diff --git a/.changeset/patch-enforce-lockdown-strict.md b/.changeset/patch-enforce-lockdown-strict.md new file mode 100644 index 00000000000..61264eb4b5b --- /dev/null +++ b/.changeset/patch-enforce-lockdown-strict.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Lockdown validation now enforces `strict: true` for public repositories. diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index f263b439abd..5c3c62d4b70 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -23,7 +23,7 @@ # # Generates an ACE editor session link when invoked with /ace command on pull request comments # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"27465bad2a2328fd5f4ea18e00881a4996ec1ccb258079f63b922025c714470f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"27465bad2a2328fd5f4ea18e00881a4996ec1ccb258079f63b922025c714470f"} name: "ACE Editor Session" "on": @@ -88,6 +88,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index a9d026f89e0..5ae65ff17f3 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"78287fe84a612788fa9e2681f317889ce12753d3ada6d1d39ea39bf0ae5fc47b"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"78287fe84a612788fa9e2681f317889ce12753d3ada6d1d39ea39bf0ae5fc47b","strict":true} name: "Agent Performance Analyzer - Meta-Orchestrator" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 60b29a4f172..4cff79aa9ef 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"df8ee8e4d6ff58de0774bef7fbf88c90b0aab97064e3fe92662c062977bfdb32"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"df8ee8e4d6ff58de0774bef7fbf88c90b0aab97064e3fe92662c062977bfdb32","strict":true} name: "Agent Persona Explorer" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 1dbf7037aa2..abeafd6e0dd 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7039c1f6c974b0231340e2aff8c6a986faee8cb863dd865ba29d0c951c387ca8"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"7039c1f6c974b0231340e2aff8c6a986faee8cb863dd865ba29d0c951c387ca8","strict":true} name: "AI Moderator" "on": @@ -101,6 +101,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 623af6d664e..b3ab702372c 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"79e0293df146b166f4756691d48758815d02702f4f41f9b2bf9c41229f56ccf7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"79e0293df146b166f4756691d48758815d02702f4f41f9b2bf9c41229f56ccf7","strict":true} name: "Archie" "on": @@ -105,6 +105,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index f7dd5f06f2e..c47b4cb523d 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -28,7 +28,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ec4bf7cb905b85ccdcc95c21b2ed16912b1c6737fcbfcecb1cbc252559791663"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ec4bf7cb905b85ccdcc95c21b2ed16912b1c6737fcbfcecb1cbc252559791663","strict":true} name: "Artifacts Summary" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 829dd403140..2dee4634b3b 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6c1d8bd03b40c870af0eefed58e094dd08815f03d478c369b40b48d9ecd35f9f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6c1d8bd03b40c870af0eefed58e094dd08815f03d478c369b40b48d9ecd35f9f","strict":true} name: "Agentic Workflow Audit Agent" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 24bcdab2751..6dfe9f6b49a 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6d5ae739b2ba3b6bbba0566b0e444cf837a7639539ddad0361430acf57eee28c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6d5ae739b2ba3b6bbba0566b0e444cf837a7639539ddad0361430acf57eee28c","strict":true} name: "Auto-Triage Issues" "on": @@ -89,6 +89,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 476f443f66b..3cab719d083 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"878b2619a7ef728ee36423c6ded4bda471ba66d830dc760d5437153fdc594dc1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"878b2619a7ef728ee36423c6ded4bda471ba66d830dc760d5437153fdc594dc1"} name: "Blog Auditor" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 27c1f577067..af4f47b969a 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -23,7 +23,7 @@ # # Investigates suspicious repository activity and maintains a single triage issue # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"45b5b917f22b3ce4657e92078ab1e4c13bda07e7c2497a72f877acf95ead5941"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"45b5b917f22b3ce4657e92078ab1e4c13bda07e7c2497a72f877acf95ead5941","strict":true} name: "Bot Detection" "on": @@ -78,6 +78,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index c1ee6dc153b..4bcec16615f 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/brave.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"1f0b9c5f3a6d5a7d20a40ad39984bdd13fe40c0e47eb008b568fc7641f264ed6"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"1f0b9c5f3a6d5a7d20a40ad39984bdd13fe40c0e47eb008b568fc7641f264ed6","strict":true} name: "Brave Web Search Agent" "on": @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 9f76fa2f5ba..546c8d79f81 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"298055babdc6d453ead986983230edf4cbb2c74f82c5a110850af9b8a64e89c2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"298055babdc6d453ead986983230edf4cbb2c74f82c5a110850af9b8a64e89c2","strict":true} name: "Breaking Change Checker" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index d8d9e2622f5..95d8edc58ae 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -29,7 +29,7 @@ # - shared/jqschema.md # - shared/safe-output-app.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"30ae52017856bedddf21f6ea82fde8c336122be8d203aea1514f1cb2b3ce4268"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"30ae52017856bedddf21f6ea82fde8c336122be8d203aea1514f1cb2b3ce4268","strict":true} name: "Changeset Generator" "on": @@ -99,6 +99,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/chroma-issue-indexer.lock.yml b/.github/workflows/chroma-issue-indexer.lock.yml index 6ae49b25efc..ff309f48afe 100644 --- a/.github/workflows/chroma-issue-indexer.lock.yml +++ b/.github/workflows/chroma-issue-indexer.lock.yml @@ -26,7 +26,7 @@ # Imports: # - shared/mcp/chroma.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"dbc1d32a392c06506e26b62a1ca05966a17d9f802ce08e8f9fcad9e93603737f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"dbc1d32a392c06506e26b62a1ca05966a17d9f802ce08e8f9fcad9e93603737f","strict":true} name: "Chroma Issue Indexer" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 82a99a2a815..2794869793c 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -30,7 +30,7 @@ # - shared/ci-data-analysis.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5191e6c822b25fd810bcb75bbe5eaa6062a26a820ff6c01145e7e2b2507f0426"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"5191e6c822b25fd810bcb75bbe5eaa6062a26a820ff6c01145e7e2b2507f0426","strict":true} name: "CI Optimization Coach" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 747be1ec74b..6191ea84d6f 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -25,7 +25,7 @@ # # Source: githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fcaeacfaaa62a6775511b360ff105863e4d913c99f71eab55489bcd96db114f0","stop_time":"2026-03-03 16:27:58"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"fcaeacfaaa62a6775511b360ff105863e4d913c99f71eab55489bcd96db114f0","stop_time":"2026-03-03 16:27:58","strict":true} # # Effective stop-time: 2026-03-03 16:27:58 @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 78fbd4a4832..b292ad3c845 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -23,7 +23,7 @@ # # Reviews project documentation from the perspective of a Claude Code user who does not use GitHub Copilot or Copilot CLI # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5686ea2651d50165672d00ee1181e76e2493c8a1eed6993edfe9a0b6da21d0cd"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"5686ea2651d50165672d00ee1181e76e2493c8a1eed6993edfe9a0b6da21d0cd","strict":true} name: "Claude Code User Documentation Review" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 1a18e39e076..40aea0582fc 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -23,7 +23,7 @@ # # Inspects the gh-aw CLI to identify inconsistencies, typos, bugs, or documentation gaps by running commands and analyzing output # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f7d49ddba44953f5a8e723d907b90c1807d87ed13f3399e9d0737974e377ff6f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f7d49ddba44953f5a8e723d907b90c1807d87ed13f3399e9d0737974e377ff6f"} name: "CLI Consistency Checker" "on": @@ -75,6 +75,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index fb95a193c56..4d1e50a90be 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -28,7 +28,7 @@ # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f1edaf6fb88a3f4f73256faa6a1c60181f239cbc5e01436d07f90b282d6bff79"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f1edaf6fb88a3f4f73256faa6a1c60181f239cbc5e01436d07f90b282d6bff79"} name: "CLI Version Checker" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 8db836ac97a..268d875c73c 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -27,7 +27,7 @@ # - shared/jqschema.md # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f0cbb935127a3229a5af7be73bfbe1e18cd4d83455bfab734bc621259e3a9b8c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f0cbb935127a3229a5af7be73bfbe1e18cd4d83455bfab734bc621259e3a9b8c","strict":true} name: "/cloclo" "on": @@ -129,6 +129,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 85d058b9087..b89b2602a37 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -23,7 +23,7 @@ # # Automatically fixes code scanning alerts by creating pull requests with remediation # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"356d127ca6b12cd898b6897498aa23822d2a75188b7e7564bc8b833190056a4b"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"356d127ca6b12cd898b6897498aa23822d2a75188b7e7564bc8b833190056a4b","strict":true} name: "Code Scanning Fixer" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index c3bda3f66ed..7a061973de4 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6ba60c66818393095f34e20338d7b05c7e2cf5f3cc398105e210b2d12622b7fa"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6ba60c66818393095f34e20338d7b05c7e2cf5f3cc398105e210b2d12622b7fa","strict":true} name: "Code Simplifier" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 4373279aefb..c638d01bd69 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -23,7 +23,7 @@ # # Test Codex engine with GitHub remote MCP server # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5ab6849e01b879f9ef5b024355eb7f903b410418619f128c6a71bbe826a24fd1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"5ab6849e01b879f9ef5b024355eb7f903b410418619f128c6a71bbe826a24fd1","strict":true} name: "Codex GitHub Remote MCP Test" "on": @@ -74,6 +74,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 4b41df56a03..616f8fc803b 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4a29095b6ca7c901495d8242d934dc97c34547f19593886381bd2baa41502596"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4a29095b6ca7c901495d8242d934dc97c34547f19593886381bd2baa41502596","strict":true} name: "Commit Changes Analyzer" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 23e5b718f0b..87d2a7f1b9b 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8b8e7739047a7e1a0c6540f7574b93437f0a2b7607c424e28a72fd5745c56be5"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"8b8e7739047a7e1a0c6540f7574b93437f0a2b7607c424e28a72fd5745c56be5","strict":true} name: "Constraint Solving — Problem of the Day" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 5afa02d2ff5..c1426c32c91 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4de9281fdf89dba8197d91de6339b21a8b01ddb1645d17de1f09b3a70fc4cf53"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4de9281fdf89dba8197d91de6339b21a8b01ddb1645d17de1f09b3a70fc4cf53","strict":true} name: "Contribution Check" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 8a430a2de36..a36fc1be151 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -30,7 +30,7 @@ # - shared/reporting.md # - shared/copilot-pr-analysis-base.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a88ce0593a1526aef0523962fb3a6bbe3bcdbec6849da5b83a9acbe22c6c028a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a88ce0593a1526aef0523962fb3a6bbe3bcdbec6849da5b83a9acbe22c6c028a","strict":true} name: "Copilot Agent PR Analysis" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index e9024c546f5..fe93a4449e7 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c81c971ba20815fcbef5154f00f789ca3105d6cc7bdef95f60c13260289abbf2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c81c971ba20815fcbef5154f00f789ca3105d6cc7bdef95f60c13260289abbf2","strict":true} name: "Copilot CLI Deep Research Agent" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index bde783ed8c4..cf9952718ed 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -31,7 +31,7 @@ # - shared/reporting.md # - shared/copilot-pr-analysis-base.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d2ca13ea191854985bb6baeeb127f65bc6983ef11c13a367ba002c289a97042a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d2ca13ea191854985bb6baeeb127f65bc6983ef11c13a367ba002c289a97042a"} name: "Daily Copilot PR Merged Report" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 4bd2abadd7f..77b3039406a 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -31,7 +31,7 @@ # - shared/reporting.md # - shared/copilot-pr-analysis-base.