diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 696f1dd4b09..2fb43105221 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -21,7 +21,7 @@ # # Generates Mermaid diagrams to visualize issue and pull request relationships when invoked with the /archie command # -# frontmatter-hash: baba8456db1f8b524a33a8bff0b322343f1cb00e4a54e7cbf1d70a3ae4fd9107 +# frontmatter-hash: 64ffad2e62d589ff586ce1a944a8fd0e9e5a71edd9eea661b55657df350b6930 name: "Archie" "on": @@ -631,26 +631,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/archie.md b/.github/workflows/archie.md index 69e40328f28..7a1c9ab4c15 100644 --- a/.github/workflows/archie.md +++ b/.github/workflows/archie.md @@ -19,7 +19,7 @@ tools: toolsets: - default edit: - bash: + bash: true safe-outputs: add-comment: max: 1 @@ -213,4 +213,4 @@ A successful Archie run: ## Begin Your Analysis -Examine the current context, analyze any linked references, generate your Mermaid diagrams using Serena, validate them, and post your visualization comment! +Examine the current context, analyze any linked references, generate your Mermaid diagrams using Serena, validate them, and post your visualization comment! \ No newline at end of file diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 2fb245683a6..d21607524b6 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -26,7 +26,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# frontmatter-hash: 0b0e8ff9ce885125b359364aa3d61b6cb25e5b7a0337dee5f1d16e501b8c72d1 +# frontmatter-hash: f32074b45081af12d316ed299d774cd3b3864da6bdcd3bf3927880fbfef19501 name: "Artifacts Summary" "on": @@ -670,26 +670,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,bun.sh,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,get.pnpm.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/artifacts-summary.md b/.github/workflows/artifacts-summary.md index c16522f6377..68169376a3d 100644 --- a/.github/workflows/artifacts-summary.md +++ b/.github/workflows/artifacts-summary.md @@ -15,7 +15,7 @@ sandbox: agent: awf # Firewall enabled (migrated from network.firewall) tools: edit: - bash: + bash: true github: toolsets: [actions, repos] safe-outputs: diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 013fb0b5a1e..a3f7f7e25a3 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -21,7 +21,7 @@ # # Automatically fixes code scanning alerts by creating pull requests with remediation # -# frontmatter-hash: db23396c88368a8a4ae67a081c2670a29099890ce486d349da5fa1e69d5c244c +# frontmatter-hash: 0597ad0df613bbb3cb159272bda8297794f7ae994dbcaa20b7ae721c8b6b8158 name: "Code Scanning Fixer" "on": @@ -684,15 +684,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index c5982d9a5f5..660925eaf72 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -18,7 +18,7 @@ tools: branch-name: memory/campaigns file-glob: [security-alert-burndown/**] edit: - bash: + bash: true cache-memory: safe-outputs: add-labels: @@ -217,4 +217,4 @@ If any step fails: - **Never Execute Untrusted Code**: Use read-only analysis tools - **Track Progress**: Cache ensures no duplicate work -Remember: Your goal is to provide a secure, well-tested fix that can be reviewed and merged safely. Focus on quality and correctness over speed. +Remember: Your goal is to provide a secure, well-tested fix that can be reviewed and merged safely. Focus on quality and correctness over speed. \ No newline at end of file diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 832051336d2..7e679f427bc 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -26,7 +26,7 @@ # - shared/go-make.md # - shared/reporting.md # -# frontmatter-hash: 18a4a615748963ed8fdadc07d89f4437bbfc0ca57c8c92e9c16a71e18994e829 +# frontmatter-hash: 6a7627dbf91cb157295287e0e2083f26fdda22959240f171b8a7e7cdfe0e390b name: "Daily CLI Performance Agent" "on": @@ -913,27 +913,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeinputs - # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeinputs --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-cli-performance.md b/.github/workflows/daily-cli-performance.md index 703935840c3..407a17958cf 100644 --- a/.github/workflows/daily-cli-performance.md +++ b/.github/workflows/daily-cli-performance.md @@ -15,7 +15,7 @@ tools: description: "Historical CLI compilation performance benchmark results" file-glob: ["memory/cli-performance/*.json", "memory/cli-performance/*.jsonl", "memory/cli-performance/*.txt"] max-file-size: 512000 # 500KB - bash: + bash: true edit: github: toolsets: [default, issues] @@ -679,4 +679,4 @@ Each entry contains: } ``` -Begin your daily performance analysis now! +Begin your daily performance analysis now! \ No newline at end of file diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index dfd836e2ab6..e8cf30d3f1f 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -27,7 +27,7 @@ # - shared/reporting.md # - shared/trends.md # -# frontmatter-hash: 624fd4665a245a054f9c6ebf7ad42316a4f71a101b783eb2df6c7e21614794af +# frontmatter-hash: 2093093330961528c7a428449d17d960ede3238c3029308021c5b6d9fe04047c name: "Daily Code Metrics and Trend Tracking Agent" "on": diff --git a/.github/workflows/daily-code-metrics.md b/.github/workflows/daily-code-metrics.md index 2383822558f..2a893722d33 100644 --- a/.github/workflows/daily-code-metrics.md +++ b/.github/workflows/daily-code-metrics.md @@ -15,7 +15,7 @@ tools: description: "Historical code quality and health metrics" file-glob: ["*.json", "*.jsonl", "*.csv", "*.md"] max-file-size: 102400 # 100KB - bash: + bash: true safe-outputs: upload-asset: create-discussion: @@ -455,5 +455,4 @@ This ensures the quality score reflects actionable source code volatility, not n - Generate all 6 required visualization charts - Upload charts as assets for permanent URLs - Embed charts in discussion report with analysis -- Store metrics to repo memory, create discussion report with visualizations - +- Store metrics to repo memory, create discussion report with visualizations \ No newline at end of file diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index fa90c9c23fa..6c14198a366 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: a2d2939025b8cd01ec317ff980fc6209e433e71c69e2e3a10a8a84f06f364c79 +# frontmatter-hash: b3d69c6ffb6e3176c8c580511717f3a0074e13af17b473dd497edaf732186ed6 name: "Daily Malicious Code Scan Agent" "on": @@ -709,26 +709,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md index 3290d4c5b4e..bbf16203dbd 100644 --- a/.github/workflows/daily-malicious-code-scan.md +++ b/.github/workflows/daily-malicious-code-scan.md @@ -12,7 +12,7 @@ engine: copilot tools: github: toolsets: [repos, code_security] - bash: + bash: true safe-outputs: create-code-scanning-alert: driver: "Malicious Code Scanner" @@ -322,4 +322,4 @@ Your output MUST: **The workflow WILL FAIL if you don't call one of these tools.** Writing a message in your output text is NOT sufficient - you must actually invoke the tool. -Begin your daily malicious code scan now. Analyze all code changes from the last 3 days, identify suspicious patterns, and generate appropriate code-scanning alerts for any threats detected. +Begin your daily malicious code scan now. Analyze all code changes from the last 3 days, identify suspicious patterns, and generate appropriate code-scanning alerts for any threats detected. \ No newline at end of file diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 55ba0acf831..bf63bdf7319 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 39da83d7edb2fb90a6f8b3bf93d0a925fd70eae853c8ecdec648e2bcd49e319b +# frontmatter-hash: 5ad9f9b0378a3ab6e36feb0b59074643280051e45e8a0cd088773c307b5c5b47 name: "Daily Secrets Analysis Agent" "on": @@ -726,26 +726,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/daily-secrets-analysis.md b/.github/workflows/daily-secrets-analysis.md index 37d338f481d..68de5eead3a 100644 --- a/.github/workflows/daily-secrets-analysis.md +++ b/.github/workflows/daily-secrets-analysis.md @@ -14,7 +14,7 @@ tracker-id: daily-secrets-analysis tools: github: toolsets: [default, discussions] - bash: + bash: true safe-outputs: create-discussion: expires: 3d @@ -295,4 +295,4 @@ For detailed information about secret usage patterns, see: - Highlight **security concerns** prominently - Keep the report **concise but comprehensive** - Use **tables and formatting** for readability -- Include **actionable recommendations** +- Include **actionable recommendations** \ No newline at end of file diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index d7a35c1d6f7..87cc8fa678a 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/reporting.md # -# frontmatter-hash: 4200b413651f1eb03f0cc150b48b84b5bc9ac70c59249372beb5658e0b3d1e52 +# frontmatter-hash: df088f95c7fb764646a25cba7c15b97c423d4387c022b6369221d4b9ebead6f0 name: "Lockfile Statistics Analysis Agent" "on": @@ -688,18 +688,7 @@ jobs: - name: Execute Claude Code CLI id: agentic_execution # Allowed tools (sorted): - # - Bash(cat) - # - Bash(date) - # - Bash(echo) - # - Bash(grep) - # - Bash(head) - # - Bash(ls) - # - Bash(pwd) - # - Bash(sort) - # - Bash(tail) - # - Bash(uniq) - # - Bash(wc) - # - Bash(yq) + # - Bash # - BashOutput # - Edit # - Edit(/tmp/gh-aw/cache-memory/*) @@ -774,7 +763,7 @@ jobs: run: | set -o pipefail sudo -E awf --enable-chroot --tty --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,anthropic.com,api.anthropic.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,files.pythonhosted.org,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,pypi.org,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,sentry.io,statsig.anthropic.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash(cat),Bash(date),Bash(echo),Bash(grep),Bash(head),Bash(ls),Bash(pwd),Bash(sort),Bash(tail),Bash(uniq),Bash(wc),Bash(yq),BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log + -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH" && claude --print --disable-slash-commands --no-chrome --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/gh-aw/cache-memory/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/gh-aw/cache-memory/*),NotebookEdit,NotebookRead,Read,Read(/tmp/gh-aw/cache-memory/*),Task,TodoWrite,Write,Write(/tmp/gh-aw/cache-memory/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode bypassPermissions --output-format stream-json "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_CLAUDE:+ --model "$GH_AW_MODEL_AGENT_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} BASH_DEFAULT_TIMEOUT_MS: 60000 diff --git a/.github/workflows/lockfile-stats.md b/.github/workflows/lockfile-stats.md index 6b70776a908..8cc6d52984c 100644 --- a/.github/workflows/lockfile-stats.md +++ b/.github/workflows/lockfile-stats.md @@ -10,7 +10,7 @@ permissions: engine: claude tools: cache-memory: true - bash: + bash: true safe-outputs: create-discussion: category: "audits" @@ -354,4 +354,4 @@ Your output MUST: 5. Highlight interesting patterns and anomalies 6. Store successful scripts and patterns in cache memory -Begin your analysis now. Collect the data systematically, perform thorough statistical analysis, and generate an insightful report that helps understand the structure and patterns of agentic workflows in this repository. +Begin your analysis now. Collect the data systematically, perform thorough statistical analysis, and generate an insightful report that helps understand the structure and patterns of agentic workflows in this repository. \ No newline at end of file diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 9758704f4be..b0871f82809 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -39,7 +39,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# frontmatter-hash: b4a7ec5fd0e804617e948319ce798ddc7e6c1c042426e4ee41e2494f22ae946c +# frontmatter-hash: 628be2a853f60f9d5c04d7eddde96de120b6c816b60c720fc1d199155a2d6310 name: "MCP Inspector Agent" "on": @@ -1146,91 +1146,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool arxiv - # --allow-tool arxiv(get_paper_details) - # --allow-tool arxiv(get_paper_pdf) - # --allow-tool arxiv(search_arxiv) - # --allow-tool ast-grep - # --allow-tool ast-grep(*) - # --allow-tool brave-search - # --allow-tool brave-search(*) - # --allow-tool context7 - # --allow-tool context7(query-docs) - # --allow-tool context7(resolve-library-id) - # --allow-tool datadog - # --allow-tool datadog(get_datadog_metric) - # --allow-tool datadog(search_datadog_dashboards) - # --allow-tool datadog(search_datadog_metrics) - # --allow-tool datadog(search_datadog_slos) - # --allow-tool deepwiki - # --allow-tool deepwiki(ask_question) - # --allow-tool deepwiki(read_wiki_contents) - # --allow-tool deepwiki(read_wiki_structure) - # --allow-tool fabric-rti - # --allow-tool fabric-rti(get_eventstream) - # --allow-tool fabric-rti(get_eventstream_definition) - # --allow-tool fabric-rti(kusto_get_entities_schema) - # --allow-tool fabric-rti(kusto_get_function_schema) - # --allow-tool fabric-rti(kusto_get_shots) - # --allow-tool fabric-rti(kusto_get_table_schema) - # --allow-tool fabric-rti(kusto_known_services) - # --allow-tool fabric-rti(kusto_list_databases) - # --allow-tool fabric-rti(kusto_list_tables) - # --allow-tool fabric-rti(kusto_query) - # --allow-tool fabric-rti(kusto_sample_function_data) - # --allow-tool fabric-rti(kusto_sample_table_data) - # --allow-tool fabric-rti(list_eventstreams) - # --allow-tool github - # --allow-tool markitdown - # --allow-tool markitdown(*) - # --allow-tool memory - # --allow-tool memory(delete_memory) - # --allow-tool memory(list_memories) - # --allow-tool memory(retrieve_memory) - # --allow-tool memory(store_memory) - # --allow-tool microsoftdocs - # --allow-tool microsoftdocs(*) - # --allow-tool notion - # --allow-tool notion(get_database) - # --allow-tool notion(get_page) - # --allow-tool notion(query_database) - # --allow-tool notion(search_pages) - # --allow-tool safeoutputs - # --allow-tool sentry - # --allow-tool sentry(analyze_issue_with_seer) - # --allow-tool sentry(find_dsns) - # --allow-tool sentry(find_organizations) - # --allow-tool sentry(find_projects) - # --allow-tool sentry(find_releases) - # --allow-tool sentry(find_teams) - # --allow-tool sentry(get_doc) - # --allow-tool sentry(get_event_attachment) - # --allow-tool sentry(get_issue_details) - # --allow-tool sentry(get_trace_details) - # --allow-tool sentry(search_docs requires SENTRY_OPENAI_API_KEY) - # --allow-tool sentry(search_events) - # --allow-tool sentry(search_issues) - # --allow-tool sentry(whoami) - # --allow-tool shell(cat) - # --allow-tool shell(date) - # --allow-tool shell(echo) - # --allow-tool shell(grep) - # --allow-tool shell(head) - # --allow-tool shell(ls) - # --allow-tool shell(pwd) - # --allow-tool shell(sort) - # --allow-tool shell(tail) - # --allow-tool shell(uniq) - # --allow-tool shell(wc) - # --allow-tool shell(yq) - # --allow-tool tavily - # --allow-tool tavily(*) - # --allow-tool write timeout-minutes: 20 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.docker.com,*.docker.io,*.jsr.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,bun.sh,cdn.jsdelivr.net,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,deb.nodesource.com,deno.land,dl.k8s.io,fonts.googleapis.com,fonts.gstatic.com,gcr.io,get.pnpm.io,ghcr.io,github.com,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,mcp.datadoghq.com,mcp.deepwiki.com,mcp.tavily.