diff --git a/.changeset/minor-rename-safe-inputs-to-mcp-scripts.md b/.changeset/minor-rename-safe-inputs-to-mcp-scripts.md new file mode 100644 index 00000000000..8309f8b99fc --- /dev/null +++ b/.changeset/minor-rename-safe-inputs-to-mcp-scripts.md @@ -0,0 +1,4 @@ +--- +"gh-aw": minor +--- +Renamed the SafeInputs workflow integration to MCP Scripts (frontmatter field `SafeInputs`/`safe-inputs`, Go refs, docs, tooling, logs) and added the `safe-inputs-to-mcp-scripts` codemod so existing workflows can be migrated automatically. diff --git a/.changeset/patch-log-mcp-startup-and-smoke-claude-status.md b/.changeset/patch-log-mcp-startup-and-smoke-claude-status.md index 6f5990e0081..1a291d67b1d 100644 --- a/.changeset/patch-log-mcp-startup-and-smoke-claude-status.md +++ b/.changeset/patch-log-mcp-startup-and-smoke-claude-status.md @@ -2,4 +2,4 @@ "gh-aw": patch --- -Broadcast MCP server startup logs (safe-inputs, safe-outputs, Serena) with `DEBUG="*"` and GitHub Actions notices so failures expose detailed diagnostics, and extend the smoke-claude workflow with the agentic-workflows `status` query while persisting its summary. +Broadcast MCP server startup logs (mcp-scripts, safe-outputs, Serena) with `DEBUG="*"` and GitHub Actions notices so failures expose detailed diagnostics, and extend the smoke-claude workflow with the agentic-workflows `status` query while persisting its summary. diff --git a/.changeset/patch-safe-inputs-runner.md b/.changeset/patch-safe-inputs-runner.md index 5201991714e..ba79b8e304b 100644 --- a/.changeset/patch-safe-inputs-runner.md +++ b/.changeset/patch-safe-inputs-runner.md @@ -2,4 +2,4 @@ "gh-aw": patch --- -Ensure script-based safe-inputs delegate execution to the shared runner so subprocess stdout/stderr are returned. +Ensure script-based mcp-scripts delegate execution to the shared runner so subprocess stdout/stderr are returned. diff --git a/.github/aw/campaign.md b/.github/aw/campaign.md index ba9e97199e6..865fd039160 100644 
--- a/.github/aw/campaign.md +++ b/.github/aw/campaign.md @@ -109,7 +109,7 @@ KPI workflows are campaigns where the first-class output is a **metric** and an **Inputs (when you need knobs):** - Use `workflow_dispatch` inputs for user-controlled parameters (e.g., target threshold, window size) and have a deterministic `steps:` block normalize those inputs into a JSON config the agent reads. -- Use `safe-inputs:` when the agent needs a constrained, auditable tool to fetch privileged data (it’s not a human input mechanism). +- Use `mcp-scripts:` when the agent needs a constrained, auditable tool to fetch privileged data (it’s not a human input mechanism). **Minimum viable KPI spec (keep it explicit):** diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md index 97b848ab90d..17341743379 100644 --- a/.github/aw/github-agentic-workflows.md +++ b/.github/aw/github-agentic-workflows.md @@ -1110,7 +1110,7 @@ The YAML frontmatter supports these fields: run: echo "Custom threat check" ``` -- **`safe-inputs:`** - Define custom lightweight MCP tools as JavaScript, shell, Python, or Go scripts (object) +- **`mcp-scripts:`** - Define custom lightweight MCP tools as JavaScript, shell, Python, or Go scripts (object) - Tools mounted in MCP server with access to specified secrets - Each tool requires `description` and one of: `script` (JavaScript), `run` (shell), `py` (Python), or `go` (Go) - Tool configuration properties: @@ -1124,7 +1124,7 @@ The YAML frontmatter supports these fields: - `timeout:` - Execution timeout in seconds (default: 60) - Example: ```yaml - safe-inputs: + mcp-scripts: search-issues: description: "Search GitHub issues using API" inputs: diff --git a/.github/aw/runbooks/workflow-health.md b/.github/aw/runbooks/workflow-health.md index 788a19df993..3ebe72915dd 100644 --- a/.github/aw/runbooks/workflow-health.md +++ b/.github/aw/runbooks/workflow-health.md 
@@ -39,12 +39,12 @@ Use this runbook when: ### Input/Secret Validation Failures **Symptoms**: -- Safe-inputs action fails +- MCP Scripts action fails - Environment variable not available - Template expression evaluation errors **Common Causes**: -- Safe-inputs action not configured +- MCP Scripts action not configured - Missing required secrets - Incorrect secret references @@ -77,7 +77,7 @@ Missing-tool errors typically appear in this format: ``` Error: Tool 'github:read_issue' not found -Error: missing tool configuration for safeinputs-gh +Error: missing tool configuration for mcpscripts-gh ``` To identify which tools are missing: @@ -192,19 +192,19 @@ tools: Analyze repository issues and provide insights. ``` -### Configuring Safe-Inputs and Safe-Outputs +### Configuring MCP Scripts and Safe-Outputs -**Problem**: Workflow fails with missing safeinputs-gh or safe-output errors. +**Problem**: Workflow fails with missing mcpscripts-gh or safe-output errors. -**Solution**: Configure safe-inputs and safe-outputs in the workflow. +**Solution**: Configure mcp-scripts and safe-outputs in the workflow. -#### Adding Safe-Inputs +#### Adding MCP Scripts -Safe-inputs securely pass GitHub context to AI agents: +MCP Scripts securely pass GitHub context to AI agents: ```aw --- -safe-inputs: +mcp-scripts: issue: title: ${{ github.event.issue.title }} body: ${{ github.event.issue.body }} @@ -212,7 +212,7 @@ safe-inputs: --- ``` -The safe-inputs are automatically made available to the agent as environment variables. +The mcp-scripts are automatically made available to the agent as environment variables. #### Adding Safe-Outputs @@ -230,7 +230,7 @@ safe-outputs: --- ``` -**Example**: Complete workflow with safe-inputs and safe-outputs +**Example**: Complete workflow with mcp-scripts and safe-outputs ```aw --- 
@@ -246,7 +246,7 @@ tools: github: mode: remote toolsets: [default] -safe-inputs: +mcp-scripts: issue: title: ${{ github.event.issue.title }} body: ${{ github.event.issue.body }} @@ -303,7 +303,7 @@ The DeepReport Intelligence Briefing (Discussion #7277) identified several workf 1. **Weekly Issue Summary workflow** - Failed in recent runs 2. **Dev workflow** - Missing GitHub MCP read_issue capability (Run #20435819459) -3. **Daily Copilot PR Merged workflow** - Missing safeinputs-gh tool +3. **Daily Copilot PR Merged workflow** - Missing mcpscripts-gh tool ### Investigation @@ -318,8 +318,8 @@ The DeepReport Intelligence Briefing (Discussion #7277) identified several workf - The workflow attempted to read issue information without GitHub MCP toolset **Daily Copilot PR Merged**: -- Error: "missing tool configuration for safeinputs-gh" -- Root cause: Safe-inputs action not set up in workflow +- Error: "missing tool configuration for mcpscripts-gh" +- Root cause: MCP Scripts action not set up in workflow - PR merge data not being passed securely to agent ### Resolution @@ -340,10 +340,10 @@ tools: ``` **Daily Copilot PR Merged**: -Added safe-inputs configuration: +Added mcp-scripts configuration: ```aw -safe-inputs: +mcp-scripts: pull_request: number: ${{ github.event.pull_request.number }} title: ${{ github.event.pull_request.title }} @@ -353,7 +353,7 @@ safe-inputs: 1. **MCP-first approach**: Always configure GitHub MCP server when workflows need GitHub API access 2. **Permission planning**: Define required permissions upfront based on workflow operations -3. **Safe-inputs for context**: Use safe-inputs to securely pass GitHub event context to agents +3. **MCP Scripts for context**: Use mcp-scripts to securely pass GitHub event context to agents 4. **Test after compilation**: Always test workflows manually after making configuration changes 5. **Monitor systematically**: Use `gh aw logs` for regular workflow health monitoring 
@@ -396,7 +396,7 @@ tools: --- ``` -**Issue-triggered workflow with safe-inputs**: +**Issue-triggered workflow with mcp-scripts**: ```aw --- on: @@ -405,7 +405,7 @@ on: permissions: contents: read issues: write -safe-inputs: +mcp-scripts: issue: title: ${{ github.event.issue.title }} body: ${{ github.event.issue.body }} diff --git a/.github/aw/upgrade-agentic-workflows.md b/.github/aw/upgrade-agentic-workflows.md index 8b1762b04fa..f10e14cb185 100644 --- a/.github/aw/upgrade-agentic-workflows.md +++ b/.github/aw/upgrade-agentic-workflows.md @@ -102,7 +102,7 @@ Before attempting to compile, apply automatic codemods: This will automatically update workflow files with changes like: - Replacing 'timeout_minutes' with 'timeout-minutes' - Replacing 'network.firewall' with 'sandbox.agent: false' - - Removing deprecated 'safe-inputs.mode' field + - Removing deprecated 'mcp-scripts.mode' field 2. **Review the Changes** - Note which workflows were updated by the codemods diff --git a/.github/skills/debugging-workflows/SKILL.md b/.github/skills/debugging-workflows/SKILL.md index 6de57841dbe..74d9392f836 100644 --- a/.github/skills/debugging-workflows/SKILL.md +++ b/.github/skills/debugging-workflows/SKILL.md @@ -233,7 +233,7 @@ Use GitHub context like ${{ github.event.issue.number }}. ↓ 2. Activation Job - Validates permissions - - Processes safe-inputs + - Processes mcp-scripts - Sanitizes context ↓ 3. AI Agent Job 
@@ -258,7 +258,7 @@ Use GitHub context like ${{ github.event.issue.number }}. |-----------|---------|---------------| | **Engine** | AI model to use | `engine: copilot`, `claude`, `codex` | | **Tools** | APIs available to agent | `tools:` section with MCP servers | -| **Safe-Inputs** | Context passed to agent | `safe-inputs:` with GitHub expressions | +| **MCP Scripts** | Context passed to agent | `mcp-scripts:` with GitHub expressions | | **Safe-Outputs** | Resources agent can create | `safe-outputs:` with allowed operations | | **Permissions** | GitHub token permissions | `permissions:` block | | **Network** | Allowed network access | `network:` with domain/ecosystem lists | @@ -309,16 +309,19 @@ permissions: ### Safe-Input Errors **Symptoms**: -- "missing tool configuration for safeinputs-gh" +- "missing tool configuration for mcpscripts-gh" - Environment variable not available -**Solution**: Configure safe-inputs: +**Solution**: Configure mcp-scripts: ```yaml -safe-inputs: +mcp-scripts: issue: - title: ${{ github.event.issue.title }} - body: ${{ github.event.issue.body }} + script: | + return { title: process.env.ISSUE_TITLE, body: process.env.ISSUE_BODY }; + env: + ISSUE_TITLE: ${{ github.event.issue.title }} + ISSUE_BODY: ${{ github.event.issue.body }} ``` ### Safe-Output Errors diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index d2f99b3d32c..328a5b6e30e 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -31,7 +31,7 @@ # - shared/reporting.md # - shared/copilot-pr-analysis-base.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"d2ca13ea191854985bb6baeeb127f65bc6983ef11c13a367ba002c289a97042a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"476bd0bfa5dd66057d8a5211101da6d6bf861f660f6733e9a678f12075cb93b9"} name: "Daily Copilot PR Merged Report" "on": 
@@ -626,18 +626,18 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Setup Safe Inputs Config + - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/safe-inputs/logs - cat > /opt/gh-aw/safe-inputs/tools.json << 'GH_AW_SAFE_INPUTS_TOOLS_EOF' + mkdir -p /opt/gh-aw/mcp-scripts/logs + cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { - "serverName": "safeinputs", + "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/mcp-scripts/logs", "tools": [ { "name": "gh", - "description": "Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", + "description": "Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", "inputSchema": { "properties": { "args": { 
@@ -659,30 +659,30 @@ jobs: } ] } - GH_AW_SAFE_INPUTS_TOOLS_EOF - cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'GH_AW_SAFE_INPUTS_SERVER_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_EOF + cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); - const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); + const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); - const port = parseInt(process.env.GH_AW_SAFE_INPUTS_PORT || "3000", 10); - const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; + const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT || "3000", 10); + const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/mcp-scripts/logs" }).catch(error => { - console.error("Failed to start safe-inputs HTTP server:", error); + console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_SAFE_INPUTS_SERVER_EOF - chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs + GH_AW_MCP_SCRIPTS_SERVER_EOF + chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs - - name: Setup Safe Inputs Tool Files + - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/safe-inputs/gh.sh << 'GH_AW_SAFE_INPUTS_SH_GH_EOF' + cat > /opt/gh-aw/mcp-scripts/gh.sh << 'GH_AW_MCP_SCRIPTS_SH_GH_EOF' #!/bin/bash - # Auto-generated safe-input tool: gh - # Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues. + # Auto-generated mcp-script tool: gh + # Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . 
Use single quotes ' for complex args to avoid shell interpretation issues. set -euo pipefail @@ -690,11 +690,11 @@ jobs: echo " token: ${GH_AW_GH_TOKEN:0:6}..." GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS - GH_AW_SAFE_INPUTS_SH_GH_EOF - chmod +x /opt/gh-aw/safe-inputs/gh.sh + GH_AW_MCP_SCRIPTS_SH_GH_EOF + chmod +x /opt/gh-aw/mcp-scripts/gh.sh - - name: Generate Safe Inputs MCP Server Config - id: safe-inputs-config + - name: Generate MCP Scripts Server Config + id: mcp-scripts-config run: | # Generate a secure random API key (360 bits of entropy, 40+ chars) # Mask immediately to prevent timing vulnerabilities 
@@ -705,34 +705,34 @@ jobs: # Set outputs for next steps { - echo "safe_inputs_api_key=${API_KEY}" - echo "safe_inputs_port=${PORT}" + echo "mcp_scripts_api_key=${API_KEY}" + echo "mcp_scripts_port=${PORT}" } >> "$GITHUB_OUTPUT" - echo "Safe Inputs MCP server will run on port ${PORT}" + echo "MCP Scripts server will run on port ${PORT}" - - name: Start Safe Inputs MCP HTTP Server - id: safe-inputs-start + - name: Start MCP Scripts HTTP Server + id: mcp-scripts-start env: DEBUG: '*' - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-config.outputs.safe_inputs_port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_DEBUG: 1 run: | # Environment variables are set above to prevent template injection export DEBUG - export GH_AW_SAFE_INPUTS_PORT - export GH_AW_SAFE_INPUTS_API_KEY + export GH_AW_MCP_SCRIPTS_PORT + export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway env: GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} 
@@ -755,7 +755,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e 
GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_AW_GH_TOKEN -e GH_DEBUG -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -771,11 +771,11 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, - "safeinputs": { + "mcpscripts": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { - "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" } }, "safeoutputs": { @@ -941,14 +941,14 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Parse Safe Inputs logs for step summary + - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() 
@@ -989,7 +989,7 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/safe-inputs/logs/ + /tmp/gh-aw/mcp-scripts/logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ diff --git a/.github/workflows/copilot-pr-merged-report.md b/.github/workflows/copilot-pr-merged-report.md index 2f7b07b356e..53b948c985d 100644 --- a/.github/workflows/copilot-pr-merged-report.md +++ b/.github/workflows/copilot-pr-merged-report.md @@ -75,9 +75,9 @@ echo "Looking for PRs merged since: $DATE_24H_AGO" **Step 1.2: Search for Merged Copilot PRs** -Use the `safeinputs-gh` safe-input tool to search for merged PRs from Copilot: +Use the `mcpscripts-gh` mcp-script tool to search for merged PRs from Copilot: ``` -safeinputs-gh with args: "pr list --repo ${{ github.repository }} --search \"head:copilot/ is:merged merged:>=$DATE_24H_AGO\" --state merged --limit 100 --json number,title,mergedAt,additions,deletions,files,url" +mcpscripts-gh with args: "pr list --repo ${{ github.repository }} --search \"head:copilot/ is:merged merged:>=$DATE_24H_AGO\" --state merged --limit 100 --json number,title,mergedAt,additions,deletions,files,url" ``` This searches for: @@ -88,7 +88,7 @@ This searches for: **Step 1.3: Parse Results** -Parse the JSON output from the safeinputs-gh tool to extract: +Parse the JSON output from the mcpscripts-gh tool to extract: - List of PR numbers - Total number of merged PRs - Sum of lines added across all PRs @@ -103,9 +103,9 @@ For each merged PR found in Phase 1: **Step 2.1: Get PR Files** -Use the `safeinputs-gh` tool to get detailed file information: +Use the `mcpscripts-gh` tool to get detailed file information: ``` -safeinputs-gh with args: "pr view --repo ${{ github.repository }} --json files" +mcpscripts-gh with args: "pr view --repo ${{ github.repository }} --json files" ``` **Step 2.2: Count Test Files** 
@@ -122,19 +122,19 @@ For token usage information, we need to find the workflow run associated with th 1. Get commits from the PR: ``` - safeinputs-gh with args: "pr view --repo ${{ github.repository }} --json commits" + mcpscripts-gh with args: "pr view --repo ${{ github.repository }} --json commits" ``` 2. For the latest commit, find associated workflow runs: ``` - safeinputs-gh with args: "api repos/${{ github.repository }}/commits//check-runs" + mcpscripts-gh with args: "api repos/${{ github.repository }}/commits//check-runs" ``` 3. From the check runs, identify GitHub Actions workflow runs 4. Get workflow run usage data: ``` - safeinputs-gh with args: "api repos/${{ github.repository }}/actions/runs//timing" + mcpscripts-gh with args: "api repos/${{ github.repository }}/actions/runs//timing" ``` This returns timing information including billable time. @@ -263,7 +263,7 @@ A successful report: - ✅ Creates discussion in "audits" category - ✅ Completes within 10-minute timeout -Begin your analysis now. Use the `gh` safe-input tool for all GitHub CLI operations. +Begin your analysis now. Use the `gh` mcp-script tool for all GitHub CLI operations. **Important**: If no action is needed after completing your analysis, you **MUST** call the `noop` safe-output tool with a brief explanation. Failing to call any safe-output tool is the most common cause of safe-output workflow failures. diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 086eb138db1..7ad681c59f4 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml 
@@ -28,7 +28,7 @@ # - shared/go-make.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"a573baa1f4c6a22b57c781ccbf0dce23b1dd16f5ab2609d3a27782be2705a95a","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"51987ab5257e9b3550645f687dc7466a89ae9cadf175e1661c673806228f207b","strict":true} name: "Daily CLI Performance Agent" "on": @@ -708,18 +708,18 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Setup Safe Inputs Config + - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/safe-inputs/logs - cat > /opt/gh-aw/safe-inputs/tools.json << 'GH_AW_SAFE_INPUTS_TOOLS_EOF' + mkdir -p /opt/gh-aw/mcp-scripts/logs + cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { - "serverName": "safeinputs", + "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/mcp-scripts/logs", "tools": [ { "name": "go", - "description": "Execute any Go command. This tool is accessible as 'safeinputs-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", + "description": "Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", "inputSchema": { "properties": { "args": { 
@@ -737,7 +737,7 @@ jobs: }, { "name": "make", - "description": "Execute any Make target. This tool is accessible as 'safeinputs-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", + "description": "Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", "inputSchema": { "properties": { "args": { 
@@ -755,30 +755,30 @@ jobs: } ] } - GH_AW_SAFE_INPUTS_TOOLS_EOF - cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'GH_AW_SAFE_INPUTS_SERVER_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_EOF + cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); - const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); + const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); - const port = parseInt(process.env.GH_AW_SAFE_INPUTS_PORT || "3000", 10); - const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; + const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT || "3000", 10); + const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/mcp-scripts/logs" }).catch(error => { - console.error("Failed to start safe-inputs HTTP server:", error); + console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_SAFE_INPUTS_SERVER_EOF - chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs + GH_AW_MCP_SCRIPTS_SERVER_EOF + chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs - - name: Setup Safe Inputs Tool Files + - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/safe-inputs/go.sh << 'GH_AW_SAFE_INPUTS_SH_GO_EOF' + cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash - # Auto-generated safe-input tool: go - # Execute any Go command. This tool is accessible as 'safeinputs-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. + # Auto-generated mcp-script tool: go + # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . 
Use single quotes ' for complex args to avoid shell interpretation issues. set -euo pipefail @@ -786,23 +786,23 @@ jobs: go $INPUT_ARGS - GH_AW_SAFE_INPUTS_SH_GO_EOF - chmod +x /opt/gh-aw/safe-inputs/go.sh - cat > /opt/gh-aw/safe-inputs/make.sh << 'GH_AW_SAFE_INPUTS_SH_MAKE_EOF' + GH_AW_MCP_SCRIPTS_SH_GO_EOF + chmod +x /opt/gh-aw/mcp-scripts/go.sh + cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash - # Auto-generated safe-input tool: make - # Execute any Make target. This tool is accessible as 'safeinputs-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. + # Auto-generated mcp-script tool: make + # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. set -euo pipefail echo "make $INPUT_ARGS" make $INPUT_ARGS - GH_AW_SAFE_INPUTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/safe-inputs/make.sh + GH_AW_MCP_SCRIPTS_SH_MAKE_EOF + chmod +x /opt/gh-aw/mcp-scripts/make.sh - - name: Generate Safe Inputs MCP Server Config - id: safe-inputs-config + - name: Generate MCP Scripts Server Config + id: mcp-scripts-config run: | # Generate a secure random API key (360 bits of entropy, 40+ chars) # Mask immediately to prevent timing vulnerabilities 
@@ -813,31 +813,31 @@ jobs: # Set outputs for next steps { - echo "safe_inputs_api_key=${API_KEY}" - echo "safe_inputs_port=${PORT}" + echo "mcp_scripts_api_key=${API_KEY}" + echo "mcp_scripts_port=${PORT}" } >> "$GITHUB_OUTPUT" - echo "Safe Inputs MCP server will run on port ${PORT}" + echo "MCP Scripts server will run on port ${PORT}" - - name: Start Safe Inputs MCP HTTP Server - id: safe-inputs-start + - name: Start MCP Scripts HTTP Server + id: mcp-scripts-start env: DEBUG: '*' - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-config.outputs.safe_inputs_port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} run: | # Environment variables are set above to prevent template injection export DEBUG - export GH_AW_SAFE_INPUTS_PORT - export GH_AW_SAFE_INPUTS_API_KEY + export GH_AW_MCP_SCRIPTS_PORT + export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway env: - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} 
@@ -859,7 +859,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e 
GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -875,11 +875,11 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, - "safeinputs": { + "mcpscripts": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { - "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" } }, "safeoutputs": { @@ -1043,14 +1043,14 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Parse Safe Inputs logs for step summary + - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() 
@@ -1094,7 +1094,7 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/safe-inputs/logs/ + /tmp/gh-aw/mcp-scripts/logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ diff --git a/.github/workflows/daily-cli-performance.md b/.github/workflows/daily-cli-performance.md index 318417879f6..04dfdc3653a 100644 --- a/.github/workflows/daily-cli-performance.md +++ b/.github/workflows/daily-cli-performance.md @@ -54,16 +54,16 @@ Run daily performance benchmarks for workflow compilation, store results in cach ## Available Safe-Input Tools This workflow imports `shared/go-make.md` which provides: -- **safeinputs-go** - Execute Go commands (e.g., args: "test ./...", "build ./cmd/gh-aw") -- **safeinputs-make** - Execute Make targets (e.g., args: "build", "test-unit", "bench") +- **mcpscripts-go** - Execute Go commands (e.g., args: "test ./...", "build ./cmd/gh-aw") +- **mcpscripts-make** - Execute Make targets (e.g., args: "build", "test-unit", "bench") -**IMPORTANT**: Always use these safe-input tools for Go and Make commands instead of running them directly via bash. +**IMPORTANT**: Always use these mcp-script tools for Go and Make commands instead of running them directly via bash. ## Phase 1: Run Performance Benchmarks ### 1.1 Run Compilation Benchmarks -Run the benchmark suite and capture results using the **safeinputs-make** tool: +Run the benchmark suite and capture results using the **mcpscripts-make** tool: **Step 1**: Create directory for results 
@@ -71,9 +71,9 @@ Run the benchmark suite and capture results using the **safeinputs-make** tool: mkdir -p /tmp/gh-aw/benchmarks ``` -**Step 2**: Run benchmarks using safeinputs-make +**Step 2**: Run benchmarks using mcpscripts-make -Use the **safeinputs-make** tool with args: "bench-performance" to run the critical performance benchmark suite. +Use the **mcpscripts-make** tool with args: "bench-performance" to run the critical performance benchmark suite. This will execute `make bench-performance` which runs targeted performance benchmarks and saves results to `bench_performance.txt`. diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index bf229b33e57..6edd2268d79 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -21,17 +21,17 @@ # # For more information: https://github.github.com/gh-aw/introduction/overview/ # -# Daily project performance summary (90-day window) with trend charts using safe-inputs +# Daily project performance summary (90-day window) with trend charts using mcp-scripts # # Resolved workflow manifest: # Imports: -# - shared/github-queries-safe-input.md +# - shared/github-queries-mcp-script.md # - shared/reporting.md # - shared/trending-charts-simple.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"e122dc205e62037c58443024bb7827fc2c4474c74536e2043be657fe4d9c79a2","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c18fdbf83211c18b0c1841b7350de90b0a4b88a7a5a0a0c2026345fc6054c691","strict":true} -name: "Daily Project Performance Summary Generator (Using Safe Inputs)" +name: "Daily Project Performance Summary Generator (Using MCP Scripts)" "on": schedule: - cron: "26 19 * * *" 
@@ -43,7 +43,7 @@ permissions: {} concurrency: group: "gh-aw-${{ github.workflow }}" -run-name: "Daily Project Performance Summary Generator (Using Safe Inputs)" +run-name: "Daily Project Performance Summary Generator (Using MCP Scripts)" jobs: activation: @@ -74,7 +74,7 @@ jobs: GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || '' }} GH_AW_INFO_VERSION: "" GH_AW_INFO_AGENT_VERSION: "latest" - GH_AW_INFO_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_INFO_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_INFO_EXPERIMENTAL: "false" GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true" GH_AW_INFO_STAGED: "false" @@ -175,7 +175,7 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' - {{#runtime-import .github/workflows/shared/github-queries-safe-input.md}} + {{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}} GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' {{#runtime-import .github/workflows/shared/trending-charts-simple.md}} @@ -745,14 +745,14 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Setup Safe Inputs Config + - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/safe-inputs/logs - cat > /opt/gh-aw/safe-inputs/tools.json << 'GH_AW_SAFE_INPUTS_TOOLS_EOF' + mkdir -p /opt/gh-aw/mcp-scripts/logs + cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { - "serverName": "safeinputs", + "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", 
@@ -842,29 +842,29 @@ jobs: } ] } - GH_AW_SAFE_INPUTS_TOOLS_EOF - cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'GH_AW_SAFE_INPUTS_SERVER_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_EOF + cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); - const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); + const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); - const port = parseInt(process.env.GH_AW_SAFE_INPUTS_PORT || "3000", 10); - const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; + const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT || "3000", 10); + const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/mcp-scripts/logs" }).catch(error => { - console.error("Failed to start safe-inputs HTTP server:", error); + console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_SAFE_INPUTS_SERVER_EOF - chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs + GH_AW_MCP_SCRIPTS_SERVER_EOF + chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs - - name: Setup Safe Inputs Tool Files + - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/safe-inputs/github-discussion-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-discussion-query + # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail 
@@ -997,11 +997,11 @@ jobs: EOF fi - GH_AW_SAFE_INPUTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-discussion-query.sh - cat > /opt/gh-aw/safe-inputs/github-issue-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-ISSUE-QUERY_EOF' + GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh + cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-issue-query + # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail @@ -1078,11 +1078,11 @@ jobs: fi - GH_AW_SAFE_INPUTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-issue-query.sh - cat > /opt/gh-aw/safe-inputs/github-pr-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-PR-QUERY_EOF' + GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh + cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-pr-query + # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail 
@@ -1165,11 +1165,11 @@ jobs: fi - GH_AW_SAFE_INPUTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-pr-query.sh + GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh - - name: Generate Safe Inputs MCP Server Config - id: safe-inputs-config + - name: Generate MCP Scripts Server Config + id: mcp-scripts-config run: | # Generate a secure random API key (360 bits of entropy, 40+ chars) # Mask immediately to prevent timing vulnerabilities @@ -1180,26 +1180,26 @@ jobs: # Set outputs for next steps { - echo "safe_inputs_api_key=${API_KEY}" - echo "safe_inputs_port=${PORT}" + echo "mcp_scripts_api_key=${API_KEY}" + echo "mcp_scripts_port=${PORT}" } >> "$GITHUB_OUTPUT" - echo "Safe Inputs MCP server will run on port ${PORT}" + echo "MCP Scripts server will run on port ${PORT}" - - name: Start Safe Inputs MCP HTTP Server - id: safe-inputs-start + - name: Start MCP Scripts HTTP Server + id: mcp-scripts-start env: DEBUG: '*' - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-config.outputs.safe_inputs_port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Environment variables are set above to prevent template injection export DEBUG - export GH_AW_SAFE_INPUTS_PORT - export GH_AW_SAFE_INPUTS_API_KEY + export GH_AW_MCP_SCRIPTS_PORT + export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway 
@@ -1207,8 +1207,8 @@ jobs: GH_AW_ASSETS_ALLOWED_EXTS: ${{ env.GH_AW_ASSETS_ALLOWED_EXTS }} GH_AW_ASSETS_BRANCH: ${{ env.GH_AW_ASSETS_BRANCH }} GH_AW_ASSETS_MAX_SIZE_KB: ${{ env.GH_AW_ASSETS_MAX_SIZE_KB }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} 
@@ -1231,7 +1231,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e 
GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -1247,11 +1247,11 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,discussions" } }, - "safeinputs": { + "mcpscripts": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { - "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" } }, "safeoutputs": { @@ -1419,14 +1419,14 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Parse Safe Inputs logs for step summary + - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() 
@@ -1476,7 +1476,7 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/safe-inputs/logs/ + /tmp/gh-aw/mcp-scripts/logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ @@ -1517,8 +1517,8 @@ jobs: if: always() && steps.detection_guard.outputs.run_detection == 'true' uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" - WORKFLOW_DESCRIPTION: "Daily project performance summary (90-day window) with trend charts using safe-inputs" + WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" + WORKFLOW_DESCRIPTION: "Daily project performance summary (90-day window) with trend charts using mcp-scripts" HAS_PATCH: ${{ steps.collect_output.outputs.has_patch }} with: script: | @@ -1653,7 +1653,7 @@ jobs: env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} GH_AW_NOOP_MAX: "1" - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_TRACKER_ID: "daily-performance-summary" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -1667,7 +1667,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_TRACKER_ID: "daily-performance-summary" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} 
@@ -1681,7 +1681,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} @@ -1705,7 +1705,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }} @@ -1733,7 +1733,7 @@ jobs: GH_AW_ENGINE_ID: "copilot" GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_WORKFLOW_ID: "daily-performance-summary" - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" outputs: code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }} code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }} @@ -1901,7 +1901,7 @@ jobs: GH_AW_ASSETS_BRANCH: "assets/${{ github.workflow }}" GH_AW_ASSETS_MAX_SIZE_KB: 10240 GH_AW_ASSETS_ALLOWED_EXTS: ".png,.jpg,.jpeg" - GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using Safe Inputs)" + GH_AW_WORKFLOW_NAME: "Daily Project Performance Summary Generator (Using MCP Scripts)" GH_AW_TRACKER_ID: "daily-performance-summary" GH_AW_ENGINE_ID: "copilot" with: 
diff --git a/.github/workflows/daily-performance-summary.md b/.github/workflows/daily-performance-summary.md index f62133677ad..8041e5df7fc 100644 --- a/.github/workflows/daily-performance-summary.md +++ b/.github/workflows/daily-performance-summary.md @@ -1,5 +1,5 @@ --- -description: Daily project performance summary (90-day window) with trend charts using safe-inputs +description: Daily project performance summary (90-day window) with trend charts using mcp-scripts on: schedule: daily workflow_dispatch: 
@@ -27,23 +27,23 @@ safe-outputs: max: 10 timeout-minutes: 30 imports: - - shared/github-queries-safe-input.md + - shared/github-queries-mcp-script.md - shared/trending-charts-simple.md - shared/reporting.md --- {{#runtime-import? .github/shared-instructions.md}} -# Daily Project Performance Summary Generator (Using Safe Inputs) +# Daily Project Performance Summary Generator (Using MCP Scripts) -You are an expert analyst that generates comprehensive daily performance summaries using **safe-input tools** to query GitHub data (PRs, issues, discussions) and creates trend visualizations. +You are an expert analyst that generates comprehensive daily performance summaries using **mcp-script tools** to query GitHub data (PRs, issues, discussions) and creates trend visualizations. -**IMPORTANT**: This workflow uses safe-input tools imported from `shared/github-queries-safe-input.md`. All data gathering MUST be done through these tools. +**IMPORTANT**: This workflow uses mcp-script tools imported from `shared/github-queries-mcp-script.md`. All data gathering MUST be done through these tools. ## Mission Generate a daily performance summary analyzing the last 90 days of project activity: -1. **Use safe-input tools** to query PRs, issues, and discussions +1. **Use mcp-script tools** to query PRs, issues, and discussions 2. Calculate key performance metrics (velocity, resolution times, activity levels) 3. Generate trend charts showing project activity and performance 4. Create a discussion with the comprehensive performance report 
@@ -57,7 +57,7 @@ Generate a daily performance summary analyzing the last 90 days of project activ ## Phase 1: Gather Data Using Safe-Input Tools -**CRITICAL**: Use the safe-input tools to query GitHub data. These tools are imported from `shared/github-queries-safe-input.md` and provide the same functionality as the previous Skillz-based approach. +**CRITICAL**: Use the mcp-script tools to query GitHub data. These tools are imported from `shared/github-queries-mcp-script.md` and provide the same functionality as the previous Skillz-based approach. ### Available Safe-Input Tools @@ -68,7 +68,7 @@ The following tools are available for querying GitHub data: ### 1.1 Query Pull Requests -**Use the `github-pr-query` safe-input tool** to get PR data: +**Use the `github-pr-query` mcp-script tool** to get PR data: ``` github-pr-query with state: "all", limit: 1000, jq: "." @@ -82,7 +82,7 @@ The tool provides: ### 1.2 Query Issues -**Use the `github-issue-query` safe-input tool** to get issue data: +**Use the `github-issue-query` mcp-script tool** to get issue data: ``` github-issue-query with state: "all", limit: 1000, jq: "." @@ -96,7 +96,7 @@ The tool provides: ### 1.3 Query Discussions -**Use the `github-discussion-query` safe-input tool** to get discussion data: +**Use the `github-discussion-query` mcp-script tool** to get discussion data: ``` github-discussion-query with limit: 1000, jq: "." @@ -477,7 +477,7 @@ Create a new discussion with the comprehensive performance report. ## Success Criteria A successful run will: -- ✅ **Query data using safe-input tools** (github-pr-query, github-issue-query, github-discussion-query) +- ✅ **Query data using mcp-script tools** (github-pr-query, github-issue-query, github-discussion-query) - ✅ Calculate comprehensive performance metrics from tool output - ✅ Generate 3 high-quality trend charts - ✅ Upload charts as assets 
@@ -486,13 +486,13 @@ A successful run will: ## Safe-Input Tools Usage Reminder -This workflow uses safe-input tools imported from `shared/github-queries-safe-input.md`: +This workflow uses mcp-script tools imported from `shared/github-queries-mcp-script.md`: 1. Tools are defined in the shared workflow with shell script implementations 2. Each tool supports jq-based filtering for efficient data querying 3. Tools are authenticated with `GITHUB_TOKEN` for GitHub API access 4. Call tools with parameters like: `github-pr-query with state: "all", limit: 1000, jq: "."` -Begin your analysis now. **Use the safe-input tools** to gather data, run Python analysis, generate charts, and create the discussion report. +Begin your analysis now. **Use the mcp-script tools** to gather data, run Python analysis, generate charts, and create the discussion report. **Important**: If no action is needed after completing your analysis, you **MUST** call the `noop` safe-output tool with a brief explanation. Failing to call any safe-output tool is the most common cause of safe-output workflow failures. diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 6f865278a18..965477155dc 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -25,10 +25,10 @@ # # Resolved workflow manifest: # Imports: -# - shared/github-queries-safe-input.md +# - shared/github-queries-mcp-script.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"4981509a6079c94c5b8fd172d8812c9c5bab1f192cba2eae4352305af61e06c0","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"238c3282ef64bdb6800bd48877c082702a91b29214ffb81ce63903042421d706","strict":true} name: "Daily Regulatory Report Generator" "on": 
@@ -171,7 +171,7 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' - {{#runtime-import .github/workflows/shared/github-queries-safe-input.md}} + {{#runtime-import .github/workflows/shared/github-queries-mcp-script.md}} GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' {{#runtime-import .github/workflows/shared/reporting.md}} @@ -665,14 +665,14 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Setup Safe Inputs Config + - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/safe-inputs/logs - cat > /opt/gh-aw/safe-inputs/tools.json << 'GH_AW_SAFE_INPUTS_TOOLS_EOF' + mkdir -p /opt/gh-aw/mcp-scripts/logs + cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { - "serverName": "safeinputs", + "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/mcp-scripts/logs", "tools": [ { "name": "github-discussion-query", 
@@ -762,29 +762,29 @@ jobs: } ] } - GH_AW_SAFE_INPUTS_TOOLS_EOF - cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'GH_AW_SAFE_INPUTS_SERVER_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_EOF + cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); - const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); + const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); - const port = parseInt(process.env.GH_AW_SAFE_INPUTS_PORT || "3000", 10); - const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; + const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT || "3000", 10); + const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/mcp-scripts/logs" }).catch(error => { - console.error("Failed to start safe-inputs HTTP server:", error); + console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_SAFE_INPUTS_SERVER_EOF - chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs + GH_AW_MCP_SCRIPTS_SERVER_EOF + chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs - - name: Setup Safe Inputs Tool Files + - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/safe-inputs/github-discussion-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-DISCUSSION-QUERY_EOF' + cat > /opt/gh-aw/mcp-scripts/github-discussion-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-discussion-query + # Auto-generated mcp-script tool: github-discussion-query # Query GitHub discussions with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail 
@@ -917,11 +917,11 @@ jobs: EOF fi - GH_AW_SAFE_INPUTS_SH_GITHUB-DISCUSSION-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-discussion-query.sh - cat > /opt/gh-aw/safe-inputs/github-issue-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-ISSUE-QUERY_EOF' + GH_AW_MCP_SCRIPTS_SH_GITHUB-DISCUSSION-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-discussion-query.sh + cat > /opt/gh-aw/mcp-scripts/github-issue-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-issue-query + # Auto-generated mcp-script tool: github-issue-query # Query GitHub issues with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail @@ -998,11 +998,11 @@ jobs: fi - GH_AW_SAFE_INPUTS_SH_GITHUB-ISSUE-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-issue-query.sh - cat > /opt/gh-aw/safe-inputs/github-pr-query.sh << 'GH_AW_SAFE_INPUTS_SH_GITHUB-PR-QUERY_EOF' + GH_AW_MCP_SCRIPTS_SH_GITHUB-ISSUE-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-issue-query.sh + cat > /opt/gh-aw/mcp-scripts/github-pr-query.sh << 'GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF' #!/bin/bash - # Auto-generated safe-input tool: github-pr-query + # Auto-generated mcp-script tool: github-pr-query # Query GitHub pull requests with jq filtering support. Without --jq, returns schema and data size info. Use --jq '.' to get all data, or specific jq expressions to filter. set -euo pipefail @@ -1085,11 +1085,11 @@ jobs: fi - GH_AW_SAFE_INPUTS_SH_GITHUB-PR-QUERY_EOF - chmod +x /opt/gh-aw/safe-inputs/github-pr-query.sh + GH_AW_MCP_SCRIPTS_SH_GITHUB-PR-QUERY_EOF + chmod +x /opt/gh-aw/mcp-scripts/github-pr-query.sh - - name: Generate Safe Inputs MCP Server Config - id: safe-inputs-config + - name: Generate MCP Scripts Server Config + id: mcp-scripts-config run: | # Generate a secure random API key (360 bits of entropy, 40+ chars) # Mask immediately to prevent timing vulnerabilities 
@@ -1100,32 +1100,32 @@ jobs: # Set outputs for next steps { - echo "safe_inputs_api_key=${API_KEY}" - echo "safe_inputs_port=${PORT}" + echo "mcp_scripts_api_key=${API_KEY}" + echo "mcp_scripts_port=${PORT}" } >> "$GITHUB_OUTPUT" - echo "Safe Inputs MCP server will run on port ${PORT}" + echo "MCP Scripts server will run on port ${PORT}" - - name: Start Safe Inputs MCP HTTP Server - id: safe-inputs-start + - name: Start MCP Scripts HTTP Server + id: mcp-scripts-start env: DEBUG: '*' - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-config.outputs.safe_inputs_port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Environment variables are set above to prevent template injection export DEBUG - export GH_AW_SAFE_INPUTS_PORT - export GH_AW_SAFE_INPUTS_API_KEY + export GH_AW_MCP_SCRIPTS_PORT + export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway env: - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} 
@@ -1148,7 +1148,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="copilot" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e 
GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -e GH_TOKEN -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' mkdir -p /home/runner/.copilot cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh @@ -1164,11 +1164,11 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,discussions" } }, - "safeinputs": { + "mcpscripts": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { - "Authorization": "\${GH_AW_SAFE_INPUTS_API_KEY}" + "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" } }, "safeoutputs": { @@ -1333,14 +1333,14 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_copilot_log.cjs'); await main(); - - name: Parse Safe Inputs logs for step summary + - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() 
@@ -1375,7 +1375,7 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/safe-inputs/logs/ + /tmp/gh-aw/mcp-scripts/logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ diff --git a/.github/workflows/daily-regulatory.md b/.github/workflows/daily-regulatory.md index c76a0c9a721..f1f3055de35 100644 --- a/.github/workflows/daily-regulatory.md +++ b/.github/workflows/daily-regulatory.md @@ -28,7 +28,7 @@ safe-outputs: max: 10 timeout-minutes: 30 imports: - - shared/github-queries-safe-input.md + - shared/github-queries-mcp-script.md - shared/reporting.md --- @@ -60,7 +60,7 @@ Review all daily report discussions from the last 24 hours and: ### Step 0.1: Verify GitHub Discussions Access -1. Test the `github-discussion-query` safe-input tool by running a simple query: +1. Test the `github-discussion-query` mcp-script tool by running a simple query: ``` github-discussion-query with limit: 1, jq: "." ``` @@ -102,7 +102,7 @@ Review all daily report discussions from the last 24 hours and: ### Step 1.1: Query Recent Discussions -Use the `github-discussion-query` safe-input tool to find all daily report discussions created in the last 24-48 hours. Call the tool with appropriate parameters: +Use the `github-discussion-query` mcp-script tool to find all daily report discussions created in the last 24-48 hours. Call the tool with appropriate parameters: ``` github-discussion-query with limit: 100, jq: "." diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 14a5cba2879..82199dd3651 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml 
@@ -27,7 +27,7 @@ # Imports: # - shared/go-make.md # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"f25ce343847e9c88cf0b683033fae1614998f81e330da7bf355bcf7a2e50e199","strict":true} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"9fc05dd97be30e5cf9eb349f0b5b33b6d3369786898cfab02a90664683961943","strict":true} name: "Go Logger Enhancement" "on": @@ -653,18 +653,18 @@ jobs: bash /opt/gh-aw/actions/start_safe_outputs_server.sh - - name: Setup Safe Inputs Config + - name: Setup MCP Scripts Config run: | - mkdir -p /opt/gh-aw/safe-inputs/logs - cat > /opt/gh-aw/safe-inputs/tools.json << 'GH_AW_SAFE_INPUTS_TOOLS_EOF' + mkdir -p /opt/gh-aw/mcp-scripts/logs + cat > /opt/gh-aw/mcp-scripts/tools.json << 'GH_AW_MCP_SCRIPTS_TOOLS_EOF' { - "serverName": "safeinputs", + "serverName": "mcpscripts", "version": "1.0.0", - "logDir": "/opt/gh-aw/safe-inputs/logs", + "logDir": "/opt/gh-aw/mcp-scripts/logs", "tools": [ { "name": "go", - "description": "Execute any Go command. This tool is accessible as 'safeinputs-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", + "description": "Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", "inputSchema": { "properties": { "args": { 
@@ -682,7 +682,7 @@ jobs: }, { "name": "make", - "description": "Execute any Make target. This tool is accessible as 'safeinputs-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", + "description": "Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make \u003cargs\u003e. Use single quotes ' for complex args to avoid shell interpretation issues.", "inputSchema": { "properties": { "args": { 
@@ -700,30 +700,30 @@ jobs: } ] } - GH_AW_SAFE_INPUTS_TOOLS_EOF - cat > /opt/gh-aw/safe-inputs/mcp-server.cjs << 'GH_AW_SAFE_INPUTS_SERVER_EOF' + GH_AW_MCP_SCRIPTS_TOOLS_EOF + cat > /opt/gh-aw/mcp-scripts/mcp-server.cjs << 'GH_AW_MCP_SCRIPTS_SERVER_EOF' const path = require("path"); - const { startHttpServer } = require("./safe_inputs_mcp_server_http.cjs"); + const { startHttpServer } = require("./mcp_scripts_mcp_server_http.cjs"); const configPath = path.join(__dirname, "tools.json"); - const port = parseInt(process.env.GH_AW_SAFE_INPUTS_PORT || "3000", 10); - const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || ""; + const port = parseInt(process.env.GH_AW_MCP_SCRIPTS_PORT || "3000", 10); + const apiKey = process.env.GH_AW_MCP_SCRIPTS_API_KEY || ""; startHttpServer(configPath, { port: port, stateless: true, - logDir: "/opt/gh-aw/safe-inputs/logs" + logDir: "/opt/gh-aw/mcp-scripts/logs" }).catch(error => { - console.error("Failed to start safe-inputs HTTP server:", error); + console.error("Failed to start mcp-scripts HTTP server:", error); process.exit(1); }); - GH_AW_SAFE_INPUTS_SERVER_EOF - chmod +x /opt/gh-aw/safe-inputs/mcp-server.cjs + GH_AW_MCP_SCRIPTS_SERVER_EOF + chmod +x /opt/gh-aw/mcp-scripts/mcp-server.cjs - - name: Setup Safe Inputs Tool Files + - name: Setup MCP Scripts Tool Files run: | - cat > /opt/gh-aw/safe-inputs/go.sh << 'GH_AW_SAFE_INPUTS_SH_GO_EOF' + cat > /opt/gh-aw/mcp-scripts/go.sh << 'GH_AW_MCP_SCRIPTS_SH_GO_EOF' #!/bin/bash - # Auto-generated safe-input tool: go - # Execute any Go command. This tool is accessible as 'safeinputs-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . Use single quotes ' for complex args to avoid shell interpretation issues. + # Auto-generated mcp-script tool: go + # Execute any Go command. This tool is accessible as 'mcpscripts-go'. Provide the full command after 'go' (e.g., args: 'test ./...'). The tool will run: go . 
Use single quotes ' for complex args to avoid shell interpretation issues. set -euo pipefail @@ -731,23 +731,23 @@ jobs: go $INPUT_ARGS - GH_AW_SAFE_INPUTS_SH_GO_EOF - chmod +x /opt/gh-aw/safe-inputs/go.sh - cat > /opt/gh-aw/safe-inputs/make.sh << 'GH_AW_SAFE_INPUTS_SH_MAKE_EOF' + GH_AW_MCP_SCRIPTS_SH_GO_EOF + chmod +x /opt/gh-aw/mcp-scripts/go.sh + cat > /opt/gh-aw/mcp-scripts/make.sh << 'GH_AW_MCP_SCRIPTS_SH_MAKE_EOF' #!/bin/bash - # Auto-generated safe-input tool: make - # Execute any Make target. This tool is accessible as 'safeinputs-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. + # Auto-generated mcp-script tool: make + # Execute any Make target. This tool is accessible as 'mcpscripts-make'. Provide the target name(s) (e.g., args: 'build'). The tool will run: make . Use single quotes ' for complex args to avoid shell interpretation issues. set -euo pipefail echo "make $INPUT_ARGS" make $INPUT_ARGS - GH_AW_SAFE_INPUTS_SH_MAKE_EOF - chmod +x /opt/gh-aw/safe-inputs/make.sh + GH_AW_MCP_SCRIPTS_SH_MAKE_EOF + chmod +x /opt/gh-aw/mcp-scripts/make.sh - - name: Generate Safe Inputs MCP Server Config - id: safe-inputs-config + - name: Generate MCP Scripts Server Config + id: mcp-scripts-config run: | # Generate a secure random API key (360 bits of entropy, 40+ chars) # Mask immediately to prevent timing vulnerabilities 
@@ -758,31 +758,31 @@ jobs: # Set outputs for next steps { - echo "safe_inputs_api_key=${API_KEY}" - echo "safe_inputs_port=${PORT}" + echo "mcp_scripts_api_key=${API_KEY}" + echo "mcp_scripts_port=${PORT}" } >> "$GITHUB_OUTPUT" - echo "Safe Inputs MCP server will run on port ${PORT}" + echo "MCP Scripts server will run on port ${PORT}" - - name: Start Safe Inputs MCP HTTP Server - id: safe-inputs-start + - name: Start MCP Scripts HTTP Server + id: mcp-scripts-start env: DEBUG: '*' - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-config.outputs.safe_inputs_port }} - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-config.outputs.mcp_scripts_api_key }} run: | # Environment variables are set above to prevent template injection export DEBUG - export GH_AW_SAFE_INPUTS_PORT - export GH_AW_SAFE_INPUTS_API_KEY + export GH_AW_MCP_SCRIPTS_PORT + export GH_AW_MCP_SCRIPTS_API_KEY - bash /opt/gh-aw/actions/start_safe_inputs_server.sh + bash /opt/gh-aw/actions/start_mcp_scripts_server.sh - name: Start MCP Gateway id: start-mcp-gateway env: - GH_AW_SAFE_INPUTS_API_KEY: ${{ steps.safe-inputs-start.outputs.api_key }} - GH_AW_SAFE_INPUTS_PORT: ${{ steps.safe-inputs-start.outputs.port }} + GH_AW_MCP_SCRIPTS_API_KEY: ${{ steps.mcp-scripts-start.outputs.api_key }} + GH_AW_MCP_SCRIPTS_PORT: ${{ steps.mcp-scripts-start.outputs.port }} GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }} GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }} 
@@ -804,7 +804,7 @@ jobs: export DEBUG="*" export GH_AW_ENGINE="claude" - export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_INPUTS_PORT -e GH_AW_SAFE_INPUTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' + export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e 
GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_MCP_SCRIPTS_PORT -e GH_AW_MCP_SCRIPTS_API_KEY -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' cat << GH_AW_MCP_CONFIG_EOF | bash /opt/gh-aw/actions/start_mcp_gateway.sh { @@ -818,11 +818,11 @@ jobs: "GITHUB_TOOLSETS": "context,repos,issues,pull_requests" } }, - "safeinputs": { + "mcpscripts": { "type": "http", - "url": "http://host.docker.internal:$GH_AW_SAFE_INPUTS_PORT", + "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { - "Authorization": "$GH_AW_SAFE_INPUTS_API_KEY" + "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" } }, "safeoutputs": { @@ -1055,14 +1055,14 @@ jobs: setupGlobals(core, github, context, exec, io); const { main } = require('/opt/gh-aw/actions/parse_claude_log.cjs'); await main(); - - name: Parse Safe Inputs logs for step summary + - name: Parse MCP Scripts logs for step summary if: always() uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); setupGlobals(core, github, context, exec, io); - const { main } = require('/opt/gh-aw/actions/parse_safe_inputs_logs.cjs'); + const { main } = require('/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs'); await main(); - name: Parse MCP Gateway logs for step summary if: always() 
@@ -1103,7 +1103,7 @@ jobs: path: | /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/mcp-logs/ - /tmp/gh-aw/safe-inputs/logs/ + /tmp/gh-aw/mcp-scripts/logs/ /tmp/gh-aw/sandbox/firewall/logs/ /tmp/gh-aw/agent-stdio.log /tmp/gh-aw/agent/ diff --git a/.github/workflows/go-logger.md b/.github/workflows/go-logger.md index b3a43c56143..21596f1b6e7 100644 --- a/.github/workflows/go-logger.md +++ b/.github/workflows/go-logger.md @@ -64,8 +64,8 @@ You are an AI agent that improves Go code by adding debug logging statements to ## Available Safe-Input Tools This workflow imports `shared/go-make.md` which provides: -- **safeinputs-go** - Execute Go commands (e.g., args: "test ./...", "build ./cmd/gh-aw") -- **safeinputs-make** - Execute Make targets (e.g., args: "build", "test-unit", "lint", "recompile") +- **mcpscripts-go** - Execute Go commands (e.g., args: "test ./...", "build ./cmd/gh-aw") +- **mcpscripts-make** - Execute Make targets (e.g., args: "build", "test-unit", "lint", "recompile") Use these tools for consistent execution instead of running commands directly via bash. @@ -220,17 +220,17 @@ For each file: After adding logging to the selected files, **validate your changes** before creating a PR: 1. **Build the project to ensure no compilation errors:** - Use the safeinputs-make tool with args: "build" + Use the mcpscripts-make tool with args: "build" This will compile the Go code and catch any syntax errors or import issues. 2. **Run unit tests to ensure nothing broke:** - Use the safeinputs-make tool with args: "test-unit" + Use the mcpscripts-make tool with args: "test-unit" This validates that your changes don't break existing functionality. 3. **Test the workflow compilation with debug logging enabled:** - Use the safeinputs-go tool with args: "run ./cmd/gh-aw compile dev" + Use the mcpscripts-go tool with args: "run ./cmd/gh-aw compile dev" Or you can run it directly with bash if needed: ```bash 
@@ -242,7 +242,7 @@ After adding logging to the selected files, **validate your changes** before cre - Debug logging from your changes appears in the output 4. **If needed, recompile workflows:** - Use the safeinputs-make tool with args: "recompile" + Use the mcpscripts-make tool with args: "recompile" ### 6. Create Pull Request diff --git a/.github/workflows/security-review.md b/.github/workflows/security-review.md index e8e7261f264..3054bbc24dd 100644 --- a/.github/workflows/security-review.md +++ b/.github/workflows/security-review.md @@ -97,7 +97,7 @@ The AWF controls network access, sandboxing, and command execution. Look for: - Target repositories being expanded (`target-repo:`) - Label or permission restrictions being removed -**Safe Inputs (`safe-inputs:` field)** +**MCP Scripts (`mcp-scripts:` field)** - New scripts being added with secret access - Environment variables exposing sensitive data - External command execution in scripts diff --git a/.github/workflows/shared/gh.md b/.github/workflows/shared/gh.md index 72d81ebe624..126c0c39cdc 100644 --- a/.github/workflows/shared/gh.md +++ b/.github/workflows/shared/gh.md @@ -1,7 +1,7 @@ --- -safe-inputs: +mcp-scripts: gh: - description: "Execute any gh CLI command. This tool is accessible as 'safeinputs-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues." + description: "Execute any gh CLI command. This tool is accessible as 'mcpscripts-gh'. Provide the full command after 'gh' (e.g., args: 'pr list --limit 5'). The tool will run: gh . Use single quotes ' for complex args to avoid shell interpretation issues." inputs: args: type: string 
@@ -16,25 +16,25 @@ safe-inputs: GH_TOKEN="$GH_AW_GH_TOKEN" gh $INPUT_ARGS --- -**IMPORTANT**: Always use the `safeinputs-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `safeinputs-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. +**IMPORTANT**: Always use the `mcpscripts-gh` tool for GitHub CLI commands instead of running `gh` directly via bash. The `mcpscripts-gh` tool has proper authentication configured with `GITHUB_TOKEN`, while bash commands do not have GitHub CLI authentication by default. **Correct**: ``` -Use the safeinputs-gh tool with args: "pr list --limit 5" -Use the safeinputs-gh tool with args: "issue view 123" +Use the mcpscripts-gh tool with args: "pr list --limit 5" +Use the mcpscripts-gh tool with args: "issue view 123" ``` **Incorrect**: ``` -Use the gh safe-input tool with args: "pr list --limit 5" ❌ (Wrong tool name - use safeinputs-gh) +Use the gh mcp-script tool with args: "pr list --limit 5" ❌ (Wrong tool name - use mcpscripts-gh) Run: gh pr list --limit 5 ❌ (No authentication in bash) Execute bash: gh issue view 123 ❌ (No authentication in bash) ```
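Review bot: the unchanged context comment `# Mask immediately to prevent timing vulnerabilities` in the renamed `Generate MCP Scripts Server Config` step (present in both lock files) misstates what masking does: registering the generated key as a mask keeps it out of the job log, which is a disclosure concern, not a timing one. Since the step header is being touched anyway, reword it, e.g. `# Mask immediately so the key never appears in job logs`.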
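Review bot: the two renamed gateway configs treat the API-key header differently. The copilot lock file writes `"Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}"`, leaving the placeholder literal for the gateway to resolve, while the claude lock file writes `"Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY"`, which the shell expands inside the unquoted `GH_AW_MCP_CONFIG_EOF` heredoc before the JSON is piped to `start_mcp_gateway.sh`. If this is intentionally engine-specific, a comment in the generator would stop the next rename from "fixing" one of them; if not, the two files should agree.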
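Review bot: in the `Setup MCP Scripts Config` hunk, `mcp-server.cjs` now does `require("./mcp_scripts_mcp_server_http.cjs")` relative to `/opt/gh-aw/mcp-scripts`, and later steps call `/opt/gh-aw/actions/start_mcp_scripts_server.sh` and `/opt/gh-aw/actions/parse_mcp_scripts_logs.cjs`. None of those renamed files appear in this part of the diff; confirm they are moved (not copied) in the same change and that whatever stages them into `/opt/gh-aw` uses the new names, otherwise the server start step fails at require time.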
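Review bot: the generated `go.sh` and `make.sh` bodies still invoke `go $INPUT_ARGS` and `make $INPUT_ARGS` unquoted (and `shared/gh.md` does the same with `gh $INPUT_ARGS`), so the tool argument boundary is whatever bash word-splitting and globbing produce from the model-supplied string; the description only asks callers to use single quotes. Since these wrappers are marked "Execute any Go command" / "Execute any Make target", a safer generator output is to split once and pass quoted words, e.g. `read -ra args <<< "$INPUT_ARGS"` followed by `go "${args[@]}"`, which removes glob expansion from the call. Not a regression of this rename, but worth fixing while the templates are being regenerated.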
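Review bot: the import in `daily-regulatory.md` changes from `shared/github-queries-safe-input.md` to `shared/github-queries-mcp-script.md`; make sure the shared file itself is renamed in this change, otherwise compilation of that workflow fails on a missing import, and grep the other workflows for the old path so none keeps importing a file that no longer exists.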
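Review bot: in the `go-logger.md` hunk the heading `## Available Safe-Input Tools` is left as unchanged context while the bullets beneath it are renamed to `mcpscripts-go` and `mcpscripts-make`; rename the heading as well (for example `## Available MCP Script Tools`) so the prompt does not mix the old and new terminology, which is exactly the kind of stale reference the codemod is meant to remove.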