646a4 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -141,8 +141,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -153,8 +159,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -832,7 +836,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -903,7 +907,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index d42fe76c6a..0eedffcb41 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -136,8 +136,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -148,8 +154,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 1f2857e2a7..6e1c02ca57 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -145,6 +145,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -155,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml index 40c263a799..fb439be453 100644 --- a/.github/workflows/example-custom-error-patterns.lock.yml +++ b/.github/workflows/example-custom-error-patterns.lock.yml @@ -123,8 +123,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -135,8 +141,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 - name: Start MCP gateway id: start-mcp-gateway env: diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 4b6def5418..43392652d0 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -122,8 +122,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -134,8 +140,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 - name: Start MCP gateway id: start-mcp-gateway env: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 598b59ae44..67e378c0f5 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -146,10 +146,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -160,8 +164,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index c7d75c7858..5179c228bc 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -168,8 +168,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -180,8 +186,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -946,7 +950,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1014,7 +1018,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index ddae15a9c9..30034903c5 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -122,8 +122,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -134,8 +140,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 - name: Start MCP gateway id: start-mcp-gateway env: @@ -363,7 +367,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 59558bed95..0a012320ad 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -182,10 +182,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -196,8 +200,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 24b1bebe32..3045b190a1 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -159,10 +159,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -173,8 +177,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index ab76b9d37e..36bb28713d 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -137,8 +137,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -149,8 +155,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index c5754a7413..1bd05bdc4e 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -153,8 +153,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -165,8 +171,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 1a9083400e..8a08cfd083 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -156,10 +156,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -170,8 +174,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 09cbc8da07..4aad47289c 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -172,10 +172,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -186,8 +190,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index c57089ed23..003b51bd67 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -147,10 +147,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/ast-grep:latest node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -161,8 +165,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcp/ast-grep:latest node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index b2f4769399..5b14576fe8 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -182,8 +182,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -194,8 +200,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index ac8ba80354..79e7e23dd9 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -166,8 +166,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -178,8 +184,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 1697116eeb..85dc9069aa 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -152,10 +152,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 691b1e6c2d..e0a725ad73 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -156,6 +156,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +173,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 8a77d40471..d895a4277b 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -149,8 +149,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -161,8 +167,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 7e72884910..5802b96497 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -121,8 +121,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -133,8 +139,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 68bd399156..bb75529a26 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -158,8 +158,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -170,8 +176,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -874,7 +878,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 81c83a17cc..cb4e1c9a1b 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -145,8 +145,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -157,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index f5411bf558..eaa090b0bd 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -156,10 +156,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -170,8 +174,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 775d0f8006..3a1ef9f3dc 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -195,8 +195,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -207,8 +213,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1220,7 +1224,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,learn.microsoft.com,localhost,mcp.datadoghq.com,mcp.deepwiki.com,mcp.tavily.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,localhost,mcp.datadoghq.com,mcp.deepwiki.com,mcp.tavily.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool '\''arxiv(get_paper_details)'\'' --allow-tool '\''arxiv(get_paper_pdf)'\'' --allow-tool '\''arxiv(search_arxiv)'\'' --allow-tool ast-grep --allow-tool '\''ast-grep(*)'\'' --allow-tool brave-search --allow-tool '\''brave-search(*)'\'' --allow-tool context7 --allow-tool '\''context7(query-docs)'\'' --allow-tool '\''context7(resolve-library-id)'\'' --allow-tool datadog --allow-tool '\''datadog(get_datadog_metric)'\'' --allow-tool '\''datadog(search_datadog_dashboards)'\'' --allow-tool '\''datadog(search_datadog_metrics)'\'' --allow-tool '\''datadog(search_datadog_slos)'\'' --allow-tool deepwiki --allow-tool '\''deepwiki(ask_question)'\'' --allow-tool '\''deepwiki(read_wiki_contents)'\'' --allow-tool '\''deepwiki(read_wiki_structure)'\'' --allow-tool fabric-rti --allow-tool '\''fabric-rti(get_eventstream)'\'' --allow-tool '\''fabric-rti(get_eventstream_definition)'\'' --allow-tool '\''fabric-rti(kusto_get_entities_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_function_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_shots)'\'' --allow-tool '\''fabric-rti(kusto_get_table_schema)'\'' --allow-tool '\''fabric-rti(kusto_known_services)'\'' --allow-tool '\''fabric-rti(kusto_list_databases)'\'' --allow-tool '\''fabric-rti(kusto_list_tables)'\'' --allow-tool '\''fabric-rti(kusto_query)'\'' --allow-tool '\''fabric-rti(kusto_sample_function_data)'\'' --allow-tool '\''fabric-rti(kusto_sample_table_data)'\'' --allow-tool '\''fabric-rti(list_eventstreams)'\'' --allow-tool gh-aw --allow-tool github --allow-tool markitdown --allow-tool '\''markitdown(*)'\'' --allow-tool memory --allow-tool '\''memory(delete_memory)'\'' --allow-tool '\''memory(list_memories)'\'' --allow-tool '\''memory(retrieve_memory)'\'' --allow-tool '\''memory(store_memory)'\'' --allow-tool microsoftdocs --allow-tool '\''microsoftdocs(*)'\'' --allow-tool notion --allow-tool '\''notion(get_database)'\'' --allow-tool '\''notion(get_page)'\'' --allow-tool '\''notion(query_database)'\'' --allow-tool '\''notion(search_pages)'\'' --allow-tool safeoutputs --allow-tool sentry --allow-tool '\''sentry(analyze_issue_with_seer)'\'' --allow-tool '\''sentry(find_dsns)'\'' --allow-tool '\''sentry(find_organizations)'\'' --allow-tool '\''sentry(find_projects)'\'' --allow-tool '\''sentry(find_releases)'\'' --allow-tool '\''sentry(find_teams)'\'' --allow-tool '\''sentry(get_doc)'\'' --allow-tool '\''sentry(get_event_attachment)'\'' --allow-tool '\''sentry(get_issue_details)'\'' --allow-tool '\''sentry(get_trace_details)'\'' --allow-tool '\''sentry(search_docs requires SENTRY_OPENAI_API_KEY)'\'' --allow-tool '\''sentry(search_events)'\'' --allow-tool '\''sentry(search_issues)'\'' --allow-tool '\''sentry(whoami)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool tavily --allow-tool '\''tavily(*)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1304,7 +1308,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index db43c0ece4..992144e6fc 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -159,8 +159,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -171,8 +177,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 6ce2189b75..22b34fdd95 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -138,8 +138,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -150,8 +156,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index a047ced747..219f8e326f 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -143,8 +143,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/notion node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -155,8 +161,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcp/notion node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 8601823fc1..6a15114046 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -181,10 +181,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 3e6044df57..96fb66d039 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -202,8 +202,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/markitdown node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -214,8 +220,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index f97116f882..0f911c51cd 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -172,8 +172,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -184,8 +190,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 0308268061..6998c7712f 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -191,8 +191,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -203,8 +209,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 9b2081cd43..f3796e9542 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -203,8 +203,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -215,8 +221,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 8f0ce7fa73..b0175c7c0a 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -203,8 +203,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -215,8 +221,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 4965d62a15..a338ff1c97 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -145,8 +145,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -157,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index ccc93b65b5..99929c37c8 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -229,10 +229,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -243,8 +247,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 008ff87257..6306a9d3af 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -175,8 +175,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -187,8 +193,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 47ac4bd330..9a799a7d04 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -231,8 +231,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -243,8 +249,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 7825906629..6539469474 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -156,8 +156,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -168,8 +174,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -753,7 +757,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -821,7 +825,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,githubnext.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index a1f7ee84ea..8abb5ed556 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -158,8 +158,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -170,8 +176,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 56ba78bd80..e88fa6878a 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -141,8 +141,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -153,8 +159,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index cc054684f6..da346fdf1f 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -154,8 +154,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +172,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 99646c78f8..730c6ea9cc 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -144,8 +144,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -156,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -709,7 +713,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,mcp.tavily.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,mcp.tavily.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -779,7 +783,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 88b6ed8aa0..617564ba1a 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -181,10 +181,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -195,8 +199,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index a692c1c05e..2cb17f218d 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -159,10 +159,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -173,8 +177,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 2af783877e..093bdb2086 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -235,10 +235,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -249,8 +253,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml index 501f380034..ee0daf9b42 100644 --- a/.github/workflows/secret-scanning-triage.lock.yml +++ b/.github/workflows/secret-scanning-triage.lock.yml @@ -159,8 +159,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -171,8 +177,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index 36a706788b..8a7b3f4d98 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml @@ -135,8 +135,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -147,8 +153,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 1b9134d356..97b23f4d05 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -152,8 +152,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -164,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index cf6b045cf7..5f01fbc3de 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -162,8 +162,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -174,8 +180,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index a813bd828d..7822a228be 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -142,8 +142,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -154,8 +160,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index f8bb76b78d..cb70c4341a 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -187,8 +187,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -199,8 +205,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 1fc5231d0a..235e907021 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -145,10 +145,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -159,8 +163,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 74e93c0fe8..9261d11756 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -157,10 +157,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -171,8 +175,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 3ae67752dd..5bdc1ce899 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -166,8 +166,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -178,8 +184,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -889,7 +893,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,jsr.io,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(cat*)'\'' --allow-tool '\''shell(cd*)'\'' --allow-tool '\''shell(curl*)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find*)'\'' --allow-tool '\''shell(git add:*)'\'' --allow-tool '\''shell(git branch:*)'\'' --allow-tool '\''shell(git checkout:*)'\'' --allow-tool '\''shell(git commit:*)'\'' --allow-tool '\''shell(git merge:*)'\'' --allow-tool '\''shell(git rm:*)'\'' --allow-tool '\''shell(git status)'\'' --allow-tool '\''shell(git switch:*)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(grep*)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(head*)'\'' --allow-tool '\''shell(kill*)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(ls*)'\'' --allow-tool '\''shell(lsof*)'\'' --allow-tool '\''shell(npm ci*)'\'' --allow-tool '\''shell(npm install*)'\'' --allow-tool '\''shell(npm run*)'\'' --allow-tool '\''shell(npx @marp-team/marp-cli*)'\'' --allow-tool '\''shell(npx http-server*)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(pwd*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(tail*)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -957,7 +961,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,bun.sh,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,jsr.io,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,skimdb.npmjs.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index a32267202a..929ec18fe2 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -192,10 +192,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -219,8 +223,6 @@ jobs: permission-discussions: read permission-issues: read permission-pull-requests: read - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 7668c85bbd..7d82d06cd8 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -193,6 +193,13 @@ jobs: run: npm install -g --silent @openai/codex@0.92.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -203,8 +210,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 31cd27ce08..432c0833fb 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -185,8 +185,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -197,8 +203,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1444,7 +1448,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkg.go.dev,playwright.download.prss.microsoft.com,ppa.launchpad.net,proxy.golang.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1513,7 +1517,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 00731db057..b55aa4c85e 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -168,8 +168,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -180,8 +186,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -668,7 +672,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.oracle.com,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.githubusercontent.com,*.jsr.io,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.apache.org,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,cdn.azul.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.java.net,download.oracle.com,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,goproxy.io,gradle.org,host.docker.internal,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,skimdb.npmjs.com,sum.golang.org,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -736,7 +740,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.githubusercontent.com,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index b8869eed1e..1eb7b8ddb1 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -223,10 +223,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index a184e79cca..855738b5ff 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -180,10 +180,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -194,8 +198,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 83be1c0f37..d22364c613 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -152,10 +152,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -166,8 +170,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 8454c104e1..c8f8f24671 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -136,8 +136,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -148,8 +154,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index d8e140e33b..8ae1001aba 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -160,8 +160,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -172,8 +178,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 9f9a65d967..45091e4065 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -172,8 +172,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -184,8 +190,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 7ebbe43865..04b4c9b870 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -135,8 +135,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -147,8 +153,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index dc541f6dc3..28e343101e 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -149,10 +149,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -163,8 +167,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index e7c01a49f1..1f5e9cfaea 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -183,8 +183,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -195,8 +201,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 3ad1129e5b..0557ffad38 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -144,10 +144,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -158,8 +162,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 8101ed45dd..54354f03e5 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -141,8 +141,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -153,8 +159,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index ad2bb95155..be9f3962aa 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -197,10 +197,14 @@ jobs: with: node-version: '24' package-manager-cache: false - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - - name: Install Claude Code CLI - run: npm install -g --silent @anthropic-ai/claude-code@2.1.22 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --claude 2.1.22 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -211,8 +215,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index ff93f8d05d..262c63cd74 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -151,8 +151,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -163,8 +169,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 8c2b7de302..e56e6ebdab 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -158,8 +158,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -170,8 +176,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -1300,7 +1304,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -1371,7 +1375,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 221982d9d0..f0eec31695 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -167,8 +167,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -179,8 +185,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c0c53bb36a..b5b1e360c9 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -153,8 +153,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -165,8 +171,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index dbd383cd37..25e003bf26 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -159,8 +159,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -171,8 +177,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -908,7 +912,7 @@ jobs: set -o pipefail GH_AW_TOOL_BINS=""; command -v go >/dev/null 2>&1 && GH_AW_TOOL_BINS="$(go env GOROOT)/bin:$GH_AW_TOOL_BINS"; [ -n "$JAVA_HOME" ] && GH_AW_TOOL_BINS="$JAVA_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CARGO_HOME" ] && GH_AW_TOOL_BINS="$CARGO_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$GEM_HOME" ] && GH_AW_TOOL_BINS="$GEM_HOME/bin:$GH_AW_TOOL_BINS"; [ -n "$CONDA" ] && GH_AW_TOOL_BINS="$CONDA/bin:$GH_AW_TOOL_BINS"; [ -n "$PIPX_BIN_DIR" ] && GH_AW_TOOL_BINS="$PIPX_BIN_DIR:$GH_AW_TOOL_BINS"; [ -n "$SWIFT_PATH" ] && GH_AW_TOOL_BINS="$SWIFT_PATH:$GH_AW_TOOL_BINS"; [ -n "$DOTNET_ROOT" ] && GH_AW_TOOL_BINS="$DOTNET_ROOT:$GH_AW_TOOL_BINS"; export GH_AW_TOOL_BINS mkdir -p "$HOME/.cache" - sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ + sudo -E awf --env-all --env "ANDROID_HOME=${ANDROID_HOME}" --env "ANDROID_NDK=${ANDROID_NDK}" --env "ANDROID_NDK_HOME=${ANDROID_NDK_HOME}" --env "ANDROID_NDK_LATEST_HOME=${ANDROID_NDK_LATEST_HOME}" --env "ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT}" --env "ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT}" --env "AZURE_EXTENSION_DIR=${AZURE_EXTENSION_DIR}" --env "CARGO_HOME=${CARGO_HOME}" --env "CHROMEWEBDRIVER=${CHROMEWEBDRIVER}" --env "CONDA=${CONDA}" --env "DOTNET_ROOT=${DOTNET_ROOT}" --env "EDGEWEBDRIVER=${EDGEWEBDRIVER}" --env "GECKOWEBDRIVER=${GECKOWEBDRIVER}" --env "GEM_HOME=${GEM_HOME}" --env "GEM_PATH=${GEM_PATH}" --env "GOPATH=${GOPATH}" --env "GOROOT=${GOROOT}" --env "HOMEBREW_CELLAR=${HOMEBREW_CELLAR}" --env "HOMEBREW_PREFIX=${HOMEBREW_PREFIX}" --env "HOMEBREW_REPOSITORY=${HOMEBREW_REPOSITORY}" --env "JAVA_HOME=${JAVA_HOME}" --env "JAVA_HOME_11_X64=${JAVA_HOME_11_X64}" --env "JAVA_HOME_17_X64=${JAVA_HOME_17_X64}" --env "JAVA_HOME_21_X64=${JAVA_HOME_21_X64}" --env "JAVA_HOME_25_X64=${JAVA_HOME_25_X64}" --env "JAVA_HOME_8_X64=${JAVA_HOME_8_X64}" --env "NVM_DIR=${NVM_DIR}" --env "PIPX_BIN_DIR=${PIPX_BIN_DIR}" --env "PIPX_HOME=${PIPX_HOME}" --env "RUSTUP_HOME=${RUSTUP_HOME}" --env "SELENIUM_JAR_PATH=${SELENIUM_JAR_PATH}" --env "SWIFT_PATH=${SWIFT_PATH}" --env "VCPKG_INSTALLATION_ROOT=${VCPKG_INSTALLATION_ROOT}" --env "GH_AW_TOOL_BINS=$GH_AW_TOOL_BINS" --container-workdir "${GITHUB_WORKSPACE}" --mount /tmp:/tmp:rw --mount "${HOME}/.cache:${HOME}/.cache:rw" --mount "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw" --mount /usr/bin/cat:/usr/bin/cat:ro --mount /usr/bin/curl:/usr/bin/curl:ro --mount /usr/bin/date:/usr/bin/date:ro --mount /usr/bin/find:/usr/bin/find:ro --mount /usr/bin/gh:/usr/bin/gh:ro --mount /usr/bin/grep:/usr/bin/grep:ro --mount /usr/bin/jq:/usr/bin/jq:ro --mount /usr/bin/yq:/usr/bin/yq:ro --mount /usr/bin/cp:/usr/bin/cp:ro --mount /usr/bin/cut:/usr/bin/cut:ro --mount /usr/bin/diff:/usr/bin/diff:ro --mount /usr/bin/head:/usr/bin/head:ro --mount /usr/bin/ls:/usr/bin/ls:ro --mount /usr/bin/mkdir:/usr/bin/mkdir:ro --mount /usr/bin/rm:/usr/bin/rm:ro --mount /usr/bin/sed:/usr/bin/sed:ro --mount /usr/bin/sort:/usr/bin/sort:ro --mount /usr/bin/tail:/usr/bin/tail:ro --mount /usr/bin/wc:/usr/bin/wc:ro --mount /usr/bin/which:/usr/bin/which:ro --mount /usr/local/bin/copilot:/usr/local/bin/copilot:ro --mount /home/runner/.copilot:/home/runner/.copilot:rw --mount /opt/hostedtoolcache:/opt/hostedtoolcache:ro --mount /opt/gh-aw:/opt/gh-aw:ro --allow-domains '*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,localhost,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.11.2 --agent-image act \ -- 'source /opt/gh-aw/actions/sanitize_path.sh "$GH_AW_TOOL_BINS$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: @@ -976,7 +980,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} - GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" + GH_AW_ALLOWED_DOMAINS: "*.jsr.io,*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,binstar.org,bootstrap.pypa.io,bun.sh,conda.anaconda.org,conda.binstar.org,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,files.pythonhosted.org,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,ppa.launchpad.net,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_API_URL: ${{ github.api_url }} with: diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index afb56bb0ee..768998d94e 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -142,8 +142,14 @@ jobs: COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.397 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --copilot 0.0.397 \ + --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -154,8 +160,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs From 14b50fa654b2f3296450450e077e9ccde446b401 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 30 Jan 2026 00:47:13 +0000 Subject: [PATCH 6/8] Refactor to use engine-agnostic CLI installation Addressing @pelikhan's feedback: Compiler now gets installation info from engine instead of hardcoding URLs in shell script. Changes: - Add CLIInstallInfo structure with method (script/npm/download) and URLs - Update install_parallel_setup.sh to handle generic CLI installation - Support Copilot (script), Claude (npm), and Codex (npm) engines - Remove duplicate CLI installation steps for all engines - Installation URLs are now provided by compiler, not hardcoded in scripts This maintains support for Codex and Custom engines as requested. Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 4 +- .../workflows/agent-persona-explorer.lock.yml | 4 +- .github/workflows/ai-moderator.lock.yml | 4 +- .github/workflows/archie.lock.yml | 4 +- .github/workflows/artifacts-summary.lock.yml | 4 +- .github/workflows/audit-workflows.lock.yml | 4 +- .github/workflows/auto-triage-issues.lock.yml | 4 +- .github/workflows/blog-auditor.lock.yml | 4 +- .github/workflows/brave.lock.yml | 4 +- .../breaking-change-checker.lock.yml | 4 +- .github/workflows/changeset.lock.yml | 12 +- .../workflows/chroma-issue-indexer.lock.yml | 4 +- .github/workflows/ci-coach.lock.yml | 4 +- .github/workflows/ci-doctor.lock.yml | 4 +- .../claude-code-user-docs-review.lock.yml | 4 +- .../cli-consistency-checker.lock.yml | 4 +- .../workflows/cli-version-checker.lock.yml | 4 +- .github/workflows/cloclo.lock.yml | 4 +- .../workflows/code-scanning-fixer.lock.yml | 4 +- .github/workflows/code-simplifier.lock.yml | 4 +- .../codex-github-remote-mcp-test.lock.yml | 13 +- .../commit-changes-analyzer.lock.yml | 4 +- .../workflows/copilot-agent-analysis.lock.yml | 4 +- .../copilot-cli-deep-research.lock.yml | 4 +- .../copilot-pr-merged-report.lock.yml | 4 +- .../copilot-pr-nlp-analysis.lock.yml | 4 +- .../copilot-pr-prompt-analysis.lock.yml | 4 +- .../copilot-session-insights.lock.yml | 4 +- .github/workflows/craft.lock.yml | 4 +- .../daily-assign-issue-to-user.lock.yml | 4 +- .github/workflows/daily-choice-test.lock.yml | 4 +- .../workflows/daily-cli-performance.lock.yml | 4 +- .github/workflows/daily-code-metrics.lock.yml | 4 +- .../workflows/daily-compiler-quality.lock.yml | 4 +- .../daily-copilot-token-report.lock.yml | 4 +- .github/workflows/daily-doc-updater.lock.yml | 4 +- .github/workflows/daily-fact.lock.yml | 5 +- .github/workflows/daily-file-diet.lock.yml | 4 +- .../workflows/daily-firewall-report.lock.yml | 4 +- .../workflows/daily-issues-report.lock.yml | 5 +- .../daily-malicious-code-scan.lock.yml | 4 +- .../daily-multi-device-docs-tester.lock.yml | 4 +- .github/workflows/daily-news.lock.yml | 4 +- .../daily-observability-report.lock.yml | 5 +- .../daily-performance-summary.lock.yml | 5 +- .github/workflows/daily-regulatory.lock.yml | 4 +- .../workflows/daily-repo-chronicle.lock.yml | 4 +- .../daily-safe-output-optimizer.lock.yml | 4 +- .../workflows/daily-secrets-analysis.lock.yml | 4 +- .github/workflows/daily-semgrep-scan.lock.yml | 4 +- .../daily-team-evolution-insights.lock.yml | 4 +- .github/workflows/daily-team-status.lock.yml | 4 +- .../daily-testify-uber-super-expert.lock.yml | 4 +- .../workflows/daily-workflow-updater.lock.yml | 4 +- .github/workflows/deep-report.lock.yml | 5 +- .github/workflows/delight.lock.yml | 4 +- .github/workflows/dependabot-bundler.lock.yml | 4 +- .github/workflows/dependabot-burner.lock.yml | 4 +- .../workflows/dependabot-go-checker.lock.yml | 4 +- .github/workflows/dev-hawk.lock.yml | 4 +- .github/workflows/dev.lock.yml | 4 +- .../developer-docs-consolidator.lock.yml | 4 +- .github/workflows/dictation-prompt.lock.yml | 4 +- .../workflows/discussion-task-miner.lock.yml | 4 +- .github/workflows/docs-noob-tester.lock.yml | 4 +- .github/workflows/draft-pr-cleanup.lock.yml | 4 +- .../duplicate-code-detector.lock.yml | 5 +- .../example-custom-error-patterns.lock.yml | 4 +- .../example-permissions-warning.lock.yml | 4 +- .../example-workflow-analyzer.lock.yml | 4 +- .github/workflows/firewall-escape.lock.yml | 4 +- .github/workflows/firewall.lock.yml | 4 +- .../github-mcp-structural-analysis.lock.yml | 4 +- .../github-mcp-tools-report.lock.yml | 4 +- .../github-remote-mcp-auth-test.lock.yml | 4 +- .../workflows/glossary-maintainer.lock.yml | 4 +- .github/workflows/go-fan.lock.yml | 4 +- .github/workflows/go-logger.lock.yml | 4 +- .../workflows/go-pattern-detector.lock.yml | 4 +- .github/workflows/grumpy-reviewer.lock.yml | 4 +- .github/workflows/hourly-ci-cleaner.lock.yml | 4 +- .../workflows/instructions-janitor.lock.yml | 4 +- .github/workflows/issue-arborist.lock.yml | 5 +- .github/workflows/issue-monster.lock.yml | 4 +- .github/workflows/issue-triage-agent.lock.yml | 4 +- .github/workflows/jsweep.lock.yml | 4 +- .../workflows/layout-spec-maintainer.lock.yml | 4 +- .github/workflows/lockfile-stats.lock.yml | 4 +- .github/workflows/mcp-inspector.lock.yml | 4 +- .github/workflows/mergefest.lock.yml | 4 +- .github/workflows/metrics-collector.lock.yml | 4 +- .../workflows/notion-issue-summary.lock.yml | 4 +- .github/workflows/org-health-report.lock.yml | 4 +- .github/workflows/pdf-summary.lock.yml | 4 +- .github/workflows/plan.lock.yml | 4 +- .github/workflows/poem-bot.lock.yml | 4 +- .github/workflows/portfolio-analyst.lock.yml | 4 +- .../workflows/pr-nitpick-reviewer.lock.yml | 4 +- .github/workflows/pr-triage-agent.lock.yml | 4 +- .../prompt-clustering-analysis.lock.yml | 4 +- .github/workflows/python-data-charts.lock.yml | 4 +- .github/workflows/q.lock.yml | 4 +- .github/workflows/release.lock.yml | 4 +- .../workflows/repo-audit-analyzer.lock.yml | 4 +- .github/workflows/repo-tree-map.lock.yml | 4 +- .../repository-quality-improver.lock.yml | 4 +- .github/workflows/research.lock.yml | 4 +- .github/workflows/safe-output-health.lock.yml | 4 +- .../schema-consistency-checker.lock.yml | 4 +- .github/workflows/scout.lock.yml | 4 +- .../workflows/secret-scanning-triage.lock.yml | 4 +- .../security-alert-burndown.lock.yml | 4 +- .../workflows/security-compliance.lock.yml | 4 +- .github/workflows/security-fix-pr.lock.yml | 4 +- .github/workflows/security-guard.lock.yml | 4 +- .github/workflows/security-review.lock.yml | 4 +- .../semantic-function-refactor.lock.yml | 4 +- .github/workflows/sergo.lock.yml | 4 +- .../workflows/slide-deck-maintainer.lock.yml | 4 +- .github/workflows/smoke-claude.lock.yml | 4 +- .github/workflows/smoke-codex.lock.yml | 5 +- .github/workflows/smoke-copilot.lock.yml | 4 +- .github/workflows/smoke-test-tools.lock.yml | 4 +- .../workflows/stale-repo-identifier.lock.yml | 4 +- .../workflows/static-analysis-report.lock.yml | 4 +- .../workflows/step-name-alignment.lock.yml | 4 +- .github/workflows/sub-issue-closer.lock.yml | 4 +- .github/workflows/super-linter.lock.yml | 4 +- .../workflows/technical-doc-writer.lock.yml | 4 +- .github/workflows/terminal-stylist.lock.yml | 4 +- .../test-create-pr-error-handling.lock.yml | 4 +- .github/workflows/tidy.lock.yml | 4 +- .github/workflows/typist.lock.yml | 4 +- .../workflows/ubuntu-image-analyzer.lock.yml | 4 +- .github/workflows/unbloat-docs.lock.yml | 4 +- .github/workflows/video-analyzer.lock.yml | 4 +- .../workflows/weekly-issue-summary.lock.yml | 4 +- .github/workflows/workflow-generator.lock.yml | 4 +- .../workflow-health-manager.lock.yml | 4 +- .../workflows/workflow-normalizer.lock.yml | 4 +- .../workflow-skill-extractor.lock.yml | 4 +- actions/setup/sh/install_parallel_setup.sh | 142 ++++++++++++++---- pkg/workflow/claude_engine_network_test.go | 7 +- pkg/workflow/codex_engine.go | 41 ++--- .../firewall_default_enablement_test.go | 6 + pkg/workflow/firewall_version_pinning_test.go | 7 + pkg/workflow/firewall_workflow_test.go | 4 +- pkg/workflow/parallel_installation.go | 105 ++++++++++--- 148 files changed, 660 insertions(+), 241 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index e153fcac2a..c921cb7a2b 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -160,7 +160,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index a8914b66fa..66d291e2c2 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -162,7 +162,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 5c386090a6..58c55c0fb4 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -168,7 +168,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 7feeb39bbb..6a41e08ec1 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -189,7 +189,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 48805174f3..a73f564e6f 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -147,7 +147,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 8af9aaf597..7bbe5169f0 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -220,7 +220,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index d97e5b5828..6673b76d97 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 6ad87971cd..6bbd8eecd3 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 698bd99a33..638f1b2b08 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -177,7 +177,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 5f9d0ac575..1049fc1d33 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -144,7 +144,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 99949cdc35..ee6f703b72 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -179,21 +179,15 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index ae4ca0844f..bff9d16a94 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 python:alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index c0628f90b0..9e4dfa0002 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -200,7 +200,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 36ffbb9a14..82b2452adb 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -170,7 +170,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 45044e4c8f..41bcff8c01 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -159,7 +159,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index d3b32cf70c..a2077f0a77 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -143,7 +143,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index e77db7cd91..e45ca75cfd 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -166,7 +166,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 0f7de59130..3487001111 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -250,7 +250,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 07afa7ef2b..e6a88235a6 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -163,7 +163,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 80294c40e2..9b3e2163bf 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 8c32a8c176..1a98437694 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -127,8 +127,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 + - name: Install dependencies in parallel + run: | + # Install dependencies in parallel to reduce setup time + # This parallelizes AWF binary, CLI, and Docker image downloads + bash /opt/gh-aw/actions/install_parallel_setup.sh \ + --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -139,8 +146,6 @@ jobs: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 - name: Start MCP gateway id: start-mcp-gateway env: diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index da6cc6220c..dc28592356 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -153,7 +153,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index cc1b5325fd..8cfcb70866 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -183,7 +183,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 95431079a1..244a26ed9b 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 31b7090e46..1705e680ff 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -148,7 +148,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker node:lts-alpine - name: Write Safe Outputs Config run: | diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 5e97afac8d..9a0cbb8cd7 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -208,7 +208,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 04d0d3650f..57bf323e6d 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -179,7 +179,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 6eac632ef9..895e10e882 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -207,7 +207,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 04b2f784c9..6f52c84da1 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -179,7 +179,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 2c44936685..42cf419162 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -142,7 +142,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index a7de6000a8..7bbaa7c8c6 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -146,7 +146,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 8eb02a89ca..c3c66ddb86 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -157,7 +157,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 08239c9f7e..59b86cef23 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -196,7 +196,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 2f9c3e403e..a5d36748ec 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 04f47fef2b..6dee5e3e6d 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -206,7 +206,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index b4d71ff3ee..14b77b43e2 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index b61e97915c..50a8632419 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -132,14 +132,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index f7f647d9fc..64356bfa7c 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index a7bfe30534..24c58c40ce 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -202,7 +202,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index aa792e96d7..792a039c70 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -196,14 +196,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index bb7a097b26..f2eef77d04 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -147,7 +147,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 602c0de6f4..5079696037 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -157,7 +157,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 485a57b17c..f2e20fc7f9 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -263,7 +263,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index dece7a18e5..f7fc903b04 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -151,14 +151,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 4761326380..9711e7e70b 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -186,14 +186,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index de9617dc97..d977594de8 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index dccfc41238..3bd082f6bb 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -183,7 +183,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index b0bc7910c1..851a4f3799 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -190,7 +190,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 713b7a79a0..4101d45d46 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -148,7 +148,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index