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7b5ea7e48c0e812dc34e0645f3a65f1696e700b9ce7b6b4d41bc5efc60d2e804"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"7b5ea7e48c0e812dc34e0645f3a65f1696e700b9ce7b6b4d41bc5efc60d2e804","strict":true} name: "Copilot PR Conversation NLP Analysis" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 55e3a24e59e..d486021f73c 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -30,7 +30,7 @@ # - shared/reporting.md # - shared/copilot-pr-analysis-base.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"56f6338bcbf866f2e3bfb38458b14a063fc5cbf78c88e3980396609a23234e26"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"56f6338bcbf866f2e3bfb38458b14a063fc5cbf78c88e3980396609a23234e26","strict":true} name: "Copilot PR Prompt Pattern Analysis" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 2b86e861df8..35525e2d7ad 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -32,7 +32,7 @@ # - shared/session-analysis-charts.md # - shared/session-analysis-strategies.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0e97b7dc1f36ccddaef55702eb1a54e51b2c23280be5b5c6c5f21199230a34b4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0e97b7dc1f36ccddaef55702eb1a54e51b2c23280be5b5c6c5f21199230a34b4","strict":true} name: "Copilot Session Insights" "on": @@ -86,6 +86,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index b221d250e31..33b07ed942e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -23,7 +23,7 @@ # # Generates new agentic workflow markdown files based on user requests when invoked with /craft command # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ec234868e45fe0e4849c2b73f9ef1181d4d0e9072b1f6beaef8b2d7d403860f4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ec234868e45fe0e4849c2b73f9ef1181d4d0e9072b1f6beaef8b2d7d403860f4","strict":true} name: "Workflow Craft Agent" "on": @@ -88,6 +88,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 2792386fab5..2b3c69b7927 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"15c319e318a6b9de87fc6b5acd2a3c80463bb2ac5970875c00ce5325d428a71d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"15c319e318a6b9de87fc6b5acd2a3c80463bb2ac5970875c00ce5325d428a71d","strict":true} name: "Architecture Diagram Generator" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 763bf14032a..fda642d6d84 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"43fc2ec5935f4044529bec2ad354af59f9e74913f3c5b920c0df10ab206b96c9"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"43fc2ec5935f4044529bec2ad354af59f9e74913f3c5b920c0df10ab206b96c9","strict":true} name: "Auto-Assign Issue" "on": @@ -75,6 +75,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 503a0db4a04..ba810dc2760 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -23,7 +23,7 @@ # # Daily test workflow using Claude with custom safe-output job containing choice inputs # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"31a8a1b584135f0ed4cdd3a2450e0021a0313f15b9972029be69b9f417a76e4c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"31a8a1b584135f0ed4cdd3a2450e0021a0313f15b9972029be69b9f417a76e4c","strict":true} name: "Daily Choice Type Test" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 612addbe2ab..e444f70d111 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -28,7 +28,7 @@ # - shared/go-make.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a573baa1f4c6a22b57c781ccbf0dce23b1dd16f5ab2609d3a27782be2705a95a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a573baa1f4c6a22b57c781ccbf0dce23b1dd16f5ab2609d3a27782be2705a95a","strict":true} name: "Daily CLI Performance Agent" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index ec42fce5a3b..c9d06c3ddb7 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -23,7 +23,7 @@ # # Daily exploratory testing of audit, logs, and compile tools in gh-aw CLI # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"58157c3361534be3a0e560ec4352c03e1c40abb58017d361979084761537bfc0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"58157c3361534be3a0e560ec4352c03e1c40abb58017d361979084761537bfc0","strict":true} name: "Daily CLI Tools Exploratory Tester" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index bde33011be7..170c6117b82 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trends.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"752483afe6f2289138ae778d8f63609e565d68836cd56772963bd0feacca2da1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"752483afe6f2289138ae778d8f63609e565d68836cd56772963bd0feacca2da1","strict":true} name: "Daily Code Metrics and Trend Tracking Agent" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 8faa7b3804c..2ad188d27f8 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"43b61ccd4023929211202d467bd670da7af659d6869c4582f175822d3493c087"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"43b61ccd4023929211202d467bd670da7af659d6869c4582f175822d3493c087","strict":true} name: "Daily Compiler Quality Check" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index bbbab62af4b..b4266c72779 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -29,7 +29,7 @@ # - shared/python-dataviz.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e169cd5719222d687b57691ae17a415ba5ba39aa88f602bda576f21848355982"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e169cd5719222d687b57691ae17a415ba5ba39aa88f602bda576f21848355982","strict":true} name: "Daily Copilot Token Consumption Report" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index b91a6796e71..af0ae283f12 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -23,7 +23,7 @@ # # Self-healing companion to the Daily Documentation Updater that detects documentation gaps missed by DDUw and proposes corrections # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ea22cf3cae7f01b85d1c7223dfff4219798b9c1821418b55b53182a2c992c638"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ea22cf3cae7f01b85d1c7223dfff4219798b9c1821418b55b53182a2c992c638","strict":true} name: "Daily Documentation Healer" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 670d79c2f46..ac41ae47261 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -23,7 +23,7 @@ # # Automatically reviews and updates documentation to ensure accuracy and completeness # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"9cc6295dbd7c765e3874d3994dddfdcff53d62e24627a054ec25bbbfe8a48b00"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"9cc6295dbd7c765e3874d3994dddfdcff53d62e24627a054ec25bbbfe8a48b00","strict":true} name: "Daily Documentation Updater" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 950674844e3..3fcc388398b 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -23,7 +23,7 @@ # # Posts a daily poetic verse about the gh-aw project to a discussion thread # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"3fe8069e73efba5ca03ea4db342e0206f7f91ab0173b8e9897869d15d9c78230"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3fe8069e73efba5ca03ea4db342e0206f7f91ab0173b8e9897869d15d9c78230","strict":true} name: "Daily Fact About gh-aw" "on": @@ -70,6 +70,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 71fa93b9f33..18f9bce13be 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"70afbdd1e3c59b27fde620365bdd2f0f14030571674bb7ed196cb3c56bf34979"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"70afbdd1e3c59b27fde620365bdd2f0f14030571674bb7ed196cb3c56bf34979","strict":true} name: "Daily File Diet" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index e175bfdd341..f54c01ff638 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -28,7 +28,7 @@ # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"3ecc36515ae075ce2373fb80d13b85414144c5e3cd5fc9a75197173e3f4b65e2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3ecc36515ae075ce2373fb80d13b85414144c5e3cd5fc9a75197173e3f4b65e2","strict":true} name: "Daily Firewall Logs Collector and Reporter" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index a6ebb7fccb8..2b8015e5127 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -31,7 +31,7 @@ # - shared/reporting.md # - shared/trends.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0b2b5a8686d1b1cbb7ae3b1539786c390d00c6b808d981771054a8a1c24c581b"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0b2b5a8686d1b1cbb7ae3b1539786c390d00c6b808d981771054a8a1c24c581b","strict":true} name: "Daily Issues Report Generator" "on": @@ -87,6 +87,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index d786c91cada..5b965ecf01e 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"56700867131a6ee6860f7cbb916c96782b4c656bfe5342b4be473da1c3eb0c82"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"56700867131a6ee6860f7cbb916c96782b4c656bfe5342b4be473da1c3eb0c82","strict":true} name: "Daily Malicious Code Scan Agent" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 4dfa90dc444..7fc20c8dd60 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -28,7 +28,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"595d7d1155099c3a8595cae572c2112d06f01a59698ce96ddeccd87f1da82d96"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"595d7d1155099c3a8595cae572c2112d06f01a59698ce96ddeccd87f1da82d96","strict":true} name: "Daily MCP Tool Concurrency Analysis" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 36bdb81c133..a5b12dd315d 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -28,7 +28,7 @@ # - shared/docs-server-lifecycle.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8f84bb2f90e6a52e64d8b619fa2b429f3d8bc1150ab7268f650c93dca9c16473"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"8f84bb2f90e6a52e64d8b619fa2b429f3d8bc1150ab7268f650c93dca9c16473","strict":true} name: "Multi-Device Docs Tester" "on": @@ -87,6 +87,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index af573ad8a36..2520ffb5fd8 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -31,7 +31,7 @@ # - shared/reporting.md # - shared/trends.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"1ac39a8230fd053ed51356e22c975e01f92adacbc0b2c86481e600549aa107d7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"1ac39a8230fd053ed51356e22c975e01f92adacbc0b2c86481e600549aa107d7","strict":true} name: "Daily News" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index f48f36c4aee..9745dde7c63 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"1b990129663822b2a2ec35c48272d37d9b5fd2588701da99710163ff9f98f551"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"1b990129663822b2a2ec35c48272d37d9b5fd2588701da99710163ff9f98f551","strict":true} name: "Daily Observability Report for AWF Firewall and MCP Gateway" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 642690d7afb..ecf60b3a6cd 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e122dc205e62037c58443024bb7827fc2c4474c74536e2043be657fe4d9c79a2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e122dc205e62037c58443024bb7827fc2c4474c74536e2043be657fe4d9c79a2","strict":true} name: "Daily Project Performance Summary Generator (Using Safe Inputs)" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 3ceebdd8b53..caea619a8de 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -28,7 +28,7 @@ # - shared/github-queries-safe-input.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4981509a6079c94c5b8fd172d8812c9c5bab1f192cba2eae4352305af61e06c0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4981509a6079c94c5b8fd172d8812c9c5bab1f192cba2eae4352305af61e06c0","strict":true} name: "Daily Regulatory Report Generator" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 071ca69f7a8..e5b4bfe7643 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"381a6c01f344b342056507311653cad014f3159ed676431b41d1357e1c9fd3be"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"381a6c01f344b342056507311653cad014f3159ed676431b41d1357e1c9fd3be","strict":true} name: "Daily Rendering Scripts Verifier" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index e6ec652edcc..db6b91ada20 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trends.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d280003c53503f710cbc175043762a3178ecce060643056b10bb62925563677f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d280003c53503f710cbc175043762a3178ecce060643056b10bb62925563677f","strict":true} name: "The Daily Repository Chronicle" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index ddb4b8c196c..00b78d9855d 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -28,7 +28,7 @@ # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"34459ba98cad0356b507423708958b0455022e2797d063650cc338a06efe8309"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"34459ba98cad0356b507423708958b0455022e2797d063650cc338a06efe8309","strict":true} name: "Daily Safe Output Tool Optimizer" "on": @@ -85,6 +85,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 6d13617c1f2..00e4aa97c37 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"21aed5a790b18a69e43b11e8b77c34a541af72fe195f21731240765cc3554c83"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"21aed5a790b18a69e43b11e8b77c34a541af72fe195f21731240765cc3554c83","strict":true} name: "Daily Safe Outputs Conformance Checker" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 17664ce62fb..8ea23afc45c 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f2aa146eb6b0f4cbf136d67791c53ae36f856bb0e601f602bac114089b381231"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f2aa146eb6b0f4cbf136d67791c53ae36f856bb0e601f602bac114089b381231","strict":true} name: "Daily Secrets Analysis Agent" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 57fa600359f..e3e65d7941b 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"faae0c6b8934d1bddba33b3806bb7a6af5f34053fc5d210772b64dbf26c2baa0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"faae0c6b8934d1bddba33b3806bb7a6af5f34053fc5d210772b64dbf26c2baa0","strict":true} name: "Daily Security Red Team Agent" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 9a7cdfd0074..4688a63a333 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/semgrep.