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool arxiv --allow-tool '\''arxiv(get_paper_details)'\'' --allow-tool '\''arxiv(get_paper_pdf)'\'' --allow-tool '\''arxiv(search_arxiv)'\'' --allow-tool ast-grep --allow-tool '\''ast-grep(*)'\'' --allow-tool brave-search --allow-tool '\''brave-search(*)'\'' --allow-tool context7 --allow-tool '\''context7(query-docs)'\'' --allow-tool '\''context7(resolve-library-id)'\'' --allow-tool datadog --allow-tool '\''datadog(get_datadog_metric)'\'' --allow-tool '\''datadog(search_datadog_dashboards)'\'' --allow-tool '\''datadog(search_datadog_metrics)'\'' --allow-tool '\''datadog(search_datadog_slos)'\'' --allow-tool deepwiki --allow-tool '\''deepwiki(ask_question)'\'' --allow-tool '\''deepwiki(read_wiki_contents)'\'' --allow-tool '\''deepwiki(read_wiki_structure)'\'' --allow-tool fabric-rti --allow-tool '\''fabric-rti(get_eventstream)'\'' --allow-tool '\''fabric-rti(get_eventstream_definition)'\'' --allow-tool '\''fabric-rti(kusto_get_entities_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_function_schema)'\'' --allow-tool '\''fabric-rti(kusto_get_shots)'\'' --allow-tool '\''fabric-rti(kusto_get_table_schema)'\'' --allow-tool '\''fabric-rti(kusto_known_services)'\'' --allow-tool '\''fabric-rti(kusto_list_databases)'\'' --allow-tool '\''fabric-rti(kusto_list_tables)'\'' --allow-tool '\''fabric-rti(kusto_query)'\'' --allow-tool '\''fabric-rti(kusto_sample_function_data)'\'' --allow-tool '\''fabric-rti(kusto_sample_table_data)'\'' --allow-tool '\''fabric-rti(list_eventstreams)'\'' --allow-tool github --allow-tool markitdown --allow-tool '\''markitdown(*)'\'' --allow-tool memory --allow-tool '\''memory(delete_memory)'\'' --allow-tool '\''memory(list_memories)'\'' --allow-tool '\''memory(retrieve_memory)'\'' --allow-tool '\''memory(store_memory)'\'' --allow-tool microsoftdocs --allow-tool '\''microsoftdocs(*)'\'' --allow-tool notion --allow-tool '\''notion(get_database)'\'' --allow-tool '\''notion(get_page)'\'' --allow-tool '\''notion(query_database)'\'' --allow-tool '\''notion(search_pages)'\'' --allow-tool safeoutputs --allow-tool sentry --allow-tool '\''sentry(analyze_issue_with_seer)'\'' --allow-tool '\''sentry(find_dsns)'\'' --allow-tool '\''sentry(find_organizations)'\'' --allow-tool '\''sentry(find_projects)'\'' --allow-tool '\''sentry(find_releases)'\'' --allow-tool '\''sentry(find_teams)'\'' --allow-tool '\''sentry(get_doc)'\'' --allow-tool '\''sentry(get_event_attachment)'\'' --allow-tool '\''sentry(get_issue_details)'\'' --allow-tool '\''sentry(get_trace_details)'\'' --allow-tool '\''sentry(search_docs requires SENTRY_OPENAI_API_KEY)'\'' --allow-tool '\''sentry(search_events)'\'' --allow-tool '\''sentry(search_issues)'\'' --allow-tool '\''sentry(whoami)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool tavily --allow-tool '\''tavily(*)'\'' --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/mcp-inspector.md b/.github/workflows/mcp-inspector.md index 442be4d7e06..69d7d351c96 100644 --- a/.github/workflows/mcp-inspector.md +++ b/.github/workflows/mcp-inspector.md @@ -47,7 +47,7 @@ tools: agentic-workflows: serena: ["go"] edit: - bash: + bash: true cache-memory: true --- @@ -92,4 +92,4 @@ Generate: 1. [Issue or improvement] ``` -Save to `/tmp/gh-aw/cache-memory/mcp-inspections/[DATE].json` and create discussion in "audits" category. +Save to `/tmp/gh-aw/cache-memory/mcp-inspections/[DATE].json` and create discussion in "audits" category. \ No newline at end of file diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 5e741c64cb3..ee2def22898 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -21,7 +21,7 @@ # # Intelligent assistant that answers questions, analyzes repositories, and can create PRs for workflow optimizations # -# frontmatter-hash: 3cc89a80359117eb057e150dae41c45f5bd96f157452131579cc117aa46d1605 +# frontmatter-hash: dd49646805be784cc280539e9bcaee4913e56b2b65cb9a5e08db25929fce4d59 name: "Q" "on": @@ -791,15 +791,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell - # --allow-tool write timeout-minutes: 15 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/q.md b/.github/workflows/q.md index 3b970c95677..62de27092f1 100644 --- a/.github/workflows/q.md +++ b/.github/workflows/q.md @@ -22,7 +22,7 @@ tools: - actions - discussions edit: - bash: + bash: true cache-memory: true safe-outputs: add-comment: @@ -404,4 +404,4 @@ A successful Q mission: You are Q - the expert who provides agents with the best tools for their missions. Make workflows more effective, efficient, and reliable based on real data. Keep changes minimal and well-validated. Let the automation handle lock file compilation. -Begin your investigation now. Gather live data, analyze it thoroughly, make targeted improvements, validate your changes, and create a pull request with your optimizations. +Begin your investigation now. Gather live data, analyze it thoroughly, make targeted improvements, validate your changes, and create a pull request with your optimizations. \ No newline at end of file diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index ee7c546b337..75d6a6d82ef 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -26,7 +26,7 @@ # - ../../skills/documentation/SKILL.md # - ../agents/technical-doc-writer.agent.md # -# frontmatter-hash: 221b633fcec6437dab0b5e158d24913f3fce98b408512a2ac21f2375b6c0d5bd +# frontmatter-hash: 42d7e348a6da94a574d4e0108c40481a23dabab96476f5ecedc52a91420594cf name: "Rebuild the documentation after making changes" "on": @@ -1216,15 +1216,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): - # --allow-tool github - # --allow-tool safeoutputs - # --allow-tool shell - # --allow-tool write timeout-minutes: 10 run: | set -o pipefail sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ - -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ + -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --agent technical-doc-writer --allow-all-tools --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md index f1acae9f6d7..6a8dc914f70 100644 --- a/.github/workflows/technical-doc-writer.md +++ b/.github/workflows/technical-doc-writer.md @@ -66,7 +66,7 @@ tools: github: toolsets: [default] edit: - bash: + bash: true timeout-minutes: 10 diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 636215358c7..1f21ac3285c 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -25,7 +25,7 @@ # Imports: # - shared/ffmpeg.md # -# frontmatter-hash: f44f3b560ee1193c36ae5b31a8c41f6e296d95416daade0733e5a5359dc111ab +# frontmatter-hash: 94cc0589aede07110b1d6cf1389de05ec934688bb94f1c2d067d22c1b6b31915 name: "Video Analysis Agent" "on": diff --git a/.github/workflows/video-analyzer.md b/.github/workflows/video-analyzer.md index c716a4da046..7983dd783e6 100644 --- a/.github/workflows/video-analyzer.md +++ b/.github/workflows/video-analyzer.md @@ -19,7 +19,7 @@ imports: - shared/ffmpeg.md tools: - bash: + bash: true safe-outputs: create-issue: @@ -166,5 +166,4 @@ Create your issue with the following markdown structure: --- *Generated using ffmpeg via GitHub Agentic Workflows* -``` - +``` \ No newline at end of file diff --git a/pkg/cli/codemod_bash_anonymous.go b/pkg/cli/codemod_bash_anonymous.go new file mode 100644 index 00000000000..a7a8deb835e --- /dev/null +++ b/pkg/cli/codemod_bash_anonymous.go @@ -0,0 +1,119 @@ +package cli + +import "github.com/github/gh-aw/pkg/logger" + +var bashAnonymousCodemodLog = logger.New("cli:codemod_bash_anonymous") + +// getBashAnonymousRemovalCodemod creates a codemod for removing anonymous bash tool syntax +func getBashAnonymousRemovalCodemod() Codemod { + return Codemod{ + ID: "bash-anonymous-removal", + Name: "Replace anonymous bash tool syntax with explicit true", + Description: "Replaces 'bash:' (anonymous/nil syntax) with 'bash: true' to make configuration explicit", + IntroducedIn: "0.9.0", + Apply: func(content string, frontmatter map[string]any) (string, bool, error) { + // Check if tools.bash exists + toolsValue, hasTools := frontmatter["tools"] + if !hasTools { + return content, false, nil + } + + toolsMap, ok := toolsValue.(map[string]any) + if !ok { + return content, false, nil + } + + // Check if bash field exists and is nil + bashValue, hasBash := toolsMap["bash"] + if !hasBash { + return content, false, nil + } + + // Only modify if bash is nil (anonymous syntax) + if bashValue != nil { + return content, false, nil + } + + // Parse frontmatter to get raw lines + frontmatterLines, markdown, err := parseFrontmatterLines(content) + if err != nil { + return content, false, err + } + + // Replace the bash field from anonymous to explicit true + modifiedLines, modified := replaceBashAnonymousWithTrue(frontmatterLines) + if !modified { + return content, false, nil + } + + // Reconstruct the content + newContent := reconstructContent(modifiedLines, markdown) + bashAnonymousCodemodLog.Print("Applied bash anonymous removal, replaced with 'bash: true'") + return newContent, true, nil + }, + } +} + +// replaceBashAnonymousWithTrue replaces 'bash:' with 'bash: true' in the tools block +func replaceBashAnonymousWithTrue(lines []string) ([]string, bool) { + var result []string + var modified bool + var inToolsBlock bool + var toolsIndent string + + for _, line := range lines { + trimmedLine := line + + // Trim to check content but preserve original spacing + trimmed := trimLine(trimmedLine) + + // Track if we're in the tools block + if trimmed == "tools:" { + inToolsBlock = true + toolsIndent = getIndentation(line) + result = append(result, line) + continue + } + + // Check if we've left the tools block + if inToolsBlock && len(trimmed) > 0 && !startsWith(trimmed, "#") { + if hasExitedBlock(line, toolsIndent) { + inToolsBlock = false + } + } + + // Replace bash: with bash: true if in tools block + if inToolsBlock && (trimmed == "bash:" || startsWith(trimmed, "bash: ")) { + // Check if it's just 'bash:' with nothing after the colon + if trimmed == "bash:" { + indent := getIndentation(line) + result = append(result, indent+"bash: true") + modified = true + bashAnonymousCodemodLog.Printf("Replaced 'bash:' with 'bash: true'") + continue + } + } + + result = append(result, line) + } + + return result, modified +} + +// Helper function to trim whitespace +func trimLine(s string) string { + start := 0 + for start < len(s) && (s[start] == ' ' || s[start] == '\t') { + start++ + } + end := len(s) + for end > start && (s[end-1] == ' ' || s[end-1] == '\t' || s[end-1] == '\n' || s[end-1] == '\r') { + end-- + } + return s[start:end] +} + +// Helper function to check if string starts with prefix +func startsWith(s, prefix string) bool { + return len(s) >= len(prefix) && s[:len(prefix)] == prefix +} diff --git a/pkg/cli/codemod_bash_anonymous_test.go b/pkg/cli/codemod_bash_anonymous_test.go new file mode 100644 index 00000000000..bc80df91f13 --- /dev/null +++ b/pkg/cli/codemod_bash_anonymous_test.go @@ -0,0 +1,238 @@ +//go:build !integration + +package cli + +import ( + "strings" + "testing" + + "github.com/github/gh-aw/pkg/parser" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestBashAnonymousRemovalCodemod(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + tests := []struct { + name string + input string + expectApply