af501c63dc..8e8bd3bd86 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -148,7 +148,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine semgrep/semgrep:latest - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 0aeeb68319..4fa236352c 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -153,7 +153,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index f39f7e4252..68a5cc8a3b 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -156,7 +156,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 6fc15f2947..989a2a6826 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -160,7 +160,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 928db7a0c7..7ffaca9960 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -143,7 +143,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 4021d917d5..5226e139c2 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -196,14 +196,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 2d32849aad..723c656866 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -161,7 +161,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml index 49906b09ff..8094fb4586 100644 --- a/.github/workflows/dependabot-bundler.lock.yml +++ b/.github/workflows/dependabot-bundler.lock.yml @@ -163,7 +163,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index bdce3eae50..d3c334429b 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 7491b6c752..04097ade10 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -144,7 +144,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 7665f6ae91..93b177f323 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -173,7 +173,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 2fee9460ad..4046ab5435 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -140,7 +140,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 0b14d312a3..977454193a 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -164,7 +164,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index d9d8a02a4a..eddf9b9831 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -146,7 +146,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index d6514c6edd..06ae41e9d1 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -161,7 +161,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index c9d0d646a4..916f9ebb91 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -147,7 +147,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 0eedffcb41..6c60f4c3fa 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -142,7 +142,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 6e1c02ca57..705e012c46 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -143,14 +143,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/example-custom-error-patterns.lock.yml b/.github/workflows/example-custom-error-patterns.lock.yml index fb439be453..4ccce07d0e 100644 --- a/.github/workflows/example-custom-error-patterns.lock.yml +++ b/.github/workflows/example-custom-error-patterns.lock.yml @@ -129,7 +129,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 43392652d0..60513fe457 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -128,7 +128,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 67e378c0f5..5bc0b4b24c 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -152,7 +152,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 5179c228bc..4fbd6feac4 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -174,7 +174,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 30034903c5..e0fde77928 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -128,7 +128,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 0a012320ad..9569574c5c 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -188,7 +188,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 3045b190a1..ac8c52ecdb 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -165,7 +165,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 36bb28713d..8ef4c6e929 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -143,7 +143,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 1bd05bdc4e..091650df77 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -159,7 +159,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 8a08cfd083..af76074f05 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -162,7 +162,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 4aad47289c..069c2f5044 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -178,7 +178,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 003b51bd67..4fd2a6e8be 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -153,7 +153,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/ast-grep:latest node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 5b14576fe8..1ebb538134 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -188,7 +188,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 79e7e23dd9..73a3f9e966 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -172,7 +172,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 85dc9069aa..95b639dba5 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index e0a725ad73..692b4a0ade 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -154,14 +154,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index d895a4277b..b5c7332907 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -155,7 +155,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 5802b96497..6a03c1ce64 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -127,7 +127,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index bb75529a26..a971707bac 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -164,7 +164,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index cb4e1c9a1b..97dfdbb2d5 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index eaa090b0bd..c6ca4238da 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -162,7 +162,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 3a1ef9f3dc..90b1f94024 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -201,7 +201,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker docker.io/mcp/brave-search ghcr.io/github/github-mcp-server:v0.30.2 mcp/arxiv-mcp-server mcp/ast-grep:latest mcp/context7 mcp/markitdown mcp/memory mcp/notion node:lts-alpine python:alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 992144e6fc..6680d322ab 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -165,7 +165,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 22b34fdd95..8e1ca2d69b 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -144,7 +144,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 219f8e326f..3bec098c16 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -149,7 +149,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/notion node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 6a15114046..8f17ca490d 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -187,7 +187,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Write Safe Outputs Config run: | diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 96fb66d039..e66ea09977 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -208,7 +208,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/markitdown node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 0f911c51cd..422fcb959b 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -178,7 +178,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 6998c7712f..bc1afec5df 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -197,7 +197,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index f3796e9542..a0ea68988c 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -209,7 +209,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index b0175c7c0a..d16a5465c6 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -209,7 +209,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index a338ff1c97..acd8db8a71 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 99929c37c8..727c56c9b1 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -235,7 +235,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 6306a9d3af..7dcbd8d746 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -181,7 +181,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 9a799a7d04..4fe64eb217 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -237,7 +237,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6539469474..30a5c398d8 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -162,7 +162,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 8abb5ed556..17e25423aa 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -164,7 +164,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e88fa6878a..fbd721b711 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -147,7 +147,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index da346fdf1f..b04dd1d248 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -160,7 +160,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 730c6ea9cc..47f2f98bee 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 617564ba1a..d124a7ba85 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -187,7 +187,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 2cb17f218d..c327067702 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -165,7 +165,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 093bdb2086..a0fa87d3f6 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -241,7 +241,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcp/arxiv-mcp-server mcp/markitdown node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml index ee0daf9b42..acf18bcc4b 100644 --- a/.github/workflows/secret-scanning-triage.lock.yml +++ b/.github/workflows/secret-scanning-triage.lock.yml @@ -165,7 +165,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index 8a7b3f4d98..a77050f3de 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml @@ -141,7 +141,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 97b23f4d05..f5eea1e412 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 5f01fbc3de..9d7e732253 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -168,7 +168,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 7822a228be..7e41f141c2 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -148,7 +148,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index cb70c4341a..07b5649866 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -193,7 +193,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 235e907021..12d3bde8df 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -151,7 +151,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 9261d11756..397eb86e60 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -163,7 +163,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 5bdc1ce899..1c6c385159 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -172,7 +172,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 929ec18fe2..d29388172e 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -198,7 +198,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 7d82d06cd8..6af620216a 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -191,14 +191,15 @@ jobs: package-manager-cache: false - name: Install Codex run: npm install -g --silent @openai/codex@0.92.0 - - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.11.2 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ + --cli-npm @openai/codex \ + --cli-version 0.92.0 \ + --cli-verify "codex --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 432c0833fb..49a5537a09 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -191,7 +191,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker alpine:latest ghcr.io/github/github-mcp-server:v0.30.2 ghcr.io/githubnext/gh-aw-mcpg:v0.0.84 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index b55aa4c85e..637ce47cd6 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -174,7 +174,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 1eb7b8ddb1..7cb0701890 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -229,7 +229,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Write Safe Outputs Config run: | diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 855738b5ff..563ea9d2cf 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -186,7 +186,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index d22364c613..b076635e22 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -158,7 +158,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index c8f8f24671..2c374425f4 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -142,7 +142,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 8ae1001aba..b3c52c761e 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -166,7 +166,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 45091e4065..ad4184766b 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -178,7 +178,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 04b4c9b870..ca0c0c6456 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -141,7 +141,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 28e343101e..1f103f2b3f 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -155,7 +155,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 1f5e9cfaea..f4d9669256 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -189,7 +189,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 0557ffad38..394d1fce8d 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -150,7 +150,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 54354f03e5..2d9ff30fb1 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -147,7 +147,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index be9f3962aa..a51114f11c 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -203,7 +203,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --claude 2.1.22 \ + --cli-npm @anthropic-ai/claude-code \ + --cli-version 2.1.22 \ + --cli-verify "claude-code --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 mcr.microsoft.com/playwright/mcp node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 262c63cd74..b6e2107e38 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -157,7 +157,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index e56e6ebdab..154bb075fc 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -164,7 +164,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index f0eec31695..7ca7bc971b 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -173,7 +173,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index b5b1e360c9..e4618cf132 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -159,7 +159,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 25e003bf26..209f00f514 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -165,7 +165,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 768998d94e..be50696186 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -148,7 +148,9 @@ jobs: # This parallelizes AWF binary, CLI, and Docker image downloads bash /opt/gh-aw/actions/install_parallel_setup.sh \ --awf v0.11.2 \ - --copilot 0.0.397 \ + --cli-script https://raw.githubusercontent.com/github/copilot-cli/main/install.sh \ + --cli-version 0.0.397 \ + --cli-verify "copilot --version" \ --docker ghcr.io/github/github-mcp-server:v0.30.2 node:lts-alpine - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown diff --git a/actions/setup/sh/install_parallel_setup.sh b/actions/setup/sh/install_parallel_setup.sh index 0ceb662489..e30d87bb17 100755 --- a/actions/setup/sh/install_parallel_setup.sh +++ b/actions/setup/sh/install_parallel_setup.sh @@ -1,13 +1,21 @@ #!/usr/bin/env bash # Install dependencies in parallel to reduce sequential execution time -# Usage: install_parallel_setup.sh [--awf VERSION] [--copilot VERSION] [--claude VERSION] [--docker IMAGE1 IMAGE2 ...] +# Usage: install_parallel_setup.sh [OPTIONS] # # This script parallelizes independent setup operations: # - AWF binary installation (if --awf is specified) -# - Copilot CLI installation (if --copilot is specified) -# - Claude Code CLI installation (if --claude is specified) +# - CLI installation via script, npm, or download (if --cli-* is specified) # - Docker image downloads (if --docker is specified) # +# Options: +# --awf VERSION Install AWF binary with version VERSION +# --cli-script URL Install CLI using installer script from URL +# --cli-npm PACKAGE Install CLI using npm install -g PACKAGE +# --cli-download URL Install CLI by downloading binary from URL +# --cli-version VERSION Version for CLI installation (optional) +# --cli-verify CMD Command to verify CLI installation (optional) +# --docker IMAGE... Download Docker images (space-separated list) +# # All operations run in parallel using background jobs, with proper error handling # that preserves exit codes from failed jobs. @@ -15,8 +23,12 @@ set -euo pipefail # Parse arguments AWF_VERSION="" -COPILOT_VERSION="" -CLAUDE_VERSION="" +CLI_METHOD="" +CLI_SCRIPT_URL="" +CLI_NPM_PACKAGE="" +CLI_DOWNLOAD_URL="" +CLI_VERSION="" +CLI_VERIFY_CMD="" DOCKER_IMAGES=() while [[ $# -gt 0 ]]; do @@ -25,12 +37,27 @@ while [[ $# -gt 0 ]]; do AWF_VERSION="$2" shift 2 ;; - --copilot) - COPILOT_VERSION="$2" + --cli-script) + CLI_METHOD="script" + CLI_SCRIPT_URL="$2" + shift 2 + ;; + --cli-npm) + CLI_METHOD="npm" + CLI_NPM_PACKAGE="$2" shift 2 ;; - --claude) - CLAUDE_VERSION="$2" + --cli-download) + CLI_METHOD="download" + CLI_DOWNLOAD_URL="$2" + shift 2 + ;; + --cli-version) + CLI_VERSION="$2" + shift 2 + ;; + --cli-verify) + CLI_VERIFY_CMD="$2" shift 2 ;; --docker) @@ -43,7 +70,7 @@ while [[ $# -gt 0 ]]; do ;; *) echo "ERROR: Unknown option: $1" - echo "Usage: $0 [--awf VERSION] [--copilot VERSION] [--claude VERSION] [--docker IMAGE1 IMAGE2 ...]" + echo "Usage: $0 [--awf VERSION] [--cli-script URL | --cli-npm PACKAGE | --cli-download URL] [--cli-version VERSION] [--cli-verify CMD] [--docker IMAGE1 IMAGE2 ...]" exit 1 ;; esac @@ -69,29 +96,78 @@ if [ -n "$AWF_VERSION" ]; then JOB_NAMES+=("AWF binary") fi -# Start Copilot CLI installation in background if requested -if [ -n "$COPILOT_VERSION" ]; then - echo "Starting Copilot CLI installation (version: $COPILOT_VERSION)..." - { - bash /opt/gh-aw/actions/install_copilot_cli.sh "$COPILOT_VERSION" - exit $? - } & - PIDS+=($!) - JOB_NAMES+=("Copilot CLI") -fi - -# Start Claude Code CLI installation in background if requested -if [ -n "$CLAUDE_VERSION" ]; then - echo "Starting Claude Code CLI installation (version: $CLAUDE_VERSION)..." - { - # Claude is installed via npm, so we use a temporary Node.js setup - # Note: Node.js should already be set up before this script is called - npm install -g "@anthropic-ai/claude-code@$CLAUDE_VERSION" - claude-code --version - exit $? - } & - PIDS+=($!) - JOB_NAMES+=("Claude Code CLI") +# Start CLI installation in background if requested +if [ -n "$CLI_METHOD" ]; then + case "$CLI_METHOD" in + script) + echo "Starting CLI installation via script (URL: $CLI_SCRIPT_URL)..." + { + # Download installer script + INSTALLER_TEMP="/tmp/cli-install-$$.sh" + curl -fsSL "$CLI_SCRIPT_URL" -o "$INSTALLER_TEMP" + + # Execute the installer with version if specified + if [ -n "$CLI_VERSION" ]; then + sudo VERSION="$CLI_VERSION" bash "$INSTALLER_TEMP" + else + sudo bash "$INSTALLER_TEMP" + fi + + # Cleanup + rm -f "$INSTALLER_TEMP" + + # Verify installation if command provided + if [ -n "$CLI_VERIFY_CMD" ]; then + eval "$CLI_VERIFY_CMD" + fi + + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("CLI (script)") + ;; + npm) + echo "Starting CLI installation via npm (package: $CLI_NPM_PACKAGE)..." + { + # Install via npm + if [ -n "$CLI_VERSION" ]; then + npm install -g "${CLI_NPM_PACKAGE}@${CLI_VERSION}" + else + npm install -g "$CLI_NPM_PACKAGE" + fi + + # Verify installation if command provided + if [ -n "$CLI_VERIFY_CMD" ]; then + eval "$CLI_VERIFY_CMD" + fi + + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("CLI (npm)") + ;; + download) + echo "Starting CLI installation via direct download (URL: $CLI_DOWNLOAD_URL)..." + { + # Download binary + CLI_TEMP="/tmp/cli-binary-$$" + curl -fsSL "$CLI_DOWNLOAD_URL" -o "$CLI_TEMP" + + # Make executable and install + chmod +x "$CLI_TEMP" + sudo mv "$CLI_TEMP" /usr/local/bin/ + + # Verify installation if command provided + if [ -n "$CLI_VERIFY_CMD" ]; then + eval "$CLI_VERIFY_CMD" + fi + + exit $? + } & + PIDS+=($!) + JOB_NAMES+=("CLI (download)") + ;; + esac fi # Start Docker image downloads in background if requested diff --git a/pkg/workflow/claude_engine_network_test.go b/pkg/workflow/claude_engine_network_test.go index 2edc40b18f..b7ba7091c3 100644 --- a/pkg/workflow/claude_engine_network_test.go +++ b/pkg/workflow/claude_engine_network_test.go @@ -62,8 +62,8 @@ func TestClaudeEngineNetworkPermissions(t *testing.T) { if config.AWFVersion == "" { t.Error("Parallel installation should include AWF version") } - if config.ClaudeVersion == "" { - t.Error("Parallel installation should include Claude version") + if config.CLIInfo == nil { + t.Error("Parallel installation should include CLI info") } }) @@ -235,6 +235,9 @@ func TestNetworkPermissionsIntegration(t *testing.T) { if parallelConfig.AWFVersion == "" { t.Error("Parallel installation config should include AWF version") } + if parallelConfig.CLIInfo == nil { + t.Error("Parallel installation should include CLI info") + } // Get execution steps execSteps := engine.GetExecutionSteps(workflowData, "test-log") diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go index b76557b077..81d549ee86 100644 --- a/pkg/workflow/codex_engine.go +++ b/pkg/workflow/codex_engine.go @@ -75,8 +75,27 @@ func (e *CodexEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHubA return []GitHubActionStep{} } - // Use base installation steps (secret validation + npm install) - steps := GetBaseInstallationSteps(EngineInstallConfig{ + // Check if parallel installation will be used + useParallel := isFirewallEnabled(workflowData) + + if useParallel { + // When using parallel installation, only return secret validation step + // CLI installation will be handled by the parallel installation step + codexEngineLog.Print("Using parallel installation, only adding secret validation") + + var steps []GitHubActionStep + secretValidation := GenerateMultiSecretValidationStep( + []string{"CODEX_API_KEY", "OPENAI_API_KEY"}, + "Codex", + "https://githubnext.github.io/gh-aw/reference/engines/#openai-codex", + ) + steps = append(steps, secretValidation) + return steps + } + + // Sequential installation (no firewall): use base installation steps (secret validation + npm install) + codexEngineLog.Print("Using sequential installation") + return GetBaseInstallationSteps(EngineInstallConfig{ Secrets: []string{"CODEX_API_KEY", "OPENAI_API_KEY"}, DocsURL: "https://githubnext.github.io/gh-aw/reference/engines/#openai-codex", NpmPackage: "@openai/codex", @@ -84,24 +103,6 @@ func (e *CodexEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHubA Name: "Codex", CliName: "codex", }, workflowData) - - // Add AWF installation step if firewall is enabled - if isFirewallEnabled(workflowData) { - firewallConfig := getFirewallConfig(workflowData) - agentConfig := getAgentConfig(workflowData) - var awfVersion string - if firewallConfig != nil { - awfVersion = firewallConfig.Version - } - - // Install AWF binary (or skip if custom command is specified) - awfInstall := generateAWFInstallationStep(awfVersion, agentConfig) - if len(awfInstall) > 0 { - steps = append(steps, awfInstall) - } - } - - return steps } // GetDeclaredOutputFiles returns the output files that Codex may produce diff --git a/pkg/workflow/firewall_default_enablement_test.go b/pkg/workflow/firewall_default_enablement_test.go index f059bdee0b..909df93142 100644 --- a/pkg/workflow/firewall_default_enablement_test.go +++ b/pkg/workflow/firewall_default_enablement_test.go @@ -196,6 +196,9 @@ func TestCopilotFirewallDefaultIntegration(t *testing.T) { if config.AWFVersion == "" { t.Error("Parallel installation config should include AWF version") } + if config.CLIInfo == nil { + t.Error("Parallel installation should include CLI info") + } // Generate the parallel installation step to verify it contains AWF parallelStep := generateParallelInstallationStep(config) @@ -204,6 +207,9 @@ func TestCopilotFirewallDefaultIntegration(t *testing.T) { if !strings.Contains(parallelStepStr, "--awf") || !strings.Contains(parallelStepStr, "install_parallel_setup.sh") { t.Error("Expected AWF installation to be included in parallel installation step") } + if !strings.Contains(parallelStepStr, "--cli-") { + t.Error("Expected CLI installation to be included in parallel installation step") + } }) t.Run("copilot workflow with explicit firewall:false does not include AWF", func(t *testing.T) { diff --git a/pkg/workflow/firewall_version_pinning_test.go b/pkg/workflow/firewall_version_pinning_test.go index 6fd68a9512..4762825f77 100644 --- a/pkg/workflow/firewall_version_pinning_test.go +++ b/pkg/workflow/firewall_version_pinning_test.go @@ -97,6 +97,9 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { if config.AWFVersion != string(constants.DefaultFirewallVersion) { t.Errorf("Expected AWF version %s, got %s", string(constants.DefaultFirewallVersion), config.AWFVersion) } + if config.CLIInfo == nil { + t.Error("Parallel installation should include CLI info for Copilot") + } // Generate the parallel installation step to verify it contains AWF installation parallelStep := generateParallelInstallationStep(config) @@ -114,6 +117,10 @@ func TestCopilotEngineFirewallInstallation(t *testing.T) { if !strings.Contains(parallelStepStr, "--awf") { t.Error("Parallel installation should include --awf flag") } + // Verify it includes CLI installation flags + if !strings.Contains(parallelStepStr, "--cli-") { + t.Error("Parallel installation should include CLI installation flags") + } }) t.Run("uses custom version when specified in firewall config", func(t *testing.T) { diff --git a/pkg/workflow/firewall_workflow_test.go b/pkg/workflow/firewall_workflow_test.go index 2dd7cc76f2..ca2d6fbe56 100644 --- a/pkg/workflow/firewall_workflow_test.go +++ b/pkg/workflow/firewall_workflow_test.go @@ -62,8 +62,8 @@ func TestFirewallWorkflowNetworkConfiguration(t *testing.T) { if config.AWFVersion == "" { t.Error("Parallel installation should include AWF version") } - if config.ClaudeVersion == "" { - t.Error("Parallel installation should include Claude version") + if config.CLIInfo == nil { + t.Error("Parallel installation should include CLI info") } }) diff --git a/pkg/workflow/parallel_installation.go b/pkg/workflow/parallel_installation.go index 7793450a4d..57e99d1b3e 100644 --- a/pkg/workflow/parallel_installation.go +++ b/pkg/workflow/parallel_installation.go @@ -10,19 +10,37 @@ import ( var parallelInstallLog = logger.New("workflow:parallel_installation") +// CLIInstallMethod defines how a CLI should be installed +type CLIInstallMethod string + +const ( + CLIInstallMethodScript CLIInstallMethod = "script" // Use installer script from URL + CLIInstallMethodNpm CLIInstallMethod = "npm" // Use npm install + CLIInstallMethodDownload CLIInstallMethod = "download" // Direct binary download +) + +// CLIInstallInfo contains information about how to install a CLI +type CLIInstallInfo struct { + Method CLIInstallMethod // Installation method + Version string // Version to install + PackageName string // NPM package name (for npm method) + ScriptURL string // Installer script URL (for script method) + BinaryURL string // Binary download URL (for download method) + VerifyCmd string // Command to verify installation (e.g., "copilot --version") +} + // ParallelInstallConfig holds configuration for parallel installation type ParallelInstallConfig struct { - AWFVersion string // AWF binary version to install (empty to skip) - CopilotVersion string // Copilot CLI version to install (empty to skip) - ClaudeVersion string // Claude Code CLI version to install (empty to skip) - DockerImages []string // Docker images to download (empty to skip) + AWFVersion string // AWF binary version to install (empty to skip) + CLIInfo *CLIInstallInfo // CLI installation info (nil to skip) + DockerImages []string // Docker images to download (empty to skip) } // generateParallelInstallationStep generates a single step that installs dependencies in parallel // This parallelizes AWF binary installation, CLI installation, and Docker image downloads // to reduce sequential execution time by 8-12 seconds. func generateParallelInstallationStep(config ParallelInstallConfig) GitHubActionStep { - if config.AWFVersion == "" && config.CopilotVersion == "" && config.ClaudeVersion == "" && len(config.DockerImages) == 0 { + if config.AWFVersion == "" && config.CLIInfo == nil && len(config.DockerImages) == 0 { parallelInstallLog.Print("No parallel installations configured, skipping") return GitHubActionStep([]string{}) } @@ -32,10 +50,7 @@ func generateParallelInstallationStep(config ParallelInstallConfig) GitHubAction if config.AWFVersion != "" { operationCount++ } - if config.CopilotVersion != "" { - operationCount++ - } - if config.ClaudeVersion != "" { + if config.CLIInfo != nil { operationCount++ } if len(config.DockerImages) > 0 { @@ -57,14 +72,34 @@ func generateParallelInstallationStep(config ParallelInstallConfig) GitHubAction stepLines = append(stepLines, fmt.Sprintf(" --awf %s \\", config.AWFVersion)) } - // Add Copilot installation argument - if config.CopilotVersion != "" { - stepLines = append(stepLines, fmt.Sprintf(" --copilot %s \\", config.CopilotVersion)) - } - - // Add Claude installation argument - if config.ClaudeVersion != "" { - stepLines = append(stepLines, fmt.Sprintf(" --claude %s \\", config.ClaudeVersion)) + // Add CLI installation arguments based on method + if config.CLIInfo != nil { + switch config.CLIInfo.Method { + case CLIInstallMethodScript: + // Pass script URL and version + stepLines = append(stepLines, fmt.Sprintf(" --cli-script %s \\", config.CLIInfo.ScriptURL)) + if config.CLIInfo.Version != "" { + stepLines = append(stepLines, fmt.Sprintf(" --cli-version %s \\", config.CLIInfo.Version)) + } + if config.CLIInfo.VerifyCmd != "" { + stepLines = append(stepLines, fmt.Sprintf(" --cli-verify %q \\", config.CLIInfo.VerifyCmd)) + } + case CLIInstallMethodNpm: + // Pass npm package and version + stepLines = append(stepLines, fmt.Sprintf(" --cli-npm %s \\", config.CLIInfo.PackageName)) + if config.CLIInfo.Version != "" { + stepLines = append(stepLines, fmt.Sprintf(" --cli-version %s \\", config.CLIInfo.Version)) + } + if config.CLIInfo.VerifyCmd != "" { + stepLines = append(stepLines, fmt.Sprintf(" --cli-verify %q \\", config.CLIInfo.VerifyCmd)) + } + case CLIInstallMethodDownload: + // Pass binary URL + stepLines = append(stepLines, fmt.Sprintf(" --cli-download %s \\", config.CLIInfo.BinaryURL)) + if config.CLIInfo.VerifyCmd != "" { + stepLines = append(stepLines, fmt.Sprintf(" --cli-verify %q \\", config.CLIInfo.VerifyCmd)) + } + } } // Add Docker images argument @@ -89,7 +124,7 @@ func generateParallelInstallationStep(config ParallelInstallConfig) GitHubAction // ShouldUseParallelInstallation determines if parallel installation should be used // based on the workflow configuration. Parallel installation is used when: // - AWF binary needs to be installed (firewall enabled) -// - CLI needs to be installed (Copilot or Claude) +// - CLI needs to be installed (Copilot, Claude, or Codex) // - Docker images need to be downloaded // - SRT is NOT enabled (SRT has sequential dependencies) func ShouldUseParallelInstallation(workflowData *WorkflowData, engine CodingAgentEngine) bool { @@ -104,17 +139,18 @@ func ShouldUseParallelInstallation(workflowData *WorkflowData, engine CodingAgen } // Use parallel installation if firewall is enabled (AWF binary needed) - // and we're installing a CLI (Copilot or Claude) + // and we're installing a CLI (Copilot, Claude, or Codex) if isFirewallEnabled(workflowData) { engineID := engine.GetID() - if engineID == "copilot" || engineID == "claude" { + if engineID == "copilot" || engineID == "claude" || engineID == "codex" { return true } } // Also use parallel if we have Docker images to download dockerImages := collectDockerImages(workflowData.Tools, workflowData) - if len(dockerImages) > 0 && (isFirewallEnabled(workflowData) || engine.GetID() == "copilot" || engine.GetID() == "claude") { + engineID := engine.GetID() + if len(dockerImages) > 0 && (isFirewallEnabled(workflowData) || engineID == "copilot" || engineID == "claude" || engineID == "codex") { return true } @@ -140,7 +176,7 @@ func GetParallelInstallConfig(workflowData *WorkflowData, engine CodingAgentEngi } } - // Get CLI version based on