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7a5a221735702a7991fbde05fac553787d4cfc4450c09c4962ab14031c99a869"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"7a5a221735702a7991fbde05fac553787d4cfc4450c09c4962ab14031c99a869","strict":true} name: "Daily Semgrep Scan" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 1a0109bae87..c72f31af3b9 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c4b7c52a6c58b8c054b75b4e9240efd1b9435789fa1f35652462876451aed8b2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c4b7c52a6c58b8c054b75b4e9240efd1b9435789fa1f35652462876451aed8b2","strict":true} name: "Daily Syntax Error Quality Check" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 4f42853738f..9b3eababd0b 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5cd3e800be141c9f7d3c827c683abb13e8db1661f5b12e1d6af506e135cbe5a4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"5cd3e800be141c9f7d3c827c683abb13e8db1661f5b12e1d6af506e135cbe5a4"} name: "Daily Team Evolution Insights" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 70db548ed21..d362d840cd2 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -33,7 +33,7 @@ # Imports: # - githubnext/agentics/workflows/shared/reporting.md@d3422bf940923ef1d43db5559652b8e1e71869f3 # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ca307870d9450bb5749137eaec17bcf28b1ef69da1cce257a7c7f9b864312cf6","stop_time":"2026-02-09 04:24:39"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ca307870d9450bb5749137eaec17bcf28b1ef69da1cce257a7c7f9b864312cf6","stop_time":"2026-02-09 04:24:39","strict":true} # # Effective stop-time: 2026-02-09 04:24:39 @@ -90,6 +90,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 8191b57527e..4e28a0e709e 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/safe-output-app.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0935d96e21c4e3fcee9b2a941f983c92b12d0ea27c07d196b6d43a60eb7e482f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0935d96e21c4e3fcee9b2a941f983c92b12d0ea27c07d196b6d43a60eb7e482f","strict":true} name: "Daily Testify Uber Super Expert" "on": @@ -85,6 +85,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index b5fec3c2c92..a794ddc87e1 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -23,7 +23,7 @@ # # Automatically updates GitHub Actions versions and creates a PR if changes are detected # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"9d7967bd6136b5508b4c77453fb2f1f2caf089b92359ad5375989524d06ba347"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"9d7967bd6136b5508b4c77453fb2f1f2caf089b92359ad5375989524d06ba347","strict":true} name: "Daily Workflow Updater" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 93b20ef34e0..f71bddf6d70 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -23,7 +23,7 @@ # # Daily dead code assessment and removal — identifies unreachable Go functions using static analysis and creates a PR to remove a batch each day # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fa086fa48d23515e37fdf92ef825e11e376fcedf5ffe99f7e5d9ce5164deb071"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"fa086fa48d23515e37fdf92ef825e11e376fcedf5ffe99f7e5d9ce5164deb071","strict":true} name: "Dead Code Removal Agent" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index e95da0b37e7..e70ed7741a7 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/weekly-issues-data-fetch.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a6d0e46b1953d18e70a4029c7369fb96273432fdd02f2f5ca890a750bcfeb2b1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a6d0e46b1953d18e70a4029c7369fb96273432fdd02f2f5ca890a750bcfeb2b1","strict":true} name: "DeepReport - Intelligence Gathering Agent" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 5b7e91a716f..29691ebda4e 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -28,7 +28,7 @@ # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e01a758d3c758d82eabd4d9eb701b44134df6d64acef6cfda2bfc18ba603d73d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e01a758d3c758d82eabd4d9eb701b44134df6d64acef6cfda2bfc18ba603d73d","strict":true} name: "Delight" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index ebda1c4df0f..d27ad004e41 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6e0fca12f8bed9a8517bf5358ecc83c96dbcf89f2da3aed33ce0d75a66a7695d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6e0fca12f8bed9a8517bf5358ecc83c96dbcf89f2da3aed33ce0d75a66a7695d","strict":true} name: "Dependabot Burner" "on": @@ -78,6 +78,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index f5a833e9700..fda8a98514e 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -23,7 +23,7 @@ # # Checks for Go module and NPM dependency updates and analyzes Dependabot PRs for compatibility and breaking changes # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"25006728692ed67f0a5eff4aa4ad386e376932f4bc29965fa0689ccf517cdc4d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"25006728692ed67f0a5eff4aa4ad386e376932f4bc29965fa0689ccf517cdc4d","strict":true} name: "Dependabot Dependency Checker" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 8eff28fae30..c61e25c4892 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -23,7 +23,7 @@ # # Monitors development workflow activities and provides real-time alerts and insights on pull requests and CI status # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"aa448b3fcead039b6003089c1039cb3d15ce90ec940704c2e34f745bc25cc03f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"aa448b3fcead039b6003089c1039cb3d15ce90ec940704c2e34f745bc25cc03f","strict":true} name: "Dev Hawk" "on": @@ -86,6 +86,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index f402155e038..09fd0a3595d 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -23,7 +23,7 @@ # # Daily status report for gh-aw project # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8c8abae2e173ed0fcbd79e5003187cf9b17e04ae7fd24f874ccbd71611af6387"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"8c8abae2e173ed0fcbd79e5003187cf9b17e04ae7fd24f874ccbd71611af6387"} name: "Dev" "on": @@ -75,6 +75,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 6704b7d5481..a74ec6c713b 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ba20f92152708c40f6b55c5384131f6e54f60e07c1d5f0fe932645b137b1ee2e"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ba20f92152708c40f6b55c5384131f6e54f60e07c1d5f0fe932645b137b1ee2e","strict":true} name: "Developer Documentation Consolidator" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 7f91d91616b..6080110cf48 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"16af25ab41ce0041c3db1e91145eacb6fa58d80cd9b2fecc6f8fc9a3f16a6641"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"16af25ab41ce0041c3db1e91145eacb6fa58d80cd9b2fecc6f8fc9a3f16a6641","strict":true} name: "Dictation Prompt Generator" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 1925c8e7d38..ddbb66fbfa6 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -28,7 +28,7 @@ # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"369306db8e069e8fb4ba4a3dbc0d85f4455b1aa0b39e52107b7822a8ef096aba"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"369306db8e069e8fb4ba4a3dbc0d85f4455b1aa0b39e52107b7822a8ef096aba","strict":true} name: "Discussion Task Miner - Code Quality Improvement Agent" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 91f90d6f3a7..83afe9685fc 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/docs-server-lifecycle.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e8b3b6fdeb5e2a00c46175267f7a516ef828264d884f2aa2b29474d0ce2b2592"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e8b3b6fdeb5e2a00c46175267f7a516ef828264d884f2aa2b29474d0ce2b2592","strict":true} name: "Documentation Noob Tester" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index b88fae564a4..c7f391cad8d 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -23,7 +23,7 @@ # # Automated cleanup policy for stale draft pull requests to reduce clutter and improve triage efficiency # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c6eb2caa9620b443d909c6fdf3be709069b7b91df9578cbf98351a04923d8a25"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c6eb2caa9620b443d909c6fdf3be709069b7b91df9578cbf98351a04923d8a25","strict":true} name: "Draft PR Cleanup" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index f86721a4b56..b39e21975de 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fcd0677bc45a2e116662616286ca59ac108757b01a1588e6c83c767465fc9871"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"fcd0677bc45a2e116662616286ca59ac108757b01a1588e6c83c767465fc9871","strict":true} name: "Duplicate Code Detector" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 5bf7014e6ac..c303d2d99e7 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -23,7 +23,7 @@ # # Example workflow demonstrating proper permission provisioning and security best practices # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"cbc025e1319832edb0b85151db2c36cdde748e467faf1d0d20c646d33e8a0542"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cbc025e1319832edb0b85151db2c36cdde748e467faf1d0d20c646d33e8a0542"} name: "Example: Properly Provisioned Permissions" "on": @@ -74,6 +74,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 0ec291feba3..4f5a619e5e4 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b2b481f42784eb25bc36cfd587b8b96ac047f581e1d27b81d4f1563711bb420c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"b2b481f42784eb25bc36cfd587b8b96ac047f581e1d27b81d4f1563711bb420c","strict":true} name: "Weekly Workflow Analysis" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index b6aabdcebc4..29100220eb6 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -23,7 +23,7 @@ # # Security testing to find escape paths in the AWF (Agent Workflow Firewall) # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"74e501e0d13e7e5a3b2d21418bc8460f5c0023998ac599caa303fec99234b69e"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"74e501e0d13e7e5a3b2d21418bc8460f5c0023998ac599caa303fec99234b69e","strict":true} name: "The Great Escapi" "on": @@ -89,6 +89,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 75e4a56930b..2d8ec453e43 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -23,7 +23,7 @@ # # Tests network firewall functionality and validates security rules for workflow network access # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"2a0e834ee3cd0e91a2b612df54c1ffa488ab6e446f79ede1851d9af4a6365de0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"2a0e834ee3cd0e91a2b612df54c1ffa488ab6e446f79ede1851d9af4a6365de0","strict":true} name: "Firewall Test Agent" "on": @@ -74,6 +74,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 9cfe71b5341..d2bac776f9f 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c9f371e2c9f855df56da69aa6fa020ab7f3762c68248c087fdbb48e2615c6bc2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c9f371e2c9f855df56da69aa6fa020ab7f3762c68248c087fdbb48e2615c6bc2","strict":true} name: "Functional Pragmatist" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index a103f9f9961..954ee4fb5e5 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -28,7 +28,7 @@ # - shared/python-dataviz.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e314a7caa709a40bada89d9ecc8da3d787fc666e3fc168e0b6ccc2d17f0fd89f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e314a7caa709a40bada89d9ecc8da3d787fc666e3fc168e0b6ccc2d17f0fd89f","strict":true} name: "GitHub MCP Structural Analysis" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index b217dfb1516..ec0091cdd44 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4dfbb7c20c8c63aa5741b2465985b3e579cc02728ba2187d3a28a8f548d39d2c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4dfbb7c20c8c63aa5741b2465985b3e579cc02728ba2187d3a28a8f548d39d2c","strict":true} name: "GitHub MCP Remote Server Tools Report Generator" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 9d1ca6c96ee..9af9721b4a0 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -23,7 +23,7 @@ # # Daily test of GitHub remote MCP authentication with GitHub Actions token # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"db9f3ebc997b550ea21426bffe49626f5370c470f814cac5e5846ac09231c0c4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"db9f3ebc997b550ea21426bffe49626f5370c470f814cac5e5846ac09231c0c4","strict":true} name: "GitHub Remote MCP Authentication Test" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 9a55d926c5a..96b00004117 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -29,7 +29,7 @@ # - ../skills/documentation/SKILL.md # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a8396d3fdc420a67bda3195b1a040e89160fd59ac515a342320200c977c49452"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a8396d3fdc420a67bda3195b1a040e89160fd59ac515a342320200c977c49452","strict":true} name: "Glossary Maintainer" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index c0678d86729..6b24d8f2de2 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"3ca391548ba08c8a271413f4cf5a5ec319865e7da8f0a921a2d070743534688d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3ca391548ba08c8a271413f4cf5a5ec319865e7da8f0a921a2d070743534688d","strict":true} name: "Go Fan" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index ced158c9d83..1fae4d0c588 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/go-make.