bool + expectError bool + }{ + { + name: "replaces anonymous bash with bash: true", + input: `--- +name: Test Workflow +tools: + bash: + github: +--- +# Test workflow`, + expectApply: true, + }, + { + name: "does not modify bash: true", + input: `--- +name: Test Workflow +tools: + bash: true + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify bash: false", + input: `--- +name: Test Workflow +tools: + bash: false + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify bash with array", + input: `--- +name: Test Workflow +tools: + bash: ["echo", "ls"] + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify when bash is not present", + input: `--- +name: Test Workflow +tools: + github: +--- +# Test workflow`, + expectApply: false, + }, + { + name: "does not modify when tools is not present", + input: `--- +name: Test Workflow +--- +# Test workflow`, + expectApply: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Parse frontmatter to get the map + result, err := parser.ExtractFrontmatterFromContent(tt.input) + require.NoError(t, err, "Failed to parse test input frontmatter") + + // Apply the codemod + output, applied, err := codemod.Apply(tt.input, result.Frontmatter) + + if tt.expectError { + assert.Error(t, err) + return + } + + require.NoError(t, err) + assert.Equal(t, tt.expectApply, applied, "Applied status mismatch") + + if tt.expectApply { + // Verify the output contains the replacement + assert.Contains(t, output, "bash: true", "Output should contain 'bash: true'") + assert.NotContains(t, output, "bash:\n", "Output should not contain anonymous bash:") + assert.NotContains(t, output, "bash: \n", "Output should not contain bash with space") + + // Verify the markdown body is preserved + assert.Contains(t, output, "# Test workflow", "Markdown body should be preserved") + } else { + // If not applied, output should be unchanged + assert.Equal(t, tt.input, output, "Output should be unchanged when not applied") + } + }) + } +} + +func TestBashAnonymousCodemodWithComments(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + input := `--- +name: Test Workflow +tools: + # Enable bash + bash: + github: +--- +# Test workflow` + + result, err := parser.ExtractFrontmatterFromContent(input) + require.NoError(t, err) + + output, applied, err := codemod.Apply(input, result.Frontmatter) + require.NoError(t, err) + assert.True(t, applied, "Should apply when bash: is present") + assert.Contains(t, output, "bash: true", "Should replace with bash: true") + assert.Contains(t, output, "# Enable bash", "Should preserve comments") +} + +func TestBashAnonymousCodemodPreservesIndentation(t *testing.T) { + codemod := getBashAnonymousRemovalCodemod() + + input := `--- +name: Test Workflow +tools: + bash: + github: + mode: remote +--- +# Test workflow` + + result, err := parser.ExtractFrontmatterFromContent(input) + require.NoError(t, err) + + output, applied, err := codemod.Apply(input, result.Frontmatter) + require.NoError(t, err) + assert.True(t, applied, "Should apply") + + // Check indentation is preserved + lines := strings.Split(output, "\n") + var foundBash bool + for _, line := range lines { + if strings.Contains(line, "bash: true") { + foundBash = true + // Should have 2-space indentation + assert.True(t, strings.HasPrefix(line, " bash: true"), "Should have proper indentation") + } + } + assert.True(t, foundBash, "Should find bash: true in output") +} + +func TestReplaceBashAnonymousWithTrue(t *testing.T) { + tests := []struct { + name string + lines []string + expectLines []string + modified bool + }{ + { + name: "replaces bash: in tools block", + lines: []string{ + "name: Test", + "tools:", + " bash:", + " github:", + }, + expectLines: []string{ + "name: Test", + "tools:", + " bash: true", + " github:", + }, + modified: true, + }, + { + name: "does not modify outside tools block", + lines: []string{ + "name: Test", + "bash:", + "tools:", + " github:", + }, + expectLines: []string{ + "name: Test", + "bash:", + "tools:", + " github:", + }, + modified: false, + }, + { + name: "does not modify bash with value", + lines: []string{ + "name: Test", + "tools:", + " bash: true", + " github:", + }, + expectLines: []string{ + "name: Test", + "tools:", + " bash: true", + " github:", + }, + modified: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, modified := replaceBashAnonymousWithTrue(tt.lines) + assert.Equal(t, tt.modified, modified, "Modified status mismatch") + assert.Equal(t, tt.expectLines, result, "Output lines mismatch") + }) + } +} diff --git a/pkg/cli/fix_codemods.go b/pkg/cli/fix_codemods.go index 9b49ea2158a..c323d241b19 100644 --- a/pkg/cli/fix_codemods.go +++ b/pkg/cli/fix_codemods.go @@ -34,5 +34,6 @@ func GetAllCodemods() []Codemod { getDiscussionFlagRemovalCodemod(), getMCPModeToTypeCodemod(), getInstallScriptURLCodemod(), + getBashAnonymousRemovalCodemod(), // Replace bash: with bash: false } } diff --git a/pkg/cli/fix_codemods_test.go b/pkg/cli/fix_codemods_test.go index e1c357da91e..8182258c119 100644 --- a/pkg/cli/fix_codemods_test.go +++ b/pkg/cli/fix_codemods_test.go @@ -43,7 +43,7 @@ func TestGetAllCodemods_ReturnsAllCodemods(t *testing.T) { codemods := GetAllCodemods() // Verify we have the expected number of codemods - expectedCount := 16 + expectedCount := 17 assert.Len(t, codemods, expectedCount, "Should