diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index b8b3d5a1b01..f87c36718a2 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -173,7 +173,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -185,7 +185,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -535,7 +535,7 @@ jobs: staged: false, allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" 
@@ -681,7 +681,7 @@ jobs: timeout-minutes: 60 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 327bed5682f..6115e810a1e 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml 
@@ -140,7 +140,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -152,7 +152,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -751,7 +751,7 @@ jobs: staged: false, allowed_domains: ["defaults","github"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" 
@@ -913,7 +913,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
'*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq *)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model 
"$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx index 2d66565b11c..950a8d5f72e 100644 --- a/docs/src/content/docs/agent-factory-status.mdx +++ b/docs/src/content/docs/agent-factory-status.mdx 
@@ -71,6 +71,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn, | [DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/blob/main/.github/workflows/deep-report.md) | codex | [![DeepReport - Intelligence Gathering Agent](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/deep-report.lock.yml) | `0 15 * * 1-5` | - | | [Delight](https://github.com/github/gh-aw/blob/main/.github/workflows/delight.md) | copilot | [![Delight](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/delight.lock.yml) | - | - | | [Dependabot Dependency Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-go-checker.md) | copilot | [![Dependabot Dependency Checker](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-go-checker.lock.yml) | `0 9 * * 1,3,5` | - | +| [Dependabot Project Manager](https://github.com/github/gh-aw/blob/main/.github/workflows/dependabot-project-manager.md) | copilot | [![Dependabot Project Manager](https://github.com/github/gh-aw/actions/workflows/dependabot-project-manager.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dependabot-project-manager.lock.yml) | - | - | | [Dev](https://github.com/github/gh-aw/blob/main/.github/workflows/dev.md) | copilot | [![Dev](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dev.lock.yml) | - | - | | [Dev Hawk](https://github.com/github/gh-aw/blob/main/.github/workflows/dev-hawk.md) | copilot | [![Dev Hawk](https://github.com/github/gh-aw/actions/workflows/dev-hawk.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/dev-hawk.lock.yml) | - | - | | [Developer Documentation 
Consolidator](https://github.com/github/gh-aw/blob/main/.github/workflows/developer-docs-consolidator.md) | claude | [![Developer Documentation Consolidator](https://github.com/github/gh-aw/actions/workflows/developer-docs-consolidator.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/developer-docs-consolidator.lock.yml) | - | - | diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md index ffb802a26bb..272533e8127 100644 --- a/docs/src/content/docs/reference/frontmatter.md +++ b/docs/src/content/docs/reference/frontmatter.md @@ -100,7 +100,7 @@ See [GitHub Tokens](/gh-aw/reference/tokens/) for complete documentation. ### Plugins (`plugins:`) -Specifies plugins to install before workflow execution. Plugins are installed using engine-specific CLI commands (`copilot install plugin`, `claude install plugin`, `codex install plugin`). +Specifies plugins to install before workflow execution. Plugins are installed using engine-specific CLI commands (`copilot plugin install`, `claude plugin install`, `codex plugin install`). **Array format** (simple): ```yaml wrap diff --git a/pkg/workflow/plugin_compilation_test.go b/pkg/workflow/plugin_compilation_test.go index ce6b075ba13..5e9beedb5c1 100644 --- a/pkg/workflow/plugin_compilation_test.go +++ b/pkg/workflow/plugin_compilation_test.go @@ -37,7 +37,7 @@ plugins: Test single plugin installation `, - expectedPlugins: []string{"copilot install plugin github/test-plugin"}, + expectedPlugins: []string{"copilot plugin install github/test-plugin"}, expectedTokenString: "secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN", }, { 
@@ -57,9 +57,9 @@ plugins: Test multiple plugins `, expectedPlugins: []string{ - "claude install plugin github/plugin1", - "claude install plugin acme/plugin2", - "claude install plugin org/plugin3", + "claude plugin install github/plugin1", + "claude plugin install acme/plugin2", + "claude plugin install org/plugin3", }, expectedTokenString: "secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN", }, @@ -77,7 +77,7 @@ plugins: Test Codex plugin `, - expectedPlugins: []string{"codex install plugin openai/codex-plugin"}, + expectedPlugins: []string{"codex plugin install openai/codex-plugin"}, expectedTokenString: "secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN", }, } @@ -146,8 +146,8 @@ plugins: Test object format with custom token `, expectedPlugins: []string{ - "copilot install plugin github/test-plugin", - "copilot install plugin acme/custom-plugin", + "copilot plugin install github/test-plugin", + "copilot plugin install acme/custom-plugin", }, expectedToken: "GITHUB_TOKEN: ${{ secrets.CUSTOM_PLUGIN_TOKEN }}", shouldNotContain: "GH_AW_PLUGINS_TOKEN", @@ -168,7 +168,7 @@ plugins: Test object format without custom token `, expectedPlugins: []string{ - "claude install plugin github/plugin1", + "claude plugin install github/plugin1", }, expectedToken: "secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN", shouldNotContain: "", @@ -247,7 +247,7 @@ Test with top-level github-token lockContent := string(content) // Verify plugin install command is present - assert.Contains(t, lockContent, "copilot install plugin github/test-plugin", + assert.Contains(t, lockContent, "copilot plugin install github/test-plugin", "Lock file should contain plugin install command") // Verify top-level github-token is used (not cascading) 
@@ -358,9 +358,9 @@ func TestPluginCompilationAllEngines(t *testing.T) { engineID string expectedCmd string }{ - {"copilot", "copilot install plugin github/test-plugin"}, - {"claude", "claude install plugin github/test-plugin"}, - {"codex", "codex install plugin github/test-plugin"}, + {"copilot", "copilot plugin install github/test-plugin"}, + {"claude", "claude plugin install github/test-plugin"}, + {"codex", "codex plugin install github/test-plugin"}, } for _, engine := range engines { @@ -440,7 +440,7 @@ Test without plugins lockContent := string(content) // Verify no plugin installation steps are present - assert.NotContains(t, lockContent, "install plugin", + assert.NotContains(t, lockContent, "plugin install", "Lock file should not contain plugin installation when no plugins specified") } diff --git a/pkg/workflow/plugin_installation.go b/pkg/workflow/plugin_installation.go index 6b3ca782163..2f49d544829 100644 --- a/pkg/workflow/plugin_installation.go +++ b/pkg/workflow/plugin_installation.go @@ -64,14 +64,16 @@ func generatePluginInstallStep(plugin, engineID, githubToken string) GitHubActio var command string switch engineID { case "copilot": - command = fmt.Sprintf("copilot install plugin %s", plugin) + command = fmt.Sprintf("copilot plugin install %s", plugin) case "claude": - command = fmt.Sprintf("claude install plugin %s", plugin) + // TODO: validate the correct claude CLI plugin install command syntax + command = fmt.Sprintf("claude plugin install %s", plugin) case "codex": - command = fmt.Sprintf("codex install plugin %s", plugin) + // TODO: validate the correct codex CLI plugin install command syntax + command = fmt.Sprintf("codex plugin install %s", plugin) default: // For unknown engines, use a generic format - command = fmt.Sprintf("%s install plugin %s", engineID, plugin) + command = fmt.Sprintf("%s plugin install %s", engineID, plugin) } // Quote the step name to avoid YAML syntax issues with special characters 
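Review bot: In `generatePluginInstallStep`, `plugin` (and, in the `default` branch, `engineID`) is still formatted unquoted into the command string by `fmt.Sprintf("%s plugin install %s", engineID, plugin)`, and no format check is visible in this hunk. The tests in this commit suggest the string lands in a generated `run:` step that has `GITHUB_TOKEN` in its environment, so a plugin value containing shell metacharacters would be interpreted by the shell there. The spec should be restricted to an `owner/repo` shape before it reaches this function; if that already happens at frontmatter parse time, a comment such as `// plugin is validated as owner/repo by the caller; it is interpolated unquoted below` would make the dependency explicit. The two new TODOs also mean the `claude` and `codex` strings pinned by the updated tests are unverified, so passing tests do not show that those commands work. The function body starts and ends outside the hunk, so an existing check elsewhere in it cannot be ruled out.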
diff --git a/pkg/workflow/plugin_installation_test.go b/pkg/workflow/plugin_installation_test.go index 4f63f092a8a..a30c4678bbe 100644 --- a/pkg/workflow/plugin_installation_test.go +++ b/pkg/workflow/plugin_installation_test.go @@ -35,7 +35,7 @@ func TestGeneratePluginInstallationSteps(t *testing.T) { engineID: "copilot", githubToken: "${{ secrets.CUSTOM_TOKEN }}", expectSteps: 1, - expectCmds: []string{"copilot install plugin github/test-plugin"}, + expectCmds: []string{"copilot plugin install github/test-plugin"}, expectTokens: []string{"${{ secrets.CUSTOM_TOKEN }}"}, }, { @@ -45,8 +45,8 @@ func TestGeneratePluginInstallationSteps(t *testing.T) { githubToken: "${{ secrets.CUSTOM_TOKEN }}", expectSteps: 2, expectCmds: []string{ - "claude install plugin github/plugin1", - "claude install plugin acme/plugin2", + "claude plugin install github/plugin1", + "claude plugin install acme/plugin2", }, expectTokens: []string{ "${{ secrets.CUSTOM_TOKEN }}", @@ -59,7 +59,7 @@ func TestGeneratePluginInstallationSteps(t *testing.T) { engineID: "codex", githubToken: "", expectSteps: 1, - expectCmds: []string{"codex install plugin org/codex-plugin"}, + expectCmds: []string{"codex plugin install org/codex-plugin"}, expectTokens: []string{"${{ secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"}, // Cascading fallback }, } @@ -203,7 +203,7 @@ func TestPluginInstallationIntegration(t *testing.T) { } // Verify plugin installation step is present - assert.Contains(t, allStepsText, fmt.Sprintf("%s install plugin github/test-plugin", e.engineID), + assert.Contains(t, allStepsText, fmt.Sprintf("%s plugin install github/test-plugin", e.engineID), "Installation steps should include plugin installation command") // Verify GITHUB_TOKEN is set 
@@ -278,7 +278,7 @@ func TestPluginObjectFormatWithCustomToken(t *testing.T) { } // Verify plugin installation step is present - assert.Contains(t, allStepsText, fmt.Sprintf("%s install plugin github/test-plugin", e.engineID), + assert.Contains(t, allStepsText, fmt.Sprintf("%s plugin install github/test-plugin", e.engineID), "Installation steps should include plugin installation command") // Verify custom token is used (not the cascading fallback)