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f25ce343847e9c88cf0b683033fae1614998f81e330da7bf355bcf7a2e50e199"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f25ce343847e9c88cf0b683033fae1614998f81e330da7bf355bcf7a2e50e199","strict":true} name: "Go Logger Enhancement" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 227dfc13426..2c15c19f2ff 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/ast-grep.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d0376cb6b3eae45827ed7c21ea355b6564f20c636546a5b3a584cf8f880edfba"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d0376cb6b3eae45827ed7c21ea355b6564f20c636546a5b3a584cf8f880edfba","strict":true} name: "Go Pattern Detector" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 25014f46f4b..2f240118510 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -23,7 +23,7 @@ # # Reviews go.mod dependencies daily to detect and remove GPL-licensed transitive dependencies # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f1f3400034da3b5add3e5f4fc685db480ccc0fe3435b78acc5a6f002785e931c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f1f3400034da3b5add3e5f4fc685db480ccc0fe3435b78acc5a6f002785e931c"} name: "GPL Dependency Cleaner (gpclean)" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 3f565b3dee2..543187450c6 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -23,7 +23,7 @@ # # Performs critical code review with a focus on edge cases, potential bugs, and code quality issues # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"403d9936fc6249000fae23cde6a8f3c8cc9247d18a0878db821aa3fa2766b340"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"403d9936fc6249000fae23cde6a8f3c8cc9247d18a0878db821aa3fa2766b340","strict":true} name: "Grumpy Code Reviewer 🔥" "on": @@ -93,6 +93,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 1af10e6c18d..a111f57c06e 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -27,7 +27,7 @@ # Imports: # - ../agents/ci-cleaner.agent.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f715c77536157d46d383a993c4e231ed9f29a36b211b1b17df979aae0699f650"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f715c77536157d46d383a993c4e231ed9f29a36b211b1b17df979aae0699f650","strict":true} name: "CI Cleaner" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 41f20ac9df4..cf6ac7042eb 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -23,7 +23,7 @@ # # Reviews and cleans up instruction files to ensure clarity, consistency, and adherence to best practices # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"2b58ac826f62d19d5c8c1a4e00a7fcb7716118e1f6a7035bb9a05f66507246d3"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"2b58ac826f62d19d5c8c1a4e00a7fcb7716118e1f6a7035bb9a05f66507246d3","strict":true} name: "Instructions Janitor" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 545d8b98791..7cf1f5e11d3 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/jqschema.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"1f2a33fe267f0f46c6ccc56a29048e0710ca193557b58f725e47657db011d73c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"1f2a33fe267f0f46c6ccc56a29048e0710ca193557b58f725e47657db011d73c","strict":true} name: "Issue Arborist" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index bb8d2dd564b..601a66480b3 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -23,7 +23,7 @@ # # The Cookie Monster of issues - assigns issues to Copilot coding agent one at a time # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"2ababe1bdc7d094c401b9491ec0f362786fabd31e1e5fc1025db33681912136a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"2ababe1bdc7d094c401b9491ec0f362786fabd31e1e5fc1025db33681912136a","strict":true} name: "Issue Monster" "on": @@ -85,6 +85,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 41b8c511b3c..b5b54099e9f 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -26,7 +26,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"cc01e3ec4eab67fdae7e840ee5453082e44c0dfb5ea5c4830515dfec24afad81"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cc01e3ec4eab67fdae7e840ee5453082e44c0dfb5ea5c4830515dfec24afad81","strict":true} name: "Issue Triage Agent" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 748b9cb6c8e..4aab8571a26 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -23,7 +23,7 @@ # # Daily JavaScript unbloater that cleans one .cjs file per day, prioritizing files with @ts-nocheck to enable type checking # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"3b152ad44091be5971f16c1244a76cc06b0bdc61a021b3b7027b743cf6b09a88"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3b152ad44091be5971f16c1244a76cc06b0bdc61a021b3b7027b743cf6b09a88","strict":true} name: "jsweep - JavaScript Unbloater" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 080c60c894c..8a82051efc0 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -23,7 +23,7 @@ # # Maintains scratchpad/layout.md with patterns of file paths, folder names, and artifact names used in lock.yml files # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c61c2fc6fdaad7fbb37a50e21b4925d4b6fdc6c7dcf7a4e48bed6fe2dafebd86"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c61c2fc6fdaad7fbb37a50e21b4925d4b6fdc6c7dcf7a4e48bed6fe2dafebd86","strict":true} name: "Layout Specification Maintainer" "on": @@ -78,6 +78,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 1c0345e6868..7c0fddd4faf 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8e7c90b156e9a9c5a415792db7e51dd31799eb95a17d36b2034ccb3ceb3d71d6"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"8e7c90b156e9a9c5a415792db7e51dd31799eb95a17d36b2034ccb3ceb3d71d6","strict":true} name: "Lockfile Statistics Analysis Agent" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 00d97a5f97a..ad9cc0423a0 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -42,7 +42,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e92fc7f19a13329f2f521f2c3ade949e9a30c1bd31c9752c012a660be935c8a8"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e92fc7f19a13329f2f521f2c3ade949e9a30c1bd31c9752c012a660be935c8a8"} name: "MCP Inspector Agent" "on": @@ -96,6 +96,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index be7a9fc2491..c9413c7fbc9 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -23,7 +23,7 @@ # # Automatically merges the main branch into pull request branches when invoked with /mergefest command # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c981d37f11bc2c11773de35070124859129139ba95aff08624c563605165439f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c981d37f11bc2c11773de35070124859129139ba95aff08624c563605165439f","strict":true} name: "Mergefest" "on": @@ -88,6 +88,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 24a9a6579d4..4e0377d5af6 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -23,7 +23,7 @@ # # Collects daily performance metrics for the agent ecosystem and stores them in repo-memory # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b5f384f27d5b48e0c6e4600f71718bafab6244d85c1bf0e04afeadeef6c76147"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"b5f384f27d5b48e0c6e4600f71718bafab6244d85c1bf0e04afeadeef6c76147","strict":true} name: "Metrics Collector - Infrastructure Agent" "on": @@ -79,6 +79,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 232c55c5b08..75ae1cc0145 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/notion.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"92dea2779599cc352b88f4ecc85cd97c218fdb3693e7d906216308624b4aab66"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"92dea2779599cc352b88f4ecc85cd97c218fdb3693e7d906216308624b4aab66","strict":true} name: "Issue Summary to Notion" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 5ae3aef32e7..2de59df8b13 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -29,7 +29,7 @@ # - shared/python-dataviz.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"69c42ab10b276922ff8a54f27c02a0dacef4ccf036124cd8aeba296e1e7062b2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"69c42ab10b276922ff8a54f27c02a0dacef4ccf036124cd8aeba296e1e7062b2","strict":true} name: "Organization Health Report" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index a9b4c0c8d13..b0d78a33bc1 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/markitdown.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6d3174d6f6e18cf0e99b8c93c294401c6d7ddb699196eaa13776f0b49f5909ed"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6d3174d6f6e18cf0e99b8c93c294401c6d7ddb699196eaa13776f0b49f5909ed","strict":true} name: "Resource Summarizer Agent" "on": @@ -111,6 +111,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 4cd1e5133ee..1e5426c659e 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -23,7 +23,7 @@ # # Generates project plans and task breakdowns when invoked with /plan command in issues or PRs # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0557f488754d46db0b535c04267efa16ae72869133b87a4a9a8de87a96067ed3"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0557f488754d46db0b535c04267efa16ae72869133b87a4a9a8de87a96067ed3","strict":true} name: "Plan Command" "on": @@ -93,6 +93,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 3fb098fa84f..058ecac3fff 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e24bfae6e6ba9dc7f6a26fe8161c93e8774e99aa4873bb6744f0c887c91a4483"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e24bfae6e6ba9dc7f6a26fe8161c93e8774e99aa4873bb6744f0c887c91a4483","strict":true} name: "Poem Bot - A Creative Agentic Workflow" "on": @@ -103,6 +103,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index f22efc2e702..767c4c07360 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"5ce7de38be10ce6c0508b9539cac1a60934fd8a5c24645a3bc0c86a00940cad7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"5ce7de38be10ce6c0508b9539cac1a60934fd8a5c24645a3bc0c86a00940cad7","strict":true} name: "Automated Portfolio Analyst" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 144ac2218fc..6d43893d2c5 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"02499e8cdb83ed473b50353b2f91edd95d5c962027fc11a8aaf5b11e67096427"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"02499e8cdb83ed473b50353b2f91edd95d5c962027fc11a8aaf5b11e67096427","strict":true} name: "PR Nitpick Reviewer 🔍" "on": @@ -121,6 +121,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 7fdb435f8e6..e944423b52c 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -23,7 +23,7 @@ # # Automates PR categorization, risk assessment, and prioritization for agent-created pull requests # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"94a5ac625c0b7b109a6b1fbcbd0f959c3b8b63a5bbd1db2a0bae2cacb3ef9d24"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"94a5ac625c0b7b109a6b1fbcbd0f959c3b8b63a5bbd1db2a0bae2cacb3ef9d24","strict":true} name: "PR Triage Agent" "on": @@ -76,6 +76,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index ba59d9ef496..62f9e8c0021 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -30,7 +30,7 @@ # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c6051d7e8a777bfa29db0e37e958bd0e676e466bf208a60121ccabbb7e25b658"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c6051d7e8a777bfa29db0e37e958bd0e676e466bf208a60121ccabbb7e25b658","strict":true} name: "Copilot Agent Prompt Clustering Analysis" "on": @@ -86,6 +86,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 1318ff7c403..10547830c4f 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -29,7 +29,7 @@ # - shared/trends.md # - shared/charts-with-trending.