return all %d codemods", expectedCount) // Verify all codemods have required fields @@ -120,6 +120,7 @@ func TestGetAllCodemods_InExpectedOrder(t *testing.T) { "add-comment-discussion-removal", "mcp-mode-to-type-migration", "install-script-url-migration", + "bash-anonymous-removal", } require.Len(t, codemods, len(expectedOrder), "Should have expected number of codemods") diff --git a/pkg/workflow/bash_anonymous_validation_test.go b/pkg/workflow/bash_anonymous_validation_test.go new file mode 100644 index 00000000000..4b40e3ec7ab --- /dev/null +++ b/pkg/workflow/bash_anonymous_validation_test.go @@ -0,0 +1,100 @@ +//go:build !integration + +package workflow + +import ( + "os" + "path/filepath" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestCompilerRejectsAnonymousBashSyntax(t *testing.T) { + // Create a temporary directory for test workflows + tmpDir := t.TempDir() + + // Create a test workflow with anonymous bash syntax + workflowContent := `--- +name: Test Workflow +engine: copilot +on: + workflow_dispatch: +tools: + bash: + github: +--- +# Test workflow +This is a test workflow with anonymous bash syntax. +` + + workflowPath := filepath.Join(tmpDir, "test-workflow.md") + err := os.WriteFile(workflowPath, []byte(workflowContent), 0644) + require.NoError(t, err, "Failed to create test workflow file") + + // Create compiler + compiler := NewCompiler() + compiler.SetSkipValidation(false) // Enable validation + + // Try to compile - should fail + err = compiler.CompileWorkflow(workflowPath) + + // Verify that compilation fails with the expected error + require.Error(t, err, "Compilation should fail for anonymous bash syntax") + assert.Contains(t, err.Error(), "anonymous syntax 'bash:' is not supported", "Error should mention anonymous syntax") + assert.Contains(t, err.Error(), "bash: true", "Error should suggest bash: true") + assert.Contains(t, err.Error(), "bash: false", "Error should suggest bash: false") + assert.Contains(t, err.Error(), "gh aw fix", "Error should suggest using gh aw fix") +} + +func TestCompilerAcceptsExplicitBashSyntax(t *testing.T) { + tmpDir := t.TempDir() + + tests := []struct { + name string + bashConfig string + }{ + { + name: "bash: true", + bashConfig: "bash: true", + }, + { + name: "bash: false", + bashConfig: "bash: false", + }, + { + name: "bash with array", + bashConfig: "bash: [\"echo\", \"ls\"]", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + workflowContent := `--- +name: Test Workflow +engine: copilot +on: + workflow_dispatch: +tools: + ` + tt.bashConfig + ` + github: +--- +# Test workflow +This is a test workflow. +` + + workflowPath := filepath.Join(tmpDir, strings.ReplaceAll(tt.name, " ", "-")+".md") + err := os.WriteFile(workflowPath, []byte(workflowContent), 0644) + require.NoError(t, err, "Failed to create test workflow file") + + compiler := NewCompiler() + compiler.SetSkipValidation(false) + + // Should compile successfully + err = compiler.CompileWorkflow(workflowPath) + assert.NoError(t, err, "Compilation should succeed for explicit bash syntax: %s", tt.bashConfig) + }) + } +} diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go index bf97ff4b0a1..ab6c9c70445 100644 --- a/pkg/workflow/compiler_orchestrator_workflow.go +++ b/pkg/workflow/compiler_orchestrator_workflow.go @@ -51,6 +51,12 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error) // Store a stable workflow identifier derived from the file name. workflowData.WorkflowID = GetWorkflowIDFromPath(cleanPath) + // Validate bash tool configuration BEFORE applying defaults + // This must happen before applyDefaults() which converts nil bash to default commands + if err := validateBashToolConfig(workflowData.ParsedTools, workflowData.Name); err != nil { + return nil, fmt.Errorf("%s: %w", cleanPath, err) + } + // Use shared action cache and resolver from the compiler actionCache, actionResolver := c.getSharedActionResolver() workflowData.ActionCache = actionCache diff --git a/pkg/workflow/tools_parser.go b/pkg/workflow/tools_parser.go index 26758d44190..f5fea961424 100644 --- a/pkg/workflow/tools_parser.go +++ b/pkg/workflow/tools_parser.go @@ -84,6 +84,10 @@ func NewTools(toolsMap map[string]any) *Tools { } if val, exists := toolsMap["bash"]; exists { tools.Bash = parseBashTool(val) + // Check if parsing returned nil - this indicates invalid configuration + if tools.Bash == nil { + toolsParserLog.Print("Warning: bash tool configuration is invalid (nil/anonymous syntax not supported)") + } } if val, exists := toolsMap["web-fetch"]; exists { tools.WebFetch = parseWebFetchTool(val) @@ -241,8 +245,21 @@ func parseGitHubTool(val any) *GitHubToolConfig { // parseBashTool converts raw bash tool configuration to BashToolConfig func parseBashTool(val any) *BashToolConfig { if val == nil { - // nil means all commands allowed - return &BashToolConfig{} + // nil is no longer supported - return nil to indicate invalid configuration + // The compiler will handle this as a validation error + return nil + } + + // Handle boolean values + if boolVal, ok := val.