engine + // Get CLI installation info based on engine engineID := engine.GetID() switch engineID { case "copilot": @@ -150,14 +186,35 @@ func GetParallelInstallConfig(workflowData *WorkflowData, engine CodingAgentEngi } // Only use parallel if installing globally (not for SRT local installation) if !isSRTEnabled(workflowData) { - config.CopilotVersion = version + config.CLIInfo = &CLIInstallInfo{ + Method: CLIInstallMethodScript, + Version: version, + ScriptURL: "https://raw.githubusercontent.com/github/copilot-cli/main/install.sh", + VerifyCmd: "copilot --version", + } } case "claude": version := string(constants.DefaultClaudeCodeVersion) if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { version = workflowData.EngineConfig.Version } - config.ClaudeVersion = version + config.CLIInfo = &CLIInstallInfo{ + Method: CLIInstallMethodNpm, + Version: version, + PackageName: "@anthropic-ai/claude-code", + VerifyCmd: "claude-code --version", + } + case "codex": + version := string(constants.DefaultCodexVersion) + if workflowData.EngineConfig != nil && workflowData.EngineConfig.Version != "" { + version = workflowData.EngineConfig.Version + } + config.CLIInfo = &CLIInstallInfo{ + Method: CLIInstallMethodNpm, + Version: version, + PackageName: "@openai/codex", + VerifyCmd: "codex --version", + } } // Get Docker images From 0d2519166b6f9aa3ee33227a5d28038d43f726de Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 30 Jan 2026 00:52:47 +0000 Subject: [PATCH 7/8] Fix test expectations for parallel installation - Update engine_includes_test.go to check for parallel installation - Update sandbox_custom_agent_test.go to allow parallel AWF installation - Fix ShouldUseParallelInstallation to require 2+ operations - All unit tests now pass with parallel installation implementation Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- pkg/workflow/engine_includes_test.go | 16 +++++++---- pkg/workflow/parallel_installation.go | 33 +++++++++++++---------- pkg/workflow/sandbox_custom_agent_test.go | 8 +++--- 3 files changed, 35 insertions(+), 22 deletions(-) diff --git a/pkg/workflow/engine_includes_test.go b/pkg/workflow/engine_includes_test.go index 700a1aaaf3..de7f5092e4 100644 --- a/pkg/workflow/engine_includes_test.go +++ b/pkg/workflow/engine_includes_test.go @@ -74,8 +74,11 @@ This should inherit the engine from the included file. lockStr := string(lockContent) // Should contain references to codex installation and execution - if !strings.Contains(lockStr, "Install Codex") { - t.Error("Expected lock file to contain 'Install Codex' step") + // Check for either sequential "Install Codex" or parallel installation step + hasCodexInstall := strings.Contains(lockStr, "Install Codex") || + (strings.Contains(lockStr, "Install dependencies in parallel") && strings.Contains(lockStr, "--cli-npm @openai/codex")) + if !hasCodexInstall { + t.Error("Expected lock file to contain Codex installation step (sequential or parallel)") } if !strings.Contains(lockStr, "codex") || !strings.Contains(lockStr, "exec") { t.Error("Expected lock file to contain 'codex exec' command") @@ -299,12 +302,15 @@ This workflow specifies claude engine directly without any includes. } lockStr := string(lockContent) - // Should contain references to claude command and npm install + // Should contain references to claude command and installation if !strings.Contains(lockStr, "claude --print") { t.Error("Expected lock file to contain claude command reference") } - if !strings.Contains(lockStr, "npm install -g --silent @anthropic-ai/claude-code") { - t.Error("Expected lock file to contain npm install command") + // Check for either sequential npm install or parallel installation + hasClaudeInstall := strings.Contains(lockStr, "npm install -g --silent @anthropic-ai/claude-code") || + (strings.Contains(lockStr, "Install dependencies in parallel") && strings.Contains(lockStr, "--cli-npm @anthropic-ai/claude-code")) + if !hasClaudeInstall { + t.Error("Expected lock file to contain Claude installation (sequential or parallel)") } } diff --git a/pkg/workflow/parallel_installation.go b/pkg/workflow/parallel_installation.go index 57e99d1b3e..4b26d6aad8 100644 --- a/pkg/workflow/parallel_installation.go +++ b/pkg/workflow/parallel_installation.go @@ -123,9 +123,8 @@ func generateParallelInstallationStep(config ParallelInstallConfig) GitHubAction // ShouldUseParallelInstallation determines if parallel installation should be used // based on the workflow configuration. Parallel installation is used when: -// - AWF binary needs to be installed (firewall enabled) -// - CLI needs to be installed (Copilot, Claude, or Codex) -// - Docker images need to be downloaded +// - Multiple independent network-bound operations need to run (AWF + CLI + Docker) +// - At minimum, need 2 or more operations to justify parallelization overhead // - SRT is NOT enabled (SRT has sequential dependencies) func ShouldUseParallelInstallation(workflowData *WorkflowData, engine CodingAgentEngine) bool { // Don't use parallel installation if custom command is specified @@ -138,23 +137,29 @@ func ShouldUseParallelInstallation(workflowData *WorkflowData, engine CodingAgen return false } - // Use parallel installation if firewall is enabled (AWF binary needed) - // and we're installing a CLI (Copilot, Claude, or Codex) + // Count how many independent operations we have + operationCount := 0 + + // AWF binary installation if isFirewallEnabled(workflowData) { - engineID := engine.GetID() - if engineID == "copilot" || engineID == "claude" || engineID == "codex" { - return true - } + operationCount++ } - // Also use parallel if we have Docker images to download - dockerImages := collectDockerImages(workflowData.Tools, workflowData) + // CLI installation (for supported engines) engineID := engine.GetID() - if len(dockerImages) > 0 && (isFirewallEnabled(workflowData) || engineID == "copilot" || engineID == "claude" || engineID == "codex") { - return true + if engineID == "copilot" || engineID == "claude" || engineID == "codex" { + operationCount++ + } + + // Docker image downloads + dockerImages := collectDockerImages(workflowData.Tools, workflowData) + if len(dockerImages) > 0 { + operationCount++ } - return false + // Use parallel installation only if we have 2 or more operations + // Single operation doesn't benefit from parallelization overhead + return operationCount >= 2 } // GetParallelInstallConfig extracts the parallel installation configuration diff --git a/pkg/workflow/sandbox_custom_agent_test.go b/pkg/workflow/sandbox_custom_agent_test.go index 884fd06dd5..a4fe5bf6b2 100644 --- a/pkg/workflow/sandbox_custom_agent_test.go +++ b/pkg/workflow/sandbox_custom_agent_test.go @@ -240,9 +240,11 @@ sandbox: t.Error("Expected standard AWF command 'sudo -E awf' with legacy type field") } - // Verify installation step is present - if !strings.Contains(lockStr, "Install awf binary") { - t.Error("Expected AWF installation step with legacy type field") + // Verify installation step is present (either individual or parallel) + hasAWFInstall := strings.Contains(lockStr, "Install awf binary") || + (strings.Contains(lockStr, "Install dependencies in parallel") && strings.Contains(lockStr, "--awf")) + if !hasAWFInstall { + t.Error("Expected AWF installation step (sequential or parallel) with legacy type field") } }) From d7b15b0ad4019fb8cd325b2edfc87ddc73cdf920 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 30 Jan 2026 00:55:52 +0000 Subject: [PATCH 8/8] Recompile workflows with engine-agnostic parallel installation - All engines (Copilot, Claude, Codex) now use generic CLI installation - Installation URLs provided by compiler, not hardcoded - Parallel installation only when 2+ independent operations exist - 9 workflows updated with new parallel installation format Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com> --- .github/workflows/codex-github-remote-mcp-test.lock.yml | 7 ------- .github/workflows/daily-fact.lock.yml | 7 ------- .github/workflows/daily-issues-report.lock.yml | 7 ------- .github/workflows/daily-observability-report.lock.yml | 7 ------- .github/workflows/daily-performance-summary.lock.yml | 7 ------- .github/workflows/deep-report.lock.yml | 7 ------- .github/workflows/duplicate-code-detector.lock.yml | 7 ------- .github/workflows/issue-arborist.lock.yml | 7 ------- .github/workflows/smoke-codex.lock.yml | 7 ------- pkg/workflow/codex_engine.go | 2 +- 10 files changed, 1 insertion(+), 64 deletions(-) diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 1a98437694..b9715bd66e 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -120,13 +120,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 50a8632419..18ef2e04e0 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -125,13 +125,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 792a039c70..b2732109c7 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -189,13 +189,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index f7fc903b04..e7de69e91f 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -144,13 +144,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 9711e7e70b..d36462ac7b 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -179,13 +179,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 5226e139c2..1446646190 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -189,13 +189,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 705e012c46..9b3842ac06 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -136,13 +136,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 692b4a0ade..c9a6bec337 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -147,13 +147,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 6af620216a..17127e4f4a 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -184,13 +184,6 @@ jobs: env: CODEX_API_KEY: ${{ secrets.CODEX_API_KEY }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - - name: Setup Node.js - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version: '24' - package-manager-cache: false - - name: Install Codex - run: npm install -g --silent @openai/codex@0.92.0 - name: Install dependencies in parallel run: | # Install dependencies in parallel to reduce setup time diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go index 81d549ee86..bd93b08d52 100644 --- a/pkg/workflow/codex_engine.go +++ b/pkg/workflow/codex_engine.go @@ -82,7 +82,7 @@ func (e *CodexEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHubA // When using parallel installation, only return secret validation step // CLI installation will be handled by the parallel installation step codexEngineLog.Print("Using parallel installation, only adding secret validation") - + var steps []GitHubActionStep secretValidation := GenerateMultiSecretValidationStep( []string{"CODEX_API_KEY", "OPENAI_API_KEY"},