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fea56ce855d62d8ab45a91075e76e3d0e962187e06f6b07d7ca24ecf50d2f4c0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"fea56ce855d62d8ab45a91075e76e3d0e962187e06f6b07d7ca24ecf50d2f4c0","strict":true} name: "Python Data Visualization Generator" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index b6dc61646d2..aca7505f0e1 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"cb6ed8dab707b132d94308cfeeaff3742ef7760d4c81f0b8b323517152ecc608"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cb6ed8dab707b132d94308cfeeaff3742ef7760d4c81f0b8b323517152ecc608","strict":true} name: "Q" "on": @@ -129,6 +129,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 464f0dc2b58..ea0cfc26cce 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -23,7 +23,7 @@ # # Aligns code style with repository conventions, detects security issues, and improves tests # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0e922937e3bbf78c7fb8096f24dc950acfeecc9a2f4fd0947b31dbf5715990d8"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0e922937e3bbf78c7fb8096f24dc950acfeecc9a2f4fd0947b31dbf5715990d8","strict":true} name: "Code Refiner" "on": @@ -92,6 +92,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index d9f773befed..3dfcc2df88c 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -23,7 +23,7 @@ # # Build, test, and release gh-aw extension, then generate and prepend release highlights # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4b2b1455692142cdb61d59c9a0979e84af7b5adf88b385d7f58bf26654945b1c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4b2b1455692142cdb61d59c9a0979e84af7b5adf88b385d7f58bf26654945b1c"} name: "Release" "on": @@ -88,6 +88,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "false" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 8ac76608e3b..9c4831f4309 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"83f67c7db0b6f9679570e272c311a7239fa2f9444319c2bf3b86710a3cdaa6ec"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"83f67c7db0b6f9679570e272c311a7239fa2f9444319c2bf3b86710a3cdaa6ec","strict":true} name: "Repository Audit & Agentic Workflow Opportunity Analyzer" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e2f60ea070b..e17d733d2da 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"3353c3598b8b70f6c9ad4b1b6d40b6ce12bc6a526a3d0323c46b8b7f71c9b16c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"3353c3598b8b70f6c9ad4b1b6d40b6ce12bc6a526a3d0323c46b8b7f71c9b16c","strict":true} name: "Repository Tree Map Generator" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index f6f8542c584..4be3b1fcb05 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6bb1a0d4a4a46eebdfbddfe915d6345a17575dd0489817be13e208c9921460da"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6bb1a0d4a4a46eebdfbddfe915d6345a17575dd0489817be13e208c9921460da","strict":true} name: "Repository Quality Improvement Agent" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index eb036e4d209..d8cafa30431 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d0a1dc5317a1a485182e80d6b6942132e16b2af637d6e359401d4cb31928f55e"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d0a1dc5317a1a485182e80d6b6942132e16b2af637d6e359401d4cb31928f55e","strict":true} name: "Basic Research Agent" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index edb5bca0831..e28aaf868eb 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -28,7 +28,7 @@ # - shared/jqschema.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"00020e00cf1cd2251ab99ac78f281500ee26b1c69695f71ec416769285c291a9"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"00020e00cf1cd2251ab99ac78f281500ee26b1c69695f71ec416769285c291a9","strict":true} name: "Safe Output Health Monitor" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index c1432ee363e..a539578d4c4 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7cb844c9c9c32229b2755637af132ad41de3ddbda8eff01a2f5a5f753fb303a6"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"7cb844c9c9c32229b2755637af132ad41de3ddbda8eff01a2f5a5f753fb303a6","strict":true} name: "Schema Consistency Checker" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index d29b57f2e45..31d02c02aa6 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -33,7 +33,7 @@ # - shared/mcp/tavily.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ab1cde07589013cf3883a1da93d56db5e5aa305c3baae6e98dae8954cf10dcdd"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ab1cde07589013cf3883a1da93d56db5e5aa305c3baae6e98dae8954cf10dcdd","strict":true} name: "Scout" "on": @@ -148,6 +148,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 72b6e8b0dfb..f80453442a3 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -23,7 +23,7 @@ # # Orchestrator workflow for campaign 'security-alert-burndown' # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"44e9ad89fc3f881e52e25ebc92ed461a8df570529c59e8a155cfb0e503531a80"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"44e9ad89fc3f881e52e25ebc92ed461a8df570529c59e8a155cfb0e503531a80","strict":true} name: "Security Alert Burndown" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 24a94ab4398..a1ead447ecb 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -23,7 +23,7 @@ # # Fix critical vulnerabilities before audit deadline with full tracking and reporting # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"01738ba16ae7253d0909165ffb3f971ef84f616ce8f131598481ca66c9c0827f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"01738ba16ae7253d0909165ffb3f971ef84f616ce8f131598481ca66c9c0827f","strict":true} name: "Security Compliance Campaign" "on": @@ -89,6 +89,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 59eb70a141e..550efd15293 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -23,7 +23,7 @@ # # Security-focused AI agent that reviews pull requests to identify changes that could weaken security posture or extend AWF boundaries # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d5881d67be07fecc7e9406368eba2019fc2dc659a2db705ea58278f705731b16"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d5881d67be07fecc7e9406368eba2019fc2dc659a2db705ea58278f705731b16","strict":true} name: "Security Review Agent 🔒" "on": @@ -93,6 +93,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 0f410343441..9ea667dabf3 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"58b9c667bf6db3acec9c27027d1346b4cd6bb700b508ed533569938971852631"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"58b9c667bf6db3acec9c27027d1346b4cd6bb700b508ed533569938971852631","strict":true} name: "Semantic Function Refactoring" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 764e64f107a..d0bb2caaab0 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"02bf772df769e1b8dcee8170592780e7f1203860768210b7bf353632372b9d86"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"02bf772df769e1b8dcee8170592780e7f1203860768210b7bf353632372b9d86","strict":true} name: "Sergo - Serena Go Expert" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 380b1cd0077..a72c59ac579 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -23,7 +23,7 @@ # # Maintains the gh-aw slide deck by scanning repository content and detecting layout issues using Playwright # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0b3d7f1cb6dbc12d69cb6f2f524b6c7eaec295bbc300df932437af7677e97e6c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0b3d7f1cb6dbc12d69cb6f2f524b6c7eaec295bbc300df932437af7677e97e6c","strict":true} name: "Slide Deck Maintainer" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-agent.lock.yml b/.github/workflows/smoke-agent.lock.yml index 80e3b5a01aa..4cb9950e8ff 100644 --- a/.github/workflows/smoke-agent.lock.yml +++ b/.github/workflows/smoke-agent.lock.yml @@ -23,7 +23,7 @@ # # Smoke test that validates assign-to-agent with the agentic-workflows custom agent # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"53b841f3533e56fd2307fdc9ead2cc276bcb4fa7ff3e547aec2f1c2244f47833"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"53b841f3533e56fd2307fdc9ead2cc276bcb4fa7ff3e547aec2f1c2244f47833","strict":true} name: "Smoke Agent" "on": @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index cf7dbb45925..2a89d98413a 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -35,7 +35,7 @@ # # inlined-imports: true # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"db18e693a8f2c6dae969b17dfe2e0c3a3f7ea10e8e1292e71b8674294e5dfc6b"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"db18e693a8f2c6dae969b17dfe2e0c3a3f7ea10e8e1292e71b8674294e5dfc6b","strict":true} name: "Smoke Claude" "on": @@ -105,6 +105,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index ea4aed79638..1a77f47d92d 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -28,7 +28,7 @@ # - shared/gh.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"b0d2bc9b08bd9968ab2dfacf004f1df93a0d83e2137a45bb5d634ba4ffefab44"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"b0d2bc9b08bd9968ab2dfacf004f1df93a0d83e2137a45bb5d634ba4ffefab44","strict":true} name: "Smoke Codex" "on": @@ -98,6 +98,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 744ed2a8cac..65eb8b39695 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -29,7 +29,7 @@ # - shared/github-queries-safe-input.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"cf1f5c608523795735700f940e81346adf7deda93a6d6f7ce67469c7230d52d1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cf1f5c608523795735700f940e81346adf7deda93a6d6f7ce67469c7230d52d1","strict":true} name: "Smoke Copilot ARM64" "on": @@ -97,6 +97,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 4d478fc006d..ea9093148b6 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -29,7 +29,7 @@ # - shared/github-queries-safe-input.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"73a535e5d847637934c1146674b9529b8472bda1f5f403896b1d1c8f78944ec7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"73a535e5d847637934c1146674b9529b8472bda1f5f403896b1d1c8f78944ec7","strict":true} name: "Smoke Copilot" "on": @@ -99,6 +99,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 3f6a07a3de6..72f7392a9f1 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -23,7 +23,7 @@ # # Smoke test validating cross-repo pull request creation in githubnext/gh-aw-side-repo # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"7df6ac5fd0e9496ec5425a827a1abda3ebb1f52b59b4d1edc78b2358cdf1a856"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"7df6ac5fd0e9496ec5425a827a1abda3ebb1f52b59b4d1edc78b2358cdf1a856","strict":true} name: "Smoke Create Cross-Repo PR" "on": @@ -92,6 +92,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index b68b783d776..0d90d098963 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -28,7 +28,7 @@ # - shared/gh.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0daf3e3fd70f487864a1ae11dafd92fb015aed0e0bd633ce78a72118bac22825"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0daf3e3fd70f487864a1ae11dafd92fb015aed0e0bd633ce78a72118bac22825","strict":true} name: "Smoke Gemini" "on": @@ -98,6 +98,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 3c04c81fe9b..fa65c274203 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -23,7 +23,7 @@ # # Test creating multiple pull requests in a single workflow run # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f118d2ac9ab4ae2772a4462cb10352fba8e98d3ec1d7a4f26bd1ae2e26ad594f"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f118d2ac9ab4ae2772a4462cb10352fba8e98d3ec1d7a4f26bd1ae2e26ad594f","strict":true} name: "Smoke Multi PR" "on": @@ -93,6 +93,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index b64354a3561..cf73a23b3cd 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -23,7 +23,7 @@ # # Smoke Project - Test project operations # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"62a1e7c54409a4610460677bbb71df79e88b6581934b10f182758930d66df8db"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"62a1e7c54409a4610460677bbb71df79e88b6581934b10f182758930d66df8db","strict":true} name: "Smoke Project" "on": @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 449f7a08c54..edffa102d61 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -23,7 +23,7 @@ # # Test temporary ID functionality for issue chaining and cross-references # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f821cce0a855c7806ea2b3d6f2e9bfa9817e799afdb0e9376d227b7793517bb2"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f821cce0a855c7806ea2b3d6f2e9bfa9817e799afdb0e9376d227b7793517bb2","strict":true} name: "Smoke Temporary ID" "on": @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 6442b91e9e8..f0726dc90f7 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -23,7 +23,7 @@ # # Smoke test to validate common development tools are available in the agent container # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"69df18949531a58c78eb1e303a1873629791d179b7184bb229c00a1a90c572e7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"69df18949531a58c78eb1e303a1873629791d179b7184bb229c00a1a90c572e7","strict":true} name: "Agent Container Smoke Test" "on": @@ -93,6 +93,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 823753f1258..aebb7dcc515 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -23,7 +23,7 @@ # # Smoke test validating cross-repo pull request updates in githubnext/gh-aw-side-repo by adding lines from Homer's Odyssey to the README # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"0dbcea46ce3435c40cb5ca9fcbd9feb04e8720f1b0b3b89993c94ae5d7bf3cd0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"0dbcea46ce3435c40cb5ca9fcbd9feb04e8720f1b0b3b89993c94ae5d7bf3cd0","strict":true} name: "Smoke Update Cross-Repo PR" "on": @@ -92,6 +92,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index d69c1f7815b..d21ef87a730 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -23,7 +23,7 @@ # # Reusable workflow to validate checkout from fork works correctly in workflow_call context # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"e4682ae552e6f61a928617dd63c45800073bec5a985c27eb1f470bf4ef3a19f0"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e4682ae552e6f61a928617dd63c45800073bec5a985c27eb1f470bf4ef3a19f0","strict":true} name: "Smoke Workflow Call" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index a7ebeb3a0a9..8cdbf2aaedc 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -29,7 +29,7 @@ # - shared/python-dataviz.