(bool); ok { + if boolVal { + // bash: true means all commands allowed + return &BashToolConfig{} + } + // bash: false means explicitly disabled + return &BashToolConfig{ + AllowedCommands: []string{}, // Empty slice indicates explicitly disabled + } } // Handle array of allowed commands @@ -258,7 +275,8 @@ func parseBashTool(val any) *BashToolConfig { return config } - return &BashToolConfig{} + // Invalid configuration + return nil } // parsePlaywrightTool converts raw playwright tool configuration to PlaywrightToolConfig diff --git a/pkg/workflow/tools_validation.go b/pkg/workflow/tools_validation.go new file mode 100644 index 00000000000..61421a86eb1 --- /dev/null +++ b/pkg/workflow/tools_validation.go @@ -0,0 +1,27 @@ +package workflow + +import ( + "fmt" + + "github.com/github/gh-aw/pkg/logger" +) + +var toolsValidationLog = logger.New("workflow:tools_validation") + +// validateBashToolConfig validates that bash tool configuration is explicit (not nil/anonymous) +func validateBashToolConfig(tools *Tools, workflowName string) error { + if tools == nil { + return nil + } + + // Check if bash is present in the raw map but Bash field is nil + // This indicates the anonymous syntax (bash:) was used + if rawMap := tools.ToMap(); rawMap != nil { + if _, hasBash := rawMap["bash"]; hasBash && tools.Bash == nil { + toolsValidationLog.Printf("Invalid bash tool configuration in workflow: %s", workflowName) + return fmt.Errorf("invalid bash tool configuration: anonymous syntax 'bash:' is not supported. Use 'bash: true' (enable all commands), 'bash: false' (disable), or 'bash: [\"cmd1\", \"cmd2\"]' (specific commands). Run 'gh aw fix' to automatically migrate") + } + } + + return nil +} diff --git a/pkg/workflow/tools_validation_test.go b/pkg/workflow/tools_validation_test.go new file mode 100644 index 00000000000..a9a4559a1c9 --- /dev/null +++ b/pkg/workflow/tools_validation_test.go @@ -0,0 +1,155 @@ +//go:build !integration + +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestValidateBashToolConfig(t *testing.T) { + tests := []struct { + name string + toolsMap map[string]any + shouldError bool + errorMsg string + }{ + { + name: "nil tools config is valid", + toolsMap: nil, + shouldError: false, + }, + { + name: "no bash tool is valid", + toolsMap: map[string]any{"github": nil}, + shouldError: false, + }, + { + name: "bash: true is valid", + toolsMap: map[string]any{"bash": true}, + shouldError: false, + }, + { + name: "bash: false is valid", + toolsMap: map[string]any{"bash": false}, + shouldError: false, + }, + { + name: "bash with array is valid", + toolsMap: map[string]any{"bash": []any{"echo", "ls"}}, + shouldError: false, + }, + { + name: "bash with wildcard is valid", + toolsMap: map[string]any{"bash": []any{"*"}}, + shouldError: false, + }, + { + name: "anonymous bash (nil) is invalid", + toolsMap: map[string]any{"bash": nil}, + shouldError: true, + errorMsg: "anonymous syntax 'bash:' is not supported", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tools := NewTools(tt.toolsMap) + err := validateBashToolConfig(tools, "test-workflow") + + if tt.shouldError { + require.Error(t, err, "Expected error for %s", tt.name) + if tt.errorMsg != "" { + assert.Contains(t, err.Error(), tt.errorMsg, "Error message should contain expected text") + } + } else { + assert.NoError(t, err, "Expected no error for %s", tt.name) + } + }) + } +} + +func TestParseBashToolWithBoolean(t *testing.T) { + tests := []struct { + name string + input any + expected *BashToolConfig + }{ + { + name: "bash: true enables all commands", + input: true, + expected: &BashToolConfig{AllowedCommands: nil}, + }, + { + name: "bash: false explicitly disables", + input: false, + expected: &BashToolConfig{AllowedCommands: []string{}}, + }, + { + name: "bash: nil is invalid", + input: nil, + expected: nil, + }, + { + name: "bash with array", + input: []any{"echo", "ls"}, + expected: &BashToolConfig{ + AllowedCommands: []string{"echo", "ls"}, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := parseBashTool(tt.input) + + if tt.expected == nil { + assert.Nil(t, result, "Expected nil result") + } else { + require.NotNil(t, result, "Expected non-nil result") + if tt.expected.AllowedCommands == nil { + assert.Nil(t, result.AllowedCommands, "Expected nil AllowedCommands (all allowed)") + } else { + assert.Equal(t, tt.expected.AllowedCommands, result.AllowedCommands, "AllowedCommands should match") + } + } + }) + } +} + +func TestNewToolsWithInvalidBash(t *testing.T) { + t.Run("detects invalid bash configuration", func(t *testing.T) { + toolsMap := map[string]any{ + "bash": nil, // Anonymous syntax + } + + tools := NewTools(toolsMap) + + // The parser should set Bash to nil for invalid config + assert.Nil(t, tools.Bash, "Bash should be nil for invalid config") + + // Validation should catch this + err := validateBashToolConfig(tools, "test-workflow") + require.Error(t, err, "Expected validation error") + assert.Contains(t, err.Error(), "anonymous syntax", "Error should mention anonymous syntax") + }) + + t.Run("accepts valid bash configurations", func(t *testing.T) { + validConfigs := []map[string]any{ + {"bash": true}, + {"bash": false}, + {"bash": []any{"echo"}}, + {"bash": []any{"*"}}, + } + + for _, toolsMap := range validConfigs { + tools := NewTools(toolsMap) + assert.NotNil(t, tools.Bash, "Bash should not be nil for valid config") + + err := validateBashToolConfig(tools, "test-workflow") + assert.NoError(t, err, "Expected no validation error for valid config") + } + }) +}