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"cb88eff6090a5e966484e7a4dd6f39dcd1b246e1547c910ce2695d7faf605d00"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"cb88eff6090a5e966484e7a4dd6f39dcd1b246e1547c910ce2695d7faf605d00","strict":true} name: "Stale Repository Identifier" "on": @@ -91,6 +91,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 9a02482c22a..78f8f985a0d 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"6e704ad580181ed88b36b117249a9b0079ae21982ff1e28edffa187b14b3262c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"6e704ad580181ed88b36b117249a9b0079ae21982ff1e28edffa187b14b3262c","strict":true} name: "Static Analysis Report" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 61939646639..5b878ea4aff 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -23,7 +23,7 @@ # # Scans step names in .lock.yml files and aligns them with step intent and project glossary # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f3709d61fe0cc0c6bf246d73a899b74f43b4e79a87a9d28494002e568df3c44c"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f3709d61fe0cc0c6bf246d73a899b74f43b4e79a87a9d28494002e568df3c44c","strict":true} name: "Step Name Alignment" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 2e81a24524b..575e9f506ce 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -23,7 +23,7 @@ # # Scheduled workflow that recursively closes parent issues when all sub-issues are 100% complete # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a264c4ba93f8e06faac6ccf53833c472a92e3eb4fd9930e9910a4719562e3337"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a264c4ba93f8e06faac6ccf53833c472a92e3eb4fd9930e9910a4719562e3337","strict":true} name: "Sub-Issue Closer" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 10ea60dcf5f..72a2bbad8d0 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"f589eb100de1af477481827cec7cd2a51a7e5a7ae88149a8204ab6c20ad5f7db"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f589eb100de1af477481827cec7cd2a51a7e5a7ae88149a8204ab6c20ad5f7db","strict":true} name: "Super Linter Report" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 7443fb45c41..c0466a227b3 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -28,7 +28,7 @@ # - ../agents/technical-doc-writer.agent.md # - ../skills/documentation/SKILL.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"d344e91215e214c742c60a7c71f20c15fd9f545fa90bfe88550b392cbd69fb93"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d344e91215e214c742c60a7c71f20c15fd9f545fa90bfe88550b392cbd69fb93","strict":true} name: "Rebuild the documentation after making changes" "on": @@ -84,6 +84,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index f45791f2c01..206f31637d6 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/mcp/serena-go.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"94c758fe26224b557e793dbf2a020c24db55906e549a9e2f81e4c1cefd47d242"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"94c758fe26224b557e793dbf2a020c24db55906e549a9e2f81e4c1cefd47d242","strict":true} name: "Terminal Stylist" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index c505a6fb1bb..7bacca13f77 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -23,7 +23,7 @@ # # Test workflow to verify create_pull_request error handling # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"56ed383223178c83cf59d59dc38aa7e14a9cf53f0a4bc96927b48cfdf328eb16"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"56ed383223178c83cf59d59dc38aa7e14a9cf53f0a4bc96927b48cfdf328eb16","strict":true} name: "Test Create PR Error Handling" "on": @@ -74,6 +74,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 08f800a731b..34ca6c9c7d7 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"4bd8c07c60ebeaf4e44c563129d014bb1e8565000ce66a6a74cea2bc733a6c70"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4bd8c07c60ebeaf4e44c563129d014bb1e8565000ce66a6a74cea2bc733a6c70","strict":true} name: "Test Dispatcher Workflow" "on": @@ -73,6 +73,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index f7b24555b80..b0dff3af7bc 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"919aa9db316c03def96f98fa19bea30f29ce46d039263de87340d928180c4ab8"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"919aa9db316c03def96f98fa19bea30f29ce46d039263de87340d928180c4ab8","strict":true} name: "Test Project URL Explicit Requirement" "on": @@ -73,6 +73,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 37f2bd47d96..0d0b457601e 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -22,7 +22,7 @@ # For more information: https://github.github.com/gh-aw/introduction/overview/ # # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c1289924ef5c241c6bf7aede9e9822e6fe5e48cd5d6242834bb75725a19e6fd8"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c1289924ef5c241c6bf7aede9e9822e6fe5e48cd5d6242834bb75725a19e6fd8","strict":true} name: "Test Workflow" "on": @@ -78,6 +78,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 960f369781a..8db4d3e4777 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -23,7 +23,7 @@ # # Automatically formats and tidies code files (Go, JS, TypeScript) when code changes are pushed or on command # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c1ab537bf460e015b81437b1d7b086f0abfa3872ab893889dc7ca6173e4e0d73"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c1ab537bf460e015b81437b1d7b086f0abfa3872ab893889dc7ca6173e4e0d73","strict":true} name: "Tidy" "on": @@ -101,6 +101,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 0a6ebeed34c..8790698f7a0 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -28,7 +28,7 @@ # - shared/mcp/serena-go.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"a84f1d31ef089afc1ac4110815e97c8509584a617fb3384a318fe01d5e960c67"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a84f1d31ef089afc1ac4110815e97c8509584a617fb3384a318fe01d5e960c67","strict":true} name: "Typist - Go Type Analysis" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 3cf8a21d085..d5bb856ae66 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -23,7 +23,7 @@ # # Weekly analysis of the default Ubuntu Actions runner image and guidance for creating Docker mimics # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c193dd6ba034f16860806d18b40a9d2afbe981db46a99a273e4b1f0ab4c7e182"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c193dd6ba034f16860806d18b40a9d2afbe981db46a99a273e4b1f0ab4c7e182","strict":true} name: "Ubuntu Actions Image Analyzer" "on": @@ -80,6 +80,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a8f62532769..46527b6c31c 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -28,7 +28,7 @@ # - shared/docs-server-lifecycle.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"88e71e22b573468f6464e7c650c955b2a9acb1114525099be57c44ba2209bd2b"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"88e71e22b573468f6464e7c650c955b2a9acb1114525099be57c44ba2209bd2b","strict":true} name: "Documentation Unbloat" "on": @@ -97,6 +97,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index a46fc02d809..d4c13ec3f38 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/ffmpeg.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"94cc0589aede07110b1d6cf1389de05ec934688bb94f1c2d067d22c1b6b31915"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"94cc0589aede07110b1d6cf1389de05ec934688bb94f1c2d067d22c1b6b31915","strict":true} name: "Video Analysis Agent" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 7ad35a26fbf..b1a2828a5b6 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -23,7 +23,7 @@ # # Checks that the workflow editors listed in the documentation are still valid, takes Playwright screenshots, and opens a PR to update the docs with preview images # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"14d8bdeb32a4dc257f4ddd7b84ee9f5339b6369fc2521f4b8640cc1fa9ca22a7"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"14d8bdeb32a4dc257f4ddd7b84ee9f5339b6369fc2521f4b8640cc1fa9ca22a7","strict":true} name: "Weekly Editors Health Check" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 254ff442eb6..dd1309fe498 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -29,7 +29,7 @@ # - shared/reporting.md # - shared/trends.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"ccb4a4b9b79c5fda99bccf6c37c613c84d09d13bd2d0b60ed372613aa03e78d1"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"ccb4a4b9b79c5fda99bccf6c37c613c84d09d13bd2d0b60ed372613aa03e78d1","strict":true} name: "Weekly Issue Summary" "on": @@ -82,6 +82,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 5688345a3d2..450a306d05c 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -23,7 +23,7 @@ # # Reviews changes to the Safe Outputs specification and ensures the conformance checker script is up to date # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"8c2101979950b517597aa3c9a241c7dbe762d2db9cc38c38b4fd4a70faa990a4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"8c2101979950b517597aa3c9a241c7dbe762d2db9cc38c38b4fd4a70faa990a4","strict":true} name: "Weekly Safe Outputs Specification Review" "on": @@ -77,6 +77,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 463107973ef..02aa912f7d4 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -23,7 +23,7 @@ # # Workflow generator that updates issue status and assigns to Copilot coding agent for workflow design # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"43b3ac4dc74d732a6ae6dfd8e6577f9b1783197374933e17e0cfc71c9baa12a4"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"43b3ac4dc74d732a6ae6dfd8e6577f9b1783197374933e17e0cfc71c9baa12a4","strict":true} name: "Workflow Generator" "on": @@ -86,6 +86,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" GITHUB_MCP_LOCKDOWN_EXPLICIT: "true" GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 2a4df85c1c4..50f7d6a060e 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"089ab4490bcf03158fd24f624870b99b5649c592d2cbdace93adc44c729d3853"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"089ab4490bcf03158fd24f624870b99b5649c592d2cbdace93adc44c729d3853","strict":true} name: "Workflow Health Manager - Meta-Orchestrator" "on": @@ -83,6 +83,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 964704dd2a9..ad5f7d5647a 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"c4d3ae709d0b09bf46341c2e6f1f18e49a86247b10f23da62fe5336d26267505"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c4d3ae709d0b09bf46341c2e6f1f18e49a86247b10f23da62fe5336d26267505","strict":true} name: "Workflow Normalizer" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 3795ed0add0..01718a8735c 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -27,7 +27,7 @@ # Imports: # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v1","frontmatter_hash":"fa23a957b1efd0ee21238a12543a2571f315073a9c05439e5155136ca2a6650d"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"fa23a957b1efd0ee21238a12543a2571f315073a9c05439e5155136ca2a6650d","strict":true} name: "Workflow Skill Extractor" "on": @@ -81,6 +81,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/actions/setup/js/validate_lockdown_requirements.cjs b/actions/setup/js/validate_lockdown_requirements.cjs index ea03f5b2e80..1d2c9460fa8 100644 --- a/actions/setup/js/validate_lockdown_requirements.cjs +++ b/actions/setup/js/validate_lockdown_requirements.cjs @@ -8,6 +8,10 @@ * GH_AW_GITHUB_MCP_SERVER_TOKEN, or custom github-token). Without any custom token, * the workflow will fail with a clear error message. * + * Additionally, workflows running on public repositories must be compiled with + * strict mode enabled (GH_AW_COMPILED_STRICT=true). This ensures that public + * repository workflows meet the security requirements enforced by strict mode. + * * This validation runs at the start of the workflow to fail fast if requirements * are not met, providing clear guidance to the user. * @@ -22,42 +26,70 @@ function validateLockdownRequirements(core) { if (!lockdownEnabled) { // Lockdown not explicitly enabled, no validation needed core.info("Lockdown mode not explicitly enabled, skipping validation"); - return; - } + } else { + core.info("Lockdown mode is explicitly enabled, validating requirements..."); + + // Check if any custom GitHub token is configured + // This matches the token selection logic used by the MCP gateway: + // GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || custom github-token + const hasGhAwToken = !!process.env.GH_AW_GITHUB_TOKEN; + const hasGhAwMcpToken = !!process.env.GH_AW_GITHUB_MCP_SERVER_TOKEN; + const hasCustomToken = !!process.env.CUSTOM_GITHUB_TOKEN; + const hasAnyCustomToken = hasGhAwToken || hasGhAwMcpToken || hasCustomToken; + + core.info(`GH_AW_GITHUB_TOKEN configured: ${hasGhAwToken}`); + core.info(`GH_AW_GITHUB_MCP_SERVER_TOKEN configured: ${hasGhAwMcpToken}`); + core.info(`Custom github-token configured: ${hasCustomToken}`); - core.info("Lockdown mode is explicitly enabled, validating requirements..."); + if (!hasAnyCustomToken) { + const errorMessage = + "Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.\\n" + + "\\n" + + "Please configure one of the following as a repository secret:\\n" + + " - GH_AW_GITHUB_TOKEN (recommended)\\n" + + " - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)\\n" + + " - Custom github-token in your workflow frontmatter\\n" + + "\\n" + + "See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx\\n" + + "\\n" + + "To set a token:\\n" + + ' gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"'; - // Check if any custom GitHub token is configured - // This matches the token selection logic used by the MCP gateway: - // GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || custom github-token - const hasGhAwToken = !!process.env.GH_AW_GITHUB_TOKEN; - const hasGhAwMcpToken = !!process.env.GH_AW_GITHUB_MCP_SERVER_TOKEN; - const hasCustomToken = !!process.env.CUSTOM_GITHUB_TOKEN; - const hasAnyCustomToken = hasGhAwToken || hasGhAwMcpToken || hasCustomToken; + core.setFailed(errorMessage); + throw new Error(errorMessage); + } - core.info(`GH_AW_GITHUB_TOKEN configured: ${hasGhAwToken}`); - core.info(`GH_AW_GITHUB_MCP_SERVER_TOKEN configured: ${hasGhAwMcpToken}`); - core.info(`Custom github-token configured: ${hasCustomToken}`); + core.info("✓ Lockdown mode requirements validated: Custom GitHub token is configured"); + } + + // Enforce strict mode for public repositories. + // Workflows compiled without strict mode must not run on public repositories, + // as strict mode enforces important security constraints for public exposure. + const isPublic = process.env.GITHUB_REPOSITORY_VISIBILITY === "public"; + const isStrict = process.env.GH_AW_COMPILED_STRICT === "true"; - if (!hasAnyCustomToken) { + core.info(`Repository visibility: ${process.env.GITHUB_REPOSITORY_VISIBILITY || "unknown"}`); + core.info(`Compiled with strict mode: ${isStrict}`); + + if (isPublic && !isStrict) { const errorMessage = - "Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.\\n" + + "This workflow is running on a public repository but was not compiled with strict mode.\\n" + "\\n" + - "Please configure one of the following as a repository secret:\\n" + - " - GH_AW_GITHUB_TOKEN (recommended)\\n" + - " - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)\\n" + - " - Custom github-token in your workflow frontmatter\\n" + + "Public repository workflows must be compiled with strict mode enabled to meet\\n" + + "the security requirements for public exposure.\\n" + "\\n" + - "See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx\\n" + + "To fix this, recompile the workflow with strict mode:\\n" + + " gh aw compile --strict\\n" + "\\n" + - "To set a token:\\n" + - ' gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"'; + "See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/security.mdx"; core.setFailed(errorMessage); throw new Error(errorMessage); } - core.info("✓ Lockdown mode requirements validated: Custom GitHub token is configured"); + if (isPublic && isStrict) { + core.info("✓ Strict mode requirements validated: Public repository compiled with strict mode"); + } } module.exports = validateLockdownRequirements; diff --git a/actions/setup/js/validate_lockdown_requirements.test.cjs b/actions/setup/js/validate_lockdown_requirements.test.cjs index c7ef151bd30..c14c1323aa9 100644 --- a/actions/setup/js/validate_lockdown_requirements.test.cjs +++ b/actions/setup/js/validate_lockdown_requirements.test.cjs @@ -18,12 +18,14 @@ describe("validate_lockdown_requirements", () => { delete process.env.GH_AW_GITHUB_TOKEN; delete process.env.GH_AW_GITHUB_MCP_SERVER_TOKEN; delete process.env.CUSTOM_GITHUB_TOKEN; + delete process.env.GITHUB_REPOSITORY_VISIBILITY; + delete process.env.GH_AW_COMPILED_STRICT; // Import the module validateLockdownRequirements = (await import("./validate_lockdown_requirements.cjs")).default; }); - it("should skip validation when lockdown is not explicitly enabled", () => { + it("should skip lockdown validation when lockdown is not explicitly enabled", () => { // GITHUB_MCP_LOCKDOWN_EXPLICIT not set validateLockdownRequirements(mockCore); @@ -109,7 +111,7 @@ describe("validate_lockdown_requirements", () => { expect(mockCore.setFailed).toHaveBeenCalled(); }); - it("should skip validation when GITHUB_MCP_LOCKDOWN_EXPLICIT is false", () => { + it("should skip lockdown validation when GITHUB_MCP_LOCKDOWN_EXPLICIT is false", () => { process.env.GITHUB_MCP_LOCKDOWN_EXPLICIT = "false"; // GH_AW_GITHUB_TOKEN not set @@ -118,4 +120,105 @@ describe("validate_lockdown_requirements", () => { expect(mockCore.info).toHaveBeenCalledWith("Lockdown mode not explicitly enabled, skipping validation"); expect(mockCore.setFailed).not.toHaveBeenCalled(); }); + + // Strict mode enforcement for public repositories + describe("strict mode enforcement for public repositories", () => { + it("should fail when repository is public and not compiled with strict mode", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + process.env.GH_AW_COMPILED_STRICT = "false"; + + expect(() => { + validateLockdownRequirements(mockCore); + }).toThrow("not compiled with strict mode"); + + expect(mockCore.setFailed).toHaveBeenCalledWith(expect.stringContaining("public repository but was not compiled with strict mode")); + expect(mockCore.setFailed).toHaveBeenCalledWith(expect.stringContaining("gh aw compile --strict")); + }); + + it("should fail when repository is public and GH_AW_COMPILED_STRICT is not set", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + // GH_AW_COMPILED_STRICT not set + + expect(() => { + validateLockdownRequirements(mockCore); + }).toThrow("not compiled with strict mode"); + + expect(mockCore.setFailed).toHaveBeenCalledWith(expect.stringContaining("public repository but was not compiled with strict mode")); + }); + + it("should pass when repository is public and compiled with strict mode", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + process.env.GH_AW_COMPILED_STRICT = "true"; + + validateLockdownRequirements(mockCore); + + expect(mockCore.setFailed).not.toHaveBeenCalled(); + expect(mockCore.info).toHaveBeenCalledWith("✓ Strict mode requirements validated: Public repository compiled with strict mode"); + }); + + it("should pass when repository is private and not compiled with strict mode", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "private"; + process.env.GH_AW_COMPILED_STRICT = "false"; + + validateLockdownRequirements(mockCore); + + expect(mockCore.setFailed).not.toHaveBeenCalled(); + }); + + it("should pass when repository is internal and not compiled with strict mode", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "internal"; + process.env.GH_AW_COMPILED_STRICT = "false"; + + validateLockdownRequirements(mockCore); + + expect(mockCore.setFailed).not.toHaveBeenCalled(); + }); + + it("should pass when visibility is unknown and not compiled with strict mode", () => { + // GITHUB_REPOSITORY_VISIBILITY not set + process.env.GH_AW_COMPILED_STRICT = "false"; + + validateLockdownRequirements(mockCore); + + expect(mockCore.setFailed).not.toHaveBeenCalled(); + }); + + it("should include documentation link in strict mode error message", () => { + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + process.env.GH_AW_COMPILED_STRICT = "false"; + + expect(() => { + validateLockdownRequirements(mockCore); + }).toThrow(); + + expect(mockCore.setFailed).toHaveBeenCalledWith(expect.stringContaining("https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/security.mdx")); + }); + + it("should validate both lockdown and strict mode when both are required", () => { + process.env.GITHUB_MCP_LOCKDOWN_EXPLICIT = "true"; + process.env.GH_AW_GITHUB_TOKEN = "ghp_test_token"; + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + process.env.GH_AW_COMPILED_STRICT = "true"; + + validateLockdownRequirements(mockCore); + + expect(mockCore.setFailed).not.toHaveBeenCalled(); + expect(mockCore.info).toHaveBeenCalledWith("✓ Lockdown mode requirements validated: Custom GitHub token is configured"); + expect(mockCore.info).toHaveBeenCalledWith("✓ Strict mode requirements validated: Public repository compiled with strict mode"); + }); + + it("should fail on lockdown check before strict mode check when both fail", () => { + process.env.GITHUB_MCP_LOCKDOWN_EXPLICIT = "true"; + // No custom tokens - will fail on lockdown check + process.env.GITHUB_REPOSITORY_VISIBILITY = "public"; + process.env.GH_AW_COMPILED_STRICT = "false"; + + expect(() => { + validateLockdownRequirements(mockCore); + }).toThrow("Lockdown mode is enabled"); + + // Strict mode error should not be reached since lockdown check throws first + expect(mockCore.setFailed).toHaveBeenCalledWith(expect.stringContaining("Lockdown mode is enabled")); + }); + }); }); diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md index 3870a3d63bc..b68abf6e74b 100644 --- a/docs/src/content/docs/reference/frontmatter.md +++ b/docs/src/content/docs/reference/frontmatter.md @@ -390,6 +390,9 @@ When strict mode rejects individual ecosystem domains, helpful error messages su - **Frontmatter**: `strict: true/false` (per-workflow) - **CLI flag**: `gh aw compile --strict` (all workflows, overrides frontmatter) +> [!IMPORTANT] +> Workflows compiled with `strict: false` cannot run on public repositories. The workflow fails at runtime with an error message prompting recompilation with strict mode. + See [Network Permissions - Strict Mode Validation](/gh-aw/reference/network/#strict-mode-validation) for details on network validation and [CLI Commands](/gh-aw/setup/cli/#compile) for compilation options. ### Feature Flags (`features:`) diff --git a/docs/src/content/docs/reference/lockdown-mode.md b/docs/src/content/docs/reference/lockdown-mode.md index cba82f2cafa..b6f1a66b494 100644 --- a/docs/src/content/docs/reference/lockdown-mode.md +++ b/docs/src/content/docs/reference/lockdown-mode.md @@ -7,6 +7,9 @@ sidebar: **GitHub lockdown mode** is [a security feature of the GitHub MCP server](https://github.com/github/github-mcp-server/blob/main/docs/server-configuration.md#lockdown-mode) that filters content in public repositories to only surface items (issues, pull requests, comments, discussions, etc.) from users with **push access** to the repository. This protects agentic workflows from processing potentially malicious or misleading content from untrusted users. +> [!IMPORTANT] +> Workflows running on public repositories must be compiled with strict mode enabled. If `strict: false` is set in the frontmatter, the workflow will fail at runtime on public repositories. See [Strict Mode](/gh-aw/reference/frontmatter/#strict-mode-strict) for details. + To enable lockdown mode for your workflow: 1. **Set `lockdown: true` in your workflow frontmatter** diff --git a/docs/src/content/docs/troubleshooting/errors.md b/docs/src/content/docs/troubleshooting/errors.md index 4e4084e722d..648ccf7d37c 100644 --- a/docs/src/content/docs/troubleshooting/errors.md +++ b/docs/src/content/docs/troubleshooting/errors.md @@ -288,6 +288,18 @@ Enable the required repository feature (Settings → General → Features) or us Use an engine with firewall support (e.g., `copilot`), compile without `--strict` flag, or use `network: defaults`. +### Public Repository Requires Strict Mode + +`This workflow is running on a public repository but was not compiled with strict mode.` + +Recompile the workflow with strict mode enabled: + +```bash +gh aw compile --strict +``` + +Alternatively, do not set `strict: false` in the workflow frontmatter (strict mode is the default). See [Strict Mode](/gh-aw/reference/frontmatter/#strict-mode-strict) for details. + ## Toolsets Configuration Issues ### Tool Not Found After Migrating to Toolsets diff --git a/pkg/workflow/compiler_orchestrator_engine.go b/pkg/workflow/compiler_orchestrator_engine.go index 18b4bbfba44..5ceaf329933 100644 --- a/pkg/workflow/compiler_orchestrator_engine.go +++ b/pkg/workflow/compiler_orchestrator_engine.go @@ -53,20 +53,8 @@ func (c *Compiler) setupEngineAndImports(result *parser.FrontmatterResult, clean // This ensures that strict mode from one workflow doesn't affect other workflows initialStrictMode := c.strictMode - // Check strict mode in frontmatter - // Priority: CLI flag > frontmatter > schema default (true) - if !c.strictMode { - // CLI flag not set, check frontmatter - if strictValue, exists := result.Frontmatter["strict"]; exists { - // Frontmatter explicitly sets strict mode - if strictBool, ok := strictValue.(bool); ok { - c.strictMode = strictBool - } - } else { - // Neither CLI nor frontmatter set - use schema default (true) - c.strictMode = true - } - } + // Resolve effective strict mode: CLI flag > frontmatter > schema default (true) + c.strictMode = c.effectiveStrictMode(result.Frontmatter) // Perform strict mode validations orchestratorEngineLog.Printf("Performing strict mode validation (strict=%v)", c.strictMode) @@ -241,18 +229,7 @@ func (c *Compiler) setupEngineAndImports(result *parser.FrontmatterResult, clean // Re-evaluate strict mode for firewall and network validation // (it was restored after validateStrictMode but we need it again) initialStrictModeForFirewall := c.strictMode - if !c.strictMode { - // CLI flag not set, check frontmatter - if strictValue, exists := result.Frontmatter["strict"]; exists { - // Frontmatter explicitly sets strict mode - if strictBool, ok := strictValue.(bool); ok { - c.strictMode = strictBool - } - } else { - // Neither CLI nor frontmatter set - use schema default (true) - c.strictMode = true - } - } + c.strictMode = c.effectiveStrictMode(result.Frontmatter) // Validate firewall is enabled in strict mode for copilot with network restrictions orchestratorEngineLog.Printf("Validating strict firewall (strict=%v)", c.strictMode) diff --git a/pkg/workflow/compiler_yaml.go b/pkg/workflow/compiler_yaml.go index ca71eb2b531..364339c84cc 100644 --- a/pkg/workflow/compiler_yaml.go +++ b/pkg/workflow/compiler_yaml.go @@ -16,6 +16,24 @@ import ( var compilerYamlLog = logger.New("workflow:compiler_yaml") +// effectiveStrictMode computes the effective strict mode for a workflow. +// Priority: CLI flag (c.strictMode) > frontmatter strict field > default (true). +// This should be used when emitting metadata/env vars to correctly reflect the +// workflow's strictness as inferred from the source (frontmatter). +func (c *Compiler) effectiveStrictMode(frontmatter map[string]any) bool { + if c.strictMode { + // CLI flag takes precedence + return true + } + if strictVal, exists := frontmatter["strict"]; exists { + if strictBool, ok := strictVal.(bool); ok { + return strictBool + } + } + // Default: strict mode is on when no explicit setting + return true +} + // buildJobsAndValidate builds all workflow jobs and validates their dependencies. // It resets the job manager, builds jobs from the workflow data, and performs // dependency and duplicate step validation. @@ -118,7 +136,7 @@ func (c *Compiler) generateWorkflowHeader(yaml *strings.Builder, data *WorkflowD // Single-line format to minimize merge conflicts and be unaffected by LOC changes if frontmatterHash != "" { yaml.WriteString("#\n") - metadata := GenerateLockMetadata(frontmatterHash, data.StopTime) + metadata := GenerateLockMetadata(frontmatterHash, data.StopTime, c.effectiveStrictMode(data.RawFrontmatter)) metadataJSON, err := metadata.ToJSON() if err != nil { // Fallback to legacy format if JSON serialization fails @@ -615,6 +633,10 @@ func (c *Compiler) generateCreateAwInfo(yaml *strings.Builder, data *WorkflowDat fmt.Fprintf(yaml, " GH_AW_INFO_AWF_VERSION: \"%s\"\n", firewallVersion) fmt.Fprintf(yaml, " GH_AW_INFO_AWMG_VERSION: \"%s\"\n", mcpGatewayVersion) fmt.Fprintf(yaml, " GH_AW_INFO_FIREWALL_TYPE: \"%s\"\n", firewallType) + // Always include strict mode flag for lockdown validation. + // validateLockdownRequirements uses this to enforce strict: true for public repositories. + // Use effectiveStrictMode to infer strictness from the source (frontmatter), not just the CLI flag. + fmt.Fprintf(yaml, " GH_AW_COMPILED_STRICT: \"%t\"\n", c.effectiveStrictMode(data.RawFrontmatter)) // Include lockdown validation env vars when lockdown is explicitly enabled. // validateLockdownRequirements is called from generate_aw_info.cjs and uses these vars. githubTool, hasGitHub := data.Tools["github"] diff --git a/pkg/workflow/compiler_yaml_strict_mode_test.go b/pkg/workflow/compiler_yaml_strict_mode_test.go new file mode 100644 index 00000000000..e40892dc6aa --- /dev/null +++ b/pkg/workflow/compiler_yaml_strict_mode_test.go @@ -0,0 +1,71 @@ +//go:build !integration + +package workflow + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +// TestEffectiveStrictMode verifies the strict mode resolution priority: +// CLI flag (--strict) > frontmatter strict field > default (true) +func TestEffectiveStrictMode(t *testing.T) { + tests := []struct { + name string + cliStrict bool + frontmatter map[string]any + expected bool + }{ + { + name: "CLI flag true overrides frontmatter false", + cliStrict: true, + frontmatter: map[string]any{"strict": false}, + expected: true, + }, + { + name: "CLI flag true with no frontmatter strict field", + cliStrict: true, + frontmatter: map[string]any{}, + expected: true, + }, + { + name: "CLI flag false, frontmatter strict true", + cliStrict: false, + frontmatter: map[string]any{"strict": true}, + expected: true, + }, + { + name: "CLI flag false, frontmatter strict false", + cliStrict: false, + frontmatter: map[string]any{"strict": false}, + expected: false, + }, + { + name: "CLI flag false, no frontmatter strict field defaults to true", + cliStrict: false, + frontmatter: map[string]any{}, + expected: true, + }, + { + name: "CLI flag false, nil frontmatter defaults to true", + cliStrict: false, + frontmatter: nil, + expected: true, + }, + { + name: "CLI flag false, non-bool strict field in frontmatter defaults to true", + cliStrict: false, + frontmatter: map[string]any{"strict": "yes"}, + expected: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + compiler := &Compiler{strictMode: tt.cliStrict} + result := compiler.effectiveStrictMode(tt.frontmatter) + assert.Equal(t, tt.expected, result, "effectiveStrictMode should return %v", tt.expected) + }) + } +} diff --git a/pkg/workflow/lock_schema.go b/pkg/workflow/lock_schema.go index 86e5e16cd61..a42485c786f 100644 --- a/pkg/workflow/lock_schema.go +++ b/pkg/workflow/lock_schema.go @@ -16,8 +16,10 @@ var lockSchemaLog = logger.New("workflow:lock_schema") type LockSchemaVersion string const ( - // LockSchemaV1 is the current lock file schema version + // LockSchemaV1 is the legacy lock file schema version (no strict field) LockSchemaV1 LockSchemaVersion = "v1" + // LockSchemaV2 is the current lock file schema version (adds strict field) + LockSchemaV2 LockSchemaVersion = "v2" ) // LockMetadata represents the structured metadata embedded in lock files @@ -26,11 +28,13 @@ type LockMetadata struct { FrontmatterHash string `json:"frontmatter_hash,omitempty"` StopTime string `json:"stop_time,omitempty"` CompilerVersion string `json:"compiler_version,omitempty"` + Strict bool `json:"strict,omitempty"` } // SupportedSchemaVersions lists all schema versions this build can consume var SupportedSchemaVersions = []LockSchemaVersion{ LockSchemaV1, + LockSchemaV2, } // IsSchemaVersionSupported checks if a schema version is supported @@ -114,11 +118,12 @@ func formatSupportedVersions() string { // GenerateLockMetadata creates a LockMetadata struct for embedding in lock files // For release builds, the compiler version is included in the metadata -func GenerateLockMetadata(frontmatterHash string, stopTime string) *LockMetadata { +func GenerateLockMetadata(frontmatterHash string, stopTime string, strict bool) *LockMetadata { metadata := &LockMetadata{ - SchemaVersion: LockSchemaV1, + SchemaVersion: LockSchemaV2, FrontmatterHash: frontmatterHash, StopTime: stopTime, + Strict: strict, } // Include compiler version only for release builds diff --git a/pkg/workflow/lock_schema_test.go b/pkg/workflow/lock_schema_test.go index 984a2b4eec7..945c3e83d3c 100644 --- a/pkg/workflow/lock_schema_test.go +++ b/pkg/workflow/lock_schema_test.go @@ -71,12 +71,25 @@ name: test expectError: true, }, { - name: "future version", - content: `# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"future"} + name: "v2 with strict field", + content: `# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"abc","strict":true} name: test `, expectMetadata: &LockMetadata{ - SchemaVersion: "v2", + SchemaVersion: LockSchemaV2, + FrontmatterHash: "abc", + Strict: true, + }, + expectLegacy: false, + expectError: false, + }, + { + name: "future version (v3)", + content: `# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"future"} +name: test +`, + expectMetadata: &LockMetadata{ + SchemaVersion: "v3", FrontmatterHash: "future", }, expectLegacy: false, @@ -114,6 +127,7 @@ name: test assert.Equal(t, tt.expectMetadata.SchemaVersion, metadata.SchemaVersion, "Schema version mismatch") assert.Equal(t, tt.expectMetadata.FrontmatterHash, metadata.FrontmatterHash, "Frontmatter hash mismatch") assert.Equal(t, tt.expectMetadata.CompilerVersion, metadata.CompilerVersion, "Compiler version mismatch") + assert.Equal(t, tt.expectMetadata.Strict, metadata.Strict, "Strict flag mismatch") } else if !tt.expectError { assert.Nil(t, metadata, "Expected nil metadata") } @@ -137,6 +151,14 @@ name: test lockPath: "test.lock.yml", expectError: false, }, + { + name: "valid v2 schema", + content: `# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"abc","strict":true} +name: test +`, + lockPath: "test-v2.lock.yml", + expectError: false, + }, { name: "legacy format is accepted", content: `# frontmatter-hash: 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef @@ -147,12 +169,12 @@ name: test }, { name: "unsupported future version fails", - content: `# gh-aw-metadata: {"schema_version":"v2"} + content: `# gh-aw-metadata: {"schema_version":"v3"} name: test `, lockPath: "future.lock.yml", expectError: true, - errorText: "unsupported schema version 'v2'", + errorText: "unsupported schema version 'v3'", }, { name: "missing metadata fails", @@ -202,8 +224,13 @@ func TestIsSchemaVersionSupported(t *testing.T) { supported: true, }, { - name: "v2 is not supported", - version: "v2", + name: "v2 is supported", + version: LockSchemaV2, + supported: true, + }, + { + name: "v3 is not supported", + version: "v3", supported: false, }, { @@ -240,13 +267,26 @@ func TestGenerateLockMetadata(t *testing.T) { SetVersion("dev") hash := "abcd1234" stopTime := "2026-02-17 20:00:00" - metadata := GenerateLockMetadata(hash, stopTime) + metadata := GenerateLockMetadata(hash, stopTime, false) assert.NotNil(t, metadata, "Metadata should be created") - assert.Equal(t, LockSchemaV1, metadata.SchemaVersion, "Should use current schema version") + assert.Equal(t, LockSchemaV2, metadata.SchemaVersion, "Should use current schema version") assert.Equal(t, hash, metadata.FrontmatterHash, "Should preserve frontmatter hash") assert.Equal(t, stopTime, metadata.StopTime, "Should preserve stop time") assert.Empty(t, metadata.CompilerVersion, "Dev builds should not include version") + assert.False(t, metadata.Strict, "Non-strict build should have Strict=false") +} + +func TestGenerateLockMetadataStrict(t *testing.T) { + hash := "abcd1234" + stopTime := "2026-02-17 20:00:00" + metadata := GenerateLockMetadata(hash, stopTime, true) + + assert.NotNil(t, metadata, "Metadata should be created") + assert.Equal(t, LockSchemaV2, metadata.SchemaVersion, "Should use v2 schema version") + assert.Equal(t, hash, metadata.FrontmatterHash, "Should preserve frontmatter hash") + assert.Equal(t, stopTime, metadata.StopTime, "Should preserve stop time") + assert.True(t, metadata.Strict, "Strict build should have Strict=true") } func TestGenerateLockMetadataReleaseBuild(t *testing.T) { @@ -263,10 +303,10 @@ func TestGenerateLockMetadataReleaseBuild(t *testing.T) { SetVersion("v0.1.2") hash := "abcd1234" stopTime := "2026-02-17 20:00:00" - metadata := GenerateLockMetadata(hash, stopTime) + metadata := GenerateLockMetadata(hash, stopTime, false) assert.NotNil(t, metadata, "Metadata should be created") - assert.Equal(t, LockSchemaV1, metadata.SchemaVersion, "Should use current schema version") + assert.Equal(t, LockSchemaV2, metadata.SchemaVersion, "Should use current schema version") assert.Equal(t, hash, metadata.FrontmatterHash, "Should preserve frontmatter hash") assert.Equal(t, stopTime, metadata.StopTime, "Should preserve stop time") assert.Equal(t, "v0.1.2", metadata.CompilerVersion, "Release builds should include version") @@ -274,19 +314,20 @@ func TestGenerateLockMetadataReleaseBuild(t *testing.T) { func TestGenerateLockMetadataWithoutStopTime(t *testing.T) { hash := "abcd1234" - metadata := GenerateLockMetadata(hash, "") + metadata := GenerateLockMetadata(hash, "", false) assert.NotNil(t, metadata, "Metadata should be created") - assert.Equal(t, LockSchemaV1, metadata.SchemaVersion, "Should use current schema version") + assert.Equal(t, LockSchemaV2, metadata.SchemaVersion, "Should use current schema version") assert.Equal(t, hash, metadata.FrontmatterHash, "Should preserve frontmatter hash") assert.Empty(t, metadata.StopTime, "Stop time should be empty") } func TestLockMetadataToJSON(t *testing.T) { tests := []struct { - name string - metadata *LockMetadata - contains []string + name string + metadata *LockMetadata + contains []string + notContains []string }{ { name: "basic metadata", @@ -298,6 +339,7 @@ func TestLockMetadataToJSON(t *testing.T) { `"schema_version":"v1"`, `"frontmatter_hash":"test123"`, }, + notContains: []string{`"strict"`}, }, { name: "metadata with empty hash", @@ -322,6 +364,32 @@ func TestLockMetadataToJSON(t *testing.T) { `"compiler_version":"v0.1.2"`, }, }, + { + name: "v2 metadata with strict=true", + metadata: &LockMetadata{ + SchemaVersion: LockSchemaV2, + FrontmatterHash: "test123", + Strict: true, + }, + contains: []string{ + `"schema_version":"v2"`, + `"frontmatter_hash":"test123"`, + `"strict":true`, + }, + }, + { + name: "v2 metadata with strict=false omits strict field", + metadata: &LockMetadata{ + SchemaVersion: LockSchemaV2, + FrontmatterHash: "test123", + Strict: false, + }, + contains: []string{ + `"schema_version":"v2"`, + `"frontmatter_hash":"test123"`, + }, + notContains: []string{`"strict"`}, + }, } for _, tt := range tests { @@ -332,6 +400,9 @@ func TestLockMetadataToJSON(t *testing.T) { for _, expected := range tt.contains { assert.Contains(t, json, expected, "JSON should contain expected field") } + for _, unexpected := range tt.notContains { + assert.NotContains(t, json, unexpected, "JSON should not contain unexpected field") + } }) } } @@ -453,6 +524,7 @@ func TestFormatSupportedVersions(t *testing.T) { formatted := formatSupportedVersions() assert.NotEmpty(t, formatted, "Should format versions") assert.Contains(t, formatted, "v1", "Should include v1") + assert.Contains(t, formatted, "v2", "Should include v2") } func TestLockMetadataJSONCompact(t *testing.T) { @@ -470,8 +542,8 @@ func TestLockMetadataJSONCompact(t *testing.T) { func TestSchemaVersionAsString(t *testing.T) { // Verify LockSchemaVersion can be used as string - version := LockSchemaV1 - assert.Equal(t, "v1", string(version)) + assert.Equal(t, "v1", string(LockSchemaV1)) + assert.Equal(t, "v2", string(LockSchemaV2)) } func TestExtractMetadataWithStopTime(t *testing.T) { diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden index a2eb4378949..9bb64bae268 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -49,6 +49,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 662ad7bb38d..4ed4b550d6d 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -63,6 +63,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden index 25ef15a48d6..8e919c0d39d 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden @@ -49,6 +49,7 @@ jobs: GH_AW_INFO_AWF_VERSION: "v0.23.0" GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" + GH_AW_COMPILED_STRICT: "true" uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: |